[CentOS] iptables - Forwarding with port translation thru an OpenVPN tunnel

Mon Oct 19 00:06:43 UTC 2009
Bazy <bazy84 at gmail.com>

On Mon, Oct 19, 2009 at 2:04 AM, Barry Brimer <lists at brimer.org> wrote:
>> I have a CentOS-5.3 "main" server with a static public IP address
>> running Apache, OpenVPN, and a bunch of other services.
>>
>> The primary IP address for the only NIC in this box is used by
>> Apache on standard ports 80 and 443.   I have a secondary
>> static public IP address assigned to this same NIC as eth0:1
>>
>> I have a working OpenVPN tunnel going to another CentOS-5.3 server
>> which has Apache listening on its eth0 NIC for requests on non-standard
>> ports 29080 and 29443(don't ask!).  This server is accessible on its
>> static public IP address and thru OpenVPN tunnel from the main server.
>>
>> The main server is the OpenVPN server as well, with private IP address
>> 172.16.xxx.1/32 auto-assigned to it.  The second server is a VPN client
>> with IP address 172.16.xxx.yyy/32 assigned.  The narrow netmasks are the
>> OpenVPN default, presumably used for isolation among multiple clients.
>>
>> OpenVPN is configured to run over the main server's NIC via its eth0:1
>> secondary IP address  64.aaa.bbb.ccc    The main server has a static
>> route set up between its eth0:1 IP and the remote server's public
>> IP address (not the tunnel IP).  This route is only there so that during
>> initial VPN negotiations the data will move via eth0:1's IP address.
>>
>> Things like ping, SSH, scp and HTTP/HTTPS all work correctly thru the
>> VPN in both directions, so the VPN itself is solid.
>>
>> Ok, so now I want external HTTP/HTTPS requests made to the main
>> server's eth0:1 public IP address to be forwarded thru the VPN to the
>> second remote server, with port translation along the way.
>>
>> Here is what I want to happen:
>>
>> Outside world HTTP/HTTPS requests to eth0:1 ports 80/443
>>    |
>>    V
>> CentOS eth0:1 (64.aaa.bbb.ccc)
>>    |
>>    V
>> Translate to ports 29080/29443
>>    |
>>    V
>> Forward requests thru the tunnel to 172.16.xxx.yyy
>>    |
>>    V
>> Remote Apache responds, packets return thru VPN to "main"
>>    |
>>    V
>> Response goes back to the outside world via 64.aaa.bbb.ccc
>>
>>
>> HTTP/HTTPS requests to the 64.aaa.bbb.ccc public IP just hang and time out.
>> Direct requests to the remote server on the non-standard ports work fine.
>> I've tried lots of iptables example entries found on several forums but so
>> far none of them seem to work.
>>
>> Does anyone have a cookbook-like complete set of iptables rules that will
>> accomplish what I need?  Is it possible I need to set up strong-end routing
>> on the remote server to send the response packets back thru the VPN? (such a
>> pain to configure)   Any assistance will be most gratefully received!
>
> I don't have a cookbook per se .. but here's my 30-second attempt:
>
> 1.  You need a PREROUTING DNAT rule to redirect traffic to the VPN address
> of the other web server.
> 2.  You need a POSTROUTING SNAT rule to ensure that all of the traffic
> comes back to the main server (of course your web server logs will have
> all the connections from the main server's VPN IP address in its log
> files) **OR** the default route of the web server needs to be the VPN IP
> address on the main server.
> 3.  You need a POSTROUTING SNAT rule to SNAT the appropriate traffic out
> from the desired IP address.
>
> You *might* be able to you policy routing to help in steps 2 and 3.
>
> Hope this helps,
> Barry

Hello,

You might want to take a look at apache's mod_proxy
http://httpd.apache.org/docs/2.0/mod/mod_proxy.html.