11-03-2008, 08:44 PM
Morten Sundstrøm

Forward all traffic from public IP A to public IP B?

Need help.




I'm trying to forward all traffic to a public server (A) to another
public server (B) except traffic to port 22. Found this on Google but
can't get it to work. Could someone help me please.

Server A has one NIC, server B has one NIC. Do I need 2 NICs in server
A?




#!/bin/sh

# Flush all rules and delete user-defined chains in the filter and nat tables.
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -X
iptables -F -t nat

# Default policies: accept everything.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Let the kernel forward packets that are not addressed to this host.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Rewrite the destination of all TCP except port 22, and of all UDP,
# arriving on eth0 so that it goes to server B.
iptables -t nat -A PREROUTING -i eth0 -p tcp ! --dport 22 -j DNAT --to-destination "IP B"
iptables -t nat -A PREROUTING -i eth0 -p udp -j DNAT --to-destination "IP B"

# END



/etc/rc.d/init.d/iptables status

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:!22 to:"IP B"
2    DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           to:"IP B"

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination






/Morten.



_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
11-03-2008, 09:00 PM
"nate"

Forward all traffic from public IP A to public IP B?

Morten Sundstrøm wrote:
> Need help.
>
> I'm trying to forward all traffic to a public server (A) to another public
> server (B) except traffic to port 22. Found this on Google but can't get
> it to work. Could someone help me please.

Is server (B) behind server (A) ? It's been a while but last
time I checked you couldn't do forwarding to a system unless that
system was behind the system that was doing the forwarding using
normal iptables.

What I do is use a specialized utility; there are two such utilities
that I know of that handle tcp forwarding in this manner:
rinetd and redir.

The only downside is the destination system will not see any of
the original IP addresses connecting, it will only see IPs of the
system doing the forwarding.

I don't think either rinetd or redir are available in the default
CentOS installation; you probably have to find them elsewhere on
the net.

As for non-TCP stuff, I don't know off the top of my head.

nate

 
11-03-2008, 09:05 PM
Morten Sundstrøm

Forward all traffic from public IP A to public IP B?

nate wrote:
> Morten Sundstrøm wrote:
>> Need help.
>>
>> I'm trying to forward all traffic to a public server (A) to another public
>> server (B) except traffic to port 22. Found this on Google but can't get
>> it to work. Could someone help me please.
>
> Is server (B) behind server (A)? It's been a while but last
> time I checked you couldn't do forwarding to a system unless that
> system was behind the system that was doing the forwarding using
> normal iptables.
>
> What I do is use a specialized utility; there are two such utilities
> that I know of that handle tcp forwarding in this manner:
> rinetd and redir.
>
> The only downside is the destination system will not see any of
> the original IP addresses connecting, it will only see IPs of the
> system doing the forwarding.
>
> I don't think either rinetd or redir are available in the default
> CentOS installation; you probably have to find them elsewhere on
> the net.
>
> As for non-TCP stuff, I don't know off the top of my head.
>
> nate


Server B is not behind server A; they are two different machines on different
public networks.



/Morten



 
11-03-2008, 09:29 PM
John R Pierce

Forward all traffic from public IP A to public IP B?

Morten Sundstrøm wrote:
> I'm trying to forward all traffic to a public server (A) to another
> public server (B) except traffic to port 22. Found this on Google but
> can't get it to work. Could someone help me please.
> Server A has one NIC, server B has one NIC. Do I need 2 NICs in server A?
>
> Server B is not behind server A; two different machines on different
> public networks.






Offhand, I'd suggest setting up a VPN between the two servers, perhaps
using OpenVPN, configured so server "A" is masquerading the VPN's
private addresses, and use ip masquerade style port forwarding to server
B's private VPN address.

This still leaves some questionable scenarios... for instance, assuming
server B has its own default gateway (which, indeed, it needs for
various reasons), if an FTP connection request comes in via server A's
port forwarding and NAT, the handling of the FTP dynamic 'data' port
will get messy. The same applies to any other protocol that
generates dynamic requests.

For that matter, server "B" generated outbound traffic, like for
instance, email... is that to be forwarded out through A?







 
11-03-2008, 09:54 PM
Morten Sundstrøm

Forward all traffic from public IP A to public IP B?

John R Pierce wrote:
> Morten Sundstrøm wrote:
>> I'm trying to forward all traffic to a public server (A) to another
>> public server (B) except traffic to port 22. Found this on Google but
>> can't get it to work. Could someone help me please.
>> Server A has one NIC, server B has one NIC. Do I need 2 NICs in server A?
>> Server B is not behind server A; two different machines on different
>> public networks.
>
> Offhand, I'd suggest setting up a VPN between the two servers, perhaps
> using OpenVPN, configured so server "A" is masquerading the VPN's
> private addresses, and use ip masquerade style port forwarding to
> server B's private VPN address.
> This still leaves some questionable scenarios... for instance,
> assuming server B has its own default gateway (which, indeed, it needs
> for various reasons), if an FTP connection request comes in via server
> A's port forwarding and NAT, the handling of the FTP dynamic 'data'
> port will get messy. The same applies to any other protocol that
> generates dynamic requests.
>
> For that matter, server "B" generated outbound traffic, like for
> instance, email... is that to be forwarded out through A?

No, nothing will go back from B through A; traffic from B will go directly
to the querying host. Sort of like manipulating the header of every packet,
changing the destination IP to the new destination IP and letting the new
destination host answer the query. Maybe I'm way off here, and if I am
then someone just say it and I will forget the whole thing.


/Morten
 
11-03-2008, 10:40 PM
Les Mikesell

Forward all traffic from public IP A to public IP B?

Morten Sundstrøm wrote:
> No, nothing will go back from B through A; traffic from B will go directly
> to the querying host. Sort of like manipulating the header of every packet,
> changing the destination IP to the new destination IP and letting the new
> destination host answer the query. Maybe I'm way off here, and if I am
> then someone just say it and I will forget the whole thing.


I think it is the wrong answer to any possible problem (compared to
changing DNS or whatever it takes to make the connection request go to
the right place on its own). Your iptables DNAT line would work to get
the packet to the other host - and you should be able to see that with
tcpdump. However, when host B responds back to the original source
address it won't complete a connection to the socket waiting for
something from host A.



--
Les Mikesell
lesmikesell@gmail.com



 
11-03-2008, 10:48 PM
John R Pierce

Forward all traffic from public IP A to public IP B?

Morten Sundstrøm wrote:
> No, nothing will go back from B through A; traffic from B will go
> directly to the querying host. Sort of like manipulating the header of
> every packet, changing the destination IP to the new destination IP and
> letting the new destination host answer the query. Maybe I'm way off
> here, and if I am then someone just say it and I will forget the whole
> thing.



yeah, that flat won't work.

client C sends packet with source address: C, destination address: A,
port P
A forwards packet to B with src: C, dest: B, port P
B replies to C with src: B, dest: C

C goes 'wtf is this packet? I don't have any open socket like this' and
rejects it.

rather...

client C sends packet with source address: C, destination address: A,
port P
A forwards packet to B with src: C, dest: B, port P
B replies to A with src: B, dest: C
A forwards response to C with src: A, dest: C,

and this response packet matches C's open outbound socket and is accepted





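The two packet traces above, as an added example that is not part of the thread: a small Python model of server A's NAT with and without a source-NAT rule on the outbound leg, showing why the client's socket rejects B's direct reply and accepts the reply relayed through A. The addresses are constructed from the RFC 5737 documentation ranges, and the MASQUERADE rule mentioned in the docstring is my suggestion, not something the thread posted.

```python
from dataclasses import dataclass, replace

A = "203.0.113.10"   # server A, the public IP clients connect to (constructed)
B = "198.51.100.20"  # server B, where A forwards the traffic (constructed)
C = "192.0.2.5"      # the client (constructed, RFC 5737 documentation ranges)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Packet":
        # The answer a host sends back: swap source and destination.
        return Packet(self.dst, self.dport, self.src, self.sport)

class ServerA:
    """A with the thread's nat PREROUTING DNAT rule and, when snat=True, a
    POSTROUTING source-NAT rule (roughly `-t nat -A POSTROUTING -d B -j
    MASQUERADE`; the source-port rewriting it may do is ignored here)."""
    def __init__(self, snat: bool):
        self.snat = snat
        self.conntrack = {}  # translated outbound flow -> original packet

    def forward(self, pkt: Packet) -> Packet:
        # PREROUTING: DNAT everything aimed at A except port 22 (ssh) to B.
        if pkt.dst != A or pkt.dport == 22:
            return pkt
        out = replace(pkt, dst=B)
        if self.snat:  # POSTROUTING: make B see A as the sender
            out = replace(out, src=A)
        self.conntrack[out] = pkt
        return out

    def handle_reply(self, reply: Packet) -> Packet:
        # Undo both translations for a reply that came back to A;
        # KeyError means A never saw the flow this reply belongs to.
        return self.conntrack[reply.reply()].reply()

def run_flow(snat: bool) -> bool:
    """Send one SYN from C to A:80 and report whether C accepts the reply."""
    a = ServerA(snat)
    syn = Packet(C, 40000, A, 80)
    reply = a.forward(syn).reply()       # B answers the source it saw
    if reply.dst != C:                   # with SNAT the reply goes to A first
        reply = a.handle_reply(reply)
    # C's socket only matches a reply from the peer it connected to (A:80).
    return reply == syn.reply()
```

Without the source NAT, B's reply arrives at C with source B, which matches no socket on C, exactly the first trace; with it, the reply comes back via A and is un-NATed, the second trace.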
 
11-22-2008, 08:00 AM
"Amos Shapira"

Forward all traffic from public IP A to public IP B?

2008/11/4 Morten Sundstrøm <morten@coretek.no>:
> No, nothing will go back from B through A; traffic from B will go directly to
> the querying host. Sort of like manipulating the header of every packet

Sounds like what LVS (Linux Virtual Server) ldirectord does in "DR"
setup: host "A" publishes the virtual IP, receives packets from the
world, redirects them at the Ethernet level to host B (which is on the
same Ethernet segment), which then generates IP packets with the
virtual IP as the source address and the initial client as the
destination, allowing host B to send the reply directly to the client
through its router without bothering the ldirectord.

Is this what you are trying to achieve?

--Amos
 
11-22-2008, 09:07 AM
John R Pierce

Forward all traffic from public IP A to public IP B?

Amos Shapira wrote:
> 2008/11/4 Morten Sundstrøm <morten@coretek.no>:
>> No, nothing will go back from B through A; traffic from B will go directly to
>> the querying host. Sort of like manipulating the header of every packet
>
> Sounds like what LVS (Linux Virtual Server) ldirectord does in "DR"
> setup: host "A" publishes the virtual IP, receives packets from the
> world, redirects them at the Ethernet level to host B (which is on the
> same Ethernet segment), which then generates IP packets with the
> virtual IP as the source address and the initial client as the
> destination, allowing host B to send the reply directly to the client
> through its router without bothering the ldirectord.
>
> Is this what you are trying to achieve?



um, about 3 weeks ago, when this discussion was active, the original
poster stated that servers A and B were "two different machines on
different public networks."

I think that precludes a direct Ethernet connection.


