From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: Forwarding traffic from public IP to public IP.
Date: Wed, 28 Nov 2007 10:38:41 -0600
Message-ID: <474D9991.5000009@riverviewtech.net>
In-Reply-To: <AFB1C16E164D73439741623EBFEA771C4DB039@lex-exch1.lexionmedical.com>
On 11/28/07 10:09, Jason Hawthorne wrote:
> I need to temporarily forward all traffic from one public IP address
> (a.b.c.d) to another public IP address (e.f.g.h). I have tried
> setting up iptables with the following rule
>
> -t nat -A PREROUTING -d a.b.c.d -j DNAT --to-destination e.f.g.h
>
> but it doesn't seem to be working. As far as I can tell the traffic
> is getting forwarded to the final IP (e.f.g.h) but when the return
> traffic comes back it doesn't come back through the debian box, it
> goes straight to the source and fails. Basically it skips the debian
> box on its return like this
>
> SOURCE ---> DEBIAN (iptables with nat) ---> DESTINATION ---> SOURCE
Ah, yes. This is what I like to refer to as a "TCP Triangle". You see the
problems with it.
> Is there a way to get this working with iptables?
Yes there is a way to get around this. You need to SNAT the traffic as
it's leaving DEBIAN on its way to DESTINATION so that it will follow the
same path in reverse back to the original client. Thus you end up with
this:
SOURCE ---> DEBIAN ---> DESTINATION ---> DEBIAN ---> SOURCE
The main problem with this is that your DESTINATION system will not see
the real source IP of the traffic. If this is important, you may want
to consider some sort of reverse proxy that will add a header with the
original IP address in it (I think that is how this can work???) or you
may want to look into something like Linux Virtual Server's Direct
Routing solution if the DESTINATION is on the same network as DEBIAN and
can thus use the same return path. (Refer to LVS DR approach for more
details on how this actually works.)
Grant. . . .
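The DNAT-plus-SNAT arrangement Grant describes, written out as an added example (this is not code from the thread). It keeps the thread's placeholders a.b.c.d (the public address on DEBIAN) and e.f.g.h (DESTINATION); w.x.y.z for DEBIAN's own address towards DESTINATION, the function names and the environment-variable names are my assumptions. The SNAT rule is deliberately limited to connections that were DNATed, using the conntrack match's virtual DNAT state, so ordinary forwarded traffic is left alone:

```shell
#!/bin/sh
# Added example, not from the original thread: forward traffic for
# a.b.c.d on DEBIAN to e.f.g.h and make the replies come back through
# DEBIAN by SNATing only the DNATed connections.
# Assumptions: a.b.c.d and e.f.g.h come from the thread; w.x.y.z (an
# address DEBIAN holds on the interface facing DESTINATION) and the
# variable/function names are placeholders chosen for this example.
PUBLIC_IP="${PUBLIC_IP:-a.b.c.d}"   # address SOURCE connects to, held by DEBIAN
TARGET_IP="${TARGET_IP:-e.f.g.h}"   # DESTINATION, the real server
SNAT_IP="${SNAT_IP:-w.x.y.z}"       # DEBIAN's address on the path to DESTINATION

# Emit the rule set in iptables-restore format.
#
# PREROUTING rewrites the destination. Without the POSTROUTING rule,
# DESTINATION sees packets from SOURCE's real address and answers it
# directly, skipping DEBIAN (the "TCP triangle"). With it, the flow's
# source becomes SNAT_IP, DESTINATION replies to DEBIAN, and conntrack
# reverses both translations so SOURCE sees the reply from a.b.c.d.
# "--ctstate DNAT" is a virtual conntrack state that matches only flows
# whose original destination was rewritten, so nothing else is SNATed.
# If SNAT_IP is not fixed, "-j MASQUERADE" (no --to-source) can be used
# instead; it picks the outgoing interface's address automatically.
nat_rules() {
    cat <<EOF
*nat
-A PREROUTING -d ${PUBLIC_IP} -j DNAT --to-destination ${TARGET_IP}
-A POSTROUTING -d ${TARGET_IP} -m conntrack --ctstate DNAT -j SNAT --to-source ${SNAT_IP}
COMMIT
*filter
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d ${TARGET_IP} -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# Enable forwarding and load the rules on top of the existing ones
# (--noflush keeps whatever is already configured; run this once).
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    nat_rules | iptables-restore --noflush
}

# "show" (default) prints the rule set; "apply" loads it and needs root.
case "${1:-show}" in
    apply) apply_rules ;;
    *)     nat_rules ;;
esac
```

Check the file first with `nat_rules | iptables-restore --test` on a recent iptables, then after applying, `conntrack -L -d e.f.g.h` should show each forwarded flow with the original tuple from SOURCE to a.b.c.d and the reply tuple from e.f.g.h to w.x.y.z; if the reply tuple still points at SOURCE's address, the POSTROUTING rule is not matching. As the message says, the price is that DESTINATION only ever sees w.x.y.z as the client address.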
Thread overview: 17+ messages
2007-11-28 16:09 Forwarding traffic from public IP to public IP Jason Hawthorne
2007-11-28 16:38 ` Grant Taylor [this message]
2007-11-28 17:45 ` Jason Hawthorne
2007-11-28 17:56 ` Blocking web-based proxy traffic James Lay
2007-11-28 19:20 ` Grant Taylor
2007-11-28 20:01 ` James Lay
2007-11-28 20:07 ` Grant Taylor
2007-11-28 20:16 ` James Lay
2007-11-28 20:35 ` Grant Taylor
2007-11-29 10:55 ` Benny Amorsen
2007-11-29 14:24 ` James Lay
2007-11-29 19:21 ` Grant Taylor
2007-11-28 21:41 ` Tagg McDonald
2007-11-29 1:53 ` dhottinger
2007-11-28 19:17 ` Forwarding traffic from public IP to public IP Grant Taylor
2007-11-28 20:11 ` Jason Hawthorne
2007-11-28 20:42 ` Grant Taylor