From: "Javier Prieto Martínez" <javier.prieto.ext@juntadeandalucia.es>
To: Grant Taylor <gtaylor@riverviewtech.net>
Cc: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: Redirecting ports in a bridge
Date: Mon, 21 Apr 2008 08:55:38 +0200 [thread overview]
Message-ID: <480C3A6A.3090206@juntadeandalucia.es> (raw)
In-Reply-To: <4808B26F.4060205@riverviewtech.net>
Grant Taylor wrote:
> Ok, forgive me for asking. Is this appliance multi-purpose in such
> that it is supposed to log and redirect traffic?
Yes, it's multi-purpose:
http://www.eneotecnologia.com/products_en.html?TB_iframe=true&height=510&width=800
* *Firewall & QoS.-* High performance stateful firewall and quality
of service.
* *Web cache & content filter.-* Blacklist and whitelist mode with LDAP
or AD authentication.
* *VPN.-* L2TP / IPSEC – X.509, NAT Traversal and high availability.
* *IPS / IDS.-* Snort 2.6 based with hardware acceleration.
* *Load balancing.-* LVS based – L3/4 classification, different
algorithms.
* *High availability.-* VRRP (Router mode) and STP (Bridge mode).
* *Malware.-* Antivirus (ClamAV, Kaspersky), antispam (DSPAM,
Mailshell), antispyware (Kaspersky, PCTools or Sunbelt) with
hardware acceleration.
* *NetFlow probe.-* NetFlow v5/9 Probe.
We use it in bridge mode, mainly for traffic logging, and sometimes for
packet filtering.
> As Jan Engelhardt has pointed out so well, you are very likely
> dealing with (what I call) a "TCP Triangle". If there is not
> something else in the mix doing source NATing, you will need to do
> something else to avoid the "TCP Triangle". There are many different
> options available, one of which is the SNATing like you are
> referring to (though I would be careful on selecting the packets to
> SNAT). Another would be to have your clients connect to IPs on LAN 1
> that are bound to the router that is DNATing traffic to LAN 2 and
> then unDNATing the replies. You could also have duplicate IPs bound
> on server 1 and server 2 and use some clustering techniques to alter
> which MAC address / server the packet(s) go to, thus allowing both
> servers to answer with the proper IP.
I still want the bridge to be totally transparent, and I don't want to
mess with the real IPs, as I don't want the probe to be a single point
of failure. In fact, its network cards still work as a bridge when the
machine is down.
I suppose I should use SNAT, then, as you've stated, but it doesn't seem
to work properly. I'm trying this:
# iptables -t nat -A PREROUTING -p tcp -d 192.168.2.1 --dport 80 -j DNAT --to-destination 192.168.2.2:80
# iptables -t nat -A POSTROUTING -p tcp --sport 80 -s 192.168.2.2 -d 192.168.1.0/24 -j SNAT --to-source 192.168.2.1
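Added example, not taken from Javier's message or from anyone else in the thread: a small shell script that loads the redirect the way iptables parses it (target options such as --to-destination must come after -j DNAT), turns on bridge-nf so that bridged frames actually traverse the nat table, and limits the SNAT to packets that conntrack has already marked as DNATed, which is one concrete way of "being careful on selecting the packets to SNAT". The addresses and the port are the thread's; the bridge name br0, the br_netfilter module name, the requirement that the bridge device carry an address in the server subnet, and the IPT=echo dry-run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): redirect tcp/80 for 192.168.2.1 to
# 192.168.2.2 on a transparent Linux bridge, keeping the SNAT narrow.
# Assumed: bridge br0 with the two probe NICs as ports, and br0 holding an
# address in 192.168.2.0/24 so the kernel can ARP for the rewritten
# destination after DNAT (br_netfilter does that neighbour lookup itself).
set -eu

IPT="${IPT:-iptables}"      # IPT=echo prints the rules instead of loading them (dry run)
SYSCTL="${SYSCTL:-sysctl}"
BR_IF="${BR_IF:-br0}"       # assumed bridge device name
REAL_SRV=192.168.2.1        # address the clients keep talking to
NEW_SRV=192.168.2.2         # host that should actually answer on port 80
PORT=80

# Bridged frames only pass through the iptables nat/filter tables when
# bridge-nf is enabled; on kernels 3.18+ the hook lives in br_netfilter.
enable_bridge_nf() {
    modprobe br_netfilter 2>/dev/null || true
    "$SYSCTL" -w net.bridge.bridge-nf-call-iptables=1
}

# The two NAT rules. The DNAT is the redirect itself; the SNAT only touches
# packets that belong to a connection conntrack has already DNATed, so no
# unrelated traffic towards 192.168.2.2:80 ever gets its source rewritten.
# On an inline bridge where the replies come back through the box, conntrack
# reverses the DNAT on its own and the SNAT is only needed if 192.168.2.2's
# replies could otherwise bypass the bridge (the "TCP triangle").
apply_rules() {
    "$IPT" -t nat -A PREROUTING -p tcp -d "$REAL_SRV" --dport "$PORT" \
        -j DNAT --to-destination "$NEW_SRV:$PORT"
    "$IPT" -t nat -A POSTROUTING -p tcp -d "$NEW_SRV" --dport "$PORT" \
        -m conntrack --ctstate DNAT \
        -j SNAT --to-source "$REAL_SRV"
}

# Verification: packet/byte counters on the two nat rules must move when a
# client connects, and conntrack must show the translated tuple.
show_state() {
    "$IPT" -t nat -L PREROUTING -v -n --line-numbers
    "$IPT" -t nat -L POSTROUTING -v -n --line-numbers
    conntrack -L -p tcp --dport "$PORT" 2>/dev/null || true
}

case "${1:-}" in
    apply) enable_bridge_nf; apply_rules ;;
    show)  show_state ;;
esac
```

Run it as root with `apply` once the bridge is up, then `show` while a client on 192.168.1.0/24 opens a connection to 192.168.2.1:80; if the PREROUTING counter stays at zero the frames are not reaching the nat table, which almost always means bridge-nf-call-iptables is still 0. `IPT=echo ./script.sh apply` prints the rules without touching the kernel.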