* forward/proxy/something one external IP to an other
From: Jan Agermose @ 2008-09-26 16:50 UTC (permalink / raw)
To: netfilter
Hi,
we are going to move some servers from one datacenter to another and
not all DNS are under our direct control, so I want to place a Linux box
in the old center to forward traffic for the old IPs to the new IPs - or
I'm hoping this is possible :) So that traffic going to the old IPs will
still work until all DNS is updated.
The servers are on a NAT 1-1 network and are moved to a new 1-1 NAT
network - if this matters?
Can someone explain if it's possible and how to do it?
Regards
Jan
* Re: forward/proxy/something one external IP to an other
From: Grant Taylor @ 2008-09-26 18:42 UTC (permalink / raw)
To: Mail List - Netfilter
On 09/26/08 11:50, Jan Agermose wrote:
> we are going to move some servers from one datacenter to another and
> not all DNS are under our direct control, so I want to place a Linux
> box in the old center to forward traffic for the old IPs to the new
> IPs - or I'm hoping this is possible :) So that traffic going to the
> old IPs will still work until all DNS is updated.
Ok...
> The servers are on a NAT 1-1 network and are moved to a new 1-1 NAT
> network - if this matters?
Should not matter.
> Can someone explain if it's possible and how to do it?
Yes it is possible. You will need to DNAT the traffic as it comes in to
the nat:PREROUTING chain to redirect it over to the real server as well
as SNAT the traffic as it leaves the nat:POSTROUTING chain so that the
traffic appears to the real server as if it is coming from the NATing
server. By making the traffic appear as being from the NATing server
the real server will reply back to the NATing server which can then
unNAT the traffic and reply directly back to the real client.
Or, you could run something like rinetd which will accept the
connections and then proxy them to the real server. This is extremely
easy to set up too.
Grant. . . .
* Re: forward/proxy/something one external IP to an other
From: Brian Austin - Standard Universal @ 2008-09-26 23:25 UTC (permalink / raw)
To: Grant Taylor; +Cc: Mail List - Netfilter
Grant Taylor wrote:
> On 09/26/08 11:50, Jan Agermose wrote:
>> we are going to move some servers from one datacenter to another and
>> not all DNS are under our direct control, so I want to place a Linux
>> box in the old center to forward traffic for the old IPs to the new
>> IPs - or I'm hoping this is possible :) So that traffic going to the
>> old IPs will still work until all DNS is updated.
>
> Ok...
>
>> The servers are on a NAT 1-1 network and are moved to a new 1-1 NAT
>> network - if this matters?
>
> Should not matter.
>
>> Can someone explain if it's possible and how to do it?
>
> Yes it is possible. You will need to DNAT the traffic as it comes in
> to the nat:PREROUTING chain to redirect it over to the real server as
> well as SNAT the traffic as it leaves the nat:POSTROUTING chain so
> that the traffic appears to the real server as if it is coming from
> the NATing server. By making the traffic appear as being from the
> NATing server the real server will reply back to the NATing server
> which can then unNAT the traffic and reply directly back to the real
> client.
>
> Or, you could run something like rinetd which will accept the
> connections and then proxy them to the real server. This is extremely
> easy to set up too.
>
>
>
> Grant. . . .
I think like this...
iptables -t nat -A PREROUTING -d 192.168.19.253 -i eth19 -p tcp --dport 993 -j DNAT --to-destination 192.168.41.5:993
iptables -t nat -A POSTROUTING -d 192.168.41.5 -j MASQUERADE
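
[Added example, not part of any message in this thread: a small generator for the DNAT + SNAT pair Grant describes, using the addresses and port from Brian's rules. It goes slightly beyond the thread by also emitting FORWARD rules limited to the forwarded flow and a LOG rule on the forwarding box, since the real server will only ever see the NATing server's address. The function names, the log prefix and the SNAT source 192.0.2.10 are constructed for illustration.]

```shell
#!/bin/sh
# Added example: prints (does not execute) the rules for one old->new forward
# so they can be reviewed first. Function names/arguments are hypothetical.

is_ipv4() {
    # Dotted quad only, each octet 0-255; rejects anything shell-significant.
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# gen_forward_rules OLD_IP NEW_IP PROTO PORT NAT_IP
#   NAT_IP is the forwarding box's own address on the path to NEW_IP.
gen_forward_rules() {
    old_ip=$1 new_ip=$2 proto=$3 port=$4 nat_ip=$5
    is_ipv4 "$old_ip" && is_ipv4 "$new_ip" && is_ipv4 "$nat_ip" || return 1
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1

    # Rule order matters: LOG before DNAT so the original client source and
    # old destination are recorded. The nat table only sees the first packet
    # of a connection, so this is one log line per new connection.
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -d $old_ip -p $proto --dport $port -j LOG --log-prefix "old-ip-fwd: "
iptables -t nat -A PREROUTING -d $old_ip -p $proto --dport $port -j DNAT --to-destination $new_ip:$port
iptables -t nat -A POSTROUTING -d $new_ip -p $proto --dport $port -j SNAT --to-source $nat_ip
iptables -A FORWARD -d $new_ip -p $proto --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $new_ip -p $proto --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# Sample call with the values from the message above (NAT_IP is constructed).
gen_forward_rules 192.168.19.253 192.168.41.5 tcp 993 192.0.2.10
```

SNAT with a fixed --to-source is used here in place of MASQUERADE because the forwarding box has a static address; either makes the real server reply via the forwarding box.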