
Iptables : forward port from another server than the gateway

Here is the situation. We have multiple servers on our intranet 192.168.1.0/24. One of them is the default gateway for all of them and has two interfaces ($GATEWAY_INTERNAL_IP and $GATEWAY_EXTERNAL_IP).

We also have another server, PUBLICHOST2, which has two IPs as well: $PUBLICHOST_EXTERNAL_IP and $PUBLICHOST_INTERNAL_IP.

We have a third server, SERVER, which has only one IP, $PRIVIP, and binds on port $PORT.

What we want is to be able to forward port $PORT on $PUBLICHOST_EXTERNAL_IP to host SERVER on $PRIVIP.

But when we do the port forwarding using iptables on PUBLICHOST2, SERVER receives the request but the response goes through the gateway and the connection is not successful.

How can we properly do the setup so that the response goes back through PUBLICHOST2?

Thanks


You may need to set forwarding on for the interface. Try the command.

sysctl -w net.ipv4.conf.eth0.forwarding=1

If you need additional help look for documentation on routeback or the Shorewall FAQ.


Well, here is what happens:

  • Client1 sends a request to PublicHost
  • The request arrives and the iptables rule redirects the traffic (PAT) to the Server on the correct AppPort
  • Server sends back a reply to Client1 which will be routed by Gateway
  • Gateway is doing NAT and replaces the source IP with its own
  • Client1 or Client1sGateway receives the IP packet with Gateway as the source but it expected PublicHost's IP in the source field of the IP packet.
  • Eventually Client1 resends the SYN/ACK (except if you're using a synproxy) to PublicHost and then drops the connection when whatever network related timer expires.

Now if you want to fix this, you should route all TCP traffic going OUT of Server and with a source port of AppPort to PublicHost.

If this doesn't work, PublicHost is not properly configured. Be sure to test the configuration with tcpdump.
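The routing fix described in this answer, as an added example that is not part of the original post: on SERVER, packets leaving from the application port are marked in the mangle OUTPUT chain and a policy-routing rule sends marked packets to a dedicated table whose only route is a default via PUBLICHOST2's internal address. It assumes PUBLICHOST2 already has its DNAT rule in place with IP forwarding enabled, and that PUBLICHOST2 and SERVER sit on the same LAN. The addresses, the table number and the mark value are constructed placeholders; `ip rule show` output used by the checker is likewise a constructed sample.

```shell
#!/bin/sh
# Added example: source-port policy routing on SERVER so that replies from the
# forwarded service go back via PUBLICHOST2 instead of the default gateway.
# All values below are constructed placeholders; override them via the environment.
PORT="${PORT:-8080}"
LAN="${LAN:-192.168.1.0/24}"                                  # intranet from the question
PUBLICHOST_INTERNAL_IP="${PUBLICHOST_INTERNAL_IP:-192.168.1.2}"
TABLE_ID="${TABLE_ID:-100}"                                   # any unused routing table
FWMARK="${FWMARK:-0x1}"
DRY_RUN="${DRY_RUN:-1}"                                       # 1 = print commands, 0 = apply (root)

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

server_policy_routing() {
  # 1. Mark locally generated TCP packets sourced from the service port, except those
  #    addressed to the LAN itself: intranet clients must keep their direct path, and the
  #    dedicated table below has no connected route for them.
  run iptables -t mangle -A OUTPUT -p tcp --sport "$PORT" ! -d "$LAN" \
      -j MARK --set-mark "$FWMARK"
  # 2. A table whose only entry is a default route via PUBLICHOST2's internal address.
  run ip route add default via "$PUBLICHOST_INTERNAL_IP" table "$TABLE_ID"
  # 3. Consult that table for marked packets before the main table (priority < 32766).
  #    The kernel re-evaluates the route after mangle OUTPUT changes the mark.
  run ip rule add fwmark "$FWMARK" lookup "$TABLE_ID" priority 1000
}

# Given the text of `ip rule show`, report whether the rule from step 3 is installed.
# ip rule prints the mark in hex, e.g. "1000:   from all fwmark 0x1 lookup 100".
policy_rule_present() {
  printf '%s\n' "$1" | grep -q "fwmark $FWMARK lookup $TABLE_ID"
}

# Constructed sample of `ip rule show` output on a host where the rule is active.
SAMPLE_IP_RULE='0:      from all lookup local
1000:   from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'

server_policy_routing
policy_rule_present "$SAMPLE_IP_RULE" && echo "policy rule present"
```

Run with DRY_RUN=1 (the default) to review the generated commands, then DRY_RUN=0 as root on SERVER. Because nothing is rewritten on SERVER, the application still sees the client's real source address, which the SNAT approach on PUBLICHOST2 would hide. On kernels and iproute2 from about 4.17 onward, `ip rule` can match `sport` directly, which removes the need for the mark (stated from memory, so verify on your release); the mark-based form works on older kernels too. To confirm the path, run tcpdump on PUBLICHOST2's internal interface and check that SERVER's replies arrive there.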


I've been trying to do something similar. After running through a bunch of tutorials that never seemed to work until I Wiresharked the connection to discover that the destination address was still set to the external IP address (exactly like you've described), I tried using the POSTROUTING chain to change the source IP address to that of the server:

iptables -t nat -A POSTROUTING -p <tcp/udp> --dport <destination_port> -j SNAT --to <$PUBLICHOST_INTERNAL_IP>

After I added that rule, the connection was forwarded into the private network and the response packets retraced the same path back to the client, rather than through the network gateway. I'm not positive what allowed the response packets back out through the firewall server, but I think it was because of the rule I already had on the INPUT chain to allow established connections:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

The thing to be sure to keep in mind with this solution is: if you ever change the firewall server's internal IP address, then you will need to update the above POSTROUTING rule. (Needless to say, it's probably best if the firewall server has a statically assigned internal IP address).
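The complete rule set for this approach on PUBLICHOST2, as an added example that is not code from the answer above: the DNAT in PREROUTING, FORWARD rules that admit only the forwarded flow and its return traffic, and the POSTROUTING SNAT narrowed to packets headed for $PRIVIP:$PORT rather than every packet with that destination port. It also includes a check on a conntrack entry that tells you whether SNAT actually applied to a flow, which is the question the answer leaves open. Interface name, addresses and the conntrack lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: DNAT + scoped SNAT on PUBLICHOST2, plus a conntrack sanity check.
# All values are constructed placeholders; override them via the environment.
EXT_IF="${EXT_IF:-eth0}"                                        # carries $PUBLICHOST_EXTERNAL_IP
PUBLICHOST_EXTERNAL_IP="${PUBLICHOST_EXTERNAL_IP:-198.51.100.5}"
PUBLICHOST_INTERNAL_IP="${PUBLICHOST_INTERNAL_IP:-192.168.1.2}"
PRIVIP="${PRIVIP:-192.168.1.50}"
PORT="${PORT:-8080}"
DRY_RUN="${DRY_RUN:-1}"                                         # 1 = print commands, 0 = apply (root)

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

publichost_forwarding() {
  run sysctl -w net.ipv4.ip_forward=1
  # Rewrite only what arrives on the external interface for the published port.
  run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLICHOST_EXTERNAL_IP" \
      -p tcp --dport "$PORT" -j DNAT --to-destination "$PRIVIP:$PORT"
  # Admit exactly that flow through FORWARD, and return traffic of any accepted flow.
  run iptables -A FORWARD -i "$EXT_IF" -d "$PRIVIP" -p tcp --dport "$PORT" \
      -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # SNAT only the forwarded flow, so SERVER answers this host instead of the gateway.
  # Matching on -d/-p/--dport (not just --dport) keeps unrelated traffic untouched.
  run iptables -t nat -A POSTROUTING -d "$PRIVIP" -p tcp --dport "$PORT" \
      -j SNAT --to-source "$PUBLICHOST_INTERNAL_IP"
}

# Inspect one /proc/net/nf_conntrack (or `conntrack -L`) line. The second "dst=" is the
# destination of the reply direction; with SNAT in effect it is this host's internal IP.
# Prints "ok" (return 0) or "no-snat" (return 1); the latter means SERVER will answer the
# client directly and the reply will leave via the default gateway.
check_conntrack_line() {
  reply_dst=$(printf '%s\n' "$1" | awk '{ n = 0
      for (i = 1; i <= NF; i++) if ($i ~ /^dst=/) { n++
          if (n == 2) { sub(/^dst=/, "", $i); print $i } } }')
  if [ "$reply_dst" = "$PUBLICHOST_INTERNAL_IP" ]; then echo ok; return 0; fi
  echo no-snat; return 1
}

# Constructed conntrack lines: one flow with DNAT + SNAT, one with DNAT only.
SAMPLE_SNAT='ipv4 2 tcp 6 431999 ESTABLISHED src=203.0.113.10 dst=198.51.100.5 sport=51234 dport=8080 src=192.168.1.50 dst=192.168.1.2 sport=8080 dport=51234 [ASSURED] mark=0 use=1'
SAMPLE_DNAT_ONLY='ipv4 2 tcp 6 119 SYN_SENT src=203.0.113.10 dst=198.51.100.5 sport=51234 dport=8080 src=192.168.1.50 dst=203.0.113.10 sport=8080 dport=51234 mark=0 use=1'

publichost_forwarding
check_conntrack_line "$SAMPLE_SNAT"
check_conntrack_line "$SAMPLE_DNAT_ONLY" || true
```

Review the output with DRY_RUN=1, then apply with DRY_RUN=0 as root on PUBLICHOST2, and run the conntrack check against a live entry while a client connection is open. The cost of this approach is that SERVER logs PUBLICHOST2's internal address as the client for every forwarded connection; if the application needs the real client address, steer the replies on SERVER with policy routing instead and leave the source address alone.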
