Re: routing TCP to another box preserving ORIGINAL client IPs

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings Alec,

 : My TCP clients connect to box A. I need to forward those 
 : connections to a server on box B, such that the original client 
 : IPs are visible to the server on B.
 : 
 : Each box has two Ethernet ports. One port on each box is 
 : connected to WAN, and they are cross-connected in a LAN via 
 : remaining ports:
 : 
 :         -------------------           -------------------
 : WAN -- |eth0   Box A   eth1|---LAN---|eth1   Box B   eth0| -- WAN
 :         -------------------           -------------------
 : 
 : 
 : Is there a way to do this with iproute2 and iptables tools ONLY? 
 : Can you provide an example? Nothing in Google after more than a 
 : week of searching. An additional requirement is to reduce the 
 : load on box A as much as possible (I guess the server on B would 
 : still have to reply to the client via A, not using B's own WAN 
 : interface however..)

You need to provide us a bit more information to help you figure out 
the right way to solve this problem.  Why is DNAT not sufficient?  
Given your description, you should simply be able to:

  iptables -t nat -i eth0 [...] -j DNAT --to-destination $BOX_B_ETH1

If it were that simple, though, you shouldn't have spent a week 
looking for the answer.

Do you have a TCP service on Box A which is providing services to 
the client across the WAN?  If so, then you are looking for 
something called transparent proxying in the Linux networking world.  
You will want to examine the tproxy patches to iptables [0].

If you go with the transparent proxying method, it's helpful to 
remember:

  * the client thinks it's connected to Box A
  * Box A knows its connected to the client
  * Box A uses client's source address to initiate traffic to Box B
  * Box B thinks it's connected to client

In either case, you are correct about routing.  Box B must send its 
traffic back to Box A to forward back across the LAN.

Good luck,

- -Martin

 [0] http://www.balabit.com/products/oss/tproxy/
     http://www.balabit.com/downloads/tproxy/linux-2.4/

- -- 
Martin A. Brown
http://linux-ip.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)

iD8DBQFF74/JHEoZD1iZ+YcRAlRaAJ4wf2fIc3oBJnGstjUBdpKWn1wOsQCbB2Ee
5Q7zrssGkA02Pq+298i9tEA=
=O3sf
-----END PGP SIGNATURE-----
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux