-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings Alec,

: My TCP clients connect to box A. I need to forward those
: connections to a server on box B, such that the original client
: IPs are visible to the server on B.
:
: Each box has two Ethernet ports. One port on each box is
: connected to WAN, and they are cross-connected in a LAN via
: remaining ports:
:
:          -------------------           -------------------
: WAN -- |eth0   Box A   eth1|---LAN---|eth1   Box B   eth0| -- WAN
:          -------------------           -------------------
:
: Is there a way to do this with iproute2 and iptables tools ONLY?
: Can you provide an example? Nothing in Google after more than a
: week of searching. An additional requirement is to reduce the
: load on box A as much as possible (I guess the server on B would
: still have to reply to the client via A, not using B's own WAN
: interface however..)

You need to provide us a bit more information to help you figure out
the right way to solve this problem.  Why is DNAT not sufficient?
Given your description, you should simply be able to:

  iptables -t nat -i eth0 [...] -j DNAT --to-destination $BOX_B_ETH1

If it were that simple, though, you shouldn't have spent a week
looking for the answer.  Do you have a TCP service on Box A which is
providing services to the client across the WAN?  If so, then you are
looking for something called transparent proxying in the Linux
networking world.  You will want to examine the tproxy patches to
iptables [0].

If you go with the transparent proxying method, it's helpful to
remember:

  * the client thinks it's connected to Box A
  * Box A knows it's connected to the client
  * Box A uses client's source address to initiate traffic to Box B
  * Box B thinks it's connected to client

In either case, you are correct about routing.  Box B must send its
traffic back to Box A to forward back across the LAN.

Good luck,

- -Martin

  [0] http://www.balabit.com/products/oss/tproxy/
      http://www.balabit.com/downloads/tproxy/linux-2.4/

- --
Martin A. Brown
http://linux-ip.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)

iD8DBQFF74/JHEoZD1iZ+YcRAlRaAJ4wf2fIc3oBJnGstjUBdpKWn1wOsQCbB2Ee
5Q7zrssGkA02Pq+298i9tEA=
=O3sf
-----END PGP SIGNATURE-----

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
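The DNAT route Martin sketches, written out end to end as an added example (editor's code, not part of the thread and not Martin's): the full PREROUTING rule on Box A, the FORWARD rules that let the redirected flow through, and the return routing on Box B so that replies travel back via Box A's LAN interface instead of Box B's own WAN port. Interface names follow the diagram; the addresses, the service port and the fwmark-based policy route on Box B are assumptions chosen for the example. Every command is printed rather than executed unless APPLY=1 is set, so the script can be read and checked before it touches a live box.

```shell
#!/bin/sh
# Added example for the LARTC thread above; not the list's or the author's code.
# All addresses and the port are constructed placeholders (TEST-NET and RFC 1918).
set -eu

BOX_A_LAN=192.168.100.1     # Box A eth1, LAN cross-connect (assumed)
BOX_B_LAN=192.168.100.2     # Box B eth1, LAN cross-connect (assumed)
SERVICE_PORT=8080           # TCP service on Box B (assumed)

# run: print the command, or execute it when APPLY=1 (must be root on the box).
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Box A: rewrite only the destination of incoming WAN connections.
# The client's source address is untouched, so Box B's server sees the real IP.
box_a_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i eth0 -p tcp --dport "$SERVICE_PORT" \
        -j DNAT --to-destination "$BOX_B_LAN:$SERVICE_PORT"
    # Allow the redirected flow towards Box B and its established replies back out.
    run iptables -A FORWARD -i eth0 -o eth1 -p tcp -d "$BOX_B_LAN" \
        --dport "$SERVICE_PORT" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i eth1 -o eth0 \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Box B: replies carry a WAN client as destination. They must leave via eth1
# towards Box A, whose conntrack entry reverses the DNAT; if they left via
# Box B's own WAN port the client would see an unexpected source and reset.
# Only traffic sourced from the service port is steered this way (fwmark +
# policy route), so Box B keeps its own WAN default route for everything else.
box_b_rules() {
    # Packets arriving on eth1 with a WAN source would otherwise fail reverse-path
    # filtering; relax it on the LAN interface only.
    run sysctl -w net.ipv4.conf.eth1.rp_filter=0
    run iptables -t mangle -A OUTPUT -p tcp --sport "$SERVICE_PORT" -j MARK --set-mark 1
    run ip route add default via "$BOX_A_LAN" dev eth1 table 100
    run ip rule add fwmark 1 lookup 100
}

case "${1:-show}" in
    a) box_a_rules ;;
    b) box_b_rules ;;
    *) echo "# Box A:"; box_a_rules; echo "# Box B:"; box_b_rules ;;
esac
```

Run `sh forward.sh a` on Box A and `sh forward.sh b` on Box B to review the generated commands, then repeat with `APPLY=1` to apply them. Box A's own load is limited to conntrack lookups and forwarding; it runs no userspace proxy, which is the difference from the tproxy approach Martin describes for the case where Box A itself terminates the TCP connection.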