On 11/28/07 10:09, Jason Hawthorne wrote:
> I need to temporarily forward all traffic from one public IP address
> (a.b.c.d) to another public IP address (e.f.g.h). I have tried
> setting up iptables with the following rule
> iptables -t nat -A PREROUTING -d a.b.c.d -j DNAT --to-destination e.f.g.h
> but it doesn't seem to be working. As far as I can tell the traffic
> is getting forwarded to the final IP (e.f.g.h) but when the return
> traffic comes back it doesn't come back through the debian box, it
> goes straight to the source and fails. Basically it skips the debian
> box on its return like this
> SOURCE ---> DEBIAN (iptables with nat) ---> DESTINATION ---> SOURCE
Ah, yes. This is what I like to refer to as a "TCP Triangle". You see the
problems with it.
> Is there a way to get this working with iptables?
Yes, there is a way to get around this. You need to SNAT the traffic as
it's leaving DEBIAN on its way to DESTINATION so that it will follow the
same path in reverse back to the original client. Thus you end up with
this:
SOURCE ---> DEBIAN ---> DESTINATION ---> DEBIAN ---> SOURCE
The main problem with this is that your DESTINATION system will not see
the real source IP of the traffic. If this is important, you may want
to consider some sort of reverse proxy that will add a header with the
original IP address in it (I think that is how this can work???) or you
may want to look into something like Linux Virtual Server's Direct
Routing solution if the DESTINATION is on the same network as DEBIAN and
can thus use the same return path. (Refer to the LVS DR approach for more
details on how this actually works.)
Grant. . . .
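The DNAT-plus-SNAT setup described above, written out as an added example (not code from the thread). It assumes DEBIAN's own public address is w.x.y.z (a placeholder), and it prints the rules instead of applying them unless DRY_RUN=0 is set, so the rule set can be reviewed first.

```sh
#!/bin/sh
# Added example: Jason's DNAT rule plus the SNAT rule Grant describes, so
# DESTINATION's replies come back through DEBIAN instead of going straight
# to SOURCE. Assumption: w.x.y.z is DEBIAN's own public IP (placeholder).

# Dry-run by default: print each command instead of executing it.
# Set DRY_RUN=0 to apply the rules for real (needs root and iptables).
DRY_RUN="${DRY_RUN:-1}"
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# forward_all PUBLIC_IP DEST_IP SNAT_IP
forward_all() {
    public="$1"; dest="$2"; snat="$3"
    # DEBIAN must actually route between the two hops.
    run sysctl -w net.ipv4.ip_forward=1
    # Inbound: rewrite the destination to the real server (Jason's rule).
    run iptables -t nat -A PREROUTING -d "$public" \
        -j DNAT --to-destination "$dest"
    # Outbound towards DESTINATION: rewrite the source to DEBIAN's own
    # address, but only for flows that were DNATed above, so DESTINATION
    # replies to DEBIAN and conntrack undoes both rewrites on the way back.
    # This is what breaks the "triangle"; the cost is that DESTINATION
    # only ever sees $snat as the client address.
    run iptables -t nat -A POSTROUTING -d "$dest" \
        -m conntrack --ctstate DNAT -j SNAT --to-source "$snat"
    # Let the forwarded flow through the filter table in both directions.
    run iptables -A FORWARD -d "$dest" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$dest" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

forward_all a.b.c.d e.f.g.h w.x.y.z
```

Check the result with `iptables -t nat -L -n -v` and `conntrack -L` (if installed): each forwarded connection should show a DNAT to e.f.g.h and an SNAT from w.x.y.z on the same entry.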