LinuxQuestions.org - Linux - Networking
Thread: iptables: forward traffic through server (http://www.linuxquestions.org/questions/linux-networking-3/iptables-forward-traffic-through-server-631196/)

Swakoo 03-28-2008 03:56 AM

iptables: forward traffic through server
 
Hi guys,

I have an infrastructure like this:

Router -> Firewall -> Load Balancer -> WebServer -> Backup Server

The infrastructure shown here is minimal; only the servers involved are shown.
The router, firewall and load balancer are on the same subnet (1.x).
The load balancer and web server are on another subnet (2.x).
The web server and backup server are on the last subnet, also a private subnet (3.x).


All subnets are using private addressing.

The web server is able to route out and serve pages because it is routable via the load balancer, which goes to the router. This is done via NAT on the router end.

Now, I have a need to allow my backup server to connect out to the internet to access another off-site backup server.

Rather than just pull a cable to connect to the router, I was wondering if it is possible to make use of iptables on the web server to route traffic out. I just need to rely on the rsync, scp and ssh protocols, but for now I am just testing with all traffic.

I followed this page: http://howtoforge.com/nat_iptables
I managed to allow the backup server on 3.x to ping 2.x, but not beyond, and strangely I am not able to ping the 2.x interface on the load balancer.

Is it technically even possible to do this?

thanks!

blackhole54 03-29-2008 12:41 AM

I don't think you should need iptables at all if all you want to do is initiate connections from the backup server to the Internet and allow return traffic. (As opposed to port forwarding traffic originating from the Internet. You may wish to add rules to the FORWARD chain to restrict traffic, but that is not necessary.) The first thing to do is make sure your web server can initiate connections to the Internet. Maybe this is already true. If not, I probably can't advise since I am not familiar with load balancers and what impact that might have on routing tables.

Once the webserver has the ability to initiate traffic to the Internet, all that should be required is to enable ip_forwarding (adding the line (w/o quotes) "net.ipv4.ip_forward = 1" in /etc/sysctl.conf is one way to enable it for IPv4) on the webserver, and to make the webserver the default route for the backup server.

Swakoo 03-30-2008 02:02 PM

Quote:

Originally Posted by blackhole54 (Post 3103764)
I don't think you should need iptables at all if all you want to do is initiate connections from the backup server to the Internet and allow return traffic. (As opposed to port forwarding traffic originating from the Internet. You may wish to add rules to the FORWARD chain to restrict traffic, but that is not necessary.) The first thing to do is make sure your web server can initiate connections to the Internet. Maybe this is already true. If not, I probably can't advise since I am not familiar with load balancers and what impact that might have on routing tables.

Once the webserver has the ability to initiate traffic to the Internet, all that should be required is to enable ip_forwarding (adding the line (w/o quotes) "net.ipv4.ip_forward = 1" in /etc/sysctl.conf is one way to enable it for IPv4) on the webserver, and to make the webserver the default route for the backup server.

My webserver is already web-routable :)

So setting the gateway on my backup server to the web server will solve the issue? Will the return connection know which is the initiating machine, considering I am trying to scp/ssh to other servers...

thanks!

blackhole54 03-30-2008 11:59 PM

Quote:

Originally Posted by Swakoo (Post 3105117)
So setting the gateway on my backup server to the web server will solve the issue? Will the return connection know which is the initiating machine, considering I am trying to scp/ssh to other servers...

Now you're making me self-conscious, wondering if I am forgetting anything. :-/

But yes, everything along the path should be keeping track of what is happening and route the return packets properly. Scp/ssh should be easy since it just uses the single port (no additional port like FTP, for example). You do have to enable ip_forwarding on your web server. I have only done this for IPv4, but I am sure there is an analogous method for IPv6 if you need it. The way I enable ip_forwarding for IPv4 is to add the line

Code:

net.ipv4.ip_forward = 1

to /etc/sysctl.conf

Alternatively, you can (as root):

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward

One or the other; you don't need both.

Since your router is doing NAT, the remote machine will, of course, see the NATted address instead of the local address of the backup server.
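The setup discussed in this thread, as an added example that is not part of any post above: it enables forwarding on the web server, restricts the FORWARD chain to the ssh/scp and rsync traffic the original poster needs (instead of "all traffic"), and makes the web server the backup server's default gateway. The subnet 192.168.3.0/24, the interfaces eth0/eth1 and the gateway address 192.168.3.1 are assumptions; the MASQUERADE rule is added so the load balancer and router need no route back to the 3.x subnet.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root on the web server with the
# argument "apply"; with no argument it only prints the commands it would run.
# Subnet, interfaces and gateway address below are assumptions for this example.
BACKUP_NET="${BACKUP_NET:-192.168.3.0/24}"  # the "3.x" backup subnet (assumed)
IN_IF="${IN_IF:-eth1}"                      # web server NIC facing 3.x (assumed)
OUT_IF="${OUT_IF:-eth0}"                    # web server NIC facing the 2.x side (assumed)
WEB_3X_ADDR="${WEB_3X_ADDR:-192.168.3.1}"   # web server's address on 3.x (assumed)

# Rules for the web server. FORWARD defaults to DROP; only ssh/scp (tcp/22)
# and the rsync daemon port (tcp/873) from the backup subnet are forwarded
# out, and replies come back through connection tracking. The MASQUERADE
# rule hides 3.x behind the web server's 2.x address, so the load balancer
# and router need no route back to 3.x.
forward_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IN_IF -o $OUT_IF -s $BACKUP_NET -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i $IN_IF -o $OUT_IF -s $BACKUP_NET -p tcp --dport 873 -j ACCEPT
iptables -t nat -A POSTROUTING -o $OUT_IF -s $BACKUP_NET -j MASQUERADE
EOF
}

# Command to run on the backup server: make the web server its default gateway.
backup_route() {
  echo "ip route replace default via $WEB_3X_ADDR"
}

# Quick check that forwarding is really on in the kernel.
ip_forward_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

case "${1:-print}" in
  apply)
    forward_rules | sh -e
    ip_forward_enabled && echo "ip_forward is on" || echo "ip_forward is still off" ;;
  *)
    echo "# on the web server:"; forward_rules
    echo "# on the backup server:"; backup_route ;;
esac
```

Use sysctl.conf as described in the post above if the setting must survive a reboot; `sysctl -w` alone only changes the running kernel.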

