iptables: forward traffic through server
I have an infrastructure like this:
Router -> Firewall -> Load Balancer -> WebServer -> Backup Server
The infrastructure here is at a minimum; only the servers involved are shown.
The router, firewall and load balancer are on the same subnet (1.x).
The load balancer and web server are on another subnet (2.x).
The web server and backup server are on the last subnet, also a private subnet (3.x).
All subnets are using private addressing.
The web server is able to route out and serve pages because it is routable via the load balancer, which goes to the router. This is done via NAT on the router end.
Now, I have a need to allow my backup server to connect out to the internet to access another off-site backup server.
Rather than just pull a cable to connect to the router, I was wondering if it is possible to make use of iptables on the web server to route traffic out. I just need to rely on the rsync, scp and ssh protocols, but for now I am just testing with all traffic.
I followed this page: http://howtoforge.com/nat_iptables
And I managed to allow 3.x from the backup server to ping 2.x, but not beyond. Strangely, I am not able to ping the 2.x interface on the load balancer.
Is it technically even possible to do this?
I don't think you should need iptables at all if all you want to do is initiate connections from the backup server to the Internet and allow return traffic. (As opposed to port forwarding traffic originating from the Internet. You may wish to add rules to the FORWARD chain to restrict traffic, but that is not necessary.) The first thing to do is make sure your web server can initiate connections to the Internet. Maybe this is already true. If not, I probably can't advise since I am not familiar with load balancers and what impact that might have on routing tables.
Once the webserver has the ability to initiate traffic to the Internet, all that should be required is to enable ip_forwarding (adding the line (w/o quotes) "net.ipv4.ip_forward = 1" in /etc/sysctl.conf is one way to enable it for IPv4) on the webserver, and to make the webserver the default route for the backup server.
So setting the gateway on my backup server as the web server will solve the issue? Will the return connection know which is the initiating machine, considering I am trying to scp/ssh to other servers...
But yes, everything along the path should be keeping track of what is happening and route the return packets properly. Scp/ssh should be easy since it just uses the single port (no additional port like FTP, for example). You do have to enable ip_forwarding on your web server. I have only done this for IPv4, but I am sure there is an analogous method for IPv6 if you need it. The way I enable ip_forwarding for IPv4 is to add the line
Alternatively, you can (as root):
Since your router is doing NAT, the remote machine will, of course, see the NATted address instead of the local address of the backup server.
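Both answers above boil down to the same recipe: enable IPv4 forwarding on the web server, point the backup server's default route at the web server, and optionally restrict what is forwarded. The script below is an added example (not code from the thread or from the howtoforge page) that puts that recipe into a few shell functions. All addresses and interface names are assumptions: the web server's 2.x interface is `eth0`, its 3.x interface is `eth1` with address 10.3.0.1, the backup server is 10.3.0.20 in 10.3.0.0/24. The FORWARD rules deliberately allow only the backup host, only TCP/22 (scp and rsync both ride on ssh), and only return traffic for connections it initiated, so the web server does not become a general gateway for the 3.x subnet. One caveat the thread does not spell out: the load balancer and router must have a return route for 3.x via the web server; if they do not (which would explain pings stopping at 2.x), the `masquerade_backup_net` function makes the web server SNAT the traffic to its own 2.x address so upstream hops never need to know about 3.x. It runs in dry-run mode by default and only prints the commands; set `DRY_RUN=0` and run as root to apply them.

```shell
#!/bin/sh
# Added example, not from the original thread. All values below are assumptions.
WAN_IF=eth0              # web server interface toward the load balancer (2.x)
LAN_IF=eth1              # web server interface toward the backup server (3.x)
WEB_LAN_IP=10.3.0.1      # web server's 3.x address, used as the backup server's gateway
BACKUP_HOST=10.3.0.20    # the only 3.x host allowed out
BACKUP_NET=10.3.0.0/24
DRY_RUN=${DRY_RUN:-1}    # 1 = print commands, 0 = execute them (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Web server: turn on IPv4 forwarding now and persist it across reboots.
enable_forwarding() {
  run sysctl -w net.ipv4.ip_forward=1
  # Append to sysctl.conf only if no ip_forward setting is already present.
  if ! grep -qs '^net.ipv4.ip_forward' /etc/sysctl.conf; then
    run sh -c 'echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf'
  fi
}

# Web server: restrict forwarded traffic to ssh from the backup host plus replies.
webserver_forward_rules() {
  run iptables -P FORWARD DROP
  run iptables -F FORWARD
  # Replies to connections the backup server opened (stateful, so no port list is needed).
  run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
    -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Only the backup host, only ssh (scp and rsync are carried inside ssh).
  run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$BACKUP_HOST" \
    -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  # Log (rate-limited) anything else before the DROP policy discards it.
  run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Web server, optional: hide 3.x behind the web server's 2.x address when the
# load balancer and router have no route back to the 3.x subnet.
masquerade_backup_net() {
  run iptables -t nat -A POSTROUTING -s "$BACKUP_NET" -o "$WAN_IF" -j MASQUERADE
}

# Backup server: send everything not on the local subnet via the web server.
backup_default_route() {
  run ip route replace default via "$WEB_LAN_IP"
}

case "${1:-}" in
  webserver) enable_forwarding; webserver_forward_rules ;;
  webserver-nat) enable_forwarding; webserver_forward_rules; masquerade_backup_net ;;
  backup) backup_default_route ;;
esac
```

Run it as `sh forward.sh webserver` on the web server and `sh forward.sh backup` on the backup server (adding `DRY_RUN=0` once the printed commands look right); use `webserver-nat` instead of `webserver` if the upstream hops lack a route to 3.x. With the rate-limited LOG rule in place, `dmesg | grep FWD-DROP` shows any forwarded traffic that was refused, which is the quickest way to confirm the backup server is only reaching out over ssh.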