LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 03-28-2008, 03:56 AM   #1
Swakoo
Member
 
Registered: Apr 2005
Distribution: Red Hat / Fedora / CentOS
Posts: 508

Rep: Reputation: 30
iptables: forward traffic through server


hi guys,

i have an infrastructure like this:

Router -> Firewall -> Load Balancer -> WebServer -> Backup Server

the infrastructure here is at a minimal. only the servers involved are shown
the router, firewall and load balancer are on one same subnet. (1.x)
The loadBalancer, WebServer are on another subnet. (2.x)
The webServer and Backup Server are on the last subnet, also a private subnet (3.x)


All subnets are using private addressing.

The webserver is able to route out and serve pages because it is routable via the load balancer, which goes to the router. this is done via NAT on the router end.

Now, I have a need to allow my backup server to connect out to the internet to access another off-site backup server.

Rather than just pull a cable to connect to the router, I was wondering if it is possible to make use of iptables on the webserver to route traffic out. I just need to rely on rsync, scp and ssh protocols, but for now i am just testing with all traffic.

I followed this page: http://howtoforge.com/nat_iptables
And I manage to allow 3.x from backupserver to ping 2.x, but not beyond. and strangely i am not able to ping the 2.x interface on the load balancer.

Is it technically even possible to do this?

thanks!
 
Old 03-29-2008, 12:41 AM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
I don't think you should need iptables at all if all you want to do is initiate connections from the backup server to the Internet and allow return traffic. (As opposed to port forwarding traffic originating from the Internet. You may wish to add rules to the FORWARD chain to restrict traffic, but that is not necessary.) The first thing to do is make sure your web server can initiate connections to the Internet. Maybe this is already true. If not, I probably can't advise since I am not familiar with load balancers and what impact that might have on routing tables.

Once the webserver has the ability to initiate traffic to the Internet, all that should be required is to enable ip_forwarding (adding the line (w/o quotes) "net.ipv4.ip_forward = 1" in /etc/sysctl.conf is one way to enable it for IPv4) on the webserver, and to make the webserver the default route for the backup server.
 
Old 03-30-2008, 02:02 PM   #3
Swakoo
Member
 
Registered: Apr 2005
Distribution: Red Hat / Fedora / CentOS
Posts: 508

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by blackhole54 View Post
I don't think you should need iptables at all if all you want to do is initiate connections from the backup server to the Internet and allow return traffic. (As opposed to port forwarding traffic originating from the Internet. You may wish to add rules to the FORWARD chain to restrict traffic, but that is not necessary.) The first thing to do is make sure your web server can initiate connections to the Internet. Maybe this is already true. If not, I probably can't advise since I am not familiar with load balancers and what impact that might have on routing tables.

Once the webserver has the ability to initiate traffic to the Internet, all that should be required is to enable ip_forwarding (adding the line (w/o quotes) "net.ipv4.ip_forward = 1" in /etc/sysctl.conf is one way to enable it for IPv4) on the webserver, and to make the webserver the default route for the backup server.
My webserver is already web-routable

So setting the gateway on my backup as the webserver, will solve the issue? will the return connection know which is the initiating machine? considering i am trying to scp/ssh to other servers...

thanks!
 
Old 03-30-2008, 11:59 PM   #4
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by Swakoo View Post
So setting the gateway on my backup as the webserver, will solve the issue? will the return connection know which is the initiating machine? considering i am trying to scp/ssh to other servers...
Now you're making me self-conscious, wondering if I am forgetting anything. :-/

But yes, everything along the path should be keeping track of what is happening and route the return packets properly. Scp/ssh should be easy since it just uses the single port (no additional port like FTP, for example). You do have to enable ip_forwarding on your web server. I have only done this for IPv4, but I am sure there is an analogous method for IPv6 if you need it. The way I enable ip_forwarding for IPv4 is to add the line

Code:
net.ipv4.ip_forward = 1
to /etc/sysctl.conf

Alternatively, you can (as root):

Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
One or the other; you don't need both.

Since you're router is doing NAT, the remote machine will, of course, see the NATted address instead of the local address of the backup server.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
how does IPTABLES -A FORWARD two way traffic without using connection tracking? farhan Linux - Security 4 09-05-2007 12:31 PM
Forward SMTP to another server (SuSE with iptables) baetmaen Linux - Security 2 02-11-2006 02:05 PM
How can I forward all traffic to 10.10.0.10:80 to 10.10.0.20:8080 using IPtables? abefroman Linux - Networking 1 10-06-2005 03:19 PM
iptables forward traffic alaios Linux - Networking 1 09-28-2005 04:43 AM
Trying to forward web traffic through firewall w/ IPTABLES ShinySteelRobot Linux - Networking 6 08-17-2003 05:43 PM


All times are GMT -5. The time now is 04:40 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration