LinuxQuestions.org
Old 12-04-2002, 09:55 AM   #1
RyanT2k
Port forwarding (moving datacenter) ipfw/iptables/ipportfw


Hello!

I have a couple of Web servers, one running Linux, the other FreeBSD. Two new machines are going to replace those at another physical location (new IPs and all).

Once the systems are synched up (after web and db shutdown, of course), DNS will be switched to point the TCP traffic over to the new machines. Obviously there will be some DNS caching, so I'm looking for a TCP rerouting solution.

I believe I'd be wrong to assume this could be done with just iptables for Linux and ipfw for FreeBSD, would I not? I had to do this before with a Windows machine and used Winroute Pro (http://www.kerio.com/us/wrp_home.html). Check out the port mapping.

Basically, any web requests coming into the old Web servers need to be redirected to the new machines. I'd want to listen from specific IPs on the old machines on TCP ports 80 and 443, and then route them to the new machines' addresses on the same ports (all are public addresses, no private NAT). And then of course flawlessly get the data back to the client requesting the data -- this must be completely transparent.

Are these the right tools? All I can find for port mapping is internal NAT stuff, and that's slightly different than what I'm doing.

Just remember,

I need the traffic to do this:

request out:
[client] -> [old web] -> [new web]
and back:
[client] <- [old web] <- [new web]


and not this:

request out:
[client] -> [old web] -> [new web]
and back:
[client] <-------------- [new web]


This is because the machines are not on the same network.

If there are any gurus out there that have any solutions to this, I'd not only be impressed, but truly grateful!

Thanks,
Ryan
 
Old 12-04-2002, 10:43 AM   #2
KevinJ
I take it these machines are servicing requests from the outside world? And you probably have a firewall/router connecting you to the outside world?

Couldn't you put these redirection "rules" for the old IP/port numbers on that device connecting you to the outside world?


-kevinj
 
Old 12-04-2002, 11:07 AM   #3
RyanT2k
Both these sets of machines will be on public addresses with no firewalls other than using software firewalls on the machines themselves (ipchains or whatever's applicable). As soon as the budget allows, a firewall will be added later, of course.

I don't quite understand what you mean by:
(snip)
Couldn't you put these redirection "rules" for the old IP/port numbers on that device connecting you to the outside world?
(snip)

Another thing someone suggested to me was doing an Apache proxy of some sort for certain hosts requests. This would mess up log files somewhat, too. I have no experience with this, so I'm not sure if it's what I'm looking for.. any ideas there?

Thanks,
Ryan

P.S. If I can do this with just TCP, it would help with moving other services as well.
 
Old 12-04-2002, 11:55 AM   #4
KevinJ
well... I think ... you can do this without issue. If the old machines are up and running, you just port redirect all requests for the corresponding ports to the new IP addy's. Not a problem. Works just like on a firewall. That is done with iptables in Linux.

You don't have a firewall between these machines and the outside world? But you must have a router of some kind don't you? Some routers support port redirection. When a client wants to connect to you, he is gonna go to his DNS nameserver and ask for the IP addy that goes with the hostname he provided.
If he gets a cached, incorrect IP addy, then he will be sent to the router that used to handle the traffic to these servers. If that router supports port forwarding.... you can have it "redirect" the request to the correct address.

You can also do that with iptables in Linux. But the issue is that the machine that is doing the redirecting has to get the request in the first place. That would mean that either something inbetween you and the client must intercept it..... or the old machine must get it and send it somewhere else.


Now... I don't know what your network setup looks like. You said different physical location and different network. But I don't know how "different". If it would be possible to put another NIC in the new machine to connect to the old network... no problem. Or if the networks are cabled in such a way that both of them go through the same switch, you could use a virtual adapter.

You have options, but it depends on really what the physical and logical networks look like before and after your changes.

-KevinJ
 
Old 12-04-2002, 11:59 AM   #5
KevinJ
Quote:
I need the traffic to do this:

request out:
[client] -> [old web] -> [new web]
and back:
[client] <- [old web] <- [new web]


and not this:

request out:
[client] -> [old web] -> [new web]
and back:
[client] <-------------- [new web]


This is because the machines are not on the same network.

I must be confused about something because I really don't understand what you mean by the above.

-KevinJ
 
Old 12-04-2002, 01:12 PM   #6
RyanT2k
I appreciate your kindness in taking time to help me...

I'm still unsure if this will solve the problem.

Here's my setup --

Two web servers.. one running FreeBSD and the other Linux. There is a router in front of it.

Two new web servers (duplicate of the old).. they are in a different hosting facility miles away, so the networks cannot be connected the way you meant.

The way WinRoute works is this:

the client uses his Web browser to load www.whatever.com
www.whatever.com would route to say the IP address: 216.148.209.1 (for illustrative purposes)

The machine at 216.148.209.1 would accept the user's http request, but instead of giving back the Web site, the server would go ahead and duplicate the request to the NEW Web server at the 2nd location. Once the data packets are grabbed back to the 216.148.209.1 server, it hands them back to the client's Web browser as if it came from the old Web server itself. It's all transparent to the user. I've tested this myself by rerouting from an IP address to say one of www.microsoft.com's IP addresses and it'll pull up Microsoft's Web site as if it were being loaded from my own server. EVERYTHING works, because it's just a redirect (actually extension) of packets. WinRoute allows you to do this on a service level (tcp, udp, icmp, etc), port number or range, and will redirect it to another port if that's needed. The cool thing is that this will work for just about any service... telnet, etc.

Anyway, that's how this works. I'm just looking for a similar solution in Linux/BSD. I don't think that ipchains is quite the thing, but I could be wrong. I suppose I could just try it?

Here's another diagram of what's happening:

client sends get request for Web site, since dns is cached to the old site, it tries to grab from the IP address of the old machine:

[client request] --> [old server]

at this point, instead of the old server serving the pages, it sends back the new server's data, but first has to get it from the new servers.. so it will send the exact same packets to the new server, but with a return address of the old server's IP.

[old server request to new server] --> [new server]

The new server sends back the data to the old server:

[old server address] <-- [new server sends back data]

and now the old server sends those packets back to the client and the client has no idea that they really came from the new server:

[client waiting for return of data] <---- [old server sends data from new server]


---

and that's the gist of what happens. WinRoute Pro does this very effectively, but I don't really want to spend $999 on something that could be free, and installable on a *nix machine rather than Windows.

Hope that clears up what I'm looking for..

Ryan
 
Old 12-04-2002, 01:25 PM   #7
KevinJ
Well... my first question is why does the return traffic have to go back through the old server? As long as the requests make it to the new server... why can't they go back directly to the client?

In any event, it sounds like what you are talking about is sort of like IP masquerading. Traditionally that is used on a firewall or router to connect public and private networks. It's set up using rules in IPTABLES. Now I am not an expert on it... so I am hoping someone else will jump in.. but I am pretty sure you can do something like MASQ all requests coming into a server out to another server and then back. I think that is pretty much what IPTABLES does when it does a port redirect.

Take this short firewall script for example:

#!/bin/sh
#-------------------------------------------------------------------------
# eth0 = public side, eth1 = LAN side (192.168.0.0/24)

insmod ip_tables

echo " Enabling SNAT (MASQUERADE) on eth0 ... "
# LAN hosts going out through eth0 get the firewall's public address.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

echo " Enabling IPFORWARDING ... "
echo "1" > /proc/sys/net/ipv4/ip_forward

echo " Enabling ports for NWN server ... "
# Anything arriving on eth0 for UDP 5121 has its destination rewritten to
# the LAN host before routing.
iptables -t nat -A PREROUTING -p udp --dport 5121 -i eth0 -j DNAT --to 192.168.0.26

# Let the rewritten packets cross from eth0 to eth1, and let the replies from
# 192.168.0.26 cross back (the second rule matters when the FORWARD policy is
# DROP; conntrack restores the public destination on the way out).
iptables -I FORWARD -i eth0 -o eth1 -p udp --dport 5121 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#----------------------------------------------------------------------

What that does is any time my server gets a request for something on port 5121, it sends it on to 192.168.0.26. But I don't see why it wouldn't work sending it to another public address as well. The return info would then come BACK to my server and then be sent back to the requester from there.

Can any of you firewall gurus out there check my work??

--KevinJ
 
Old 12-04-2002, 02:03 PM   #8
RyanT2k
Kevin,

That's basically how I envisioned it, but it's like spoofing an IP address. If the client is expecting a packet from a different IP than the new server, will the client accept it.. and will firewalls block/drop it?

This is why it has to be routed back through the old server afaik.

However, thanks for the iptables configuration.. I'll have to test it out somewhere and see if it works.

Thanks,
Ryan

P.S. I hope that configuration is correct if I were to test it.. I'll find out.
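The flow Ryan describes in post #6 (client to old server, old server to new server, and the answer retraced back through the old server) and the spoofing worry in post #8 are both handled by the same pair of iptables rules: a DNAT on the way in, which KevinJ's LAN script already has, plus an SNAT on the way out, which it does not need for a LAN host but which is exactly what forces the new server's replies back through the old box. The script below is an added example written for this thread, not code posted by Ryan, KevinJ or anyone else here. It only prints the iptables commands so they can be read before being piped to a root shell. The addresses 192.0.2.10 (old server) and 198.51.100.20 (new server), the interface name eth0 and the function names gen_relay_rules and gen_teardown_rules are all placeholders I chose; it covers the Linux box only, not the FreeBSD one.

```shell
#!/bin/sh
# Added example, not code from the thread.  Prints (does not run) the
# iptables commands that turn the OLD web server into a transparent TCP
# relay for the NEW one, with the new server's replies coming back through
# the old box so the client only ever talks to the address it resolved.
#
# Assumed placeholders (RFC 5737 documentation addresses, hypothetical NIC):
#   old_ip  192.0.2.10      address clients still get from cached DNS
#   new_ip  198.51.100.20   replacement server in the other facility
#   wan_if  eth0            the old server's public interface
#
# Usage:  sh relay.sh 192.0.2.10 198.51.100.20 eth0 80 443            # review
#         sh relay.sh 192.0.2.10 198.51.100.20 eth0 80 443 | sudo sh  # apply
#         sh relay.sh --down 192.0.2.10 198.51.100.20 eth0 80 443 | sudo sh

gen_relay_rules() {
    old_ip="$1"; new_ip="$2"; wan_if="$3"
    shift 3                              # remaining args: TCP ports to relay

    # The relay forwards packets between two hosts, so the kernel must route.
    echo "sysctl -w net.ipv4.ip_forward=1"

    for p in "$@"; do
        # 1. Inbound connection to OLD_IP:p -> rewrite destination to NEW_IP:p.
        #    Pinned to -d old_ip and the port so this box never becomes a
        #    general forwarder for anything else arriving on wan_if.
        echo "iptables -t nat -A PREROUTING -i $wan_if -d $old_ip -p tcp --dport $p -j DNAT --to-destination $new_ip:$p"

        # 2. On the way out, rewrite the source to OLD_IP.  Without this the
        #    new server would answer the client directly from NEW_IP; the
        #    client's TCP stack has no connection with NEW_IP and a stateful
        #    firewall in front of it drops the segment.  With it, NEW_IP
        #    replies to OLD_IP and conntrack undoes both rewrites on the way
        #    back to the client.
        echo "iptables -t nat -A POSTROUTING -o $wan_if -d $new_ip -p tcp --dport $p -j SNAT --to-source $old_ip"

        # 3. Permit the rewritten connection in the FORWARD chain (it enters
        #    and leaves on the same public interface).
        echo "iptables -A FORWARD -i $wan_if -o $wan_if -d $new_ip -p tcp --dport $p -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    done

    # Replies from the new server as FORWARD sees them, after conntrack has
    # reversed the SNAT: source NEW_IP, destination the real client.
    echo "iptables -A FORWARD -i $wan_if -o $wan_if -s $new_ip -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Same rules with -A turned into -D, for taking the relay down once the DNS
# caches have expired (the sysctl line is left out: forwarding stays as set).
gen_teardown_rules() {
    gen_relay_rules "$@" | grep '^iptables' | sed 's/ -A / -D /'
}

# Run directly with arguments: print the rules.  Run or sourced without
# arguments: only define the functions.
if [ "$#" -ge 4 ]; then
    case "$1" in
        --down) shift; gen_teardown_rules "$@" ;;
        *)      gen_relay_rules "$@" ;;
    esac
fi
```

Two things to check after applying it: iptables -t nat -L -n -v should show the DNAT and SNAT counters climbing together for a test request, and the new server's access log will record 192.0.2.10 for every relayed hit rather than the client's address, because the SNAT hides it; that is the same log distortion Ryan was worried about with an Apache proxy, and it is the price of keeping the relay at the TCP level so it also works for HTTPS and any other TCP service. Because the PREROUTING rule rewrites the destination before local delivery, the old Apache can stay running without catching the traffic, but stopping it removes any doubt about which server answered.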
 
  

