Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have the following rule to forward packets coming externally from server A to external server B.
I have the following rule to do this for me.
iptables -t nat -A PREROUTING -p tcp --dport <server_a_port> -j DNAT --to-destination <server_b_ip>:<server_b_port>
iptables -t nat -A POSTROUTING -j MASQUERADE
It works fine with one exception: the source IP coming into server B is changed to that of server A. Is there a way to do this without changing the external source IP - i.e. I want server B to see the same source IP that comes into server A.
If I remove it completely then the forwarding doesn't work. That is I cannot connect to server B through server A. I have to add the MASQUERADE entry for it to work.
I have tried this without having any other entries in the table.
Actually it does, but on server B it seems like it's trying to return the reply packet directly to the source IP. And since it connected to server A, the client is expecting a reply from server A, not server B.
I guess that's why you need a MASQUERADE (or SNAT) rule.
Am I correct in thinking about this? Can I add some additional rules on server B to return packets via server A back to the client?
Well yes, that's what IP routing is. That's the exact specific precise reason NAT exists!
This presumably IS a routed network with DIFFERENT address ranges? What do you mean by "direct" here? That suggests it's on the local subnet... the return route is usually defined by the stateless routing table on the destination host, so you would usually identify the sub-range of addresses that need to go back via this intermediate device and put that in the routing table.
Yes, server A and server B are on different networks - both external.
Right, so how do I do that? Let's say server A is 1.1.1.1, server B is 2.2.2.2. What is happening with the packet at the moment is:
Incoming packet:
1.2.3.4 (source IP) >>> 1.1.1.1 (server A) >>> 1.2.3.4 source is changed to 1.1.1.1 >>> 2.2.2.2 (server B)
Reply back:
2.2.2.2 (server B) >>> 1.1.1.1 (server A) >>> 1.2.3.4
Without SNAT - incoming packet
1.2.3.4 (source IP) >>> 1.1.1.1 (server A) >>> 1.2.3.4 source IP is not changed >>> 2.2.2.2 (server B)
Reply back:
2.2.2.2 (server B) >>> 1.2.3.4 ...bypassing server A. Therefore the packet never reaches the initiating client.
And I want it like so - incoming packet:
1.2.3.4 (source IP) >>> 1.1.1.1 (server A) >>> 1.2.3.4 source IP is not changed >>> 2.2.2.2 (server B)
Reply back:
2.2.2.2 (server B) >>> 1.1.1.1 (server A) >>> 1.2.3.4
If I was to set up a route, then that means ALL packets going out of server B would go via server A. I don't want that - I only want packets going out via server A if they came in via server A. Is there a way to do that using iptables?
You should stick with MASQUERADE. There are ways to do it, using iptables to force packets to use alternative routing tables, but those solutions just end up hacky and obscure. This might be of interest to you though... http://parkersamp.com/2010/02/howto-...vlan-in-linux/ Again, I would try to avoid this kind of meddling though.
Last edited by acid_kewpie; 06-18-2012 at 09:29 AM.
Just been reading about it. Looks like I can mark forwarded packets and using the marks route them back using different routing tables (like you said). Seems a little complicated for my little brain though.
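The approach the last two posts sketch (tag connections that came in via server A, and send only their replies back through A using a second routing table) written out as an added example for this thread; it is not code from any poster. It runs on server B and rests on assumptions the thread does not state: B has a usable next hop towards A on the interface LINK_IF (A is on-link, or reached through a tunnel endpoint), and A forwards to a dedicated port SVC_PORT on B so that B can tell relayed connections from direct ones, since the client's source IP is left unchanged. The addresses, interface name, mark value and table id are constructed placeholders. By default it only prints the commands (DRY_RUN=1).

```shell
#!/bin/sh
# Added example for this thread (not a poster's code): on server B, route replies
# for connections that arrived via server A back through A, using a connection
# mark plus a second routing table, as the later posts outline.
# Assumptions not stated in the thread:
#   - B has a usable next hop towards A on $LINK_IF (A on-link, or a tunnel endpoint);
#   - A forwards to a dedicated port $SVC_PORT on B, so B can tell relayed
#     connections apart from direct ones (the client's source IP is unchanged).
# All addresses, the interface name, the mark and the table id are constructed placeholders.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them (root required).

SERVER_A_IP="${SERVER_A_IP:-1.1.1.1}"   # next hop back towards server A
LINK_IF="${LINK_IF:-eth0}"              # interface on B that reaches server A
SVC_PORT="${SVC_PORT:-8080}"            # port that server A's DNAT points at on B
MARK="${MARK:-1}"                       # fwmark meaning "this connection came in via A"
TABLE="${TABLE:-100}"                   # routing table holding the route back via A
DRY_RUN="${DRY_RUN:-1}"

# Print a command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_return_routing() {
    # 1. Tag the conntrack entry of every new connection that arrives on the relayed
    #    port. CONNMARK --set-mark writes the connection mark directly, so no
    #    per-packet save step is needed and later packets cannot overwrite it with 0.
    run iptables -t mangle -A PREROUTING -i "$LINK_IF" -p tcp --dport "$SVC_PORT" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    # 2. Copy the connection mark onto locally generated reply packets. A mark change
    #    in mangle OUTPUT makes the kernel redo the routing decision for that packet.
    run iptables -t mangle -A OUTPUT -p tcp --sport "$SVC_PORT" -j CONNMARK --restore-mark
    # 3. Marked packets consult a table whose default route points back at server A;
    #    unmarked traffic keeps using the main table, so only relayed replies change path.
    run ip route replace default via "$SERVER_A_IP" dev "$LINK_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE" 2>/dev/null || true   # tolerate re-runs
    # 4. The path is now asymmetric; strict reverse-path filtering on $LINK_IF can
    #    drop the client's packets, so relax it to loose mode on that interface only.
    run sysctl -w "net.ipv4.conf.$LINK_IF.rp_filter=2"
}

# Number of commands the plan issues (handy for a quick self-check of the dry run).
plan_line_count() {
    ( DRY_RUN=1; apply_return_routing ) | wc -l | tr -d ' '
}

# Run as a script: show the plan, or apply it when DRY_RUN=0.
apply_return_routing
```

Server A keeps the DNAT rule from the first post but drops the MASQUERADE line. Two caveats: ip rule add is not idempotent (hence the || true), and even with this in place A's upstream network may discard forwarded packets that carry the client's source address rather than A's own (ingress anti-spoofing filtering), which is part of why the advice in this thread to stay with MASQUERADE is the safer default.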
See, now I spend all day working with F5 BigIP load balancers and they just have a lovely tick box in the config called "auto last hop" which ensures that all traffic coming in to a given service goes back on the network with the MAC of the device it came from, totally ignoring the routing tables, which is clearly exactly what you want. Not sure what's actually going on under the hood for that. I think it's probably bespoke code, not iptables or anything not generically Linux. So if you want to spend $100,000 on a pair of BigIP's it's a doddle!
Hah, I am not that desperate to see the source IP - as nice as it would have been. For $100,000 I will learn ip routes and iptables - but again, it's not essential.
But yes, it looks like exactly the thing I would need.