I am trying to forward traffic from one server to another, while keeping the origin requestor IP. Therefore I cannot use SNAT or MASQUERADE.

SERVER A:
Public IP: 111.111.111.111
Private IP: 10.0.0.1

SERVER B:
Public IP: 222.222.222.222
Private IP: 10.0.0.2

I want to forward traffic from Server A (111.111.111.111) to Server B (10.0.0.2).

This works fine:

iptables -t nat -A PREROUTING -d 111.111.111.111 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -t nat -A POSTROUTING -j MASQUERADE

However, because I am using MASQUERADE in this case, the destination server (10.0.0.2) sees all traffic as if it were coming from 111.111.111.111, i.e. Apache logs and others show all requests as coming from 111.111.111.111.

How can I set this up instead, so that the original source IP address is kept, like a home router does when using port forwarding?

I assume I need to set up a "route" somehow, so that the outgoing traffic from 10.0.0.2 goes out through Server A rather than trying to respond from Server B's public IP?

3 Answers

2

It seems you are confused about networking.

What you want at the NAT level makes no sense at all.
The address MUST be rewritten in the Layer3 network packets for NAT to work at all.
And private IP space is NOT routable (over the internet, intrAnets may behave differently) in the first place.

The place where you want to see the original ip-addresses is in Layer 4: The application layer. (Logs, etc.) The information there is NOT affected by the NAT at all. You may see the ip-address of the NAT router, but the Apache logs should still indicate which machine/hostname/user from behind the NAT requested the info on basis of the HTTP header information.

You are mixing up different things that are not related.

Tonny
0

Your DNAT rule alone should be sufficient for the address translation without any need to add MASQUERADE in POSTROUTING, you just need to tell the firewall to then accept the translated packet.

For instance, one of my incoming routes:

/sbin/iptables -t nat -A PREROUTING -p tcp -d $EXTERNALIP  --dport 22 -j DNAT --to $INTERNALTARGET:22
/sbin/iptables -A FORWARD -p tcp -d $INTERNALTARGET --dport 22 -j ACCEPT

From the wording of your question you seem to be trying to route public requests into one private subnet then on to another - if that is the case then you may need to make routing tweaks so that the return packets know where to go. In my example above I'm passing requests on a public interface ($EXTERNALIP) to a machine ($INTERNALTARGET) connected to the one private network leg the router is connected directly to, and that router is the default route out so return packets know where to go without extra help.
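The answer above shows the DNAT-plus-FORWARD pair for port 22; the script below, an added example and not the answer author's own code, applies the same pattern to the question's port 80 setup (111.111.111.111 to 10.0.0.2) and adds the two things a practitioner usually wants alongside it: the conntrack rule that lets the return half of the connection pass FORWARD, and a guard that refuses to apply any rule set containing a MASQUERADE or SNAT target, since that target is exactly what replaces the client address in Server B's logs. It assumes, as the question itself guesses, that Server B's default route points at Server A's private address (10.0.0.1) so that replies travel back through Server A; with no source rewriting, replies leaving directly via 222.222.222.222 would never match the client's connection. The script prints the commands by default and only executes them when run as root with APPLY=1.

```shell
#!/bin/sh
# Forward 111.111.111.111:80 -> 10.0.0.2:80 without MASQUERADE, so that Server B
# sees the real client address. Constructed example using the question's addresses.
# Dry run by default (prints the commands); APPLY=1 as root executes them.
# Assumption: Server B's default gateway is Server A (10.0.0.1), so replies return via A.

EXTERNALIP="${EXTERNALIP:-111.111.111.111}"
INTERNALTARGET="${INTERNALTARGET:-10.0.0.2}"
PORT="${PORT:-80}"

# Emit the commands for one forwarded TCP port. Only the destination is rewritten
# (DNAT in PREROUTING); nothing in POSTROUTING touches the source address.
# FORWARD is opened for this port only, not with a blanket ACCEPT.
build_forward_rules() {
    ext="$1"; target="$2"; port="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp -d $ext --dport $port -j DNAT --to-destination $target:$port
iptables -A FORWARD -p tcp -d $target --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $target --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Return 0 when the rule set contains no SNAT or MASQUERADE target, 1 otherwise.
# Either target would make Server B log Server A's address instead of the client's.
keeps_source_ip() {
    ! printf '%s\n' "$1" | grep -Eq -- '-j (MASQUERADE|SNAT)'
}

rules=$(build_forward_rules "$EXTERNALIP" "$INTERNALTARGET" "$PORT")

if [ "${APPLY:-0}" = "1" ]; then
    keeps_source_ip "$rules" || { echo "refusing: rule set rewrites the source address" >&2; exit 1; }
    printf '%s\n' "$rules" | sh -e
else
    printf '%s\n' "$rules"
fi
```

The guard is deliberately simple (a pattern match on the generated text); its point is to make the "no MASQUERADE" property of this setup explicit and checkable rather than implicit in which lines were left out. On Server B, verify the routing assumption with `ip route show default` before applying: if the default route is not via 10.0.0.1, forwarded connections will hang even though the rules on Server A are correct.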

0

Iptables are wonderful, but if you keep everything in nginx, then it can do the job it was designed for. It's possible to do other advanced tricks with iptables like logging and packet marking, but if you don't have a reason to do it outside of nginx, you should go through nginx. That way if you move to a different system like (Ugly)windows server or FreeBSD, then the configuration is done in nginx and not at a system dependent level. If you're worried about speed, that is what nginx was designed for, so if you use some of the premade or develop your own log monitors, it is the same on every system you work with. Linux rocks, and there shouldn't be a reason to move off of it, but in case you have to implement more servers with other environments, all of your configs are environment independent.

sean