The following case:

ServerA has no open ports. IP 1.1.1.1. It can see ServerB.

ServerB has open ports 1000, 2000. IP 2.2.2.2. It can only see ServerC.

ServerC has open ports 1000, 2000. IP 3.3.3.3. It can't see the other servers.

Here ServerA doesn't see ServerC.

It can be illustrated with this diagram.

What I need is to allow ServerA to communicate with ServerC via ports 1000 and 2000. It is possible to do this via ServerB using iptables (port forwarding, as described here: https://serverfault.com/a/838865/518609). However, the problem is that ServerB should also communicate with ServerC using the same ports.

So ServerA and ServerB should both communicate with ServerC, and ServerC should differentiate which server (A or B) sent a packet, but only ServerB can connect to ServerC.

Opening other ports is not possible (well, technically possible, but our security department doesn't like this idea and even as an exception it would take up to 3 weeks).

OS is SLES (SUSE Linux Enterprise Server).

Is it possible at all?

Fogus
  • 101

1 Answer

iptables is not a router.

You have a use case for these flows; allow them. Route such that A and B have paths to C. Allow the relevant ports in any firewall, and follow any other relevant security policy of your organization.

A non-router node only needs to be in the path if it provides some service, middlebox style, like a proxy or firewall.

John Mahowald
  • 36,071
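The routing approach the answer recommends, as an added example that is not the question's or the answer's own code: ServerB forwards only the approved flows between A and C, with no NAT, so ServerC sees 1.1.1.1 for ServerA's traffic and 2.2.2.2 for ServerB's own. Addresses and ports are from the question; the DRY_RUN switch, the run helper and the use of raw iptables are assumptions.

```shell
#!/bin/sh
# Added example (not from the question or answer): route A<->C through B
# instead of DNAT, so C keeps the real source address of each flow.
# Addresses/ports are from the question; DRY_RUN handling is an assumption.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 applies them (root).
A=1.1.1.1
B=2.2.2.2
C=3.3.3.3
PORTS=1000,2000
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ServerB: act as the router between A and C, forwarding only these flows.
configure_serverb() {
    run sysctl -w net.ipv4.ip_forward=1
    # Default-deny forwarding, then allow only new A->C connections on the
    # approved ports plus the matching return traffic (tracked by conntrack).
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$A" -d "$C" -p tcp -m multiport --dports "$PORTS" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Deliberately no SNAT/MASQUERADE: that is what would make A's packets
    # arrive at C with B's address and defeat the per-server distinction.
}

# ServerA: reach C via B.
configure_servera() {
    run ip route add "$C/32" via "$B"
}

# ServerC: it cannot reach A directly, so replies to A must go back via B.
configure_serverc() {
    run ip route add "$A/32" via "$B"
}

case "${1:-}" in
    a) configure_servera ;;
    b) configure_serverb ;;
    c) configure_serverc ;;
    *) echo "usage: $0 a|b|c   (DRY_RUN=1 prints, DRY_RUN=0 applies)" ;;
esac
```

On SLES the host firewall (SuSEfirewall2 or firewalld, depending on release) manages the iptables rules, so express the FORWARD rules in that tool rather than applying them directly.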