louvremaster, 2016-10-05 18:58:14
linux

How to set up PREROUTING correctly?

There are two servers, A (XXX.XXX.XXX.XXX) and B (YYY.YYY.YYY.YYY), each of them on an external IP, for example as described in the article. We need traffic to get from A (XXX.XXX.XXX.XXX) to B (YYY.YYY.YYY.YYY), for example because server A is being filtered by security. A tunnel is created between them: on server A the tunnel IP is 192.168.168.1, on server B it is 192.168.168.2. Next, using DNAT on server A, we redirect:
iptables -t nat -A PREROUTING -p tcp -d XXX.XXX.XXX.XXX -j DNAT --to-destination 192.168.168.2
iptables -A FORWARD -d 192.168.168.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
On server B, write the routing rules:
ip rule add from 192.168.168.0/30 table 5
ip route add default via 192.168.168.1 table 5
Traffic successfully reaches server B, but on IP 192.168.168.2; now we need traffic to reach IP YYY.YYY.YYY.YYY, because all the entries we need in the web server configs sit on that address.
I'm trying to do:
iptables -t nat -A PREROUTING -d 192.168.168.2 -p tcp -m tcp --dport 80 -j DNAT --to-destination YYY.YYY.YYY.YYY:80
But the packets don't come back. If on server A you do:
iptables -t nat -A POSTROUTING -j MASQUERADE
then the packets leave and arrive, but the visitor's src is naturally replaced by 192.168.168.1, which we don't want.
There is another option, on server B:
ip rule add from YYY.YYY.YYY.YYY/32 table 5
That way it works, but the direct connection to YYY.YYY.YYY.YYY naturally disappears; in general this is also a bad option.
In general, what is needed is that when connecting to IP A (XXX.XXX.XXX.XXX) you end up at B (YYY.YYY.YYY.YYY).
Anyone who has run into this, please point me toward a more rational solution, thanks.

3 answer(s)
littleguga, 2016-10-06
@littleguga

Please reformulate the question, because it is very difficult to understand what there is and what is needed.
For example:
there is a server; you need to redirect traffic from its eth1 interface to IP xxx.xx.xx.xx / another interface. How do you do it?

sharikoff, 2016-10-13
@sharikoff

Put rinetd on B and forward it to YYY:PORT, or do the same using iptables.

alegzz, 2016-10-17
@alegzz

Dig in the direction of marking incoming connections, restoring the mark and routing by mark. Don't forget to masquerade towards B so that A doesn't drop invalid packets, and outbound masquerading towards A.
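As an added example (not part of any answer on this page) of the connection-marking approach alegzz points at, the shell functions below emit the rule set for server B together with the server A rules from the question, so the whole path can be reviewed in one place. The tunnel interface name tun0 and the mark value 0x1 are assumptions; the tunnel addresses, table 5 and port 80 come from the question, and XXX.XXX.XXX.XXX / YYY.YYY.YYY.YYY stay placeholders. The functions only print the commands, so nothing is changed on the host until the output is piped to a root shell.

```shell
#!/bin/sh
# Added example: connection-mark policy routing on server B so that replies to
# traffic forwarded from A over the tunnel go back through the tunnel, keeping
# the visitor's source address intact (no MASQUERADE on A).
# Assumed (not from the thread): tunnel interface name tun0, connection mark 0x1.
# From the thread: tunnel addresses 192.168.168.1/2, routing table 5, port 80.

A_PUB=XXX.XXX.XXX.XXX   # placeholder: server A public address
B_PUB=YYY.YYY.YYY.YYY   # placeholder: server B public address
A_TUN=192.168.168.1     # tunnel end on server A
B_TUN=192.168.168.2     # tunnel end on server B
TUN_IF=tun0             # assumed tunnel interface name on both hosts
MARK=0x1                # assumed connection mark
TABLE=5                 # routing table used in the question

# Server A: the question's own DNAT plus explicit forwarding in both directions.
server_a_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp -d $A_PUB -j DNAT --to-destination $B_TUN
iptables -A FORWARD -o $TUN_IF -d $B_TUN -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $TUN_IF -s $B_TUN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Server B: relax reverse-path filtering on the tunnel (the client's address is
# not routed via tun0), second DNAT onto the public address, then mark every
# connection that entered via the tunnel, restore that mark on the locally
# generated replies (mangle OUTPUT runs before the reply is re-routed after
# the DNAT is undone), and send marked packets out through table 5.
server_b_rules() {
    cat <<EOF
sysctl -w net.ipv4.conf.$TUN_IF.rp_filter=2
iptables -t nat -A PREROUTING -i $TUN_IF -d $B_TUN -p tcp --dport 80 -j DNAT --to-destination $B_PUB:80
iptables -t mangle -A PREROUTING -i $TUN_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK
iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
ip rule add fwmark $MARK table $TABLE
ip route add default via $A_TUN dev $TUN_IF table $TABLE
EOF
}

# Count the commands a side emits; usable without root as a sanity check.
rule_count() {
    "$1" | grep -c '^'
}

# Usage, as root and only after reading the output:  server_b_rules | sh
```

Because the mark is restored in mangle OUTPUT, the reply is routed through table 5 regardless of the source address it carries at that moment, which is exactly the case the question's `ip rule add from 192.168.168.0/30` could not cover. With this in place the MASQUERADE rule on A from the question is not needed, so the web server on B still logs the real client address.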
