Answer the question
In order to leave comments, you need to log in
Make transparent tunneling of traffic (preserving ip) in Linux?
There is a need to make a separate filtering server in front of the main frontend. However, you cannot lose ip addresses at the exit, you need them to transparently come to the frontend and log in there.
What are the best tools to solve this problem?
The goal is to filter various garbage at the iptables level, perhaps some small anti-ddos protection. The load will be small.
Answer the question
In order to leave comments, you need to log in
I think, if I understand correctly, and the machines will be physically nearby, or they are virtual machines, then:
1. Tunneling is clearly unnecessary here, I think you can get by with a virtual bridge on the proxying machine. (It will physically stand in the context of the backend and the provider.)
2. In the proposed version, you do not have to reconfigure anything on the backend, since the IP addresses will remain on it.
3. filtering will be completely possible with iptables. (although I could be wrong, ibtables is more likely to be needed, correct it)
4. The solution is universal and will support any type of IP traffic
Why didn't anyone suggest HAProxy?
It works for me like this
Client -> iptables -> haproxy -> backend
Depending on your needs, you can configure haproxy to work from l3 to l7
Filter server with one interface . Redirects traffic to a processing server without SNAT.
The client must contact the filtering server and receive a response through it.
Those. for client, processing server IP = filter IP. With the corresponding records in DNS (if we are talking about a web server).
Redirecting traffic from the client to processing is just DNAT. But in order for the response to go through the filter, the processing server must have a main route to the filter. This means that the filter and the server itself must be on the same subnet.
It's probably best to do a VPN from the front end to the filter (or vice versa, whichever is easier) and set up routes on both sides.
Well, for protection, block unnecessary (almost everything) on the normal interface of the processing server.
If only web traffic is expected, then nginx + X-Forwarded-For. At the same time, any filtering in nginx can be done. Or you can try to get by with Squid. You will also receive caching as a gift.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question