- 06-30-2009 #1 | Just Joined! | Join Date: Jun 2009 | Posts: 5
Port Forwarding WITHOUT Masquerading ?
Hello everyone,
I'm trying to forward (iptables way) a certain port from a Server A to a Server B, both on the internet, without masquerading, but no luck yet... let me explain.
I have two servers hosted in two different datacenters and I would like to do something like this:
Client -----> Server A:1234 -----> Server B:1234 -----> Client
I would like Server B to answer directly to the Client (so I guess the client really being forwarded to Server B) instead of having Server B answer to Server A, which then answers to the Client.
Is this technically possible?
Thanks for your time!
Bruce
- 06-30-2009 #2
This is not how TCP works. In your scenario a connection would be established between client and server A to transfer data. Then server A would set up another connection to server B.
Server B cannot now send a message to the client as there is no direct connection set up, and so the client will ignore any packets that server B sends to it.
Linux User #453176
- 06-30-2009 #3 | Just Joined! | Join Date: Jun 2009 | Posts: 5
Thx for answering... I know it doesn't work that way, but isn't there any way to modify the TCP datagram and maybe modify the source IP and port?
I mean how do hardware load balancers do it?
Thanks !
- 06-30-2009 #4 | Linux Guru | Join Date: Nov 2007 | Posts: 1,722
Quote: I mean how do hardware load balancers do it?
They:
A) masquerade.
B) are bridges that are transparent to the IP layer.
C) have multiple interfaces that "trade" a MAC address around that redirects connections by round-robin ARP requests.
The client knows it sent a request to ServerA; if a response comes from ServerB, it will reject it unless the client application has been coded that way - or is ServerB going to forge the "from" address when it responds to the client and keep the circle going? That would again require coding of the application on ServerB.
** Load balancers do not create a "circle" - a request comes in, it is routed through a connection that may have multiple branches (load balancing) to back end servers and then a response is routed back out to the client.
- 06-30-2009 #5 | Just Joined! | Join Date: Jun 2009 | Posts: 5
I see... so there is absolutely no way to do this by software?
Thanks
- 06-30-2009 #6 | Linux Guru | Join Date: Nov 2007 | Posts: 1,722
Anything you can do in hardware, you can do in software - it just may take too much CPU/processing time.
You ask about routing/forwarding, but then you bring up load balancing - they are not the same thing. Load balancers can be transparent to the IP layer (or not.)
Here is one TCP/HTTP proxy/load balancer along with some docs on design considerations.
You need to consider how TCP/IP works, what application you're working with, and what you're trying to achieve.
- 06-30-2009 #7 | Just Joined! | Join Date: Jun 2009 | Posts: 5
Ok, let's see here.
I have two servers:
- Server A (XX.XX.XX.XX)
- Server B (WW.WW.WW.WW)
And a third IP address that my host gave me (YY.YY.YY.YY) that is Load balanced (random) on their routers.
So I've been able to bind that same IP (YY.YY.YY.YY) on both servers on new virtual interfaces (eth0:0).
So let's say I would like to open port 8282 on Server B using the Load balanced IP:
YY.YY.YY.YY:8282
But let's say that the load balancer redirects my request to Server A, and that's where port forwarding comes into play... So I forward (using iptables) to Server B. That works, BUT if I look into the logs on Server B, the connection was made from Server A and not from the client...
So I know this can't be done straightforwardly, BUT knowing that I have that shared IP address, isn't there any way I can forward the port without masquerading or something?
Thanks for your help guys !
- 06-30-2009 #8 | Linux Guru | Join Date: Nov 2007 | Posts: 1,722
No, you should be working *with* your load balancer, not against it.
You can work with your ISP to design your solution *in conjunction with* your load balancing system, or you can accept that connections bounced from ServerA > ServerB will return back through A to get back to the client.
We have already covered what would be necessary for what you described:
The client knows it sent a request to ServerA; if a response comes from ServerB, it will reject it unless the client application has been coded that way - or is ServerB going to forge the "from" address when it responds to the client and keep the circle going? That would again require coding of the application on ServerB.
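For reference, here is the rule set that makes the forward described in #7 work the way #8 says it must, with replies returning through Server A. This is an added example written for this thread, not code from any of the posters: Server A rewrites the destination (DNAT) so the packet reaches B, and rewrites the source (SNAT) so B's replies come back to A rather than going straight to the client, where they would be discarded. All addresses and the port are constructed placeholders from the RFC 5737 documentation ranges, and the `RUN` dry-run variable is this script's own convention.

```shell
#!/bin/sh
# Added example, not code from the thread: DNAT + SNAT port forward on Server A.
# Every address and port below is a placeholder (RFC 5737 documentation ranges),
# not a value from the thread. RUN defaults to "echo" so the script only prints
# the commands; run it as root with RUN="" to actually apply them.
RUN="${RUN-echo}"

# forward_port VIP PORT BACKEND_IP A_IP
#   VIP        shared/load-balanced address the client connects to
#   PORT       TCP port to forward
#   BACKEND_IP Server B
#   A_IP       Server A's own address, used as the rewritten source
forward_port() {
    vip="$1"; port="$2"; backend="$3"; a_ip="$4"

    # Server A must be allowed to route packets that are not addressed to it.
    $RUN sysctl -w net.ipv4.ip_forward=1

    # Record the real client address on A. The nat table only sees the first
    # packet of each connection, so this logs one line per new flow; B's own
    # logs will only ever show A's address, so this is the audit trail.
    $RUN iptables -t nat -A PREROUTING -d "$vip" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW -j LOG --log-prefix "fwd-$port: "

    # Destination rewrite: client -> VIP:PORT becomes client -> B:PORT.
    $RUN iptables -t nat -A PREROUTING -d "$vip" -p tcp --dport "$port" \
        -j DNAT --to-destination "$backend:$port"

    # Source rewrite: B sees the connection coming from A and replies to A.
    # This keeps the return path symmetric; conntrack undoes both rewrites on
    # the way back, so the client sees a reply from VIP:PORT as it expects.
    $RUN iptables -t nat -A POSTROUTING -d "$backend" -p tcp --dport "$port" \
        -j SNAT --to-source "$a_ip"

    # Only this flow and its replies may cross A; everything else stays subject
    # to the existing FORWARD policy (which should be DROP).
    $RUN iptables -A FORWARD -d "$backend" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $RUN iptables -A FORWARD -s "$backend" -p tcp --sport "$port" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Dry run with constructed placeholder addresses: VIP, port, Server B, Server A.
forward_port 203.0.113.10 1234 198.51.100.20 192.0.2.5
```

Leaving out the SNAT rule is exactly the "without masquerading" setup asked about in #1: B would then answer the client from its own address, the client's TCP stack has no connection matching that source, and the packets are dropped. The LOG rule is there because, as #7 observed, B's logs only ever see Server A; keeping the client address on A is the only place it survives at the network layer.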
- 06-30-2009 #9 | Just Joined! | Join Date: Jun 2009 | Posts: 5
Okay... my host won't let me configure the port side on the load balancing system... so I guess I'll have to think about coding a software layer or something!
Thanks again