  1. #1
    Just Joined!
    Join Date
    Jun 2012
    Posts
    4

    Redirect all TCP traffic to another server


    Hello Forum,

    I have 2 Amazon servers. Each has an externally assigned IP address, which are called elastic IP addresses. Amazon only gives you 5 of them. I am looking to save an IP address and have one server route all outbound TCP traffic through another server. No specific traffic, I just need all outbound TCP traffic.

    My setup:
    I have a proxy server (1.1.1.1) and a backend server (2.2.2.2). The proxy server accepts all traffic from client servers and will redirect it to the backend server using mod_proxy (apache).

    So now the issue is outbound traffic from the backend server.

    Once the backend server gets a request from the proxy, it sends the info back to the client servers. These client servers require all traffic to come from a statically assigned IP address, which I have to tell them.

    In order to save an IP address, I would like to have the backend server forward all TCP traffic to the proxy server (the server that handles the inbound traffic) and then out the proxy server's NIC, so it will be seen as coming from 1.1.1.1 instead of 2.2.2.2.

    Then I will only need to tell the client to allow incoming requests for 1.1.1.1 (their firewall rules)

    My main requirement is to have any (ALL) outbound TCP requests go out through the proxy server.

    I am not sure which direction to go with this.

    Thanks in Advance!

  2. #2
    Lazydog (Linux Guru)
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    The easiest way would be with the firewall:

    Code:
    iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 1.1.1.1

    The above will change all packets to IP address 1.1.1.1, but be careful, as all packets are changed to this address, which will make managing the box remotely a problem.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Jun 2012
    Posts
    4
    Thanks for the reply, I will have to try iptables out. Are there any packages I can use, like a TCP/IP proxy?

    What if I wanted to specify the type of traffic leaving, such as random outbound ports like 9080, 3306, 80 etc.? (just as an alternative)

    I am also worried about the proxy server accepting the traffic from my backend server. I have Apache mod_proxy installed; should that work for my situation?

    I would hate losing the remote connectivity and really screwing up my server.

  4. #4
    Lazydog (Linux Guru)
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    The biggest question here is why do you want to do this/what do you expect to accomplish by doing this?

    Regards
    Robert

  5. #5
    Just Joined!
    Join Date
    Jun 2012
    Posts
    4
    I want to save an external IP address.

    The backend server connects to other networks (externally), and those networks have to make firewall changes to accept traffic from the backend server.

    If I can just have the backend server forward traffic to the front end proxy server, and the front end proxy server handles all the outbound traffic, then I will not have to ask those networks to accept traffic from another IP address.

    Let me know if you need a scenario or more detail.

  6. #6
    Lazydog (Linux Guru)
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    One option would be to change the default gateway for the backend servers to be the proxy. On the proxy, then set up SNAT or MASQ.

    Regards
    Robert

  7. #7
    Just Joined!
    Join Date
    Jun 2012
    Posts
    4
    I like this option

    iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 1.1.1.1

    I know I'm going back on my original need... but how can I just have traffic FROM the proxy be sent back to the proxy when the backend server returns the traffic?

    Scenario: the backend server accepts port 9080 traffic from the proxy. I would like to have the backend server send that 9080 traffic back to the proxy. So basically all traffic from the proxy should go back out through the proxy. All other traffic, like me managing it via a direct SSH connection or any other direct connections to that box (not going through the proxy), would not get routed back to the proxy server.

    Traffic from the proxy to the backend goes back outbound through the proxy. All other direct traffic is left going out normally (not through the proxy).

  8. #8
    Lazydog (Linux Guru)
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Quote Originally Posted by neeper67:
        I know I'm going back on my original need... but how can I just have traffic FROM the proxy be sent back to the proxy when the backend server returns the traffic?
    Have the proxy SNAT all traffic that leaves itself.

    Regards
    Robert
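The following is an added example (written for this page, not code posted by either participant) that puts posts #2, #6 and #8 together: the backend points its default route at the proxy, and the proxy forwards and source-NATs only the backend's TCP traffic out of its public interface. The addresses, interface names and admin subnet are constructed assumptions; the `masq` option is an assumption about cloud hosts where the public address is mapped to the instance rather than configured on the NIC, so SNAT to 1.1.1.1 as in post #2 would not match an address the kernel owns.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the proxy firewall rule set
# for the "backend default gateway -> proxy, proxy does SNAT/MASQ" design
# (posts #6 and #8). Every address and interface name is an assumption.
PROXY_PUBLIC_IP="1.1.1.1"      # elastic IP the client networks allow
PROXY_PUBLIC_IF="eth0"         # proxy interface facing the internet
PROXY_PRIVATE_IF="eth1"        # proxy interface facing the backend
PROXY_PRIVATE_IP="10.0.0.1"    # assumed private address of the proxy
BACKEND_PRIVATE_IP="10.0.0.2"  # assumed private address of the backend
BACKEND_IF="eth0"              # backend interface toward the proxy

# Emit an iptables-restore(8) rule set for the proxy.
# $1 selects the NAT target: "snat" rewrites to PROXY_PUBLIC_IP (the rule from
# post #2); "masq" uses MASQUERADE, which takes whatever address the egress
# interface holds (assumed to be the right choice when the provider maps the
# public IP onto the instance's private address).
gen_proxy_nat_rules() {
  case "$1" in
    snat) nat_target="SNAT --to-source ${PROXY_PUBLIC_IP}" ;;
    masq) nat_target="MASQUERADE" ;;
    *) echo "usage: gen_proxy_nat_rules snat|masq" >&2; return 1 ;;
  esac
  cat <<EOF
*filter
:FORWARD DROP [0:0]
# replies and related packets of connections the proxy already tracks
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# new TCP connections only from the backend, only toward the public side
-A FORWARD -i ${PROXY_PRIVATE_IF} -o ${PROXY_PUBLIC_IF} -s ${BACKEND_PRIVATE_IP} -p tcp -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# scoped with -s so the proxy's own traffic (your SSH session to the proxy,
# mod_proxy replies to clients) is never rewritten; a rule without -s is the
# remote-management problem post #2 warns about
-A POSTROUTING -s ${BACKEND_PRIVATE_IP} -o ${PROXY_PUBLIC_IF} -p tcp -j ${nat_target}
COMMIT
EOF
}

# Run on the proxy as root: enable forwarding and load the rules atomically.
apply_on_proxy() {
  sysctl -w net.ipv4.ip_forward=1
  gen_proxy_nat_rules "${1:-masq}" | iptables-restore
}

# Print the route changes for the backend (post #6).
# $1 = admin network (CIDR) you SSH from, $2 = the backend's current gateway.
# The specific route for the admin network is added first so that replies to a
# direct SSH session keep leaving the old way and are not sent to the proxy,
# which would drop them as untracked; this is the split post #7 asks for.
backend_route_cmds() {
  echo "ip route add $1 via $2 dev ${BACKEND_IF}"
  echo "ip route replace default via ${PROXY_PRIVATE_IP} dev ${BACKEND_IF}"
}
```

Review the generated text with `gen_proxy_nat_rules masq` before calling `apply_on_proxy`, and run `backend_route_cmds 203.0.113.0/24 10.0.0.254` (constructed values) to see the two commands for the backend. The rule set is TCP-only, as the original question asks, so UDP from the backend (DNS lookups, for instance) is not forwarded unless you add a matching rule; the FORWARD chain's DROP policy is deliberate so that nothing but the backend can use the proxy as a gateway.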
