iptables question

wlambrechts Member
edited April 2017 in Help

Hi,

Is it possible to use iptables to port forward to another server (other datacenter) AND keep the sender's IP?

Assume:

VPS 1 has IP y.y.y.y

VPS 2 has IP z.z.z.z

A client (IP: x.x.x.x) makes a connection to y.y.y.y which directs the request to z.z.z.z

The commands below will do this. But VPS 2 will recognize the sender's IP as y.y.y.y instead of z.z.z.z (which I would like). I found this article, but can't seem to get it working, if it is possible in my scenario at all ... (see: http://alturl.com/xyugn)

These are the commands I use on VPS 1 (IP forwarding has been enabled in /etc/sysctl.conf on both servers):

iptables -t nat -A PREROUTING --dst y.y.y.y -p tcp --dport 80 -j DNAT --to-destination z.z.z.z:80

iptables -t nat -A POSTROUTING -j MASQUERADE

Thanks !

Comments

  • TheLinuxBug Member
    edited April 2017

    No, because IP x.x.x.x is not making the connection, y.y.y.y is, and therefore you can't tell server z.z.z.z that it's really getting a connection from x.x.x.x, because it is not.

    What you are wanting sounds more like you want to use Nginx as a reverse proxy and have it include a header which shows the real ip that is connecting (assuming you are trying to use this for a website). If not, then there is not really a way to accomplish what you are wanting because it would be the equivalent of spoofing your IP which most networks/network stacks won't allow (unless very insecure).

    my 2 cents.

    Cheers!

  • @TheLinuxBug said:
    No, because IP x.x.x.x is not making the connection, y.y.y.y is, and therefore you can't tell server z.z.z.z that it's really getting a connection from x.x.x.x, because it is not.

    What you are wanting sounds more like you want to use Nginx as a reverse proxy and have it include a header which shows the real ip that is connecting (assuming you are trying to use this for a website). If not, then there is not really a way to accomplish what you are wanting because it would be the equivalent of spoofing your IP which most networks/network stacks won't allow (unless very insecure).

    my 2 cents.

    Cheers!

    Thanks, that's exactly what I thought. Unfortunately a reverse proxy is not an option because the server app would not be a web server (but a mail server, for example).

  • Nginx can proxy mail. In fact, the Debian install of it ships with a sample config.

  • @JustAMacUser said:
    Nginx can proxy mail. In fact, the Debian install of it ships with a sample config.

    Thanks. I did not know NGINX could do this.
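The nginx mail proxy mentioned in the last two comments is the piece that actually answers the original question for SMTP. nginx's mail block holds no user database: for every login it sends an HTTP request to the URL configured with auth_http, carrying the credentials and the real client address (Client-IP) in request headers, and expects response headers naming the backend to connect to. For SMTP, nginx's xclient directive (on by default) then sends the XCLIENT command to that backend with the client's real address, which is how a backend that honours XCLIENT (Postfix does, for hosts listed in smtpd_authorized_xclient_hosts) sees x.x.x.x rather than the proxy's address. The auth_http backend below is an added example written for this thread, not code from nginx or from any poster; the user table, backend addresses, blocked network and listen port are all constructed assumptions.

```python
"""Minimal auth_http backend for nginx's mail proxy (added example).

nginx sends one GET per login attempt with these request headers:
  Auth-Method (plain|login|apop|cram-md5), Auth-User, Auth-Pass,
  Auth-Protocol (smtp|imap|pop3), Auth-Login-Attempt, Client-IP, Client-Host
and expects either
  Auth-Status: OK  plus  Auth-Server: <ip>  and  Auth-Port: <port>
or
  Auth-Status: <error text>  optionally with  Auth-Wait: <seconds>
"""
import hmac
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Constructed sample data (hypothetical); a real deployment would look these
# up in a directory or database rather than hard-code them.
USERS = {"alice@example.test": "s3cret"}
BACKENDS = {
    "smtp": ("10.0.0.2", 25),
    "imap": ("10.0.0.2", 143),
    "pop3": ("10.0.0.2", 110),
}
BLOCKED_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # hypothetical
MAX_ATTEMPTS = 3


def authorize(req):
    """Decide one login attempt.

    `req` maps nginx's request header names to their values; the return
    value is the dict of response headers nginx expects.
    """
    # Client-IP is the address nginx accepted the connection from, i.e. the
    # real sender that a plain DNAT + MASQUERADE hop would have hidden.
    try:
        client = ipaddress.ip_address(req.get("Client-IP", ""))
    except ValueError:
        return {"Auth-Status": "Client address missing"}
    if any(client in net for net in BLOCKED_NETS):
        return {"Auth-Status": "Access denied", "Auth-Wait": "5"}

    try:
        attempt = int(req.get("Auth-Login-Attempt", "1"))
    except ValueError:
        attempt = 1
    if attempt > MAX_ATTEMPTS:
        # nginx counts attempts per connection; slow the client down.
        return {"Auth-Status": "Too many login attempts", "Auth-Wait": "10"}

    proto = req.get("Auth-Protocol", "")
    if proto not in BACKENDS:
        return {"Auth-Status": "Unsupported protocol"}
    if req.get("Auth-Method") not in ("plain", "login"):
        # apop / cram-md5 hand us a digest plus Auth-Salt and need the
        # stored secret to verify; this example deliberately refuses them.
        return {"Auth-Status": "Unsupported auth method"}

    # nginx URL-escapes user and password before putting them in headers.
    user = unquote(req.get("Auth-User", ""))
    password = unquote(req.get("Auth-Pass", ""))
    expected = USERS.get(user, "")
    # Constant-time compare; unknown users fall through to the same answer,
    # so the response does not reveal which mailboxes exist.
    if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
        return {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}

    host, port = BACKENDS[proto]
    return {"Auth-Status": "OK", "Auth-Server": host, "Auth-Port": str(port)}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        resp = authorize({name: value for name, value in self.headers.items()})
        self.send_response(200)  # nginx reads Auth-Status, not the HTTP code
        for name, value in resp.items():
            self.send_header(name, value)
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep credentials out of stderr


if __name__ == "__main__":
    # Loopback only: anyone who can reach this port can learn backend
    # addresses and drive the password check directly.
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

With this running, the mail block on VPS 1 would point at it with auth_http 127.0.0.1:9000/auth; and the SMTP backend on VPS 2 must be told to trust XCLIENT from y.y.y.y, otherwise Postfix ignores the command and keeps logging the proxy's address. For IMAP and POP3 there is no XCLIENT equivalent, so the backend sees y.y.y.y unless it accepts the PROXY protocol, which newer nginx versions can emit from the mail block; the Client-IP header seen here is still the right place to do per-client blocking and rate limiting.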
