Linux Iptables and forwarding all traffic from one IP to another IP

adreamer

Member
Mar 26, 2009
Ok..I've googled my brains out on this one and so far nothing has worked. Here is what I want to do.

I have Server A which has access to Server B. Server B has access to Servers 1-10 which are behind a firewall.

I am doing snmpwalks for performance information. I have an SNMP proxy set up on Server B. So if I provide the proxy community string of Server 1-10 to Server B, it will return the SNMP information of Server 1.

What I need is from Server A.. if I run snmpwalk -v2c -cpublic1 server1 system

I want it to actually connect to snmpwalk -v2c -cpublic1 ServerB system

So I want to try and set up iptables so that from Server A any requests for Server 1-10 IPs will actually be directed to Server B's IP.

I am using Red Hat 6.2.

Any help is appreciated.
 

bobross419

Golden Member
Oct 25, 2007
If Server A has no other reason to connect to Server 1-10, you could just add some entries to the hosts file with those hostnames associated with the IP for Server B.

I should say, if Server A has no reason to connect to Server 1-10 that doesn't need to go through Server B first.
 

adreamer

Member
Mar 26, 2009
So maybe if I write it in these terms with IP addresses..


Server A 115.1.30.1

Server B 115.1.40.1 has 2 nics.. so it also has a 115.1.30.2 address.

Server 1 - 10.. 115.1.40.2-11

Server B is essentially the access point/server to get into the firewall Servers 1-10 are behind. I have to go through Server B to get to any of the other servers. Although Server 1-10's IPs exist in DNS, the IPs will not resolve.
 

mv2devnull

Golden Member
Apr 13, 2010
First, AFAIK, RHEL 6 is now on update 4, not 2.

In traditional networking a server process listens somewhere, say 1.2.3.4:80, and the client process connects to that address.

Now, your network sounds like it would be:
Code:
(srvA *.30.1) --lanX-- (*.30.2 srvB *.40.1) --lanY-- (*.40.2 srv1)
If the server is *.40.2:Z and srvA is the client, then the first option is routing:
Code:
srvA# ip route add *.40.0/24 via *.30.2
srvB# enable routing and permit in FORWARD
If that is not possible, then tell srvA that the server is at *.30.2:K and
Code:
srvB# enable routing, permit in FORWARD and add a DNAT rule
iptables -t nat -A PREROUTING -d *.30.2 -p tcp --dport K -j DNAT --to-destination *.40.2:Z
In both cases the srv[1-10] must have a route to *.30.1 via *.40.1.

If the server is actually running in srvB, then there is almost nothing to do. Client (srvA) will talk to server in srvB. That server will be a client that contacts srv[1-10]. Two independent network connections. No routing.


The base rule of network security: If you don't know for sure, then you will mess up. Don't.
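The two srvB-side options above (routing with a permissive FORWARD chain, or DNAT on srvB's LAN-X address), as an added example that is not part of the thread or the poster's own commands. It only prints the commands so they can be reviewed before being run as root on srvB; the interface names eth0/eth1 and the 115.1.x.y addresses are assumptions taken from the earlier post, and the FORWARD rules are scoped to srvA and the LAN-Y network rather than accepting everything.

```shell
#!/bin/sh
# Added example, not from the thread or its posters: emits the Server B ("srvB")
# commands for the two options described above: plain routing with a restricted
# FORWARD chain, or a DNAT rule that rewrites srvB's LAN-X address:K to srv:Z.
# Commands are printed, not executed; review them and run them as root on srvB.
# Interface names and the 115.1.x.y addresses are assumptions from the thread.

LANX_IF="eth0"            # srvB interface on LAN X, towards srvA (assumed name)
LANY_IF="eth1"            # srvB interface on LAN Y, towards srv1-10 (assumed name)
SRVA="115.1.30.1"         # srvA
SRVB_LANX="115.1.30.2"    # srvB's address as seen from srvA
LANY_NET="115.1.40.0/24"  # the network srv1-10 live on

# Option 1: routing. srvA gets "ip route add 115.1.40.0/24 via 115.1.30.2";
# srvB enables forwarding but only permits srvA -> LAN Y and the replies,
# so srvB does not become a general-purpose router between the two LANs.
routing_rules() {
    printf '%s\n' \
      "sysctl -w net.ipv4.ip_forward=1" \
      "iptables -A FORWARD -i $LANX_IF -o $LANY_IF -s $SRVA -d $LANY_NET -j ACCEPT" \
      "iptables -A FORWARD -i $LANY_IF -o $LANX_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Option 2: DNAT. srvA is told the service lives at $SRVB_LANX:K; srvB rewrites
# the destination to BACKEND:Z before routing. The FORWARD rule is scoped to
# exactly that flow. Usage: dnat_rules <tcp|udp> <K> <backend-ip> <Z>
dnat_rules() {
    proto="$1"; k="$2"; backend="$3"; z="$4"
    case "$proto" in
        tcp|udp) ;;
        *) echo "dnat_rules: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    printf '%s\n' \
      "sysctl -w net.ipv4.ip_forward=1" \
      "iptables -t nat -A PREROUTING -i $LANX_IF -s $SRVA -d $SRVB_LANX -p $proto --dport $k -j DNAT --to-destination $backend:$z" \
      "iptables -A FORWARD -i $LANX_IF -o $LANY_IF -s $SRVA -d $backend -p $proto --dport $z -j ACCEPT" \
      "iptables -A FORWARD -i $LANY_IF -o $LANX_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# In both options the reply path matters: srv1-10 must route 115.1.30.0/24 via
# 115.1.40.1 (srvB), otherwise replies to srvA never come back through srvB.
# If their routing tables cannot be changed, hide srvA behind srvB's LAN-Y
# address instead (source NAT on the way out). This is a third option that the
# thread does not use.
snat_rule() {
    printf '%s\n' \
      "iptables -t nat -A POSTROUTING -o $LANY_IF -s $SRVA -j MASQUERADE"
}

# The SNMP case from the thread: srvA queries udp/161 on srvB's LAN-X address
# and the packet is delivered to Server 1 (115.1.40.2 is an assumed address).
dnat_rules udp 161 115.1.40.2 161
```

Because SNMP is UDP, the `ESTABLISHED,RELATED` reply rule relies on connection tracking of UDP "pseudo-connections", which iptables on RHEL 6 does by default; the same functions produce TCP rules by passing `tcp` as the first argument.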
 

adreamer

Member
Mar 26, 2009
Thanks for the response..

Yes the client on Server B handles all of the connections to Server 1-10.

So (as an example..I am not using telnet but) if I am on Server A and I say type telnet 10.1.40.7...I want it to actually telnet to 10.1.30.2. So server A thinks it is connecting to one of the other Server1-10 but in reality is going to Server B.

Part of my problem is my client on Server A that wants to connect to Server 1-10 has to use unique IPs. The older version used to let you have duplicate IPs (so I would make them all point to Server B and the Server B client took care of it). Now I have to sort of trick the client on A to go to Server B.

I'll poke around with some of what you put, but if you can think of anything else, much obliged.
 

mv2devnull

Golden Member
Apr 13, 2010
Ok.

Q: What should happen, when one does:
Code:
ssh Server1

A:
1. String "Server1" is resolved into an IP address 10.1.40.7 by DNS or /etc/hosts.
2. Routing decision. Destination is one of
a. localhost
b. local LAN
c. behind gateway, and IP of gateway is on local LAN
3. ARP broadcasts to LAN: Who has IP X? (in b X is destination, in c X is gateway)
4. X responds with MAC address Y.
5. Packet is sent to Y.
In case b the "Server1" does whatever it does for incoming ssh connections.
In case c the gateway does a routing decision. Repeat from 2.

Thus, things are easy for the Server A: just
Code:
ip route add 10.1.40.0/24 via 10.1.30.2
now Server A thinks that Server B is the gateway to 10.1.40.0/24.

You want that route added during boot. Add it to configuration file. Which file? Depends on whether you use the "NetworkManager" service or the "network" initscript.


What you do in Server B is then not a concern of Server A.
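The boot-time version of the route above for the "network" initscript case, as an added example that is not the poster's. On RHEL 6 the initscript reads static routes from /etc/sysconfig/network-scripts/route-<iface> in the same syntax as "ip route"; the interface name eth0 is an assumption, and the addresses are the 10.1.x.y ones used in this part of the thread. The last function checks the live routing table so you can confirm Server A really sends 10.1.40.x traffic via Server B after restarting networking.

```shell
#!/bin/sh
# Added example, not the poster's: makes the "ip route add 10.1.40.0/24 via
# 10.1.30.2" from the post above survive a reboot on RHEL 6 when the classic
# "network" initscript (not NetworkManager) manages the interface. The
# initscript reads /etc/sysconfig/network-scripts/route-<iface>; the interface
# name eth0 is an assumption. Run the write step as root on Server A.

ROUTE_NET="10.1.40.0/24"   # Servers 1-10, addresses as used in the thread
ROUTE_GW="10.1.30.2"       # Server B's address on Server A's LAN
IFACE="eth0"               # Server A's interface towards Server B (assumed)

# The route-<iface> file accepts "ip route" syntax, one route per line.
route_entry() {
    printf '%s via %s\n' "$ROUTE_NET" "$ROUTE_GW"
}

# Append the entry to $1 (default: the real route-$IFACE path). Refuses to add
# a second line for the same prefix, so re-running the script is harmless.
write_route_file() {
    f="${1:-/etc/sysconfig/network-scripts/route-$IFACE}"
    if [ -f "$f" ] && grep -q "^$ROUTE_NET via " "$f"; then
        echo "write_route_file: $ROUTE_NET already present in $f" >&2
        return 1
    fi
    route_entry >> "$f"
}

# After "service network restart" (or a manual "ip route add"), confirm the
# kernel really sends traffic for one of the hidden servers via Server B.
# Prints the chosen next hop, or nothing if the destination is not routed.
live_next_hop() {
    ip route get "$1" 2>/dev/null | sed -n 's/.* via \([0-9.]*\) .*/\1/p'
}

# Usage on Server A (as root):
#   write_route_file && service network restart
#   [ "$(live_next_hop 10.1.40.7)" = "$ROUTE_GW" ] && echo "Server 1 is reached via Server B"
```

If NetworkManager manages the interface instead, the route-eth0 file is ignored and the same route has to be added to the connection profile; the `live_next_hop` check works either way.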
 

adreamer

Member
Mar 26, 2009
Going on vacation..I'll give it a try when I get back in a week. Thanks again. I'll let you know what I find then.
 

adreamer

Member
Mar 26, 2009
Well. I tried those solutions and so far nothing. I even tried to set up an IP tunnel to no avail, including adding a 2nd NIC to my Server A on the same subnet as Server B. I'm sure I am doing something wrong...however I was able to get my problem solved by another means.

I essentially set up an SNMP proxy on Server B, and for my application running on A I found a way to force it to use Server B's IP address for all of the servers behind Server B. Originally the application wouldn't allow duplicate IPs for devices; however, I changed the IPs manually in the database the application uses.

Thanks for the help though.
 