Can I forward packets according to the domain ipset and port?

Support for security such as Firewalls and securing linux
blackantt
Posts: 2
Joined: 2017/03/17 11:02:01

Post by blackantt » 2017/03/17 11:25:09

Hi,

I have 2 VPSs. One is 40.77.185.129 as middle-vps (if the dst of the incoming packet is in ipset.test, then forward it to target-vps, or cope with it by itself); the other one is 40.77.96.174 as target-vps.

[middle-vps]#iptables -m set -h
iptables v1.4.21
...
set match options:
[!] --match-set name flags [--return-nomatch]
...

[middle-vps]#ipset -v
ipset v6.19

[middle-vps]#dnsmasq -v
Dnsmasq version 2.66 Copyright (c) 2000-2013 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth

[middle-vps]# dig whatismyipaddress.com
;; ANSWER SECTION:
whatismyipaddress.com. 19 IN A 104.66.15.245
;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar 17 08:26:47 UTC 2017
;; MSG SIZE rcvd: 66


[middle-vps]# ipset list
Name: test
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16560
References: 2
Members:
23.199.152.235
104.66.15.245



[middle-vps]# iptables-save
# Generated by iptables-save v1.4.21 on Fri Mar 17 08:24:48 2017
*nat
-A PREROUTING -p tcp -m set --match-set test dst -m tcp --dport 1989 -j DNAT --to-destination 40.77.96.174
-A PREROUTING -p udp -m set --match-set test dst -m udp --dport 1989 -j DNAT --to-destination 40.77.96.174
-A POSTROUTING -d 40.77.96.174/32 -p udp -m udp --dport 1989 -j SNAT --to-source 40.77.185.129
-A POSTROUTING -d 40.77.96.174/32 -p tcp -m tcp --dport 1989 -j SNAT --to-source 40.77.185.129
*filter
:INPUT ACCEPT [12139:4556698]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13730:5014005]
-A FORWARD -p udp -m udp --dport 1989 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 1989 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 1989 -j ACCEPT
-A FORWARD -p udp -m udp --sport 1989 -j ACCEPT
COMMIT
# Completed on Fri Mar 17 08:24:48 2017

When I access whatismyipaddress.com with Explorer, the IP is 40.77.185.129 (middle-vps); it's not what I need!

---------------------------- then try it without ipset.test

[middle-vps]# iptables -t nat -D PREROUTING -p tcp -m set --match-set test dst -m tcp --dport 1989 -j DNAT --to-destination 40.77.96.174
[middle-vps]# iptables -t nat -D PREROUTING -p udp -m set --match-set test dst -m udp --dport 1989 -j DNAT --to-destination 40.77.96.174
[middle-vps]# iptables -t nat -I PREROUTING -p tcp -m tcp --dport 1989 -j DNAT --to-destination 40.77.96.174
[middle-vps]# iptables -t nat -I PREROUTING -p udp -m udp --dport 1989 -j DNAT --to-destination 40.77.96.174
[middle-vps]# systemctl restart dnsmasq.service

When I access whatismyipaddress.com with Explorer, the IP is 40.77.96.174 (target-vps), but I want part of the packets (in ipset.test) forwarded to .174, and the others (! ipset.test) to go to middle-vps.

What's the problem?
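
A small simulator of the nat PREROUTING rules quoted above, added here as an example (not the poster's code): it parses both rule sets from the post, evaluates a packet the way `-m set --match-set test dst` and `--dport` do, and shows which arriving destinations are actually rewritten to 40.77.96.174. The client address 198.51.100.7 is a constructed placeholder; the set members and rules are copied from the post.

```python
import re

# Constructed from the ipset list and iptables-save output in the post.
IPSETS = {"test": {"23.199.152.235", "104.66.15.245"}}
WITH_SET = [
    "-A PREROUTING -p tcp -m set --match-set test dst -m tcp --dport 1989 -j DNAT --to-destination 40.77.96.174",
    "-A PREROUTING -p udp -m set --match-set test dst -m udp --dport 1989 -j DNAT --to-destination 40.77.96.174",
]
# The second attempt from the post, with the set match removed.
WITHOUT_SET = [
    "-A PREROUTING -p tcp -m tcp --dport 1989 -j DNAT --to-destination 40.77.96.174",
    "-A PREROUTING -p udp -m udp --dport 1989 -j DNAT --to-destination 40.77.96.174",
]

# Only the rule shape used in the post is parsed: optional set match, then dport and DNAT.
RULE_RE = re.compile(
    r"-A PREROUTING -p (?P<proto>tcp|udp)"
    r"(?: -m set --match-set (?P<set>\S+) (?P<dir>src|dst))?"
    r" -m (?P=proto) --dport (?P<dport>\d+) -j DNAT --to-destination (?P<to>\S+)"
)

def parse_rule(line):
    m = RULE_RE.fullmatch(line)
    if m is None:
        raise ValueError("unsupported rule: " + line)
    rule = m.groupdict()
    rule["dport"] = int(rule["dport"])
    return rule

def rule_matches(rule, pkt, ipsets):
    """pkt is a dict with proto, src, dst, dport, i.e. the packet as it arrives."""
    if pkt["proto"] != rule["proto"] or pkt["dport"] != rule["dport"]:
        return False
    if rule["set"] is not None:
        # '-m set --match-set NAME dst' tests the packet's own destination address,
        # the address the client actually connected to, not anything inside the payload.
        return pkt[rule["dir"]] in ipsets.get(rule["set"], set())
    return True

def prerouting(pkt, rule_lines, ipsets):
    """Destination after nat PREROUTING: rules are tried in order, first DNAT wins."""
    for rule in map(parse_rule, rule_lines):
        if rule_matches(rule, pkt, ipsets):
            return rule["to"]
    return pkt["dst"]

if __name__ == "__main__":
    for dst in ("104.66.15.245", "40.77.185.129"):
        pkt = {"proto": "tcp", "src": "198.51.100.7", "dst": dst, "dport": 1989}
        print(dst, "->", prerouting(pkt, WITH_SET, IPSETS), "(with set),",
              prerouting(pkt, WITHOUT_SET, IPSETS), "(without set)")
```

Running it shows that with the set match only a packet whose own destination is a set member (and whose port is 1989) is rewritten; a packet sent to middle-vps itself on port 1989 is left alone, while the set-less rules rewrite every port-1989 packet.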
