
Configuring linux as a forwarder to forward another ip

Posted: 2018/10/14 15:19:15
by z080236
I wish to configure my centos 7 as a router using firewall-cmd that acts as some kind of proxy

incoming traffic (port 80) -> centos 7 (forwarder, check dest ip address in blacklist, if match forward to http server) -> HTTP server (listening on port 80) which shows an access denied page.

From a networking point of view, the dst ip is NATed to the http server ip.

If I wish to configure something like that, does my centos 7 need to listen on port 80?

It might not be limited to just port 80, it could be some other ports, then I will check if the dest ip address is in the blacklist.

Re: Configuring linux as a forwarder to forward another ip

Posted: 2018/10/14 16:22:17
by TrevorH
You can do all of that with just iptables (and possibly using firewalld). You can also use nginx or httpd as a proxy to forward http requests in which case they would need to be installed and configured.

Re: Configuring linux as a forwarder to forward another ip

Posted: 2018/10/15 01:01:39
by z080236
I tried to use firewall-cmd but was unsuccessful

Below is the cmd that I tried:

Incoming traffic->VM(192.168.56.101)-> HTTP Server(192.168.56.102)port 80

Code:

firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=80:toaddr=192.168.56.102
firewall-cmd --reload
After I applied them, it is still not listening on port 80.

May I know what I have done incorrectly?

Re: Configuring linux as a forwarder to forward another ip

Posted: 2018/10/16 21:50:26
by hunter86_bg
1. You don't need this one:

Code:

firewall-cmd --add-port=80/tcp --permanent
2. As you don't state a zone, you are using the default one, but are your requests on the same zone? Is it possible that your receiving interface is on another zone?

Re: Configuring linux as a forwarder to forward another ip

Posted: 2018/10/17 06:18:25
by jlehtone
z080236 wrote (2018/10/15 01:01:39):
VM(192.168.56.101)-> HTTP Server(192.168.56.102)
These addresses are on the same subnet? Where is the client?
For DNAT the IP address of the VM is not important.

Typical "forwarding" has:

Code:

clientX--lanA--YrouterZ--lanB--Wserver
where
* routerZ is the default gateway of lanB
* router does DNAT to-dst W the packets arriving from client to routerY
* router does allow forwarding from lanA to W (and back)
* Wserver sends replies via routerZ
* router's DNAT rule puts routerY as "from" into the replies

The port forwarding in itself does not require masquerade.
Do you have the "typical" setup?
Does the router simply route, or does it have to SNAT (aka masquerade) on its external interface (Y)?

If the latter, then I would start with Y on zone 'external' and Z on zone 'public'.

If client, forwarder, and server are on the same subnet, then the server would send replies directly to the client, rather than via the forwarder. The client, who did talk to the forwarder, would not expect traffic from the server.

There is a way around that (other than routes in the server): the forwarder does SNAT packets that leave towards the server. Thus:
* client thinks that it talks with the forwarder (due to DNAT)
* server thinks that it talks with the forwarder (due to SNAT)
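The two points above (the original poster's "blacklisted destination goes to the denied-page server" and the hairpin SNAT in the last reply) put together as an added example; it is not code from the thread, and it uses plain iptables/ipset, which TrevorH's reply mentions, rather than firewall-cmd. It assumes the thread's addresses (forwarder 192.168.56.101, server 192.168.56.102), a /24, and an assumed client address; on a firewalld host these rules would have to be loaded through firewalld rather than beside it.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): print the iptables/ipset commands for
# "blacklisted destination on PORT -> DNAT to the access-denied server", adding
# the hairpin SNAT that jlehtone describes only when client, forwarder and
# server share one subnet. Addresses from the thread: forwarder 192.168.56.101,
# server 192.168.56.102; the client address and /24 are assumptions.
set -eu

# ip4_to_int 192.168.56.101 -> 3232249957 (dotted quad to 32-bit integer)
ip4_to_int() {
    local a b c d
    IFS=. read -r a b c d <<< "$1"
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# same_subnet IP1 IP2 PREFIXLEN -> status 0 if both fall in the same /PREFIXLEN
same_subnet() {
    local mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

# build_rules FORWARDER SERVER CLIENT PREFIXLEN PORT BLACKLISTED_IP...
# Only prints the commands; review them, then run e.g. "build_rules ... | sudo sh".
build_rules() {
    local fwd=$1 srv=$2 cli=$3 plen=$4 port=$5 ip
    shift 5
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "ipset create blacklist hash:ip -exist"
    for ip in "$@"; do
        echo "ipset add blacklist $ip -exist"
    done
    # DNAT: a request for a blacklisted destination is steered to the denied-page server
    echo "iptables -t nat -A PREROUTING -p tcp --dport $port -m set --match-set blacklist dst -j DNAT --to-destination $srv:$port"
    # The router must also forward the rewritten flow and the replies
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -p tcp -d $srv --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    if same_subnet "$fwd" "$srv" "$plen" && same_subnet "$fwd" "$cli" "$plen"; then
        # Hairpin case: the server would otherwise reply straight to the client,
        # so make it see the forwarder as the source and send replies via us
        echo "iptables -t nat -A POSTROUTING -p tcp -d $srv --dport $port -j SNAT --to-source $fwd"
    fi
}
```

With the client on another subnet the SNAT line is omitted and the server's own default route must lead back through the forwarder, which is the "typical" setup jlehtone describes.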