Configuring linux as a forwarder to forward another ip

Support for security such as Firewalls and securing linux
Post Reply
z080236
Posts: 7
Joined: 2015/06/08 10:32:46

Configuring linux as a forwarder to forward another ip

Post by z080236 » 2018/10/14 15:19:15

I wish to configure my centos 7 as a router using firewall-cmd that act some kind of proxy

incoming traffic (port 80)-> centos 7 (forwarder, check dest ip address in blacklist, if match forward to http server) -> HTTP server(listening port 80)which show access denied page.

In networking point of view, dst ip nat to http server ip

If I wish to configure something like that , does my centos 7 need to listen to port 80?

It might not be just limited to port 80 , could be some other ports , then I will check if dest ip address in blacklist

User avatar
TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Configuring linux as a forwarder to forward another ip

Post by TrevorH » 2018/10/14 16:22:17

You can do all of that with just iptables (and possibly using firewalld). You can also use nginx or httpd as a proxy to forward http requests in which case they would need to be installed and configured.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

z080236
Posts: 7
Joined: 2015/06/08 10:32:46

Re: Configuring linux as a forwarder to forward another ip

Post by z080236 » 2018/10/15 01:01:39

I tried to use firewall-cmd but was unsuccessful

Below is the cmd that i tried:


Incoming traffic->VM(192.168.56.101)-> HTTP Server(192.168.56.102)port 80

Code: Select all

firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=80:toaddr=192.168.56.102
firewall-cmd --reload
After I applied, the port is not listening to port 80.

May I know what I have done incorrectly?

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: Configuring linux as a forwarder to forward another ip

Post by hunter86_bg » 2018/10/16 21:50:26

1. You don't need this one:

Code: Select all

firewall-cmd --add-port=80/tcp --permanent
2. As you don't state a zone, you are using the default one, but are your requests on the same zone ? Is it possible that your receiving interface is on another zone ?

User avatar
jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Configuring linux as a forwarder to forward another ip

Post by jlehtone » 2018/10/17 06:18:25

z080236 wrote:
2018/10/15 01:01:39
VM(192.168.56.101)-> HTTP Server(192.168.56.102)
These addresses are on the same subnet? Where is the client?
For DNAT the IP address of the VM is not important.


Typical "forwarding" has:

Code: Select all

clientX--lanA--YrouterZ--lanB--Wserver
where
* routerZ is the default gateway of lanB
* router does DNAT to-dst W the packets arriving from client to routerY
* router does allow forwarding from lanA to W (and back)
* Wserver sends replies via routerZ
* router's DNAT rule puts routerY as "from" into the replies

The port forwarding in itself does not require masquerade.
Do you have the "typical" setup?
Does the router simply route, or does it have to SNAT (aka masquerade) on its external interface (Y)?

If the latter, then I would start with Y on zone 'external' and Z on zone 'public'.


If client, forwarder, and server are on the same subnet, then server would send replies directly to client, rather than via the forwarder. The client, who did talk to forwarder, would not expect traffic from the server.

There is a way around that (other than routes in the server): the forwarder does SNAT packets that leave towards the server. Thus:
* client thinks that it talks with the forwarder (due to DNAT)
* server thinks that it talks with the forwarder (due to SNAT)

Post Reply