Score:0

Forward specific external traffic to LAN server


I want to redirect the incoming traffic to my server, in which iptables is working, to another server in LAN. However, I only want this to work if the incoming traffic is coming from a specific external IP address. Otherwise, the traffic should be dropped.

Let me give an example to clarify it:

  • External client IP: 88.88.88.88
  • Server IP (in same LAN): 172.26.0.99
  • Destination IP (in same LAN): 172.26.0.11

Redirection example

  1. Client (88.88.88.88) connects to SERVER IP (172.26.0.99)
  2. Traffic is tunnelled to Destination IP (172.26.0.11).

Drop example

  1. Stranger client (66.66.66.66) tries to connect to SERVER IP (172.26.0.99)
  2. Traffic is DROPPED
A.B: Is *server* the gateway of *destination*? If not, does *destination* need to keep seeing 88.88.88.88 as the source?
blacksoul: It's not the gateway, as the gateway would be the ISP router. Destination doesn't need to keep seeing the 88.88.88.88 source; it just needs to be reached through the tunnel I described.
djdomi: Is there a reason why we speak about LAN and hide the IPs? 10/8, 172.16/16 and 192.168/16 are not routed to the internet.
blacksoul: Sorry, I thought it was easier to read that way. I will update the question using my real LAN IPs.
Score:1

If I understood correctly, you want to forward all traffic from 88.88.88.88 to the protected server 172.26.0.11. Here's an example using NAT:

sysctl net.ipv4.ip_forward=1

iptables -t nat -A PREROUTING -i <wan-if> -s 88.88.88.88 -j DNAT --to-destination 172.26.0.11
iptables -t nat -A POSTROUTING -s 88.88.88.88 -d 172.26.0.11 -j SNAT --to-source 172.26.0.99
iptables -A FORWARD -s 88.88.88.88 -d 172.26.0.11 -j ACCEPT

Alternatively, to forward on a per-port basis, use ipvs, systemd sockets or iptables -j REDIRECT to set up the forwarding, and firewall the port. Example with ipvs and iptables:

sysctl net.ipv4.vs.conntrack=1

ipvsadm -A -t "172.26.0.99:<port>" -s rr
ipvsadm -a -t "172.26.0.99:<port>" -r "172.26.0.11:<port>" -m

iptables -A INPUT -s 88.88.88.88 -j ACCEPT -m comment --comment "Allow 88.88.88.88"
iptables -A INPUT -j DROP -m comment --comment "Catch-all drop"
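To put the NAT variant together with the explicit drop the question asks for, here is an added example (not part of the answer above): a small shell generator that prints the complete ruleset for the question's addresses so it can be reviewed before being piped to `sh` on 172.26.0.99. The WAN interface name `eth0` is an assumption, standing in for the answer's `<wan-if>`.

```shell
#!/bin/sh
# Added example: emit the DNAT/SNAT ruleset for the question's setup, with an
# explicit drop for every other external source. The interface name is assumed.
set -eu

# Print the commands (one per line) instead of running them, so they can be
# reviewed first and then piped to sh on the 172.26.0.99 host.
nat_rules() {
    wan_if=$1        # e.g. eth0 (assumed; the answer wrote <wan-if>)
    client=$2        # the only external source that may be forwarded (88.88.88.88)
    public_ip=$3     # address on this server that the client connects to
    backend=$4       # LAN host that receives the forwarded traffic

    echo "sysctl -w net.ipv4.ip_forward=1"
    # Rewrite the destination only for the allowed source; every other source
    # keeps hitting this server's INPUT chain, where it is dropped below.
    echo "iptables -t nat -A PREROUTING -i $wan_if -s $client -d $public_ip -j DNAT --to-destination $backend"
    # Source-NAT so the backend answers through this host (Martin's point in the
    # comments): without it the reply would leave via the LAN gateway instead.
    echo "iptables -t nat -A POSTROUTING -s $client -d $backend -j SNAT --to-source $public_ip"
    # Forward the allowed flow and its replies, then refuse all other forwarding.
    echo "iptables -A FORWARD -s $client -d $backend -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -P FORWARD DROP"
    # Local services: a stranger such as 66.66.66.66 is dropped on the WAN side.
    echo "iptables -A INPUT -i $wan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $wan_if -s $client -j ACCEPT"
    echo "iptables -A INPUT -i $wan_if -j DROP"
}

# Self-check helper: how many emitted rules mention a given address.
rule_count_for() {
    nat_rules "$1" "$2" "$3" "$4" | grep -c -- "$5"
}

# Review the output, then: nat_rules eth0 88.88.88.88 172.26.0.99 172.26.0.11 | sh
nat_rules eth0 88.88.88.88 172.26.0.99 172.26.0.11
```

The `FORWARD` policy and the trailing `INPUT` drop are what turn the answer's allow-list into the "otherwise dropped" behaviour the question asked for.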
Martin: I was thinking about writing my own reply, but decided against it. Add a SNAT to the POSTROUTING chain and your example will work: ```iptables -t nat -A POSTROUTING -s 88.88.88.88 -d 172.26.0.11 -j SNAT --to-source 172.26.0.99``` Otherwise, the reply from the "protected" server will take a different route than the initial packet took! And do not forget to turn on ```ip_forwarding```...

Answerer: Thanks - updated the answer.
blacksoul: It worked, thanks! I tried with your first example.