I have two RHEL servers, one frontend and one backend, connected like this:
----eth0---frontend---eth0 -------- eth0 ----- backend
Also, I've set port forwarding between two servers for certain ports via iptables:
# Generated by iptables-save v1.4.21 on Fri Oct 28 08:11:16 2022
*filter
:INPUT ACCEPT [1596477:1248637845]
:FORWARD ACCEPT [1430638:1055355293]
:OUTPUT ACCEPT [1280144:1191615292]
COMMIT
# Completed on Fri Oct 28 08:11:16 2022
# Generated by iptables-save v1.4.21 on Fri Oct 28 08:11:16 2022
*nat
:PREROUTING ACCEPT [37977:3175775]
:INPUT ACCEPT [5252:797745]
:OUTPUT ACCEPT [558:37756]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 220 -j DNAT --to-destination BACKEND_IP:22
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Oct 28 08:11:16 2022
# Generated by iptables-save v1.4.21 on Fri Oct 28 08:11:16 2022
*mangle
:PREROUTING ACCEPT [3046033:2305065083]
:INPUT ACCEPT [1596477:1248637845]
:FORWARD ACCEPT [1430638:1055355293]
:OUTPUT ACCEPT [1280144:1191615292]
:POSTROUTING ACCEPT [2710782:2246970585]
COMMIT
# Completed on Fri Oct 28 08:11:16 2022
# Generated by iptables-save v1.4.21 on Fri Oct 28 08:11:16 2022
*raw
:PREROUTING ACCEPT [3046033:2305065083]
:OUTPUT ACCEPT [1280144:1191615292]
COMMIT
Port forwarding worked perfectly fine.
Now, I've decided to connect both servers via openvpn, with the backend server being the default gateway for the frontend. The new routing table looks like this:
---eth0---frontend --- tun0 === tun0 ---- backend ---- eth0
0.0.0.0 10.8.0.1 0.0.0.0 UG 0 0 0 tun0
Also, in order for the frontend server to be accessible via eth0, I've added a small routing table for it like this:
echo 200 reth0 >> /etc/iproute2/rt_tables
echo 201 rtun0 >> /etc/iproute2/rt_tables
ip rule add from FRONTEND_IP table reth0
ip route add default via FRONTEND_GW dev eth0 table reth0
ip rule add from 10.8.0.2 table rtun0
ip route add default via 10.8.0.1 dev tun0 table rtun0
And I edited iptables to look like this:
-A PREROUTING -p tcp -m tcp --dport 220 -j DNAT --to-destination 10.8.0.1:22
After adding this, everything I planned works fine, except that the port forwarding does not work anymore; I get the error "connection refused".
I'm sure I'm making a mistake somewhere, but as much as I searched the web, I couldn't find any solution.
I'd appreciate it if I could be guided to fix the issue.
Thanks
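An added example, not part of the original post: a small Python parser for the iptables-save format quoted above. It loads the question's own ruleset (BACKEND_IP kept as the poster's placeholder) and reports the DNAT rules, the filter FORWARD policy and any catch-all MASQUERADE, so the forwarding setup can be reviewed before and after the tun0 change. Function names are my own.

```python
"""Parse iptables-save output and audit the NAT/forwarding setup (added example)."""
import re
from collections import defaultdict

# Sample input: the ruleset from the question, counters and comments included.
SAMPLE = """\
# Generated by iptables-save v1.4.21 on Fri Oct 28 08:11:16 2022
*filter
:INPUT ACCEPT [1596477:1248637845]
:FORWARD ACCEPT [1430638:1055355293]
:OUTPUT ACCEPT [1280144:1191615292]
COMMIT
*nat
:PREROUTING ACCEPT [37977:3175775]
:INPUT ACCEPT [5252:797745]
:OUTPUT ACCEPT [558:37756]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 220 -j DNAT --to-destination BACKEND_IP:22
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": {chain: [rule...]}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # table header, e.g. *nat
            table = line[1:]
            tables[table] = {"policies": {}, "rules": defaultdict(list)}
        elif line.startswith(":"):                    # chain policy line
            chain, policy = line[1:].split()[:2]
            tables[table]["policies"][chain] = policy
        elif line.startswith("-A "):                  # rule appended to a chain
            tables[table]["rules"][line.split()[1]].append(line)
    return tables

def audit(tables):
    """Return review findings: DNAT targets, unfiltered forwarding, blanket SNAT."""
    findings = []
    if tables.get("filter", {}).get("policies", {}).get("FORWARD") == "ACCEPT":
        findings.append("filter FORWARD policy is ACCEPT: forwarded traffic is unfiltered")
    nat = tables.get("nat", {"rules": {}})["rules"]
    for rule in nat.get("PREROUTING", []):
        m = re.search(r"--dport (\S+) -j DNAT --to-destination (\S+)", rule)
        if m:
            findings.append(f"DNAT: port {m.group(1)} -> {m.group(2)}")
    if any(r.endswith("-j MASQUERADE") and " -o " not in r for r in nat.get("POSTROUTING", [])):
        findings.append("unconditional MASQUERADE: backend never sees real client source IPs")
    return findings
```

Run `audit(parse_iptables_save(SAMPLE))` against the saved ruleset before and after the tun0 change to see which DNAT target and SNAT behaviour is actually in effect.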