
Can I IP forward and keep the original client IP from server A to B?


I'm a web developer and I don't have good knowledge of DevOps and server configuration. I use this code for forwarding data from server A to B from the client. What I mean is:


Now, how can I keep the original client IP when I use IP forwarding to server B? Is there any way? I used the following commands before, but I don't know whether they work for my new setup or not:

# allow the kernel to forward packets between interfaces
sysctl net.ipv4.ip_forward=1
# packets arriving for TCP port 22 have their destination rewritten to server A
iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination serverA_IP
# every other arriving packet has its destination rewritten to server B
iptables -t nat -A PREROUTING -j DNAT --to-destination serverB_IP
# rewrite the source address of forwarded packets to this host's own address
iptables -t nat -A POSTROUTING -j MASQUERADE

If the 'client' is connecting directly to 'Server A', then you shouldn't need any NAT rules for SSH, as you are connecting directly to it. However, if what you want is for the client to connect to Server A's IP address over SSH but end up at Server B on port 22, then what you want is:

-A PREROUTING -s x.x.x.x/32 -d x.x.x.x/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination x.x.x.x:22

Replace the first 'x.x.x.x/32' with the IP address that the client is expected to connect from (this one can be removed entirely if not known or not wanted). Replace the second 'x.x.x.x/32' with the IP address you expect the client to access (the IP address of Server A). Finally, change the --to-destination x.x.x.x:22 to the IP address of Server B.

Now, if you want to use this same process for different servers, this can be done by changing the --dport to 2201 (for example) and giving this port to client 1, and having --dport 2202 for client 2 but going to a different server.

Hope that helps.

~Regards, Scott

Ezioadf2: No, the client IP is dynamic, so maybe I have to delete "-d" too? And what does "/32" mean?
Scott McKeown: The '-d' is for the destination address (the address that you expect the client to connect to); the '/32' is the CIDR block for the address, so you are saying this IP address only.
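The per-port mapping the answer above describes (one listening port on Server A per backend server), written out as a small script. This is an added example, not code from the original thread or from either poster; the addresses, ports and the MAPPING table are assumed values. It prints the commands instead of running them so they can be reviewed first, and it makes explicit the trade-off behind the original question: the MASQUERADE rule is what makes the backend see Server A's address instead of the client's.

```sh
#!/bin/sh
# Added example (not code from the original thread): emit the iptables rules
# that forward one port on server A to SSH on a backend, one port per backend,
# as the answer above describes. Addresses and ports are assumed values.
# Commands are printed rather than executed so you can review them first;
# pipe the output into "sh" as root to apply.
set -u

A_IP="${A_IP:-198.51.100.1}"              # assumed: address clients connect to
PRESERVE_SOURCE="${PRESERVE_SOURCE:-no}"  # yes = omit MASQUERADE, see ruleset()

# dnat_rule DPORT BACKEND_IP BACKEND_PORT
# Rewrite the destination of TCP packets arriving for A_IP:DPORT.
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -d %s/32 -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$A_IP" "$1" "$2" "$3"
}

# forward_rule BACKEND_IP BACKEND_PORT
# Allow the rewritten packets through FORWARD (needed if its policy is DROP).
forward_rule() {
    printf 'iptables -A FORWARD -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$1" "$2"
}

# masquerade_rule BACKEND_IP BACKEND_PORT
# Replace the client's source address with A's own. The backend then sees
# every connection as coming from A, which is why the client IP is lost.
masquerade_rule() {
    printf 'iptables -t nat -A POSTROUTING -p tcp -d %s --dport %s -j MASQUERADE\n' "$1" "$2"
}

# ruleset MAPPING
# MAPPING holds one "DPORT BACKEND_IP BACKEND_PORT" triple per line.
# With PRESERVE_SOURCE=yes the MASQUERADE rule is omitted and the backend
# sees the real client address, but then the backend must route its replies
# back through A (for example with A as its default gateway); otherwise the
# replies bypass A, the DNAT is never undone and the connection never completes.
ruleset() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
    echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "$1" | while read -r dport backend bport; do
        [ -z "$dport" ] && continue
        dnat_rule "$dport" "$backend" "$bport"
        forward_rule "$backend" "$bport"
        if [ "$PRESERVE_SOURCE" != yes ]; then
            masquerade_rule "$backend" "$bport"
        fi
    done
}

# Assumed mapping: client 1 is given port 2201, client 2 port 2202.
MAPPING='2201 192.0.2.11 22
2202 192.0.2.12 22'

ruleset "$MAPPING"
```

Run it as `PRESERVE_SOURCE=yes sh forward.sh` to see the variant without MASQUERADE; that variant only works when each backend's return path to the internet goes through Server A, so check the backend's routing table before applying it.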

When you are performing DNAT/SNAT as in your example, you cannot preserve the client IP address, since that address is changed by the NAT on Server A.

Depending on the application protocol, you can attach the client IP to the request, for example in HTTP request headers. This requires setting up a reverse proxy on Server A.

However, there is no such mechanism for SSH, for example.
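The HTTP-header approach this answer mentions has a catch worth showing: the header is set by the client as well as by the proxy. With nginx on Server A, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends the connecting peer's address to whatever X-Forwarded-For the client already sent, so only the rightmost entry added by a proxy you trust is reliable. The script below, an added example and not code from the original thread or from the answerer, recovers the client address on Server B with that rule; the trusted-proxy address and the sample header values are constructed for illustration.

```sh
#!/bin/sh
# Added example (not code from the original thread): on server B, recover the
# original client address from the X-Forwarded-For header that a reverse proxy
# on server A added. Clients can send their own X-Forwarded-For, so the header
# is only meaningful when the peer is a proxy we trust; we walk the address
# list from the right and skip trusted hops. Addresses are assumed values.
set -u

# Assumed: server A (10.0.0.1) is the only proxy allowed to set the header.
TRUSTED_PROXIES="${TRUSTED_PROXIES:-10.0.0.1}"

# is_trusted IP -> true if IP is one of TRUSTED_PROXIES
is_trusted() {
    for p in $TRUSTED_PROXIES; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# client_ip_from_xff XFF_VALUE REMOTE_ADDR
# XFF_VALUE is the raw header ("client, proxy1, proxy2"), REMOTE_ADDR the TCP
# peer that connected to B. Prints the rightmost address that is not a trusted
# proxy; returns 1 when every hop is a trusted proxy (nothing reliable to log).
client_ip_from_xff() {
    xff=$1
    peer=$2
    # "a, b ,c" -> "a b c", with the peer as the final hop
    hops="$(printf '%s' "$xff" | tr ',' ' ') $peer"
    # reverse the list so the most recent hop comes first
    reversed=""
    for ip in $hops; do
        reversed="$ip $reversed"
    done
    for ip in $reversed; do
        if ! is_trusted "$ip"; then
            printf '%s\n' "$ip"
            return 0
        fi
    done
    return 1
}

# Constructed sample inputs: a normal request via A, a client that forged a
# leading entry hoping B would log 1.1.1.1, and a request that reached B
# directly (header untrusted, peer is the client).
client_ip_from_xff '203.0.113.7' 10.0.0.1            # 203.0.113.7
client_ip_from_xff '1.1.1.1, 203.0.113.7' 10.0.0.1   # 203.0.113.7
client_ip_from_xff '1.1.1.1' 198.51.100.9            # 198.51.100.9
```

The same walk-from-the-right logic is what web frameworks' "trusted proxies" settings implement; if Server A instead overwrites the header with just `$remote_addr`, the list has one entry and the function still returns the right answer.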
