Consider the following scenario in which a 'Client' connects to a 'Server' through a 'Proxy' as follows:
      203.0.113.1            198.51.100.1:7777        192.0.2.1:7777
      +--------+             +-------+                +--------+
      | Client |------------>| Proxy |--------------->| Server |
      +--------+             +-------+                +--------+
As you can imagine, 'Proxy' acts as a plain forwarder: any connection arriving from a client on TCP port 7777 of 'Proxy' is relayed to the same port on 'Server'. As 'Proxy' is a Linux box, what I've done to get this working was to set up the 'Proxy' firewall as follows:
    iptables -t nat -A PREROUTING -p tcp -d 198.51.100.1 --dport 7777 -j DNAT --to 192.0.2.1:7777
    iptables -t nat -A POSTROUTING -d 192.0.2.1 -j MASQUERADE
This is essentially a NAT configuration. From a TCP/IP perspective, setting things up this way erases any footprint of the clients from the 'Server' point of view: every connection reaching 'Server' appears to originate from 'Proxy' (a single IP address). I'm looking for a way to keep this 'Proxy' between the clients and 'Server' but, from the 'Server' side and without relying on the application layer, preserve accountability of how many clients are coming through the 'Proxy'. Is this even possible? What kind of technology/wizardry could do this?
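As an added illustration (not part of the original post), the script below puts the post's two rules next to a DNAT-only variant that keeps the client address intact on the wire. The addresses and port are the ones from the diagram; the `run` wrapper, the FORWARD-chain filtering and the `DRY_RUN` switch are my additions, and the variant assumes 'Server' routes its replies back through 'Proxy' so that conntrack can undo the DNAT.

```shell
#!/bin/sh
# Addresses from the post: the proxy's public address, the real server, the forwarded port.
PROXY_IP=198.51.100.1
SERVER_IP=192.0.2.1
PORT=7777

# With DRY_RUN=1 the commands are printed instead of executed, so the rule set
# can be reviewed on a host without iptables (the assertions below use this).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Variant A: the post's rules. DNAT rewrites the destination and MASQUERADE
# rewrites the source to the proxy's own address, so the server only ever sees
# 198.51.100.1 as its peer and per-client accountability is lost at layer 3/4.
masquerade_rules() {
    run iptables -t nat -A PREROUTING -p tcp -d "$PROXY_IP" --dport "$PORT" \
        -j DNAT --to-destination "$SERVER_IP:$PORT"
    run iptables -t nat -A POSTROUTING -d "$SERVER_IP" -j MASQUERADE
}

# Variant B: DNAT only, no source rewriting. Each connection reaches the server
# with the real client address (visible in `ss -tn`, conntrack, firewall logs).
# Trade-off: replies are addressed to the client, not the proxy, so the server
# must route them via the proxy (e.g. its default route) or the DNAT is never undone.
transparent_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -p tcp -d "$PROXY_IP" --dport "$PORT" \
        -j DNAT --to-destination "$SERVER_IP:$PORT"
    # Forward only translated flows and their return traffic; nothing else.
    run iptables -A FORWARD -p tcp -d "$SERVER_IP" --dport "$PORT" \
        -m conntrack --ctstate DNAT -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}
```

Run with `DRY_RUN=1 sh script.sh` after appending a call to the variant you want to inspect; without `DRY_RUN` the rules are applied for real and need root.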