Tuesday, May 8, 2018

(iptables) routing connections from external client coming to public interface to another external host

I know that iptables is nothing special as a topic, but searching for a solution didn't give a result. Please finish reading the post before suggesting VPNs, Squid, etc. =)

For my setup I need to deploy a kind of transparent proxy (without any settings on the client device), but one that forwards not only HTTP and HTTPS but any remote client's requests to specific TCP/UDP ports (RDP, SIP, etc.) on the host's public IP to other external hosts, chosen by the incoming connection's port. If it could also masquerade the client's IP, that would be supercool.

|remote client|public ip|> <-SIP, RDP, HTTPS-> <|public ip|proxy|public ip|> <-SIP, RDP, HTTPS-> <|public ip|target servers (RDP, SIP, VPN etc.)|

So, I want to "hide" the public IPs of the servers (SIP, RDP, mail, etc.) to make the network more secure, but I can't use regular NAT from a public to a private network. My network is decentralized (I'm using VPSs and dedicated servers from different providers in different locations, plus some of my own hardware). That's why I can't use the virtual networks offered by hosting providers and just deploy NAT at the border of such a virtual network.

The second scenario I thought about was creating a VPN between all my hosts and NATing incoming traffic to them. But this is also a bad solution given the specifics of my network (VPN implementation support, latency, problems with UDP mode in combination with HTTP proxies).

The third scenario is some kind of reverse proxy (but as I understand it, that is meant for web servers) or a transparent proxy. But all the information I found about these variants led me to understand that they are used for TCP connections only.

So, I'm trying to solve this task using a Debian VPS and iptables. None of the ready-to-use solutions I found work for me. Most of them offered just a few rules: 1) turning on ip_forward, 2) PREROUTING DNAT, 3) POSTROUTING SNAT.

My current iptables rules allow any incoming, outgoing and forwarded connections. There are no other rules. As far as I understand from the iptables documentation, I need to use these tables and chains:

PREROUTING: 1) connection tracking, so that reply packets are not forwarded again; 2) DNAT

POSTROUTING: change the client's IP (with SNAT or mangle?)

I hope somebody can help me. I would be thankful not only for a simple solution, but for any relevant info to google. Should the chosen scenario work with UDP? What latency would you expect from it?

Thanks.
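A port-keyed DNAT/SNAT relay of the kind described above, as an added example that is not part of the original post. The interface name, the relay's public IP and the target addresses are assumed placeholders from the documentation address ranges; the script prints the rules for review and only applies them when run with --apply.

```shell
#!/bin/sh
# Added example, not from the original post. Relays selected TCP/UDP ports
# arriving on the relay's public interface to other public hosts, with SNAT
# so the targets only ever see the relay's address, not the client's.
WAN_IF="${WAN_IF:-eth0}"                # assumed: relay's public interface
PROXY_IP="${PROXY_IP:-203.0.113.10}"    # assumed: relay's public IP (placeholder)

# Port map, one "proto:port:target_ip:target_port" per line (placeholder targets).
RELAY_MAP="tcp:3389:198.51.100.20:3389
udp:5060:198.51.100.30:5060
tcp:443:198.51.100.40:443"

# Rules shared by all mappings: enable forwarding, default-deny the FORWARD
# chain, and let conntrack pass replies for both TCP and UDP pseudo-flows.
base_rules() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Emit the three rules for one mapping: DNAT on the way in (PREROUTING),
# an explicit FORWARD allow for the new flow, and SNAT on the way out
# (POSTROUTING). Because -i and -o are the same interface, replies from the
# target are de-SNATed and de-DNATed by conntrack and return to the client.
relay_rules() {
  proto=$1; port=$2; tip=$3; tport=$4
  echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $port -j DNAT --to-destination $tip:$tport"
  echo "iptables -A FORWARD -i $WAN_IF -o $WAN_IF -p $proto -d $tip --dport $tport -m conntrack --ctstate NEW -j ACCEPT"
  echo "iptables -t nat -A POSTROUTING -o $WAN_IF -p $proto -d $tip --dport $tport -j SNAT --to-source $PROXY_IP"
}

# Full ruleset: base rules followed by one block per mapping.
all_rules() {
  base_rules
  printf '%s\n' "$RELAY_MAP" | while IFS=: read -r proto port tip tport; do
    relay_rules "$proto" "$port" "$tip" "$tport"
  done
}

if [ "$1" = "--apply" ]; then all_rules | sh; else all_rules; fi
```

UDP is handled the same way because conntrack tracks UDP flows by address/port tuple; SIP is the one mapping above that may also need the kernel's SIP conntrack/NAT helper, since SIP carries addresses inside its payload.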
