What is the best way to forward all requests to a specific port to another computer on the network?
I have two dedicated servers and no hardware firewall. I would like to redirect all requests coming to the main server on port 1008 to another dedicated server on the same network. I know I need to set up some kind of TCP proxy, but I first heard about iptables yesterday. Any quick tips?
Carson is right: bridging the servers and clients. Shorewall (IP tables) can forward traffic to different ports and different machines.
When the firewall is bridged, you do not need to change the network settings, but the bridge interface must be assigned one IP address for each network client and server. Otherwise, the redirection won't work.
Caveat: the machine that the connection is pointed to must be on the network (meaning its IP address must be in use); otherwise the redirection will not work.
If redirection is meant as a failover for high availability, I would consider load balancing (a cluster) instead of a firewall, which means a Linux virtual server (for a general approach) or load-balancing software such as Apache (with mod proxy_balancer), balance or account (if you only need to balance HTTP requests). There are also hardware devices like F5 for load balancing.
The easiest way is to use something that is just a TCP proxy. This can be done with iptables, but not easily.
It is easy to forward requests from A destined for B to C (using DNAT), but harder to get C's responses to return to A through B (since DNAT does not change the sender's address). A then ignores the answers as they will come from C and not B.
Basically, the way to do this is to set B as the default gateway of C and use forwarding; however, this adds an additional point of failure at B: if B fails, C's outbound traffic (including replies to requests sent directly to C) will end up dropping into a black hole.
Using iptables is possible without this routing trick, I think, but you need to have the same connection both SNAT'd and DNAT'd, which is more complicated at best.
Usually in such situations, most people put another host (a firewall) in front of the two machines and make the DNAT decisions there. Of course, this also introduces a point of failure, so in critical settings the firewall usually has a backup (syncing its configuration and sometimes its connection tracking table).
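The SNAT-plus-DNAT variant the answers above describe (so that C's replies return to the client through B without making B the default gateway of C), written out as an added example; this is not code from the question or either answer. Server names, addresses (B at 10.0.0.10 and C at 10.0.0.20 on a constructed LAN, external interface eth0) and port 1008 are placeholders; the script only prints the rules unless DRY_RUN=0 is set, so it can be reviewed before anything is applied on a real host.

```shell
#!/bin/sh
# Added example: forward TCP port 1008 arriving on server B to server C,
# using DNAT for the inbound direction and SNAT for the outbound direction
# so that C answers B, and conntrack then un-NATs the reply for the client.
# All addresses and interface names below are constructed placeholders.

B_LAN_IP="${B_LAN_IP:-10.0.0.10}"   # B's address on the network shared with C
C_LAN_IP="${C_LAN_IP:-10.0.0.20}"   # C, the host that should actually serve the port
FWD_PORT="${FWD_PORT:-1008}"        # port from the question
EXT_IF="${EXT_IF:-eth0}"            # interface on B where client requests arrive

# Print each command instead of executing it unless DRY_RUN=0.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

build_rules() {
    # B must route packets it does not own.
    run sysctl -w net.ipv4.ip_forward=1
    # DNAT: client -> B:1008 becomes client -> C:1008.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$FWD_PORT" \
        -j DNAT --to-destination "${C_LAN_IP}:${FWD_PORT}"
    # SNAT: the same flow leaves B with B's address as source, so C replies
    # to B and B's conntrack table maps the reply back to the real client.
    run iptables -t nat -A POSTROUTING -p tcp -d "$C_LAN_IP" --dport "$FWD_PORT" \
        -j SNAT --to-source "$B_LAN_IP"
    # Let the forwarded flow (and only that flow) through a FORWARD chain
    # whose policy is DROP; replies are matched by conntrack state.
    run iptables -A FORWARD -p tcp -d "$C_LAN_IP" --dport "$FWD_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -p tcp -s "$C_LAN_IP" --sport "$FWD_PORT" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

build_rules
```

Two things to keep in mind when applying this. The SNAT rule is exactly why the routing trick from the second answer is not needed, but it also means C sees every forwarded connection as coming from B, so C's own logs and any per-client rate limiting on C lose the real client address; if that matters, the default-gateway approach or a proxy that passes the client address along is the better trade. And because the FORWARD rules are restricted to C's address and the one port, B does not become a general router between its external interface and the internal network.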