
I have a remote server (B) that forwards certain incoming traffic to another port of a different server (A, dest).
With "masquerade" I only see traffic coming from the forwarding server (B); is it possible to see traffic coming from the original sources (C)? If I replace "masquerade" with "accept", I can no longer reach port 8080 of the destination (A).

Sketch:

C -> B:25 -> A:8080
# A receives C requests as if B made them
# Unfortunately this breaks some implementations like SPF

NFTables configuration:

# define destination address
define dest = 10.0.0.2

# table for smtp forwarding
table ip smtp {
 chain pre {
  type nat hook prerouting priority -100
  tcp dport 25 dnat to $dest:8080
 }
 chain post {
  type nat hook postrouting priority 100
  ip daddr $dest masquerade
 }
}
Polizi8
  • That's just "routing", not forwarding. A firewall only needs to allow such traffic. – Michael Hampton Sep 20 '20 at 00:14
  • @MichaelHampton can you please provide a minimal working example? – Polizi8 Sep 20 '20 at 09:55
  • If the server is a *router in the path* between source and destination it's possible. The fact that it doesn't work probably tells it's no such router. – A.B Sep 20 '20 at 10:05
  • Next time it would be easier if you name your servers like Server A and Server B or something ;-) In general, think about rephrasing your question; I am not 100% sure I understood your problem correctly. – Kound Sep 28 '20 at 20:54
  • @Kound I added a little sketch and server names – Polizi8 Sep 29 '20 at 21:33
  • hmm okay, looks like my suggested solution could be an answer. Have you tried? – Kound Oct 02 '20 at 17:44

1 Answer


As Tero Kilkanen was so nice to answer my question, I can hopefully provide you with a minimal working example.

Preconditions:

  1. IP forwarding has to be activated (check with sysctl -a | grep forward) on the remote server
  2. Both servers must be in the same network
  3. Your different server must have the remote server as its default gateway (Is this possible in your case?)
  4. Kernel should be 4.18; otherwise you need to also define a postrouting rule (see nftables wiki)
  5. The external interface of the remote server is enp35s0; otherwise replace accordingly

Given this, you can use the following NFTables rules:

table ip nat {
        chain prerouting {
                type nat hook prerouting priority 0; policy accept;
                iif "enp35s0" tcp dport 25 dnat to 10.0.0.2:8080
        }
}
table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}

To debug, check tcpdump on the different server.

Kound