I have one "server A" that has multiple IPs attached to it, like so:
eth0:0 1.1.1.1
eth0:1 1.1.1.2
eth0:2 1.1.1.3
I have another "server B" that also has multiple IPs attached to it, like so:
eth0:0 2.2.2.1
eth0:1 2.2.2.2
eth0:2 2.2.2.3
Now, I want to set up iptables on "Server A" to forward/NAT all incoming traffic on "eth0:2" to IP 2.2.2.3 on "Server B".
I have verified that "Server A" is able to "talk" to "Server B" on IP 2.2.2.3. Ping and telnet to open ports work just fine and I have the forward flag turned on (net.ipv4.ip_forward=1).
I have tried multiple different ways, DNAT, SNAT, MASQUERADE etc, but I cannot get anything to work.
This line works fine if I try to forward traffic between IPs on the SAME server:
iptables -t nat -A PREROUTING -d 1.1.1.3 -j DNAT --to-destination 1.1.1.2
But if I switch out the "1.1.1.2" for "2.2.2.3", it does not work.
I assume that I need a second iptables rule to solve it. I have tried with the following POSTROUTING rules without any luck (not at the same time):
iptables -t nat -A POSTROUTING -d 2.2.2.3 -j MASQUERADE
iptables -t nat -A POSTROUTING -d 2.2.2.3 -j SNAT --to 1.1.1.3
iptables -t nat -A POSTROUTING -j MASQUERADE
What am I missing?
EDIT 1:
I finally got it to work by using the following:
net.bridge.bridge-nf-call-iptables=0
iptables -t nat -A PREROUTING -d 1.1.1.3 -j DNAT --to-destination 2.2.2.3
iptables -t nat -A POSTROUTING -d 2.2.2.3 -j SNAT --to 1.1.1.3
However, now another problem appeared. All logs etc. on server 2.2.2.3 show that ALL traffic now comes from 1.1.1.3, like apache logs, mail logs etc. I assume this is the nature of NAT.
However, when I do standard port forwarding on my home-router to my laptop that is running apache, I see the original "requester IP" in the logs. So, how does the router do this? And how can I do the same on my server setup?
Bottom line, I want to forward all traffic from Server A (1.1.1.3) to Server B (2.2.2.3), BUT I also want to be able to see where the traffic came from on Server B (2.2.2.3), i.e. the apache logs should show the original IP of the requester.
I assume I should use some other way than NAT to make this happen, and it should be possible, as even my simple home-router is able to do this.
One extra thing: the IPs attached to Server A and Server B are LOCKED to each respective server. Thus, Server A is NOT able to send out traffic FROM IP 2.2.2.3. It is locked by my provider in the router.
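As an added illustration (not part of the original post, and not real netfilter code), the following Python model walks one request/reply through the three situations the question compares: the DNAT-only rule that did not work, the DNAT+SNAT pair from EDIT 1 that works but makes every log entry on Server B show 1.1.1.3, and the home-router case where the laptop's default gateway is the router, so the reply passes back through the same box and conntrack can undo the DNAT without any SNAT. The client address 203.0.113.10 is a constructed value; `NatBox` is a toy stand-in for the kernel's connection tracking, keyed on the reply tuple it expects to see. Whether Server B can be given a return route through Server A in the poster's hosting setup (where the provider locks each IP to its server) is not something the post settles; the model only shows why the reply path decides whether the original source IP survives.

```python
"""Toy model of DNAT / SNAT and the reply path (added example, not from the post).

Addresses 1.1.1.3 and 2.2.2.3 come from the question; the client address is constructed.
"""
from dataclasses import dataclass, replace

CLIENT = "203.0.113.10"   # constructed client address (TEST-NET-3 range)
SERVER_A_IP = "1.1.1.3"   # public IP on Server A that receives the traffic
SERVER_B_IP = "2.2.2.3"   # backend IP on Server B


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class NatBox:
    """Single-flow stateful NAT: PREROUTING DNAT, optional POSTROUTING SNAT,
    plus a conntrack-like table so replies that come back through the box
    can be translated back to what the client originally sent."""

    def __init__(self, public_ip, dnat_to, snat_to=None):
        self.public_ip = public_ip   # -d public_ip ... -j DNAT --to-destination dnat_to
        self.dnat_to = dnat_to
        self.snat_to = snat_to       # -d dnat_to -j SNAT --to snat_to (None = no SNAT)
        self.conntrack = {}          # expected reply tuple (src, dst) -> original (src, dst)

    def forward(self, pkt):
        """Inbound packet: apply DNAT, then SNAT, and record the flow."""
        original = (pkt.src, pkt.dst)
        if pkt.dst == self.public_ip:
            pkt = replace(pkt, dst=self.dnat_to)        # PREROUTING DNAT
        if self.snat_to and pkt.dst == self.dnat_to:
            pkt = replace(pkt, src=self.snat_to)        # POSTROUTING SNAT
        # The reply we expect is addressed from the new dst back to the new src.
        self.conntrack[(pkt.dst, pkt.src)] = original
        return pkt

    def reverse(self, reply):
        """Reply passing back through the box: undo the translation, or None
        if conntrack has never seen this flow."""
        original = self.conntrack.get((reply.src, reply.dst))
        if original is None:
            return None
        orig_src, orig_dst = original
        return Packet(src=orig_dst, dst=orig_src)


def run_scenario(use_snat, backend_replies_via_nat):
    """Returns what Server B logs as the source and whether the client
    receives a reply from the address it actually connected to."""
    box = NatBox(SERVER_A_IP, SERVER_B_IP, SERVER_A_IP if use_snat else None)
    request = Packet(src=CLIENT, dst=SERVER_A_IP)
    at_backend = box.forward(request)
    logged_src = at_backend.src              # what apache on Server B writes to its log
    reply = Packet(src=SERVER_B_IP, dst=at_backend.src)
    # The reply re-enters Server A if it is addressed to A (SNAT case) or if
    # Server B routes traffic for the client via A (the home-router case).
    if reply.dst == SERVER_A_IP or backend_replies_via_nat:
        delivered = box.reverse(reply)
    else:
        delivered = reply                    # goes straight from B to the client
    client_accepts = (
        delivered is not None
        and delivered.src == SERVER_A_IP     # client expects the reply from 1.1.1.3
        and delivered.dst == CLIENT
    )
    return {"backend_logs": logged_src, "client_accepts": client_accepts}


if __name__ == "__main__":
    print("DNAT only, B replies directly:   ", run_scenario(False, False))
    print("DNAT + SNAT (EDIT 1):            ", run_scenario(True, False))
    print("DNAT only, B routes back via A:  ", run_scenario(False, True))
```

Running it shows the three outcomes side by side: with DNAT alone the backend logs the real client but the client gets a reply from 2.2.2.3, an address it never talked to, so the connection never completes; with DNAT plus SNAT the connection works but Server B only ever sees 1.1.1.3; and with DNAT alone plus a return route through Server A, conntrack rewrites the reply and the backend keeps the original client address in its logs, which is what a home router does because the laptop's default gateway is the router itself.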