Ubuntu / iptables: Using a server as middle-man to talk to firewalled server

Question

I have a situation where I need to communicate with an API that only allows connections from one particular IP.

So api.example.com accepts connections on port 443 from whitelisted-ip

I want to be able to connect from anywhere to whitelisted-ip port 443, and have it forward the packets to api.example.com on port 443, and send responses back to the connecting machine.

I assume there's some way of doing this similar to a transparent squid proxy, but I can't figure it out.

I tried following the examples here (http://www.tldp.org/HOWTO/TransparentProxy-6.html) using the statements below, but no success.

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to api.example.com:443
iptables -t nat -A POSTROUTING -o eth1 -d api.example.com -j SNAT --to whitelisted-ip

Any help would be appreciated.

Update:

I also tried the below, to no avail:

iptables -t nat -A PREROUTING  -p tcp -d whitelisted-ip  --dport 443 -j DNAT --to api.example.com:443
iptables -t nat -A POSTROUTING -p tcp -s api.example.com --sport 443 -j SNAT --to whitelisted-ip:443

Thanks

Wissam Roujoulah · Answer 1 · 2015-05-29T12:47:24.933

0

From what i understand You want to reach the server from any where with one ip (whitelisted-ip) which is not the client ip that you are using. You can't do that cause you may be able to reach the server with the whitelisted-ip but the server won't be able to response cause simply its not your ip address in the network

edited May 29 '15 at 12:47

answered May 29 '15 at 12:02

Wissam Roujoulah

401
2
9

score 0 · Answer 2 · answered May 29 '15 at 13:28

0

On whitelisted-ip shell, you can try using netcat for such tasks.

By issuing the command below on whitelisted-ip shell, you are going to bind port 4443 and forward the connection to api.example.com:443.

nc -l -p 4443 -c "nc api.example.com 443"

So you can connect to whitelisted-ip:4443 from any other endpoints.

Reminder: i dont recommend this to be bound on any publicly reachable interface without any protection, you could rather bind the port to loopback interface adding -s 127.0.0.1 argument.

answered May 29 '15 at 13:28

kayess

111
4

I'm looking for an iptables solution so it's faster and does not rely on any running servers. Thanks – Asfand Qazi May 29 '15 at 13:37
That werent clear on first sight, sorry. Did you check if "/proc/sys/net/ipv4/ip_forward" has value 1 set? – kayess May 29 '15 at 13:44

score 0 · Accepted Answer · edited Apr 13 '17 at 12:14

I just realised this is a duplicate of another question:

How to do the port forwarding from one ip to another ip in same network?

I made it work with:

iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination api.example.com:443
iptables -t nat -A POSTROUTING -p tcp -d api.example.com --dport 443 -j SNAT --to-source whitelisted-ip

Along with the ip forwarding sysctl:

echo 1 > /proc/sys/net/ipv4/ip_forward

Ubuntu / iptables: Using a server as middle-man to talk to firewalled server

3 Answers3