
The following case:

ServerA has no open ports. IP 1.1.1.1. It can see ServerB.

ServerB has open ports 1000, 2000. IP 2.2.2.2. It can only see ServerC.

ServerC has open ports 1000, 2000. IP 3.3.3.3. It can't see the other servers.

Here ServerA doesn't see ServerC.

It can be illustrated by this scheme.

What I need is to allow ServerA to communicate with ServerC via ports 1000 and 2000. This is possible via ServerB using iptables (port forwarding, as described here: https://serverfault.com/a/838865/518609). However, the problem is that ServerB should also communicate with ServerC using the same ports.

So ServerA and ServerB both should communicate with ServerC and ServerC should differentiate which server (A or B) sent a packet, but only ServerB can connect to ServerC.

Opening other ports is not possible (well, technically possible, but our security department doesn't like this idea and even as an exception it would take up to 3 weeks).

OS is SLES (SUSE Linux Enterprise Server).

Is it possible at all?

Fogus
  • Your question shows a fundamental lack of understanding of IP, and is impossible to answer. Importantly, connections have source and destination ports associated with them, and to communicate, both servers need to see each other. You need to advise if, and if so how, the machines connect. – davidgo Nov 16 '19 at 22:36
  • It's possible for server C to differentiate between connections from server A and B if server A and B can be configured to use different source ports (even if they both use the same destination ports). It might also be possible to set QoS bits on server B to mark packets so server C can differentiate on that. – davidgo Nov 16 '19 at 22:39

1 Answer

iptables is not a router.

You have a use case for these flows, allow them. Route such that A and B have paths to C. Allow the relevant ports in any firewall, and follow any other relevant security policy of your organization.

A non-router node only needs to be in the path if it provides some service, middlebox style. Like a proxy or firewall.

John Mahowald
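Added example, not code from the question or the answer: this is the ServerB ruleset that the port-forwarding approach in the question amounts to, using the addresses and ports given there, with comments explaining why it either hides A from C or still needs the routing the answer recommends. It assumes iptables with conntrack on ServerB and that ServerA connects to 2.2.2.2:1000/2000 rather than to C directly.

```shell
#!/bin/sh
# Run on ServerB (2.2.2.2). Forwards TCP 1000 and 2000 that ServerA (1.1.1.1)
# sends to B's own address on to ServerC (3.3.3.3). B's own connections to C on
# the same ports are not matched by these rules, so they keep working.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 applies them.
set -eu

A_IP=1.1.1.1          # ServerA, from the question
B_IP=2.2.2.2          # ServerB, this host
C_IP=3.3.3.3          # ServerC
PORTS="1000 2000"     # ports from the question
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then echo "sysctl -w net.ipv4.ip_forward=1"
    else sysctl -w net.ipv4.ip_forward=1; fi
}

forward_rules() {
    enable_forwarding
    for p in $PORTS; do
        # Rewrite the destination of A's packets from B to C (only A's, only this port).
        ipt -t nat -A PREROUTING -s "$A_IP" -d "$B_IP" -p tcp --dport "$p" \
            -j DNAT --to-destination "$C_IP:$p"
        # Let the forwarded connection and its replies through the FORWARD chain.
        ipt -A FORWARD -s "$A_IP" -d "$C_IP" -p tcp --dport "$p" \
            -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
        ipt -A FORWARD -s "$C_IP" -d "$A_IP" -p tcp --sport "$p" \
            -m conntrack --ctstate ESTABLISHED -j ACCEPT
    done
}

# Source NAT is deliberately left out. Adding
#   iptables -t nat -A POSTROUTING -s 1.1.1.1 -d 3.3.3.3 -j SNAT --to-source 2.2.2.2
# would make every forwarded connection arrive at C with source 2.2.2.2, so C
# could not tell A's traffic from B's (the exact problem in the question).
# Without SNAT, C sees 1.1.1.1 as the source and must have a route for 1.1.1.1
# that points back through B; at that point B is simply a router, which is what
# the answer says to configure in the first place.
forward_rules
```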