Redirect/reflect IP/port range from one address to another remote address

V

varda

Gentlemen, hello.

There is an ancient dosen years old service which I will not have access several monthes to change something but it is important for some my collegues and for some reason it becomes not accesible for them at their geolocations. So the idea is to point subdomain name for it on another accessible public IP which will just performs address or port range reflection on original service IP.

Please advise me the easiest and fastest solution or software on this issue.
 
varda said:
There is an ancient dosen years old service which I will not have access several monthes to change something but it is important for some my collegues and for some reason it becomes not accesible for them at their geolocations. So the idea is to point subdomain name for it on another accessible public IP which will just performs address or port range reflection on original service IP.
Click to expand...
So are you looking for httpd settings to do that? Is your service listening for connections at a certain IP address: port number? Or, are you looking for firewall settings to do the redirection?
 
Thanks for reply.

I would prefer to completely redirect/reflect entire IP address with firewall or some 3rdparty software in order not to think and research what exactly works on old IP.

Basically, I want to consult and take advantage of other's experience not to spend a lot of time researching ways to implement it. Of course, it is possible simply to redirect individual ports with ssh or use specific software like different portfwd/rinetd. But I would like other people's experience and minimal/lightweight interference to system.
 
Ok. You actually mean something like "if you DON'T understand my clear message it means for me that you DON'T have the experience I need", right? ;);)
 
You are a very dangerous and powerful person, a telepath, easily read other people's thoughts :-D Thank you for the pleasure of chatting with you.
 
No expert here, sorry :) But I do have one very useful redirect working in one of my setups.
A certain service runs on a machine behind PF firewall, so I redirect the traffic from the outside coming to the UDP port 23458 to that machine (the same port):
Code: 
(comment: nat for the outgoing traffic, placed first)
match out on egress inet proto udp from $my_other_IP to any nat-to egress:0 static-port
match out on egress inet from !egress:network to any nat-to egress:0
(comment: redirect itself:)
pass in quick on $outer_interface inet proto udp from any to any port 23458 rdr-to $my_other_IP_address
OK, this working example is from the OpenBSD PF. The nat option static-port makes sure PF doesn't modify source port. You may need this for some services, like SIP.
For FreeBSD version of PF it looks slightly different, but since I'm not using it I can't give you a working example for that. The basic idea, however, is the same: traffic is coming on the outside interface of the firewall machine you have access to. You use PF redirect rule to redirect it to the host you want + nat rules to make sure the address translation is done correctly. In FreeBSD PF it looks like this:
Code: 
nat on $out_if from 192.168.26.0/24 to any -> ($out_if)
Of course, for your particular setup you'll need to read man to make sure you include ALL the stuff you need for your setup (for which you're not giving details).
 
Adapting to FreeBSD, the description titled "RDR-TO and NAT-TO Combination" at https://www.openbsd.org/faq/pf/rdr.html#reflect, you could do the following, for example:

rdr pass on $int_if inet proto tcp from $int_net to ($ext_if) port $your_port -> $your_server
nat pass on $int_if proto tcp from $int_net to $your_server port $your_port -> $int_if

Replace your_server and your_port with your appropriate values.
 
You must log in or register to reply here.
Back
Top