Home / server / Questions / 1080060
Accepted
blacksoul
Asked: 2021-10-10 01:19:52 +0800 CST

Forward specific external traffic to LAN server

  • 772

I want to redirect the incoming traffic to my server, in which iptables is working, to another server in LAN. However, I only want this to work if the incoming traffic is coming from a specific external IP address. Otherwise, the traffic should be dropped.

Let me put an example to clarify it:

  • External client IP: 88.88.88.88
  • Server IP (in same LAN): 172.26.0.99
  • Destination IP (in same LAN): 172.26.0.11

Redirection example

  1. Client (88.88.88.88) connects to SERVER IP (172.26.0.99)
  2. Traffic is tunnelled to Destination IP (172.26.0.11).

Drop example

  1. Stranger client (66.66.66.66) tries to connect to SERVER IP (172.26.0.99)
  2. Traffic is DROPPED
linux routing port-forwarding iptables

2 Answers

  1. Best Answer

    If I understood correctly, you want to forward all traffic from 88.88.88.88 to the protected server 172.26.0.11. Here's an example using NAT:

    sysctl net.ipv4.ip_forward=1

iptables -t nat -A PREROUTING -i <wan-if> -s 88.88.88.88 -j DNAT --to-destination 172.26.0.11
iptables -t nat -A POSTROUTING -s 88.88.88.88 -d 172.26.0.11 -j SNAT --to-source 172.26.0.99
iptables -A FORWARD -s 88.88.88.88 -d 172.26.0.11 -j ACCEPT

    Alternatively, forwarding on a per port basis, use ipvs or SystemD sockets or iptables -j REDIRECT to set up the forwarding and firewall the port. Example with ipvs and iptables:

    sysctl net.ipv4.vs.conntrack=1

ipvsadm -A -t "172.26.0.99:<port>" -s rr
ipvsadm -a -t "172.26.0.99:<port>" -r "172.26.0.11:<port>" -m

iptables -A INPUT -s 88.88.88.88 -j ACCEPT -m comment --comment "Allow 88.88.88.88"
iptables -A INPUT -j DROP -m comment --comment "Catch-all drop"
    • 2

  2. it worked for me as well. Thank you for the idea.

    • 1