I have two servers. Windows has 1 NIC, Ubuntu has 2 NICs:

    Server   NIC  Service  Listening Ports
    -------  ---  -------  ---------------
    Windows  1    IIS      80, 443
                  mySvc    300         <---------------------------------\
    Ubuntu   1    nginx    80,443                                         |
             2             80,443,300  forward w/ port translation to  --/
My users need to connect to Windows port 300 to run my app. Many companies only allow outbound traffic on ports 80 and 443, so some users cannot connect using any other port. I cannot configure mySvc to listen on port 80 or 443 unless I spin up another Windows server, which I do not want to do.

So I added NIC2 to the Ubuntu server, set up DNS to point to NIC2, and forward ports 80, 443, and 300 to Windows port 300. Now all users can connect through any company firewall.

Problem: Windows sees the inbound IP of the forwarded traffic as the Ubuntu NIC1 IP address, instead of the user's IP address.

Question: How can I change my configuration files to pass the user's IP through in the port forwarding/port translation, so Windows sees the user's public IP?
My Configuration: (IP addresses changed for privacy)

    Server   NIC  Public IP  Private IP      Interface              Listening Ports
    -------  ---  ---------  --------------  ---------------------  ---------------
    Windows  1    1.2.3.4    192.168.23.112  Local Area Connection  80,443,300
    Ubuntu   1    1.2.4.5    192.168.24.112  eth0                   80,443
    Ubuntu   2    1.2.5.6    192.168.20.164  eth0:0                 80,443,300
On the Ubuntu server:
$less /etc/network/interfaces.d/eth0.cfg
auto eth0 eth0:0
allow-hotplug eth0 eth0:0
iface eth0 inet dhcp
netmask 255.255.240.0
gateway 192.168.16.1
When we assign an IP address to eth0:0 in the above eth0.cfg, the server takes several minutes to boot, and port forwarding doesn't work. So, only eth0 shows as configured in ifconfig:
$ifconfig
eth0 Link encap:Ethernet HWaddr **:**:**:**:**:**
inet addr:192.168.24.112 Bcast:192.168.31.255 Mask:255.255.240.0
The port forwarding is done using a boot-cron bash script:
$less /etc/init.d/ipforwarding
#!/bin/bash
# Redirect traffic that arrives for NIC2 (192.168.20.164) on ports 300, 443 and 80 to Windows port 300
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.20.164 --dport 300 -j DNAT --to-destination 192.168.23.112:300
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.20.164 --dport 443 -j DNAT --to-destination 192.168.23.112:300
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.20.164 --dport 80 -j DNAT --to-destination 192.168.23.112:300
# Rewrite the source of all forwarded traffic to the primary address of the outgoing interface (eth0 = 192.168.24.112)
iptables -t nat -A POSTROUTING -j MASQUERADE
# Alternative (currently commented out): rewrite the source to the NIC2 address instead
#iptables -t nat -A POSTROUTING -p tcp --dport 300 -j SNAT --to-source 192.168.20.164
When the forwarded traffic arrives on port 300 of the Windows box, the inbound IP address is 192.168.24.112, which is Ubuntu NIC1, even though DNS points users to Ubuntu NIC2. If I add # to the MASQUERADE line and remove # from the following line, then the traffic that arrives on the Windows server has the IP address 192.168.20.164. So the difference between MASQUERADE and SNAT makes sense. But both of these change the IP address during the NAT operation.
I want the user's public IP address to be forwarded to Windows port 300, whenever traffic hits Ubuntu NIC2 on ports 80, 443, or 300. Any advice would be helpful!