0

We have three sets of computers: clients, a single proxy and multiple servers.

The clients (many) want to connect to the servers (many) using TCP on a specific and consistent port. Currently they do this directly. The connections always originate from the clients. And everything is happy and the world is good.

However, we would like to introduce a proxy / gateway / router to the equation. The goal is to bind a static IP address to the "proxy" so that the servers see all traffic as originating from a static IP address.

The clients make requests to multiple servers using multiple protocols (for example, they also make http requests). We only want to "proxy" a single protocol. All other protocols should be allowed to route as usual.

I think that this problem could be re-framed for any protocol. As it happens, the protocol (port) is LDAP. But I think this is pretty irrelevant (unless there's a nice, convenient little piece of LDAP-proxy software out there).

I don't believe it matters, but our environment is AWS. We are not running a VPC. Why it might matter is that the machines only have a single network interface.

We have tried several approaches, but haven't managed to get this to work. I would welcome your input - even if it is to tell us that what we want to do is impossible!

Thanks.

renen.

renen
    why do you need to do this, what are you trying to achieve? – The Unix Janitor Feb 03 '12 at 15:48
  • +1 on "why?" -- I've given an answer, but this does sound a bit... interesting. – Jeff Ferland Feb 03 '12 at 16:31
  • our webservers need to authenticate against our client's LDAP servers. In turn, our clients want our requests to originate from a static IP so that they can avoid opening their LDAP server to the entire world. We could change our code, but I feel that this should be doable using iptables. Thanks for taking the time to apply your mind. – renen Feb 03 '12 at 22:02

2 Answers

1

It would be helpful to know what methods you have tried. Assuming you don't want to run a proxy client on your client machines, I suggest source NAT at your boundary router.

In Linux with iptables:

# SNAT is only accepted in the POSTROUTING chain of the nat table, so the rule
# matches on the outgoing interface; only the LDAP port is rewritten.
iptables -t nat -A POSTROUTING -o $outside_interface -d $your_servers/netblock \
         -p tcp --dport $ldap -j SNAT --to-source $source_address

Most non-toy firewall systems should be able to emulate that behavior.

Jeff Ferland
  • Jeff, thanks for your answer. I should have included what we had tried - this was one of them. – renen Feb 07 '12 at 09:25
  • :-) that escaped. That was **not** one of them... we'll play with it and revert. Again, thanks. – renen Feb 07 '12 at 09:28
  • Hi Jeff what proxy client could one use on the client? –  Feb 07 '12 at 09:30
  • we are currently playing with standard routing - but, you need to mark the packets first (which you can do using IP tables). Take a look at the second example here: http://www.linuxhorizon.ro/iproute2.html – renen Feb 08 '12 at 09:27
  • doesn't look promising - falls over on the lack of dual interfaces – renen Feb 08 '12 at 10:11
1

I'm not entirely sure I understand exactly what you're trying to do. However:

A simple network proxy should work for what I think you're describing. There are lots of them out there, including balance and xinetd, the latter of which may already be installed on your system. These are both TCP proxies (they won't work with UDP-based services), but that covers HTTP, LDAP, and probably most other protocols you're going to care about.

It's possible to accomplish something similar by putting a "masquerading" router (possibly a Linux system) in between your clients and the server. More information about this can be found here.

larsks
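As an added example that is not part of either answer, the script below puts the two suggestions side by side for the one-port requirement in the question. Mode `nat` follows Jeff Ferland's source-NAT approach and adds the pieces the one-liner leaves out (IP forwarding, FORWARD rules, and the POSTROUTING chain that SNAT requires, with the same interface as input and output because the proxy has a single NIC). Mode `xinetd` follows larsks' TCP-proxy approach using xinetd's `redirect` attribute, so the server sees the proxy's address without any routing change on the clients. The addresses, interface name, port and the script itself are assumptions constructed for the example; with DRY_RUN=1 (the default) it prints what it would do instead of applying it.

```shell
#!/bin/sh
# Hypothetical gateway setup script (added example, not from the answers above).
# Assumed values, constructed for the example; override via the environment.
PROXY_IP="${PROXY_IP:-10.0.0.5}"            # static IP bound to the proxy
IFACE="${IFACE:-eth0}"                      # the proxy's single interface
LDAP_PORT="${LDAP_PORT:-389}"               # the one port we want rewritten
SERVER_NET="${SERVER_NET:-203.0.113.0/24}"  # LDAP servers (documentation range)
CLIENT_NET="${CLIENT_NET:-10.0.0.0/24}"     # our web servers / clients
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Reject anything that is not a TCP port number before it reaches iptables.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Mode nat: source-NAT only the LDAP port; every other protocol the clients
# send through the gateway is forwarded untouched.
nat_rules() {
    valid_port "$LDAP_PORT" || { echo "bad port: $LDAP_PORT" >&2; return 1; }
    run sysctl -w net.ipv4.ip_forward=1
    # SNAT is only legal in POSTROUTING, so match on the *outgoing* interface;
    # with one NIC that is the same interface the clients arrive on.
    run iptables -t nat -A POSTROUTING -o "$IFACE" -s "$CLIENT_NET" -d "$SERVER_NET" \
        -p tcp --dport "$LDAP_PORT" -j SNAT --to-source "$PROXY_IP"
    # Permit the forwarded flow and its replies through the box, nothing else.
    run iptables -A FORWARD -i "$IFACE" -o "$IFACE" -s "$CLIENT_NET" -d "$SERVER_NET" \
        -p tcp --dport "$LDAP_PORT" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$IFACE" -o "$IFACE" -s "$SERVER_NET" -d "$CLIENT_NET" \
        -p tcp --sport "$LDAP_PORT" -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Mode xinetd: the proxy listens on the LDAP port itself and opens a fresh
# connection to the real server, so the server sees PROXY_IP. Clients are
# pointed at PROXY_IP instead of the server; no routing change is needed.
xinetd_service() {
    ldap_server="$1"
    valid_port "$LDAP_PORT" || { echo "bad port: $LDAP_PORT" >&2; return 1; }
    cat <<EOF
service ldap-proxy
{
    type        = UNLISTED
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = nobody
    port        = $LDAP_PORT
    bind        = $PROXY_IP
    only_from   = $CLIENT_NET
    redirect    = $ldap_server $LDAP_PORT
}
EOF
}

# Usage: ./gateway.sh nat        (apply with DRY_RUN=0 on the proxy)
#        ./gateway.sh xinetd 203.0.113.10 > /etc/xinetd.d/ldap-proxy
case "${1:-}" in
    nat)    nat_rules ;;
    xinetd) xinetd_service "${2:?server address required}" ;;
esac
```

The `nat` mode only does its job if the clients actually send their LDAP traffic via the proxy (a route for the server netblock pointing at PROXY_IP on each client) and the network lets the proxy forward packets that are not addressed to it; the `xinetd` mode avoids both requirements because the clients simply connect to the proxy, which is why it is the easier of the two to make work on a single-interface host.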