
[network drawing]

I've included a drawing so you get an idea how it would work. (Red = LDAP connections, Blue = HTTP / AJP in the backend)

Problem: We want to connect our customer application server to an LDAP of the customer (or let them do it).

Now this would be easy if we did this with the public interface of the application server, BUT we would like to disable this interface over time. We want to route all the traffic that needs to go out to the proxy, and it would deliver the packets to the destination.

Now this will also be for other services, but the main one is LDAP (configuring extra ones isn't so hard if we have LDAP in order). We don't want to redirect ALL traffic because we still need traffic to go to our backend services (databases etc.).

Solution would be:

  1. Start an LDAP request from the application server.
  2. Send all LDAP requests + traffic to eth1 from the application server to the proxy's eth1.
  3. Redirect all LDAP traffic from eth1 to eth0 (proxy) to be able to reach the internet.

I would like to know how to solve this in the most secure and scalable way (to automate this) with IPTABLES.

So I'm looking for the best IPTABLES solution to implement on our application server and proxy.

EDIT:

Testing with 2 Vagrant boxes: Host0 = Application server, Host1 = Proxy

Still struggling with this. But I'm getting a step closer.

All of my LDAP traffic is being sent to the proxy and back, but I'm only getting [S] and [S.] back and no connection.

Here is what I did.

Application server:

iptables -t mangle -A OUTPUT -p tcp --dport 389 -j MARK --set-mark 0x1
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

echo 1 LDAP >> /etc/iproute2/rt_tables
ip rule add fwmark 0x1 lookup LDAP
ip route add default via 192.168.1.2 table LDAP


[root@host0 ~]# sysctl -A | grep rp_filter
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.eth1.arp_filter = 0

[root@host0 ~]# sysctl -A | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1

Proxy:

iptables -t nat -A POSTROUTING -p tcp -o eth0 --dport 389 -j SNAT --to 10.0.2.15


[root@host1 ~]# sysctl -A | grep rp_filter
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.eth1.arp_filter = 0

[root@host1 ~]# sysctl -A | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1

This is the tcpdump on eth1 (private) of the application server:

13:31:51.629687 IP 192.168.56.10.59528 > ec2-23-20-46-132.compute-1.amazonaws.com.ldap: Flags [S], seq 1571039960, win 14600, options [mss 1460,sackOK,TS val 18491218 ecr 0,nop,wscale 3], length 0
13:31:51.749145 IP ec2-23-20-46-132.compute-1.amazonaws.com.ldap > 192.168.56.10.59528: Flags [S.], seq 1604232705, ack 1571039961, win 65535, options [mss 1460], length 0
13:31:52.630908 IP 192.168.56.10.59528 > ec2-23-20-46-132.compute-1.amazonaws.com.ldap: Flags [S], seq 1571039960, win 14600, options [mss 1460,sackOK,TS val 18492219 ecr 0,nop,wscale 3], length 0
13:31:54.633277 IP 192.168.56.10.59528 > ec2-23-20-46-132.compute-1.amazonaws.com.ldap: Flags [S], seq 1571039960, win 14600, options [mss 1460,sackOK,TS val 18494222 ecr 0,nop,wscale 3], length 0
Kenny Rasschaert
Ignis

0 Answers
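The setup described in the question's three steps, as an added example (not code from the question or its author): a script that generates the application-server and proxy rules so they can be inspected in dry-run mode before being applied, with the proxy restricted to forwarding only LDAP from the application server rather than everything. Host addresses, interface names and the SNAT address are assumptions; it also switches rp_filter to loose mode on the proxy-facing interface, since strict mode drops the returning SYN-ACK when the main table would route the LDAP server via a different interface.

```shell
#!/bin/sh
# Added example, not from the original question: generate (or, with APPLY=1 as
# root, execute) the rules for the setup described above. Interface names,
# addresses and the LDAP server below are assumptions for illustration.
set -eu

MARK=0x1        # fwmark for LDAP packets
TABLE=100       # numeric routing table id: no /etc/iproute2/rt_tables entry needed
LDAP_PORT=389

# Print a command unless APPLY=1, in which case run it.
run() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi; }

# Application server: mark only LDAP, send marked packets to the proxy.
app_server_rules() {
  proxy_ip=$1; iface=$2
  run iptables -t mangle -A OUTPUT -p tcp --dport "$LDAP_PORT" -j MARK --set-mark "$MARK"
  run ip rule add fwmark "$MARK" lookup "$TABLE"
  run ip route add default via "$proxy_ip" dev "$iface" table "$TABLE"
  # Strict rp_filter (=1) on the proxy-facing interface drops the SYN-ACK, because
  # the main table would route the LDAP server via eth0; loose mode (=2) accepts it.
  run sysctl -w "net.ipv4.conf.$iface.rp_filter=2"
}

# Proxy: forward only LDAP from the application server, then SNAT it out.
proxy_rules() {
  app_ip=$1; in_if=$2; out_if=$3; snat_ip=$4
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -i "$in_if" -o "$out_if" -s "$app_ip" -p tcp --dport "$LDAP_PORT" -j ACCEPT
  run iptables -A FORWARD -i "$out_if" -o "$in_if" -d "$app_ip" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -t nat -A POSTROUTING -o "$out_if" -s "$app_ip" -p tcp --dport "$LDAP_PORT" \
      -j SNAT --to-source "$snat_ip"
}

# Count the commands a rule set produces, used as a quick self-check.
rule_count() { "$@" | wc -l | tr -d ' '; }

# Sample invocation with the question's hosts (addresses are assumed).
echo "# --- application server (host0) ---"
app_server_rules 192.168.56.11 eth1
echo "# --- proxy (host1) ---"
proxy_rules 192.168.56.10 eth1 eth0 10.0.2.15
```

Run without APPLY to review the generated commands; on the proxy, the FORWARD policy of DROP means any new service to be relayed needs its own ACCEPT rule.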