How can I route an external ip from one server by first forcing it to go through another internal ip?

In our network setup, the source server is connected to the internet on one network card. The destination server is also connected to the internet.

When I use the destination ip, instead of going directly over the internet to communicate through this server, I wish the packets to be routed first to another internal ip and then forwarded to the external ip of the destination server.

There will be several systems requesting the use of this external ip and all must be routed first through the internal ip.

I have windows servers and I wish to execute the above routing with the least effort while using the least required privileges and permissions.

Andrew
  • What kind of network topology do you have in place (routers/NAT/proxies/etc.)? What kind of traffic will be passed over this 'proxy' IP, like will the connection need to maintain state or can we just pass the traffic from any internal IP to this proxy and on to the destination IP? Depending on the topo./equipment in place (like if you already have a router/firewall), you 'should' be able to modify the routing/DNS rules to forward any requests from [SRC IP] to [DST IP] (i.e. tell your router to send all traffic bound for SRC to be routed to DST and maintain state) .. ? – txtechhelp Jan 13 '15 at 23:02
  • The traffic will be IP, so any other stateful technologies will be required to build over IP – Andrew Jan 14 '15 at 23:03
  • Is the internal IP you want to route through on the same subnet as the source server? – Catherine MacInnes Jan 15 '15 at 16:39
  • Yes, it's on the same subnet. – Andrew Jan 20 '15 at 10:08

2 Answers

0

I cannot comment because I don't have the required rep, but from my limited networking knowledge, I suppose this would come down to what kind of router you are using. This would be trivial if you used a Linux box as your router, with the iptables command. You could create forwarding rules on the machine and route all traffic through that machine.

Since you are using Windows, you would ostensibly have to configure outbound firewall rules on each machine so that traffic is redirected to the internal network. Depending on your version of Windows, these CLI-based tools are different (i.e. netsh for 2008, Powershell 3.0 cmdlets for 2012, etc...). This would be tedious because you'd have to add the rule on every machine on your network (so that outbound traffic doesn't just get bounced back to the forwarding machine always).

Or you might be able to do it on your conventional hardware router if it has advanced enough port forwarding options.

Personally, I would fire up a simple Linux (Ubuntu 14.10 LTS Server Edition) box as a Hyper-V guest, and forward all traffic through that, configuring the routing using IPTables. It's a bit of a hack, and wouldn't be optimal use of system resources, but it would give you absolute control of your local network traffic. If you don't want to waste virtualization resources, use an old physical box, or a dd-wrt router (both would be cheap).

Here's the iptables man page from the dd-wrt website: http://www.dd-wrt.com/wiki/index.php/Iptables_command

Aubrey Robertson
  • Thanks. iptables was one of the strategies I originally had thought of. The administrator has since updated the switches to reflect the change we needed. For a Windows environment, a similar result could however be achieved with netsh (http://stackoverflow.com/questions/26593090/can-iptables-be-ported-to-windows-i-need-to-route-traffic-in-windows-netsh-cou, http://technet.microsoft.com/en-us/library/cc754998(v=ws.10).aspx) or the route command (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/route.mspx?mfr=true). – Andrew Jan 20 '15 at 10:21
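An added example, not code from the answer or the commenter, of the setup the answer describes: a Linux box as the forwarding hop for the destination IP, plus the Windows route command mentioned in the comment for each client. Interface names and all addresses (LAN 10.0.0.0/24, hop 10.0.0.5, destination 203.0.113.10) are constructed assumptions; set DRY_RUN=1 to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the page). Assumed, constructed layout:
#   eth0 = LAN side of the hop box (10.0.0.5 on 10.0.0.0/24)
#   eth1 = the hop box's own internet uplink
#   DST_IP = external address of the destination server
LAN_IF=eth0; LAN_NET=10.0.0.0/24; GW_IP=10.0.0.5; WAN_IF=eth1; DST_IP=203.0.113.10

# Echo the command when DRY_RUN is set, otherwise execute it (root needed for the real run).
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

enable_forwarding() { run sysctl -w net.ipv4.ip_forward=1; }

add_forward_rules() {
  # Default-deny forwarding: only LAN -> DST_IP and the matching replies may cross the box.
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -d "$DST_IP" -j ACCEPT
  run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Source NAT is required: clients send from private LAN addresses, so replies from
  # DST_IP can only come back if they are addressed to this box's uplink address.
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -d "$DST_IP" -j MASQUERADE
}

# Per-client host route (run as administrator on each Windows machine):
# only traffic for DST_IP is steered via the hop; everything else keeps its normal path.
client_route_cmd() { echo "route -p add $DST_IP mask 255.255.255.255 $GW_IP"; }

if [ "${1:-}" = "apply" ]; then
  enable_forwarding
  add_forward_rules
  echo "On each Windows client run: $(client_route_cmd)"
fi
```

Because the hop box NATs the flows, the destination server only ever sees the hop's uplink address, which is what makes all clients appear to arrive "through the internal IP".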
0

It is also possible to route this through switches and the network infrastructure but this depends on the actual hardware implementation in place.

Andrew