Fred Stluka on 6 Jun 2013 15:20:01 -0700



[PLUG] Setting up a proxy via iptables?...


PLUG folks,

Do any of you have experience with setting up a proxy via
iptables?  Should be just 3 simple iptables commands, but I
tried and couldn't make it work.

Situation (skip to Details, if you like):

    I have access to a client's DB server from one of my Linux servers at
    AWS.  The client has opened a port in their firewall so I can access
    their DB server.  Works fine.  Been using it for months, as I develop
    software for them.  However, they have a very slow bureaucratic
    process for getting approval to do things like opening ports.  It
    took weeks to get them to do it.

    Now, I'm getting close to a major release of the software, and
    I want to set up a couple of other servers at AWS for testing
    various configs of the software, and they'll need access to the
    DB server also.

    Instead of asking them to open a port each time I spin up a new
    temporary test server, I thought I'd create a lightweight proxy,
    so that all of the new servers connected to my existing server, and
    it proxied the TCP/IP traffic to/from the DB server.

    I found this article:
        http://www.debian-administration.org/articles/595
    which made it look like it's just 3 iptables commands to set up
    the proxy.  So I tried it, but no luck.

Details:

The DB server at IP address 199.7.212.168 uses port 49175.
That port is open in their firewall, but only from my server at
IP address 174.129.10.250.
I need access from one of my new servers at IP address
54.226.118.41.

What I did on my existing server to make it a proxy:

        # Plain shell assignments ("set YourIP=..." does not set $YourIP in sh/bash)
        YourIP=174.129.10.250
        YourPort=49175
        TargetIP=199.7.212.168
        TargetPort=49175

        iptables -t nat -A PREROUTING --dst $YourIP -p tcp --dport $YourPort -j DNAT \
                --to-destination ${TargetIP}:${TargetPort}

        iptables -t nat -A POSTROUTING -p tcp --dst $TargetIP --dport $TargetPort -j SNAT \
                --to-source $YourIP

        iptables -t nat -A OUTPUT --dst $YourIP -p tcp --dport $YourPort -j DNAT \
                --to-destination ${TargetIP}:${TargetPort}

        echo 1 > /proc/sys/net/ipv4/ip_forward   # as root

And of course, I locked down incoming traffic on that port to
be only from my new server, so it's not an open proxy for
anyone to use.

No luck!  Can't connect.  Any ideas for me?

Thanks!
--Fred
------------------------------------------------------------------------
Fred Stluka -- mailto:fred@bristle.com -- http://bristle.com/~fred/
Bristle Software, Inc -- http://bristle.com -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.
------------------------------------------------------------------------
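For comparison with the three commands in the post, here is an added example (not Fred's script and not the cited article's) that generates the complete rule set for such a forwarding proxy, including the pieces the post's version leaves out. The addresses 10.0.0.x are constructed placeholders; the function and variable names are the example's own.

```sh
#!/bin/sh
# Added example, not from the original post or the cited article.
# Generates (and, with DRY_RUN=0, applies) the rule set for a TCP forwarding
# proxy. Differences from the post's three commands:
#   - plain shell assignment (the post's "set X=Y" does not set $X in sh/bash)
#   - a source restriction (-s) on the DNAT rule: DNATted packets traverse
#     FORWARD, not INPUT, so a lock-down in the INPUT chain never sees them
#   - FORWARD-chain accept rules, needed when FORWARD's policy is DROP
#   - MASQUERADE instead of SNAT to a fixed address: on EC2 the interface
#     carries the private address, not the public one, so "-d <public IP>"
#     and "--to-source <public IP>" never match real packets
# The host's AWS security group must also allow tcp/<local_port> from allowed_src.

# Emit the iptables commands for: local_ip local_port target_ip target_port allowed_src
# local_ip must be the address actually configured on the interface (ip -4 addr show).
proxy_rules() {
    local_ip=$1 local_port=$2 target_ip=$3 target_port=$4 allowed_src=$5
    cat <<EOF
iptables -t nat -A PREROUTING -s $allowed_src -d $local_ip -p tcp --dport $local_port -j DNAT --to-destination $target_ip:$target_port
iptables -t nat -A POSTROUTING -d $target_ip -p tcp --dport $target_port -j MASQUERADE
iptables -A FORWARD -s $allowed_src -d $target_ip -p tcp --dport $target_port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $target_ip -d $allowed_src -p tcp --sport $target_port -m conntrack --ctstate ESTABLISHED -j ACCEPT
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Count the iptables lines in a generated rule set (dry-run sanity check).
rule_count() { printf '%s\n' "$1" | grep -c '^iptables '; }

# Commands that show whether traffic actually hits the rules: non-zero
# pkts/bytes counters on the DNAT rule mean the test server reached this host;
# counters on the FORWARD rules mean the packets were passed on.
verify_cmds() {
    cat <<EOF
iptables -t nat -L PREROUTING -n -v
iptables -L FORWARD -n -v
sysctl net.ipv4.ip_forward
EOF
}

# Usage: DRY_RUN=0 ./proxy.sh <local_ip> <local_port> <target_ip> <target_port> <allowed_src>
# With DRY_RUN unset the constructed sample addresses are used and nothing is applied.
if [ "${DRY_RUN:-1}" = 1 ]; then
    proxy_rules 10.0.0.1 49175 10.0.0.2 49175 10.0.0.3
else
    proxy_rules "$@" | sh -e
fi
```

Run the dry-run first and read the emitted rules; then apply as root and use the `verify_cmds` output to see which rule the connection attempt stops at.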

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug