To do transparent tunneling traffic (saving ip) on Linux?

There is a need to make a separate filtering server before the frontend. However, the output of not losing ip addresses, they need to transparently come to the frontend and kalogeropoulos there.

What are the correct tools to solve this problem?

The goal is filtering debris on the iptables level, maybe some minor DDoS protection. The load will be small.
October 3rd 19 at 04:05
6 answers
October 3rd 19 at 04:07
In this scheme, as I understand it, is present 2 eth interface, I have the same on input and output. - daren_Mitchell69 commented on October 3rd 19 at 04:10
October 3rd 19 at 04:09
If the traffic to the website — X-Forwarded-For:
October 3rd 19 at 04:11
I think, if I understand correctly, and the machines are physically close, or is it a new path, then:
1. Tunneling is clearly unnecessary, think you can do a virtual proxy bridge for the car. (She will be standing physically in the context of backend and provider. )
2. In the proposed variant you don't have to reconfigure the backend, since the IP address will remain on it.
3. the filter is thus completely possible with iptables. (although I could be wrong, most still need ibtables, correct )
4. The solution is universal and will support any type of IP traffic
No, the machines are removed by the DC, not the path. The front-end exactly a dedicated server (win 2008), tunnel — linux vps. Task — basic clean-up traffic (possible restrictions on connections, ipset lists... ), in General, a standard problem for iptables.In fact, no matter what will happen to the traffic on the filter. It is important that the package came on the SP filter 1.1.1.1. and transparently aired on the frontend 2.2.2.2 (following the chain of iptables). What not frontend nor the client is (relatively) not have to guess about the presence of the filter. For them it needs to be completely transparent. - daren_Mitchell69 commented on October 3rd 19 at 04:14
A simple PPP will not work? Directly on the ppp interface of the backend to specify the real IP. I kind of did that with cisco + linux. With a real DHCP address on Cisco - daren_Mitchell69 commented on October 3rd 19 at 04:17
Honestly, have not had to deal with this problem. Once used by third-party services antiddos, we had a client script that raised the ipip tunnel on the frontend, and the external IP was antiddos. All ip address filtering remained.
As I understand it, I need to dig in the direction of the ipip. - Brycen commented on October 3rd 19 at 04:20
ppp or ipip — Yes! Although I generally don't like doing that. Better still proxying is fine - daren_Mitchell69 commented on October 3rd 19 at 04:23
stavinsky, and normally it's like (in relation to my reality where 2 cars one on each interface)? - Brycen commented on October 3rd 19 at 04:26
The problem is not the number of interfaces and the fact that you need real IP to the backend. What if not a secret? - daren_Mitchell69 commented on October 3rd 19 at 04:29
On the frontend you want to say. Well, if to consider the task for ease of understanding, rejecting all wishlist. For example Win2008 machine is quite sensitive to incoming traffic and excess loads. Here I want to it, put some filter with ball and traffic loads, which would take the brunt of the attack, for example to filter by geo, number of connections, other junk traffic... to output a clean feed. There are also additional terms of security. No one knows the real address of the frontend. And the IPS need for statistics, logs... - Brycen commented on October 3rd 19 at 04:32
October 3rd 19 at 04:13
Why no one suggested HAProxy?
Works for me so
Client -> iptables -> haproxy -> backend

Depending on Your needs, you can configure haproxy to work from l3 to l7
Because man that would have real IP was on the backend - daren_Mitchell69 commented on October 3rd 19 at 04:16
And what prevents to do it with haproxy?
read docks to haproxy ;) - daren_Mitchell69 commented on October 3rd 19 at 04:19
October 3rd 19 at 04:15
Filter server with one interface. Forwards the traffic to the processing server without SNAT.
The client must contact the server and filter the answer to get through it.
I.e. for the client, a processing server IP = IP filter. With appropriate DNS records (in the case of a web server).
To redirect traffic from the client to the processing — it's just DNAT. But that response went through the filter, on the processing server must be the main route to the filter. So, the filter and the server must be on the same subnet.
Probably easier just to do VPN from the frontend to the filter (or Vice versa, whichever is easier) and configure routes on both sides.
Oh, and for the protection to block the extra (almost all) on a normal interface, a processing server.

If you intend to only web traffic, then nginx + X-Forwarded-For. At the same time filtering any in nginx can be done. And it is possible and Squid(ω) to try to do. Still caching will get a gift.
October 3rd 19 at 04:17
PS.
No, the machines are removed by the DC, not the path. The front-end exactly a dedicated server (win 2008), the tunnel — linux vps

Why not raise on win 2008 virtual machine with Linux, and all traffic to drive through the V-world?
In this case, the traffic will go to use the car, and would not want this. He's just there very expensive, and filtering on winserver will not have any sense. Therefore, we need still a separate filtering server.
While a working version of the ipip, will also try in the test to do with haproxy.
Can anyone have any more bright ideas about a topic, I would be very grateful for them.
And intelligent manual, how to do it in ipip, also I would be grateful. - daren_Mitchell69 commented on October 3rd 19 at 04:20

Find more questions by tags TunnelingComputer networksIptablesLinux