Forward traffic through a firewall
My question is when adding another Linode instance to A's network, how can I let A assign an IP address to it and redirect all traffic to this IP?
3 Replies
My iptables nat rules:
ip_forward is enabled. But I couldn't reach the server from public ip of the firewall instance.
I can telnet to backend server from the firewall server.
Please note that I use port 4000 so it shows terabase as the service name like ssh for port 22
Here is what I'm trying to do and the issues I've identified. If anyone has overcome these issues or have insight…I'd greatly appreciate it.
I have two Linode instances:
Linode-A - pfSense 2.3.4
Linode-B - CentOS 6.8
I have a similar setup in Azure:
AZ-A - pfSense 2.3.4
AZ-B - CentOS 6.8
I have an IPsec tunnel built between AZ-A and Linode-A. This tunnel is working properly.
I have an internal network defined in Linode and a different internal network defined in Azure. I'd like to have a client (Linode-B) in the Linode private network access a client (AZ-B) in the Azure instance. While I can talk to these private networks directly from AZ-A and Linode-A, I am unable to ping AZ-B and Linode-B. There are two reasons this appears to be an issue:
1) Linode only allows communication to their private network destined for an interface within that private network. If you try to route a different internal network to an interface in the private network, it will fail because the destination is not the interface IP, but rather an IP/network outside the defined private network. When this occurs you will never see L2 or L3 make it's way to the interface you're routing it to.
2) If you try to ping the IP of an internal interface when sourcing from something other the the IP of an internal interface assigned by Linode, it will never route to the interface. The internal interface WILL respond from a different source network if the packet makes it's way to the node containing the private network - so in my instance, I can ping the internal network of Linode-A from AZ-1 over IPsec but if I try to get to Linode-B from AZ-1 it never routes past Lindoe-A.
I desperately need to do internal routing. I can understand why this may be locked down initially for security reasons but I feel a better approach is to firewall the network from other linode accounts rather than a flat policy to prevent this kind of networking between two instances on the same account.
Azure acknowledges this limitation as well but at least provides a documented work-around using UDR and IP Forwarding. Hopefully this is a feature we'll see in the near future.