Hiding one server behind another using port mapping.
There is often a need to redirect from the IP of one server to the IP of another, so that a connection made to the first server is forwarded to the second. Why would that be necessary? Suppose, as happens often these days, your server has been blocked by IP address. Then you will most likely have to bring up a server with a different IP and move the site to it, since the current server is banned and you can no longer use it.
But if every new IP address is blocked in turn, the server will have to be rebuilt again and again, which is a big headache for the system administrator. So the idea arises to keep a main server with all the required content and services (with a permanent IP that never needs reinstalling), plus a second "small" server on a VPS that can be brought up and installed quickly, and to redirect from the second server to the first. The second server is often called a gasket (an intermediary, or relay) for the first. There are many ways to build one. In this article we will look at the simplest: creating a gasket with iptables.
The IP of the main server need not be exposed, so it stays unknown to the blocking "authorities". Only the IP of the gasket is visible, and that can be changed quickly when necessary. The location of the main server is also unknown, so a "mask show" (a raid with seizure of the server) is less likely; it can sit in a safe and secure place. Only the temporary gasket is under attack.
This topic is relevant today not only to scammers and spammers but also to all kinds of activists, opposition figures and simply inconvenient bloggers and site administrators, because censorship now exceeds all limits and the count of blocked sites long ago passed tens of millions. Any administrator today may face a site being blocked without trial, and this material will help to restore the site quickly in that case.
Suppose we have a server with IP 1.1.1.1 and a gasket with IP 2.2.2.2. An HTTP server runs on the main server (ports 8080 and 8081), and we need to redirect ports 80 and 443 of the gasket to them, respectively.
It's easy to do this. You only need three rules for iptables:
iptables -t nat -A PREROUTING -p tcp -d 2.2.2.2 --dport 80 -j DNAT --to-destination 1.1.1.1:8080
iptables -t nat -A PREROUTING -p tcp -d 2.2.2.2 --dport 443 -j DNAT --to-destination 1.1.1.1:8081
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
These rules are entered on the command line of the gasket as root. The first rule takes an incoming packet addressed to 2.2.2.2:80 and replaces the destination IP with 1.1.1.1 and the port with 8080 (DNAT, destination NAT). The second rule does the same for ports 443 and 8081. The third rule enables masquerading on the eth0 interface (the gasket's external interface); if your interface has a different name, for example eno3, replace eth0 with eno3. Masquerading rewrites the source address of the packets the gasket forwards out of eth0 to the gasket's own IP, so the main server replies to the gasket rather than directly to the client, and external users only ever see the gasket's address in the packets instead of the server's.
Redirection should work now. You can check it with telnet on ports 80 and 443 of the gasket:
$ telnet 2.2.2.2 80
Trying 2.2.2.2...
Connected to 2.2.2.2.
Escape character is '^]'.
We see that the connection works. Otherwise telnet would have hung or returned an error.
For now, the gasket will work only until the first reboot, after which the iptables rules will be lost. To preserve the rules across reboots, install the iptables-persistent package:
# apt-get install iptables-persistent
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
libboost-date-time1.67.0 libboost-filesystem1.67.0
libboost-program-options1.67.0 libboost-system1.67.0
Use 'apt autoremove' to remove them.
The following additional packages will be installed:
netfilter-persistent
The following NEW packages will be installed:
iptables-persistent netfilter-persistent
0 upgraded, 2 newly installed, 0 to remove and 8 not upgraded.
Need to get 23.4 kB of archives.
After this operation, 91.1 kB of additional disk space will be used.
Do you want to continue? [Y/n]
After that, the iptables-save and iptables-restore commands will be installed and the current firewall rules will be saved in /etc/iptables in two files, rules.v4 and rules.v6, for IPv4 and IPv6 respectively. If you want to add more port mappings, enter the additional iptables rules in the console and then save them with:
# iptables-save >/etc/iptables/rules.v4
# ip6tables-save >/etc/iptables/rules.v6
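As an added example (not from the original article), the following script generates the gasket's NAT rules from a list of port mappings directly in iptables-save format, so the result can be written to /etc/iptables/rules.v4 for iptables-persistent and loaded with iptables-restore instead of typing the rules one by one. It also enables IP forwarding, without which the DNAT'ed packets are not routed to the main server, and it scopes the MASQUERADE rule to traffic for the main server only (a narrowing of the article's rule). The addresses 1.1.1.1, 2.2.2.2 and the interface eth0 are the article's placeholders.

```shell
#!/bin/sh
# gen_rules GASKET_IP SERVER_IP IFACE "GPORT:SPORT ..."
# Prints a complete *nat table in iptables-save syntax on stdout.
gen_rules() {
    gasket="$1"; server="$2"; iface="$3"; maps="$4"
    printf '%s\n' '*nat'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]'
    printf '%s\n' ':INPUT ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
    # $maps is deliberately unquoted so it splits into "GPORT:SPORT" words.
    for m in $maps; do
        gport="${m%%:*}"; sport="${m#*:}"
        # Same DNAT the article uses: a packet for the gasket's port is
        # rewritten to the main server's IP and port.
        printf '%s\n' "-A PREROUTING -p tcp -d $gasket --dport $gport -j DNAT --to-destination $server:$sport"
    done
    # MASQUERADE only traffic forwarded to the main server, not everything
    # leaving the interface, so the gasket's own unrelated outbound traffic
    # is left untouched.
    printf '%s\n' "-A POSTROUTING -o $iface -d $server -j MASQUERADE"
    printf '%s\n' 'COMMIT'
}

# count_dnat RULESET: number of DNAT rules in a generated rule set.
count_dnat() {
    printf '%s\n' "$1" | grep -c -- '-j DNAT'
}

# install_rules: enable forwarding, save the rules where iptables-persistent
# expects them and load them atomically. Must run as root on the gasket.
# (Forwarding is set at runtime here; put net.ipv4.ip_forward=1 in
# /etc/sysctl.conf as well so it survives a reboot.)
install_rules() {
    sysctl -w net.ipv4.ip_forward=1
    gen_rules "$@" > /etc/iptables/rules.v4
    iptables-restore < /etc/iptables/rules.v4
}

# Usage on the gasket from the article:
#   install_rules 2.2.2.2 1.1.1.1 eth0 "80:8080 443:8081"
```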
Congratulations, your first gasket has been created. 😉