By visgotti
So I have servers a and b in one data center, but server c is in another data center.
Within those servers I have node apps using sockets to communicate with each other. As of now, a listens to b and c on the same socket, and b listens to a and c on the same socket.
The problem is, I want to utilize the private networking between a and b, but I understand I can’t from c.
I was wondering if there’s any iptables magic that can handle this situation- or do I need to refactor my servers to utilize a private and public socket for different server communications?
example -
Server A: public IP 168.11.111.111, private IP 10.11.111.111
Server B: public IP 168.22.222.222, private IP 10.22.222.222
Server C: public IP 168.33.333.333
I was thinking I could do something maybe like this for communication from A to B
sudo iptables -t nat -A POSTROUTING -s 168.11.111.111 -j SNAT --to-source 10.11.111.111   # IF DESTINATION IS 10.22.222.222? Is this possible to add to the rule?
then on server b it would be something like
iptables -t nat -A PREROUTING -d 10.22.222.222 -j DNAT --to-destination 168.22.222.222   # DNAT, not REDIRECT: the REDIRECT target only accepts --to-ports, not --to-destination
Basically I want to make it so the output will rewrite its source from the public to the private address, and then the receiving end will rewrite the private destination to the public destination. This way all my apps can use the same socket listening on a public address but also utilize the private network of DigitalOcean.
Hi there,
I believe that the kind of NAT setup you’re suggesting is typically done at the router level, rather than on individual servers.
While it’s technically possible to set up iptables on each server to rewrite IP packets in the way you’re suggesting, it’s quite complex and error-prone, and it may violate best practices in terms of network security and design. Additionally, using iptables in this way might not give you the performance improvement you’re looking for, since every outgoing packet would need to be processed by the iptables rules, which could introduce additional latency.
A simpler approach to this problem would be to use a different socket (i.e., a different IP address and/or port) for private and public communications. This would allow your application to decide which socket to use based on the destination of the communication.
Best,
Bobby