Put a CentOS box in front of an application server as a protector

February 13, 2015

I have an application server running Windows Server 2008 R2. On this server, I have applications (.exe) running and listening on ports 10000, 11000, 13000.

Clients (exe) connect directly to the server via the ports above.

Now, for security purposes, I want to put a CentOS box in front of the Windows server (like a proxy) that handles all connections and then redirects them to the Windows server.

On CentOS, I use iptables with the rules below:

sysctl net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp --dport 10000 -j DNAT --to 123.45.67.89:10000
iptables -t nat -A PREROUTING -p tcp --dport 11000 -j DNAT --to 123.45.67.89:11000
iptables -t nat -A PREROUTING -p tcp --dport 12000 -j DNAT --to 123.45.67.89:12000
iptables -t nat -A POSTROUTING -j MASQUERADE

Now, when the client is running, I checked the log on the Windows server and see that the applications on the Windows Server accept incoming connections from the client via CentOS:

Client ----- CentOS ----- Windows Server

However, at this step, the client app errors and shows: cannot receive response from server.

I guess I am missing some rule in iptables that will allow the response packets from the WS?

Hope someone can help me fix it.

Thanks in advance.


1 Answer

This question was answered by @EpicCDN:

You are receiving connections from your Linux "firewall", but it looks like your WS can't send any response to the client, so you need to check why the WS is unable to respond. My guess is that maybe you need to route WS traffic through your Linux box if your app somehow has a restriction on where the server response comes from.

Typically you hide a server behind a firewall in the same network. As DO has no Windows droplets, I assume you are sending the traffic to your Windows provider elsewhere, so the Windows server is responding from its completely different network. Which, by the way, defeats the purpose of hiding it behind Linux, as your traffic will reflect the real source.

Maybe you can try a VPN (WS to Linux) and use the Linux server as NAT for your Windows.
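As an added example (not code from the question or the answer), a shell function that prints a tightened version of the rule set discussed above: DNAT only on the public interface, a default-deny FORWARD chain limited to the forwarded ports and their established connections, and MASQUERADE only on the interface facing the Windows server, so that its replies come back through CentOS as the answer suggests (over a VPN link or a shared network). The interface names and the 10.8.0.2 address are assumed placeholders, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Emits a stricter
# NAT rule set for a CentOS box fronting a Windows application server.
# Arguments (all assumptions, not values from the page):
#   $1 = public-facing interface on CentOS (e.g. eth0)
#   $2 = interface that reaches the Windows server (eth1, or a VPN tun0)
#   $3 = Windows server IP as seen over that interface
#   $4 = space-separated TCP ports to forward
# Rules are printed rather than applied so they can be reviewed first.
build_nat_rules() {
    ext_if=$1; int_if=$2; ws_ip=$3; ports=$4
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Default-deny forwarding; only the listed ports and their replies pass.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        # DNAT only for traffic arriving on the public interface.
        echo "iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport $p -j DNAT --to-destination $ws_ip:$p"
        # Allow only new connections to the forwarded port on the Windows server.
        echo "iptables -A FORWARD -i $ext_if -o $int_if -p tcp -d $ws_ip --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # MASQUERADE only on the link towards the Windows server: the server then
    # sees CentOS as the client, and its replies travel back over that same
    # link, where conntrack undoes the translation before they reach the client.
    echo "iptables -t nat -A POSTROUTING -o $int_if -d $ws_ip -j MASQUERADE"
}

# Sanity check: number of DNAT rules must equal the number of forwarded ports.
count_dnat() {
    build_nat_rules "$@" | grep -c -e '-j DNAT'
}

# Apply with:  build_nat_rules eth0 tun0 10.8.0.2 "10000 11000 13000" | sh
```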

