3

I'm trying to use an OVH node as a reverse proxy for several Minecraft servers (mostly for DDoS protection and firewall customisation). The Minecraft hosts are also running Ubuntu, either 12.04 or 14.04, and the OVH node has Ubuntu on it. Currently I've tried doing this:

sysctl net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp --dport port -j DNAT --to-destination ip:port
iptables -t nat -A POSTROUTING -j MASQUERADE

This mostly works fine, with the exception of the obvious: all the clients have the same IP as the server I've done this on. Is there any way I can set any of these devices up so that it preserves the original source IP? I've read that tcpproxy (http://www.quietsche-entchen.de/cgi-bin/wiki.cgi/proxies/TcpProxy) is a good solution to this, but I see no reason this problem would not continue.

I also wonder if using this would cause replies from the Minecraft server to bypass the proxy, leaking the real IPs, which I would like to avoid.

muru
  • 207,228

1 Answer

2

Preserving the IP address of the proxied server wouldn't work in your situation. If the client originally connects to the proxy (we'll say proxy:1111) and gets a response from minecraft1:2525, what does the client do with it? There's no way for the client to map this response to the original request.

Keep doing it the way you're doing it.

Instead, you could use multiple rule sets on a range of ports. So, for example, minecraft1 is proxy:1111, minecraft2 is proxy:1112, minecraft3 is proxy:1113, etc.

Then you could set up your rules like this:

iptables -t nat -A PREROUTING -p tcp --dport 1111 -j DNAT --to-destination ip:port
iptables -t nat -A PREROUTING -p tcp --dport 1112 -j DNAT --to-destination ip:port
iptables -t nat -A PREROUTING -p tcp --dport 1113 -j DNAT --to-destination ip:port
iptables -t nat -A POSTROUTING -j MASQUERADE

Then, to connect to minecraft1, you'd use proxy:1111. For minecraft2, proxy:1112, etc. The port that the actual Minecraft servers are running on doesn't matter since the rules will relay to the correct port.

Chuck R
  • 5,038
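The per-port rule set the answer describes, as an added example that is not part of the question or the answer: a small POSIX shell script that generates the PREROUTING/POSTROUTING commands from a backend mapping so they can be reviewed before being applied as root. The backend addresses, the listen ports and the interface name `eth0` are constructed placeholders. Two things differ from the bare commands in the answer, on purpose: MASQUERADE is restricted to traffic leaving the Internet-facing interface instead of every forwarded packet, and FORWARD rules are emitted for hosts whose FORWARD policy is DROP (ufw sets it that way), where the DNAT'd packets would otherwise be silently discarded. Because conntrack reverses the NAT on the reply path, the Minecraft hosts' own addresses never appear in packets sent to clients.

```shell
#!/bin/sh
# Constructed mapping, one backend per line:
#   <listen port on the proxy> <Minecraft host address> <Minecraft port>
# The addresses and ports are placeholders, not real hosts.
BACKENDS='1111 10.0.0.11 25565
1112 10.0.0.12 25565
1113 10.0.0.13 25566'

# Internet-facing interface on the OVH node (assumed name).
WAN_IF=eth0

# check_unique_ports: return 1 if two backends share a listen port, since the
# second DNAT rule for that port would never match and the mapping is ambiguous.
check_unique_ports() {
    dupes=$(printf '%s\n' "$BACKENDS" | awk 'NF { print $1 }' | sort | uniq -d)
    [ -z "$dupes" ]
}

# gen_rules: print the iptables commands for the whole mapping.
gen_rules() {
    printf '%s\n' "$BACKENDS" | while read -r lport bip bport; do
        [ -n "$lport" ] || continue
        # New connections arriving on $lport are rewritten to the backend.
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $lport -j DNAT --to-destination $bip:$bport"
        # Let the rewritten packets through FORWARD if its policy is DROP.
        echo "iptables -A FORWARD -i $WAN_IF -p tcp -d $bip --dport $bport -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Replies and follow-up packets of accepted connections, both directions.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Source-NAT only what leaves towards the backends, so they see the
    # proxy's address and answer through it (as in the answer's rule set).
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# apply_rules: enable forwarding and run the generated commands (root only).
apply_rules() {
    check_unique_ports || { echo "duplicate listen port in BACKENDS" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1
    gen_rules | sh -e
}

# Default action: show the rules for review; call apply_rules to install them.
gen_rules
```

After applying, `iptables -t nat -L PREROUTING -n -v` and `conntrack -L` (from the conntrack package) show per-rule packet counters and the translated flows, which is the quickest way to confirm that replies are coming back through the proxy rather than around it.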