Forward traffic through a firewall

Hello everyone, I want to have a dedicated VPS for router/firewall, like pfSense or ClearOS, let's call it the A machine.

My question is when adding another Linode instance to A's network, how can I let A assign an IP address to it and redirect all traffic to this IP?

3 Replies

Here is my iptables rules: http://pastebin.com/zFSU6YjL

My iptables nat rules: http://pastebin.com/Uy0Y3Qdt

ip_forward is enabled. But I couldn't reach the server from the public IP of the firewall instance.

I can telnet to the backend server from the firewall server.

Please note that I use port 4000, so it shows terabase as the service name, like ssh for port 22.
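As an added example (not from the post or its linked pastebins), here is a small Python checker for the kind of setup the reply above describes: a DNAT port-forward of TCP/4000 on firewall node A to a backend on the private network. The iptables-save dump and all addresses are constructed placeholders; the checker looks for the three pieces that must all be present for such a forward to work: the DNAT in nat/PREROUTING, a FORWARD accept for the translated destination, and a SNAT/MASQUERADE so the backend's replies return through the firewall rather than leaving by its own default route.

```python
import shlex

# Constructed iptables-save dump (placeholder, not the poster's pastebin) for firewall node A:
# TCP/4000 arriving on its public IP 203.0.113.10 is DNAT'd to backend 192.168.1.20 (private net).
GOOD_DUMP = """
*nat
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 4000 -j DNAT --to-destination 192.168.1.20:4000
-A POSTROUTING -d 192.168.1.20/32 -p tcp -m tcp --dport 4000 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.20/32 -p tcp -m tcp --dport 4000 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

def _parse(dump):  # yield (table, chain, tokens) for each chain-policy line and -A rule
    table = None
    for line in (l.strip() for l in dump.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):                 # ":FORWARD DROP [0:0]" is a chain policy
            name, policy = line[1:].split()[:2]
            yield table, name, ["-P", name, policy]
        elif line.startswith("-A "):
            yield table, line.split()[1], shlex.split(line)

def _opt(tok, flag):  # value following `flag` with a /32 host mask stripped, None if absent
    return tok[tok.index(flag) + 1].replace("/32", "") if flag in tok else None

def check_port_forward(dump):
    """Return the reasons a DNAT port-forward in `dump` would fail (empty list = looks OK)."""
    findings = []
    rules = list(_parse(dump))
    dnats = [t for tb, ch, t in rules if tb == "nat" and ch == "PREROUTING" and _opt(t, "-j") == "DNAT"]
    if not dnats: findings.append("no DNAT rule in nat/PREROUTING: nothing redirects inbound traffic")
    fwd = [t for tb, ch, t in rules if tb == "filter" and ch == "FORWARD"]
    policy = next((t[2] for t in fwd if t[0] == "-P"), "ACCEPT")
    for d in dnats:
        target, port = _opt(d, "--to-destination").split(":")[0], _opt(d, "--dport")
        # After DNAT the packet hits FORWARD with the backend as destination; DROP policy needs an ACCEPT.
        allowed = policy == "ACCEPT" or any(
            t[0] == "-A" and _opt(t, "-j") == "ACCEPT" and _opt(t, "-d") in (None, target)
            and _opt(t, "--dport") in (None, port) and "NEW" in (_opt(t, "--ctstate") or "NEW") for t in fwd)
        if not allowed:
            findings.append(f"FORWARD does not accept new connections to {target}:{port}")
        # Without SNAT the backend replies via its own default route (not the firewall), so the
        # reply is never un-DNAT'd; MASQUERADE/SNAT on the firewall makes it answer to the firewall.
        if not any(tb == "nat" and ch == "POSTROUTING" and _opt(t, "-j") in ("SNAT", "MASQUERADE")
                   and _opt(t, "-d") in (None, target) for tb, ch, t in rules):
            findings.append(f"no SNAT/MASQUERADE toward {target}: replies may bypass the firewall")
    return findings
```

Run it against the output of `iptables-save` on the firewall node; an empty list means the three pieces are present, otherwise each string names what is missing.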

I'm running into a similar issue. I reached out to support and their response hints that it may not be possible to do this in Linode.

Here is what I'm trying to do and the issues I've identified. If anyone has overcome these issues or has insight, I'd greatly appreciate it.

I have two Linode instances:

Linode-A - pfSense 2.3.4

Linode-B - CentOS 6.8

I have a similar setup in Azure:

AZ-A - pfSense 2.3.4

AZ-B - CentOS 6.8

I have an IPsec tunnel built between AZ-A and Linode-A. This tunnel is working properly.

I have an internal network defined in Linode and a different internal network defined in Azure. I'd like to have a client (Linode-B) in the Linode private network access a client (AZ-B) in the Azure instance. While I can talk to these private networks directly from AZ-A and Linode-A, I am unable to ping AZ-B and Linode-B. There are two reasons this appears to be an issue:

1) Linode only allows communication to their private network destined for an interface within that private network. If you try to route a different internal network to an interface in the private network, it will fail because the destination is not the interface IP, but rather an IP/network outside the defined private network. When this occurs you will never see L2 or L3 make its way to the interface you're routing it to.

2) If you try to ping the IP of an internal interface when sourcing from something other than the IP of an internal interface assigned by Linode, it will never route to the interface. The internal interface WILL respond from a different source network if the packet makes its way to the node containing the private network - so in my instance, I can ping the internal network of Linode-A from AZ-1 over IPsec, but if I try to get to Linode-B from AZ-1 it never routes past Linode-A.

I desperately need to do internal routing. I can understand why this may be locked down initially for security reasons, but I feel a better approach is to firewall the network from other Linode accounts rather than a flat policy to prevent this kind of networking between two instances on the same account.

Linode support confirmed my suspicions outlined above. I'm a little disappointed this feature isn't accessible. It would certainly hinder other customers from migrating their internal infrastructure to Linode.

Azure acknowledges this limitation as well but at least provides a documented work-around using UDR and IP Forwarding. Hopefully this is a feature we'll see in the near future.
