[GTALUG] Routing and/or Proxying
D. Hugh Redelmeier
hugh at mimosa.com
Sat Sep 3 17:51:37 EDT 2016
I don't understand all the parameters of your problem.
If the application servers are all on a secure LAN, and the "proxy"
machine is on that LAN, and it also has access to the internet, then it
sounds like NAPTing ("masquerading" is the old Linux name) would do what
you want. The "proxy" would then be the LAN's gateway (in a routing
sense).
If the application servers are not on a LAN, it isn't clear what you want.
In particular, why would you want *all their traffic* to go through the
"proxy"? Or do you mean *all their traffic that reaches the proxy* to go
through the proxy?
If the application servers are not on a LAN, how would the traffic be
authenticated by the "proxy"? Without authentication, you are just
destroying the (admittedly weak) security mechanism of the firewall and
the servers behind it.
BTW, VPNs and routing are not opposites. FreeS/WAN IPSec actually used
Linux routing to select packets for VPN processing. It turned out to be a
reasonable choice.
Note: NAPTing is generally limited to protocols with ports: UDP and TCP
essentially. It doesn't really handle "all traffic". You probably only
care about those protocols.
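As an added illustration (this is not code from the original post, GTALUG, or any Linux component), the following Python model shows what the NAPT ("masquerading") gateway described above actually does with a packet: outbound LAN traffic is rewritten to the gateway's public address and a freshly allocated port, replies are matched against that table and rewritten back, anything arriving from the internet that no LAN host asked for is dropped (the "admittedly weak" firewalling effect of NAT), and a protocol without ports cannot be translated at all, which is the caveat in the last paragraph. The addresses, port range and class names are constructed for the example (RFC 5737 documentation ranges); real Linux conntrack is far more elaborate, so treat this as a teaching model of the mechanism, not a description of the kernel.

```python
"""Toy NAPT ("masquerading") table, constructed as a teaching model.

The gateway has a private LAN side and one public WAN address.  Outbound
packets from LAN hosts leave with the gateway's public address and an
allocated port; replies are matched against the table and rewritten back.
Only TCP and UDP carry the ports that NAPT rewrites.
"""
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "203.0.113.7"  # constructed: the gateway's internet-facing address


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp", or something port-less like "icmp"/"esp"
    src: str
    sport: Optional[int]   # None for protocols without ports
    dst: str
    dport: Optional[int]


class NaptGateway:
    """Stateful address/port translator sitting as the LAN's default gateway."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # Reverse table: (proto, public_port) -> original 5-tuple of the LAN flow
        self.table: dict = {}
        # Forward table: LAN 5-tuple -> public port already allocated to it
        self.flows: dict = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN->internet packet; returns the packet as sent upstream."""
        if pkt.proto not in ("tcp", "udp"):
            # No port field to rewrite, so the mapping cannot be kept apart
            # from other hosts' traffic: the "generally limited to protocols
            # with ports" caveat.
            raise ValueError(f"NAPT cannot translate {pkt.proto}: no port to rewrite")
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        pub_port = self.flows.get(key)
        if pub_port is None:
            # First packet of this flow: allocate a public port and record it
            pub_port = self.next_port
            self.next_port += 1
            self.flows[key] = pub_port
            self.table[(pkt.proto, pub_port)] = key
        return replace(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an internet->gateway packet back to the LAN host, or drop it.

        Returns None when nothing on the LAN initiated a matching flow, which is
        why hosts behind NAT are not directly reachable from outside.
        """
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None  # unsolicited: no LAN host opened this mapping
        _proto, lan_ip, lan_port, remote_ip, remote_port = entry
        if (pkt.src, pkt.sport) != (remote_ip, remote_port):
            return None  # right public port, wrong peer: still not the reply we expect
        return replace(pkt, dst=lan_ip, dport=lan_port)


if __name__ == "__main__":
    gw = NaptGateway()
    out = gw.outbound(Packet("tcp", "192.168.10.5", 51234, "198.51.100.20", 443))
    print("upstream sees:", out)
    back = gw.inbound(Packet("tcp", "198.51.100.20", 443, PUBLIC_IP, out.sport))
    print("LAN host receives:", back)
    print("unsolicited SYN:", gw.inbound(Packet("tcp", "198.51.100.99", 22, PUBLIC_IP, 40000)))
```

Running the module shows one TCP flow going out, its reply coming back to the originating LAN host, and an unsolicited packet to the same public port being dropped because it comes from the wrong peer.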