Moving from IPtables to HAProxy for NAT-ing


I currently have a solution that works well for doing NAT.

Front end IP:Port (10.238.232.20:443)--------+-------- Back end IP:Port (172.22.0.42:443)
                                             |
                                             | eth0
                                        +---------+
                                        |         |
                                        |   NAT   |
                                        |         |
                                        +---------+

This is what my setup looks like. My NAT box has only one interface eth0 with IP 10.238.232.20 and my objective is to do both IP Masquerading and IP forwarding.

In the above scenario, I'm accomplishing it using iptables:

# Let the kernel forward packets between the client side and the backend
echo 1 > /proc/sys/net/ipv4/ip_forward

# Start from an empty NAT table
iptables -t nat -F
# Rewrite the source of anything leaving eth0 to the interface address
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Redirect inbound TCP/443 on the public address to the backend
iptables -t nat -A PREROUTING -p tcp -d 10.238.232.20 --dport 443 -j DNAT --to-destination 172.22.0.42:443
# Make the backend see the NAT box as the source (replies come back here)
iptables -t nat -A POSTROUTING -p tcp -d 172.22.0.42 --dport 443 -j SNAT --to-source 10.238.232.20

Now I want to switch from iptables to HAProxy while preserving the above behaviour.

Here is the snippet of what I have till now

# Accept TCP/443 on every local address and hand it to the backend
frontend k8s_https_frontend
  bind *:443
  mode tcp
  default_backend k8s_https_backend

# Open a new TCP connection to the backend and relay the stream unchanged
backend k8s_https_backend
  mode tcp
  balance roundrobin
  server https_ingress 172.22.0.42:443 check port 443

Now from my browser, when I do a curl 10.238.232.20:443, I definitely do get a 200 response from my backend. I am just not sure if that is enough to meet both the criteria for IP masquerading and IP forwarding.

Is there something else I need to do in my HAProxy config?

You can’t compare the two. Haproxy doesn’t do NAT.

Haproxy receives TCP traffic on one socket and opens a new TCP session towards your backend server and forwards the entire payload between the two.

This is not what haproxy does. Not sure why you’d insist on that criteria though, if it doesn’t make sense for you.

You can’t compare the two. Haproxy doesn’t do NAT.

That page suggests that Haproxy can do NAT: https://www.haproxy.com/blog/layer-4-load-balancing-nat-mode/

But it won't say how.
It would be very cool, because when we have stupid TCP/UDP services that don't understand the proxy protocol but we need the original source IP address, we can easily add active-passive functionality.

And yet, it does not.

This isn’t solved by NAT. It is solved by putting haproxy in a gateway position in transparent mode, where it will spoof the source IP.

It’s called “transparent proxying” in this article:
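As an added illustration (not from the thread or the linked article), the three options discussed above side by side, using the poster's addresses: the plain TCP proxy that already replaces the DNAT + SNAT rules, the PROXY-protocol variant, and the transparent mode the reply refers to. The last two are assumptions about the poster's environment: the PROXY-protocol backend requires an ingress that accepts that header, and transparent mode requires the kernel-side setup in the comments, CAP_NET_ADMIN for HAProxy, and the backend routing its replies back through the HAProxy host.

```haproxy
# 1) Plain TCP proxy: what the poster's snippet already does.
#    HAProxy accepts the client's connection and opens its own connection to
#    172.22.0.42:443, so the backend sees 10.238.232.20 as the source address,
#    the same end result as the DNAT + SNAT/MASQUERADE rules, with no NAT at all.
frontend k8s_https_frontend
    bind 10.238.232.20:443      # bind the public address only, rather than *:443
    mode tcp
    default_backend k8s_https_backend

backend k8s_https_backend
    mode tcp
    balance roundrobin
    server https_ingress 172.22.0.42:443 check   # "check" already probes port 443

# 2) Keep the client IP visible to a PROXY-protocol-aware backend (assumption:
#    the ingress accepts PROXY protocol v2). The TCP source is still HAProxy's,
#    the client address travels in the PROXY header at the start of the stream.
backend k8s_https_backend_proxyproto
    mode tcp
    server https_ingress 172.22.0.42:443 check send-proxy-v2

# 3) Transparent mode, the "spoofed source IP" the reply describes. HAProxy
#    connects to the backend using the client's own address, so the backend must
#    route its replies back through this host (this host is its gateway, and
#    ip_forward stays enabled), and HAProxy needs CAP_NET_ADMIN for IP_TRANSPARENT.
#    Kernel-side setup, run once on the HAProxy host as root, so that returning
#    packets for non-local addresses are delivered to the local sockets:
#      iptables -t mangle -N DIVERT
#      iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
#      iptables -t mangle -A DIVERT -j MARK --set-mark 1
#      iptables -t mangle -A DIVERT -j ACCEPT
#      ip rule add fwmark 1 lookup 100
#      ip route add local 0.0.0.0/0 dev lo table 100
backend k8s_https_backend_transparent
    mode tcp
    source 0.0.0.0 usesrc clientip
    server https_ingress 172.22.0.42:443 check
```

Only one of the three backends should be the frontend's default_backend at a time; the other two are shown for comparison.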