HAProxy community

Moving from IPtables to HAProxy for NAT-ing

0

I currently have a solution that works well for doing NAT.

Front end IP:Port (10.238.232.20:443)--------+-------- Back end IP:Port (172.22.0.42:443)
                                             |
                                             | eth0
                                        +---------+
                                        |         |
                                        |   NAT   |
                                        |         |
                                        +---------+

This is what my setup looks like. My NAT box has only one interface eth0 with IP 10.238.232.20 and my objective is to do both IP Masquerading and IP forwarding.

In the above scenario, im accomplishing it using iptables

echo 1 >  /proc/sys/net/ipv4/ip_forward

iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -d 10.238.232.20 --dport 443 -j DNAT --to-destination 172.22.0.42:443
iptables -t nat -A POSTROUTING -p tcp -d 172.22.0.42 --dport 443 -j SNAT --to-source 10.238.232.20

Now I want to switch from iptables to HAProxy while preserving the above behaviour.

Here is the snippet of what I have till now

frontend k8s_https_frontend
  bind *:443
  mode tcp
  default_backend k8s_https_backend

backend k8s_https_backend
  mode tcp 
  balance roundrobin
  server https_ingress 172.22.0.42:443 check port 443

Now from my browser, when I do a curl 10.238.232.20:443 , I definitely do get a 200 response from my backend. I am just not sure if that is enough to meet both the criteria for IP masquerading and IP forwarding.

Is there something else I need to do in my HAProxy config ?

You can’t compare the two. Haproxy doesn’t do NAT.

Haproxy receives TCP traffic on on socket and opens a new TCP session towards your backend server and forwards the entire payload between the two.

This is not what haproxy does. Not sure why you’d insist on that criteria though, if it doesn’t make sense for you.