HAProxy community

Single TCP port forward with haproxy


#1

Due to network configuration I need to re-create the TCP connection with specific port, say, 5555, like:
source NIC 192.168.10.70 -> NAT server with proxy 192.168.10.1 - haproxy - 213.100.60.20 -> WAN destination server 213.100.70.30

So, haproxy must listen on port 5555 on eth0 192.168.10.1 and automatically redirect this TCP flow to 213.100.70.30:5555 over eth1 213.100.60.20.
The remaining traffic should be routed via typical NAT (shorewall) to be able to access the internet (this is optional, but desirable).

To do this I was trying to make such haproxy.cfg
cat /etc/haproxy/haproxy.cfg

global
    daemon
    maxconn 10

defaults
    mode tcp
    timeout connect 5000ms
    timeout client 10000ms
    timeout server 10000ms

frontend tcp-in
    bind 192.168.10.0:14550
    default_backend servers

backend servers
    server server1 213.100.70.30:5555 maxconn 32

The haproxy has been started with such options:

haproxy -f /etc/haproxy/haproxy.cfg -V

The TCP connection has been made from the source NIC 192.168.10.70 to 192.168.10.1:5555, but the connection was not established with the destination 213.100.70.30

Since I’m new, I’m asking for help. Thank you.


#2

Looks like you put the wrong IP in the bind declaration: 192.168.10.0 instead of 192.168.10.1.


#3

Unfortunately, I was testing it with 192.168.10.0, 192.168.10.1, 192.168.10.70, 192.168.1.255.
Of course, I can recheck it.

Maybe the problem is that I have NAT server (shorewall) working in parallel?


#4

Did you share the actual configuration you used in your tests here, or is this a modified configuration? You said you want to use 5555, yet you configured port 14550.

I’m not quite sure what it is that you configured, and neither do I understand what you are trying to do with your NAT device, where this NAT device is (or is it the same box) and how this NAT is configured.
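
The two mismatches raised in replies #2 and #4 (bind address and listening port) can be checked mechanically before starting haproxy. This is an added example, not part of the thread: the function names are hypothetical, the /24 netmask on eth0 is an assumption, and only single IPv4 `addr:port` binds are handled.

```python
import ipaddress

# Frontend from post #1, copied from the thread.
POST1_CFG = """
frontend tcp-in
    bind 192.168.10.0:14550
    default_backend servers
"""

def bind_lines(cfg_text):
    """Yield (section, address, port) for every 'bind addr:port' line."""
    section = None
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not words:
            continue
        if words[0] in ("global", "defaults", "frontend", "listen", "backend"):
            section = " ".join(words[:2])
        elif words[0] == "bind" and len(words) > 1:
            addr, _, port = words[1].rpartition(":")
            yield section, addr, int(port)

def check_bind(addr, port, iface, want_port):
    """Return the problems with one bind, given the local interface (CIDR)."""
    problems = []
    if addr not in ("", "*", "0.0.0.0"):          # wildcard binds match any local IP
        ip = ipaddress.ip_address(addr)
        net = iface.network
        if ip == net.network_address:
            problems.append(f"{ip} is the network address of {net}, not a host address")
        elif ip == net.broadcast_address:
            problems.append(f"{ip} is the broadcast address of {net}")
        elif ip != iface.ip:
            problems.append(f"{ip} is not this host's address ({iface.ip})")
    if port != want_port:
        problems.append(f"listens on port {port}, clients connect to {want_port}")
    return problems

def lint(cfg_text, iface_cidr, want_port):
    """Map each bind line to its list of problems (empty list means consistent)."""
    iface = ipaddress.ip_interface(iface_cidr)
    return {f"{sec} bind {addr}:{port}": check_bind(addr, port, iface, want_port)
            for sec, addr, port in bind_lines(cfg_text)}

if __name__ == "__main__":
    # eth0 address from post #1; the /24 prefix length is assumed.
    for bind, problems in lint(POST1_CFG, "192.168.10.1/24", 5555).items():
        print(bind, problems or "ok")
```
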


#5

Hey Orion,

Because you are doing TCP only and you wish to do NAT for Internet access, why don’t you do it all with your firewall ? Just forward the socket using a simple firewall rule like :

iptables -A PREROUTING -t nat -i eth0 -p tcp --source 192.168.10.70/32 --destination 192.168.10.1 --destination-port 5555 -j DNAT --to-destination 213.100.70.30

If your firewall is not iptables, basically every packet filter can do what you need.

For sure HAProxy can forward a single TCP socket. The thing is, I am more familiar with packet filters and still at the baby steps with HAProxy, using a GUI to configure it.


#6

Good evening!
My task is to re-create a TCP connection for the specific port (5555). That’s why I try to use proxy, because NAT server will not recreate tcp connection, but only will route existing connection. So: the final TCP connection should be done between my server and destination, instead of my windows machine and destination. I suppose that I have to use something like sock5 proxy to do such TCP session splitting.

So, the setup should be as follows:
from source windows NIC 192.168.10.70 to NAT 192.168.10.1:5555 -> NAT server 192.168.10.1 (with PROXY listening on port 5555) -
haproxy - wan NIC 213.100.60.20 to 213.100.70.30:5555 -> WAN server with IP 213.100.70.30

The haproxy config is here:

cat /etc/haproxy/haproxy.cfg

global
    daemon
    maxconn 10

defaults
    mode tcp
    timeout connect 5000ms
    timeout client 10000ms
    timeout server 10000ms

frontend tcp-in
    bind 192.168.10.1:5555
    default_backend servers

backend servers
    server server1 213.100.70.30:5555 maxconn 32

haproxy -f /etc/haproxy/haproxy.cfg -V

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
Using epoll() as the polling mechanism.
^C


Finally, I was trying to replace bind 192.168.10.1:5555 with 192.168.10.0 or 192.168.10.255, but also got no results.
The NAT server was created by using shorewall and this howto https://wiki.gentoo.org/wiki/Ethernet_plus_WiFi_Bridge_Router_and_Firewall#Configure_shorewall and it works for all web traffic. I’m also able to access 213.100.70.30:5555 directly from the windows by calling destination 213.100.70.30:5555 instead of 192.168.10.1:5555 when haproxy is running.


#7

Hi again,

Honestly, I do not see how / why a port translation would be that different… Anyway…

Another simple tool you can look for is RINETD. That one will do just what you are looking for : listen on one tcp port and forward whatever crap it receives to a specific destination port.

As for your HAProxy config, I would at least add a line in your backend :
mode tcp

As of now, what happens when you telnet from your workstation to port 5555 on your firewall ?
Also, are you sure you opened the outgoing rules for HAProxy to open the socket you need ?

Good luck,


#8

Why I need this?
My “server” has MPTCP implementation. https://www.multipath-tcp.org/
The MPTCP allows to use multiple interfaces as TCP subflows to split single TCP flow in order to achieve higher throughput, redundancy, etc.
The MPTCP works as follows: when the TCP connection is initiated, it sends MP_CAPABLE request. If the destination returns that Yes, I’m MP_CAPABLE, then it will use multiple subflows; otherwise regular TCP connection will be established. This, by itself, means that the destination also should have implemented MPTCP.
Both my “server” with two NICs 92.168.10.1 and 213.100.70.30 as well as “WAN destination server” 213.100.70.30 have MPTCP implementation. However, I have to make connection from the windows machine (it is impossible to implement MPTCP in the windows). That’s why connection is done over “server” with two NICs. BUT, in this case TCP connection (as I understand) is created between Windows and Destination. Since Windows can’t send MP_CAPABLE request, the MPTCP functions are not initiated. That’s why I wish to split TCP connections in two. The idea is that the proxy will RE-CREATE TCP connection and since proxy is running on the linux machine with MPTCP implementation, then I hope that this new TCP flow will use MPTCP benefits.
I hope, but I’m not sure.

Also, are you sure you opened the outgoing rules for HAProxy to open the socket you need ?
No, I don’t know how to do this because I’m not a linux experienced guru user :frowning_face:
The only thing I know is that when shorewall (NAT server) is enabled, the TCP connection from Windows to 192.168.10.1:5555 fails momentarily, but if shorewall is stopped, it takes a long time to try to connect and fails with a timeout.

Maybe I will try to destroy the NAT server and will try to build sock5 proxy server for all connections.
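
Whether the connection re-created by the proxy actually offers MPTCP can be verified on the wire: as post #8 describes, the initiator's SYN carries MP_CAPABLE, which is TCP option kind 30 with subtype 0. The parser below is an added example, not part of the thread; it takes the raw TCP header bytes of a captured SYN, the function names are hypothetical, and the two sample segments are constructed.

```python
import struct

TCP_OPT_MPTCP = 30      # TCP option kind assigned to Multipath TCP
MP_CAPABLE = 0x0        # MPTCP subtype carried on the first subflow's SYN
SYN = 0x02

def tcp_options(segment):
    """Yield (kind, data) for each option in a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    header_len = (segment[12] >> 4) * 4           # data offset, in bytes
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    opts, i = segment[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                             # End of Option List
            return
        if kind == 1:                             # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")
        yield kind, opts[i + 2:i + opts[i + 1]]
        i += opts[i + 1]

def classify_syn(segment):
    """Report whether a SYN offers MPTCP or is a regular TCP SYN."""
    opts = list(tcp_options(segment))             # also validates the header
    if not segment[13] & SYN:
        return "not a SYN"
    for kind, data in opts:
        if kind == TCP_OPT_MPTCP and data and data[0] >> 4 == MP_CAPABLE:
            return f"MP_CAPABLE v{data[0] & 0x0F}"
    return "plain TCP"

def build_segment(options, flags=SYN):
    """Build a constructed TCP header (ports 40000 -> 5555) around the options."""
    options += b"\x01" * (-len(options) % 4)      # pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 5555, 1000, 0,
                       offset << 4, flags, 64240, 0, 0) + options

# Constructed samples: MSS + MP_CAPABLE (version 0, zeroed key), and MSS + SACK-permitted.
MPTCP_SYN = build_segment(b"\x02\x04\x05\xb4" + bytes([30, 12, 0x00, 0x81]) + bytes(8))
PLAIN_SYN = build_segment(b"\x02\x04\x05\xb4\x04\x02")

if __name__ == "__main__":
    print(classify_syn(MPTCP_SYN), "/", classify_syn(PLAIN_SYN))
```
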


#9

Hi again Orion,

I doubt what you are after is possible… HAProxy, Rinetd or any packet filtering firewall will handle each socket for itself and by itself. Here, you are talking about TCP multiplexing : take one TCP socket and split it over many TCP sockets before re-assembling these many sockets to a single one.

For you to do that, your mux - de-mux must use the same logic. On one side, it is your MPTCP app that is doing it. As such, you need an actual MPTCP client to re-create that logic. Is there a generic MPTCP client that can receive a single socket and split it ? I don’t know and not interested to know because what you are doing goes straight against the standard of TCP. Whenever you break from standard, you just ask for trouble.

Have fun with your setup,