# Intermediate IP address



## FlorinMarian (Aug 5, 2018)

Hi devs!
I had an idea about how I can reduce my costs, but now I need someone to help me translate my idea into PF/IPFW rules.
I would like to buy a cheap dedicated server that is unprotected against DDoS and a VPS with anti-DDoS protection.
I would like to host a few games (UDP, TCP) on the dedicated server.

Is it possible to permanently hide the dedicated server's IP address and give players only the protected IP (from the VPS)?
I tried the same on CentOS, but after establishing the connection the client gets the real IP address of the server instead of keeping the VPS IP address.

Many thanks!


----------



## ShelLuser (Aug 5, 2018)

Think about these things for a moment first please. How would anyone be able to reach your server without knowing the dedicated, public, IP address?

Address ranges such as 192.168.*, 10.* and 172... something (I don't know the 172 range from mind) are so-called _private_ address ranges, meaning that they only exist within (private) LANs (networks) and such, but not on the Internet itself.

Your best option to keep your public IP hidden would be to use a VPN (which would seriously add to the lag, probably not a good idea) or get yourself external hosting and then use that server to do stuff on.


----------



## FlorinMarian (Aug 5, 2018)

ShelLuser said:


> Think about these things for a moment first please. How would anyone be able to reach your server without knowing the dedicated, public, IP address?
> 
> Address ranges such as 192.168.*, 10.* and 172... something (I don't know the 172 range from mind) are so-called _private_ address ranges, meaning that they only exist within (private) LANs (networks) and such, but not on the Internet itself.
> 
> Your best option to keep your public IP hidden would be to use a VPN (which would seriously add to the lag, probably not a good idea) or get yourself external hosting and then use that server to do stuff on.


Thank you for the reply, but I solved this problem 50% on CentOS using iptables. The single problem is that when someone gets an ESTABLISHED connection, the original IP is shown there, not the VPS IP anymore as on the first packet sent.
Look here at the rules which do what I just said:

```sh
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -F
iptables -F -t nat
iptables -X
iptables -X -t nat

# Relay each game port: DNAT to the dedicated server, then SNAT so the
# dedicated server sees only this host and its replies come back through it
iptables -t nat -A PREROUTING -p tcp --dport 30001 -j DNAT --to-destination 188.212.100.112:30001
iptables -t nat -A POSTROUTING -p tcp -d 188.212.100.112 --dport 30001 -j SNAT --to-source 188.212.100.109
iptables -t nat -A PREROUTING -p tcp --dport 30003 -j DNAT --to-destination 188.212.100.112:30003
iptables -t nat -A POSTROUTING -p tcp -d 188.212.100.112 --dport 30003 -j SNAT --to-source 188.212.100.109
iptables -t nat -A PREROUTING -p tcp --dport 30005 -j DNAT --to-destination 188.212.100.112:30005
iptables -t nat -A POSTROUTING -p tcp -d 188.212.100.112 --dport 30005 -j SNAT --to-source 188.212.100.109
iptables -t nat -A PREROUTING -p tcp --dport 30011 -j DNAT --to-destination 188.212.100.112:30011
iptables -t nat -A POSTROUTING -p tcp -d 188.212.100.112 --dport 30011 -j SNAT --to-source 188.212.100.109

# Masquerade outgoing traffic
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Allow return traffic
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Forward everything
iptables -A FORWARD -j ACCEPT
sysctl -w net.ipv4.ip_forward=1
```
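The PF translation the opening post asks for, as an added example that is not from the thread: on the VPS, `rdr` sends player traffic for the listed game ports down the VPN tunnel to the dedicated server and `nat` rewrites the source to the tunnel address, so the dedicated server only ever talks to the VPS and its own address never appears in a packet a player receives. It covers UDP as well as TCP, since the iptables rules above relay only TCP although the games use both; the interface names, the dedicated server's tunnel address and the OpenVPN port are assumptions.

```pf
# Added example pf.conf for the anti-DDoS VPS (FreeBSD pf, pre-4.7 syntax)
ext_if     = "vtnet0"                        # assumed: public interface of the VPS
tun_if     = "tun0"                          # assumed: VPN tunnel to the dedicated server
vps_ip     = "188.212.100.109"               # public address players connect to (from the thread)
backend    = "10.8.0.2"                      # assumed: dedicated server's address inside the tunnel
game_ports = "{ 30001, 30003, 30005, 30011 }"
vpn_port   = "1194"                          # assumed: OpenVPN listening port on the VPS

set skip on lo0
scrub in all

# Translation rules are applied before the filter rules below, so the
# filter already sees $backend as the destination of relayed packets.
# rdr: player traffic for the game ports arriving on the public address
# is redirected to the dedicated server (port unchanged, no target port given).
rdr on $ext_if proto { tcp udp } from any to $vps_ip port $game_ports -> $backend
# nat: as the packet leaves through the tunnel its source becomes the
# tunnel address, so replies return to the VPS and are un-NATed here.
nat on $tun_if proto { tcp udp } from any to $backend port $game_ports -> ($tun_if)

block in all
pass out all keep state
# the VPN itself
pass in on $ext_if proto udp from any to $vps_ip port $vpn_port keep state
# relayed game traffic (destination already rewritten by rdr)
pass in on $ext_if proto { tcp udp } from any to $backend port $game_ports keep state
```

Forwarding must be on (`gateway_enable="YES"` in rc.conf). This hides the address only at the IP layer: whatever the game protocol itself reports to clients, and the dedicated server's own public interface, need separate handling (filter the game ports there so they accept traffic only from the tunnel).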


----------



## ShelLuser (Aug 5, 2018)

Applying a NAT setup does not hide your public IP address.

Not on FreeBSD, not on Linux, not on Windows, never. It simply doesn't work that way.


----------



## FlorinMarian (Aug 5, 2018)

ShelLuser said:


> Applying a NAT setup does not hide your public IP address.
> 
> Not on FreeBSD, not on Linux, not on Windows, never. It simply doesn't work that way.


Maybe tunneling will solve the problem.
But I'm interested in this: can I create a private connection between two environments in different datacenters?
Best regards.


----------



## ShelLuser (Aug 5, 2018)

Sure thing. That's why I mentioned a VPN up there. A good start for that could be security/openvpn.


----------

