This guide explains how to keep traffic arriving at an existing public IPv4 address and proxy it to another BinaryLane server using Ubuntu and nftables.
BinaryLane does not currently support migrating a public IPv4 address directly from one server to another. If you need to keep using an existing IP address after moving a service to a new server, you can leave the original IP address assigned to a small proxy server and forward traffic to the replacement server.
Important: This is a proxy/forwarding workaround, not an IP migration. The original server or proxy server must stay online for traffic to continue reaching the new server.
Prerequisites:
- Root or sudo access to the server that currently has the IP address you want to keep.
- Root or sudo access to the destination server that should receive the traffic.
- Both servers running the latest Ubuntu version available from BinaryLane.
- The public IPv4 address on the existing/proxy server.
- The public IPv4 address of the destination server.
- A plan for how you will continue accessing the proxy server over SSH after forwarding is enabled.
TABLE OF CONTENTS
- When to use this method
- Decide what to keep running
- How the proxy works
- Configure the proxy server
- Test the forwarding
- Forward only selected ports
- Limitations and notes
- Remove the proxy later
When to use this method:
Use this method when customers, DNS records, allowlists, or remote systems still connect to an existing public IPv4 address, but the service itself has moved to a different BinaryLane server.
Common examples include:
- A website or application has been rebuilt on a new VPS, but DNS or customer allowlists still point to the old IP address.
- A service was moved to a better-sized server, but changing the public IP immediately would cause downtime.
- You want to keep an additional IP address from an existing server and forward only that IP to another server.
Decide what to keep running:
Before configuring the proxy, decide whether the existing server still needs to perform other work.
- If the server has multiple IP addresses and you want to keep using the server for other services, configure a thin proxy only for the additional IP address you want to forward.
- If the server has a single IP address and you no longer need the server for anything except retaining that IP address, resize the server down to a small plan, such as a 1 vCPU / 2 GB RAM plan, and use it only as the proxy.
The proxy server does not usually need much CPU or memory, but it does need enough network transfer allowance for the traffic it forwards.
How the proxy works:
The proxy server receives traffic on the old public IP address, rewrites the destination to the new server, and rewrites the return path so replies pass back through the proxy.
The traffic path is:
Client -> old/proxy IP -> destination server Client <- old/proxy IP <- destination server
This guide uses nftables destination NAT (DNAT) and source NAT (masquerade) for IPv4 traffic.
Configure the proxy server:
Run these commands on the server that currently has the IP address you want to keep.
First, set variables for the existing/proxy IP address and the destination server IP address:
PROXY_IP="203.0.113.10" DESTINATION_IP="198.51.100.20"
Replace these example IP addresses with your own values.
Install nftables and enable IPv4 forwarding:
sudo apt update sudo apt install -y nftables echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-ip-proxy.conf sudo sysctl --system sudo systemctl enable --now nftables
Create an nftables configuration that forwards TCP and UDP traffic to the destination server. This example excludes TCP port 22 so SSH access to the proxy server remains available:
sudo tee /etc/nftables.conf >/dev/null <<EOF
#!/usr/sbin/nft -f
flush ruleset
table ip proxy {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
ip daddr $PROXY_IP tcp dport != 22 dnat to $DESTINATION_IP
ip daddr $PROXY_IP udp dnat to $DESTINATION_IP
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
ip daddr $DESTINATION_IP masquerade
}
}
EOF
sudo nft -f /etc/nftables.conf
sudo nft list ruleset
After this is applied, new TCP traffic to the proxy IP address, except SSH on port 22, is forwarded to the destination server. UDP traffic to the proxy IP address is also forwarded.
Important: If SSH on the proxy server is not on port 22, change the exclusion in the nftables rule before applying it. Otherwise you may forward your own management access to the destination server.
Test the forwarding:
Start with one service that is already listening on the destination server, such as HTTP or HTTPS.
From a third machine, test the destination server directly:
curl -I http://DESTINATION_IP/
Then test the proxy IP address:
curl -I http://PROXY_IP/
If the proxy is working, the request to the proxy IP address should return a response from the service running on the destination server.
On the destination server, you can also watch connection attempts while testing:
sudo ss -tn state established
Forward only selected ports:
If you only need to forward specific services, use explicit port rules instead of forwarding almost everything.
For example, to forward only HTTP and HTTPS:
sudo tee /etc/nftables.conf >/dev/null <<EOF
#!/usr/sbin/nft -f
flush ruleset
table ip proxy {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
ip daddr $PROXY_IP tcp dport { 80, 443 } dnat to $DESTINATION_IP
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
ip daddr $DESTINATION_IP tcp dport { 80, 443 } masquerade
}
}
EOF
sudo nft -f /etc/nftables.conf
sudo nft list ruleset
This is often easier to maintain when only web traffic needs to keep using the old IP address.
Limitations and notes:
- The destination server will usually see the proxy server's IP address as the source of the connection. If your application needs the real client IP address, use an application-level proxy such as Nginx, HAProxy, or a PROXY protocol setup where the destination service supports it.
- The proxy server must remain online. If it is powered off, cancelled, or misconfigured, traffic to the old IP address will stop reaching the destination server.
- Traffic passes through both servers, so bandwidth and latency can be affected.
- Firewall rules on both the proxy server and destination server must allow the forwarded traffic.
- This example covers IPv4. IPv6 forwarding requires separate IPv6-specific planning and rules.
- If you use the BinaryLane External Firewall, make sure the rules for the proxy server and destination server match the traffic path you want to allow.
Remove the proxy later:
When the old IP address is no longer needed, remove the forwarding rules and disable IP forwarding on the proxy server:
sudo nft flush ruleset sudo tee /etc/nftables.conf >/dev/null <<EOF #!/usr/sbin/nft -f flush ruleset EOF sudo rm -f /etc/sysctl.d/99-ip-proxy.conf sudo sysctl -w net.ipv4.ip_forward=0
You can then cancel, resize, or repurpose the proxy server as needed.
If you require assistance, feel free to submit a support ticket at our helpdesk here: Submit a ticket | BinaryLane
