Score:2

Port Forwarding with iptables is not working

vn flag

I have two servers:

server 1 with IP address 10.8.0.1

server 2 with IP address 10.8.0.6

I want server 2 to work as a proxy for a website that is hosted on server 1. So I use the following commands:

sudo iptables -t nat -A PREROUTING  -p tcp --dport 443 -j DNAT --to-destination 10.8.0.1:443

sudo iptables -t nat -A POSTROUTING -p tcp -d 10.8.0.1 --dport 443 -j SNAT --to-source 10.8.0.6

However, the above setup is not working as I cannot browse the website. Also, telnet 10.8.0.6 443 does not produce output.

Doug Smythies avatar
gn flag
Did you enable forwarding? `echo "1" > /proc/sys/net/ipv4/ip_forward` as sudo. I have an example of what you want working on my LAN, and can write an answer in about 8 hours from now.
Admia avatar
vn flag
Port forwarding is enabled on server 2, because when I type `sysctl net.ipv4.ip_forward` I receive `net.ipv4.ip_forward = 1`. Also, `sudo cat /proc/sys/net/ipv4/ip_forward` results in `1`.
Admia avatar
vn flag
I should note that the IP address `10.8.0.6` for server 2 is set up by OpenVPN. Server 2 has a public address and people are supposed to browse my website using the public address of server 2.
Doug Smythies avatar
gn flag
Oh! That is rather important information. I doubt if my answer will help then, because it is similar to what you are already doing, just adds interface specification.
Score:1
gn flag

I have an example of this working on my LAN, but based on the comments it might not solve your issue:

Web traffic coming from 192.168.111.122 for 192.168.111.136 gets forwarded to 192.168.111.1. Replies from 192.168.111.1 traverse the path in reverse, back to 192.168.111.122, who thinks the packets came from 192.168.111.136.

doug@s19:~/iptables/misc$ sudo tcpdump -n -tttt -i br0 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
2021-12-19 15:57:47.389745 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [S], seq 1692549099, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2021-12-19 15:57:47.389760 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [S], seq 1692549099, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2021-12-19 15:57:47.390055 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [S.], seq 1478028943, ack 1692549100, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2021-12-19 15:57:47.390062 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [S.], seq 1478028943, ack 1692549100, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2021-12-19 15:57:47.390301 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [.], ack 1, win 1026, length 0
2021-12-19 15:57:47.390306 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [.], ack 1, win 1026, length 0
2021-12-19 15:57:47.396847 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
2021-12-19 15:57:47.396852 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
2021-12-19 15:57:47.397080 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [.], ack 518, win 501, length 0
2021-12-19 15:57:47.397085 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [.], ack 518, win 501, length 0
2021-12-19 15:57:47.400934 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [P.], seq 1:1629, ack 518, win 501, length 1628
2021-12-19 15:57:47.400941 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [.], seq 1:1461, ack 518, win 501, length 1460
2021-12-19 15:57:47.400942 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [P.], seq 1461:1629, ack 518, win 501, length 168

The iptables rules are loaded via script on my test computer:

doug@s19:~/iptables/misc$ cat ask1382639
#!/bin/sh
FWVER=0.01
#
# ask1382639 Smythies 2021.12.18 Ver:0.01
#       See here:
#       https://askubuntu.com/questions/1382639
#
#       run as sudo on s19.
#
#       Note: These rules might need to be merged with
#       any existing iptables rules set.

echo "Loading ask1382639 rule set version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Smythies (for testing)

EXTIF="br0"
EXTIP="192.168.111.136"
REDIRECTIP="192.168.111.1"
NETWORK="192.168.111.0/24"
UNIVERSE="0.0.0.0/0"

#
# For the actual servers of the question
#
#EXTIF="UNKNOWN"
#EXTIP="10.8.0.6"
#REDIRECTIP="10.8.0.1"
#NETWORK="10.8.0.0/24" ASSUMED, ACTUALLY UNKNOWN
#UNIVERSE="0.0.0.0/0"


#CRITICAL: Enable IP forwarding since it is disabled by default
#
echo Enabling forwarding...
echo "1" > /proc/sys/net/ipv4/ip_forward

# Clearing any previous configuration
# Be careful here. I can do this on s19, but do not know
# about Admia's servers.
#
echo "  Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z

# First: redirect port 443 traffic to the other server.
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 443 -j DNAT --to $REDIRECTIP

# Second: The destination needs to know what IP address to reply to.
$IPTABLES  -t nat -A POSTROUTING -p tcp -o $EXTIF --dport 443 -d $REDIRECTIP -j SNAT --to $EXTIP

echo ask1382639 rule set version $FWVER done.

and:

doug@s19:~/iptables/misc$ sudo iptables -t nat -xvnL
Chain PREROUTING (policy ACCEPT 177 packets, 13129 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       6      312 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.111.1

Chain INPUT (policy ACCEPT 177 packets, 13129 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 3 packets, 252 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       6      312 SNAT       tcp  --  *      br0     0.0.0.0/0            192.168.111.1        tcp dpt:443 to:192.168.111.136

Chain OUTPUT (policy ACCEPT 3 packets, 252 bytes)
    pkts      bytes target     prot opt in     out     source               destination
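Adapting the rule set in the answer above to the OpenVPN topology from the question, as an added example that is not the answerer's script: it assumes the public interface of server 2 is `eth0` and the tunnel interface is `tun0` (both placeholders, settable via environment variables), matches the DNAT on the interface the client packet actually arrives on, SNATs to the tunnel address so server 1 replies back through the tunnel, adds the FORWARD-chain accepts that a DROP policy would otherwise silently need, and has a dry-run mode for reviewing the rules before applying them.

```shell
#!/bin/sh
# Added example, not the answerer's script. Interface names are assumptions.
PUBIF="${PUBIF:-eth0}"        # interface carrying server 2's public address (assumed name)
VPNIF="${VPNIF:-tun0}"        # OpenVPN tunnel interface for 10.8.0.0/24 (assumed name)
VPNIP="10.8.0.6"              # server 2's tunnel address (from the question)
BACKEND="10.8.0.1"            # server 1, the web server (from the question)
PORT=443
IPTABLES="${IPTABLES:-iptables}"

# With DRY_RUN=1 the rules are printed instead of applied, so they can be reviewed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Returns 0 when IPv4 forwarding is on, 1 otherwise (a missing file counts as off).
check_forwarding() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# The four rules needed for client -> eth0 -> tun0 -> 10.8.0.1:443 and back.
forward_rules() {
    # Rewrite the destination only for packets arriving on the public interface.
    run -t nat -A PREROUTING -i "$PUBIF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$BACKEND:$PORT"
    # Rewrite the source to the tunnel address so server 1's replies return via tun0.
    run -t nat -A POSTROUTING -o "$VPNIF" -p tcp -d "$BACKEND" --dport "$PORT" \
        -j SNAT --to-source "$VPNIP"
    # The filter table must also permit the forwarded flow in both directions.
    run -A FORWARD -i "$PUBIF" -o "$VPNIF" -p tcp -d "$BACKEND" --dport "$PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    run -A FORWARD -i "$VPNIF" -o "$PUBIF" -p tcp -s "$BACKEND" --sport "$PORT" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Apply only when explicitly asked (APPLY=1, as root); warn if forwarding is off,
# since without it the DNAT rule matches but the packet is never forwarded.
if [ "${APPLY:-0}" = 1 ]; then
    check_forwarding || echo "warning: net.ipv4.ip_forward is 0" >&2
    forward_rules
fi
```

Review the output of `DRY_RUN=1 APPLY=1 sh forward.sh` first; the counters in `iptables -t nat -xvnL` should then increase on both the DNAT and SNAT rules when a client connects.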
Score:0
jp flag

In my case the router server (server 2 in your case) was delivering the packets in a different IP address (something other than 10.8.0.1, for example).

I found the IP by `tcpdump -i eth0 port 443` and substituted it in the iptables rule.
