I am running Ubuntu Server as a home network router, which works fine otherwise. I also have another server on the network which hosts all of my content and services. So let's say, for example, I'm trying to host an Emby server on port 42069 and forward WAN traffic from that port onto the server at 10.0.0.2:8920.
I have enabled packet forwarding in /etc/sysctl.conf and in /etc/ufw/sysctl.conf; however, I am not changing the default UFW forwarding policy to accept (although this does fix my port forwarding problem...), as some guides on this topic have suggested, for security.
I have enabled incoming traffic on the port by running sudo ufw allow 42069, and I have also edited /etc/ufw/before.rules to include the following before the *filter section:
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i enp1s0 -p tcp --dport 42069 -j DNAT --to-destination 10.0.0.2:8920
-A POSTROUTING -s 10.0.0.0/24 -o enp1s0 -j MASQUERADE
COMMIT
I've also run the following command which should accomplish something similar to the above, for the sake of redundancy:
sudo ufw route allow to 10.0.0.2 port 8920 from any port 42069 proto tcp comment emby
However, I still can't access the Emby server remotely. It appears that what's happening is UFW is getting the requests but blocking the forward at port 8920. If I run cat /var/log/ufw.log | grep 8920
I see tons of these entries (but nothing on the remote port):
Jul 28 01:18:15 rubidium kernel: [90442.255467] [UFW BLOCK] IN=enp1s0 OUT=enp3s0 MAC=00:1b:21:3a:ee:71:00:01:5c:8e:56:46:08:00 SRC= my.current.IP DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=30619 DF PROTO=TCP SPT=50462 DPT=8920 WINDOW=64320 RES=0x00 SYN URGP=0
What does work is running the following ufw command:
sudo ufw route allow in on enp1s0 out on enp3s0 to 10.0.0.2 port 8920
Unfortunately, this allows traffic from ANYWHERE, not just on the specified port, to reach the service... so I'm looking for an alternative approach.
Suggestions?
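Reading the quoted [UFW BLOCK] entry field by field, as an added example that is not part of the post: ufw route rules are evaluated in the FORWARD chain, after PREROUTING has already rewritten the destination to 10.0.0.2:8920, and the source port at that point is whatever ephemeral port the client chose, so a route rule keyed on port 42069 never matches the packet the log shows. The sample log line (with a documentation-range source address), the helper names and the selector layout are constructed for this example.

```shell
#!/bin/sh
# Constructed sample in the same format as the [UFW BLOCK] entry in the question.
UFW_LOG_LINE='Jul 28 01:18:15 rubidium kernel: [90442.255467] [UFW BLOCK] IN=enp1s0 OUT=enp3s0 MAC=00:1b:21:3a:ee:71:00:01:5c:8e:56:46:08:00 SRC=203.0.113.10 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=30619 DF PROTO=TCP SPT=50462 DPT=8920 WINDOW=64320 RES=0x00 SYN URGP=0'

# ufw_field LINE KEY: print the value of the KEY=value token in a UFW log line.
ufw_field() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# route_matches LINE IN OUT DST DPORT SPORT: succeed when a "ufw route" rule
# with these selectors would match the forwarded packet the log line describes.
# "any" acts as a wildcard for a selector, as it does in ufw syntax.
route_matches() {
  line=$1
  for pair in "IN=$2" "OUT=$3" "DST=$4" "DPT=$5" "SPT=$6"; do
    key=${pair%%=*}
    want=${pair#*=}
    [ "$want" = any ] && continue
    [ "$(ufw_field "$line" "$key")" = "$want" ] || return 1
  done
  return 0
}

# The FORWARD chain sees the post-DNAT header: DST=10.0.0.2 DPT=8920 and an
# ephemeral client SPT, never the public port 42069.
show() {
  printf 'forwarded packet: %s -> %s:%s from source port %s\n' \
    "$(ufw_field "$UFW_LOG_LINE" IN)" "$(ufw_field "$UFW_LOG_LINE" DST)" \
    "$(ufw_field "$UFW_LOG_LINE" DPT)" "$(ufw_field "$UFW_LOG_LINE" SPT)"
  # Rule from the question: "to 10.0.0.2 port 8920 from any port 42069"
  if route_matches "$UFW_LOG_LINE" any any 10.0.0.2 8920 42069; then
    echo "rule keyed on source port 42069: matches"
  else
    echo "rule keyed on source port 42069: no match (SPT is ephemeral)"
  fi
  # Rule that worked: "in on enp1s0 out on enp3s0 to 10.0.0.2 port 8920"
  if route_matches "$UFW_LOG_LINE" enp1s0 enp3s0 10.0.0.2 8920 any; then
    echo "rule keyed on interfaces and DNAT target 10.0.0.2:8920: matches"
  fi
}
show
```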