Help need forwarding ports from one server to another

gigahacker

New Member
Joined
Aug 22, 2024
Messages
5
Reaction score
0
Credits
53
I have two web servers (both port 80). One is on a public IP the other is behind a firewall that is only available via VPN. I need to make both available to the public. The VPN is working as expected. I THINK I have both firewalls disabled for now. I am using IPTABLES and DNAT but it is not working.

[public server]
public static IP
VPS
running ALLSTAR with a webserver on port 80
No Firewall installed
Web Server on Port 80
Web DNAT on port 8181
zero tier installed

[private server]
Dynamic IP
Cell MODEM with a CG-NAT system that does NOT allow incoming traffic
running XLX server with a webserver on port 80
zero tier installed
No Firewall installed
Web Server on Port 80 - routed to port 8181 on Public Server


I want to be able to use both websites from the internet.
The public server will use the default port 80.
The private server is accessed via the public server on port 8181.

This is what I have for code:

[public server]
sudo sysctl net.ipv4.ip_forward=1
sudo iptables -t nat -A PREROUTING -p tcp --dport 8181 -j DNAT --to-destination 172.22.220.231:80

[private server]
sudo sysctl net.ipv4.ip_forward=1
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 172.22.158.218:8181

If I use:
sudo iptables -L -v -n -t nat

I do see traffic on both prerouting rules but it never comes back to my browser.

Your DNAT rule on the public server is OK, however you don't need it on your private server, because the private server will respond to the public source IP that's set in the IP header of the packet that arrived, therefore there is no need to DNAT it.

If you DNAT it, that means the traffic will be sent back to the public server and finish its travel there without reaching the client who initiated the connection. It won't go beyond the gateway because you erased the source IP of the client that initiated the connection and replaced it with the public server IP, which is what the DNAT rule on the private server does, and so it should be removed together with the PREROUTING chain.

What you probably need instead on the private server is a rule in the FORWARD chain which will forward traffic directly to the WAN via the VPN to reach the client on the WAN.

However this is not enough, because now the original destination IP was modified on the public server and will be used as the source IP when traffic goes out. What this means is that the traffic will reach the VPN, which should drop the traffic due to an IP that's not configured on the VPN, and even if the VPN does not drop it, it will still not reach the destination client on the WAN because its firewall or TCP/IP stack will drop the traffic due to a source IP that is not the original one to which packets were sent (which is the public server's public IP).

To deal with that you also need a POSTROUTING chain on the private server that will do SNAT so that the outgoing source IP is set to the public server's public IP and port.

In other words the topology of packets directed to private server via public server are as follows:
  • Client on WAN -> Public server
  • Public server -> Private server (DNAT)
  • Private server -> client on WAN via VPN (Forwarding followed by SNAT)

Note that forward chain (Filter) precedes postrouting (NAT) chain.

This method is based on my understanding of how nftables chain priorities work and how I would configure the firewall. It's not guaranteed to work because the VPN might drop the traffic due to the unrecognized source IP set in the SNAT step, but that's outside the scope of iptables.

An alternative to this and more standard way would be to make your public server act as a gateway for private server but that's not possible to achieve with iptables alone.
You'll also need to set up routing tables on both servers which can be done with ip route command.
This is what I came up with from your comments but it is still not working. I do see all the rules triggering as expected.

Public Server (172.22.158.218)
sudo sysctl net.ipv4.ip_forward=1

sudo iptables -t nat -A PREROUTING -p tcp --dport 8181 -j DNAT --to-destination 172.22.220.231:80

Private Server (172.22.220.231)
sudo sysctl net.ipv4.ip_forward=1

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 172.22.158.218:8181

sudo iptables -A FORWARD -p tcp -d 172.22.158.218 --dport 8181 -j ACCEPT

sudo iptables -t nat -A POSTROUTING -p tcp -d 172.22.158.218 --dport 8181 -j SNAT --to-source 155.138.164.49:8181
 
@gigahacker
I'm afraid you did not understand, but no problem, neither did I explain it without errors.
The rule below is the only one you currently need on your private server; delete or comment out the FORWARD and PREROUTING chains together with all rules in them.

Bash:
sudo iptables -t nat -A POSTROUTING -p tcp --sport 8181 -j SNAT --to-source 172.22.158.218:80

Basically, with this rule the private server is imitating the public server and keeping the destination address set to the client IP.
It should go via the VPN to the WAN, but as I said it will probably not work so easily because the VPN's exit node also does NAT and will likely not recognize 172.22.158.218 (the public server IP) because the public server doesn't use the VPN, so it will drop it.

If this doesn't work then remove the above POSTROUTING rule so that the private server has no routing or forward rules, and the private server should respond to the public server automatically.

However, then your public server needs to handle the private server's reply somehow, probably by setting a routing entry in the routing table, but for this setup you need a secondary NIC which will serve to communicate between the public and private server.
Then add rules to iptables to forward from one NIC to the other (from the input NIC to the output NIC).

I don't think you can make it work with only one NIC on public server.
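To make the packet path discussed in the two posts above concrete, here is an added Python model (my own illustration, not code from anyone in the thread): it walks one request from a constructed WAN client through the public server's DNAT and shows that the private server's reply only gets back to the browser when the public server also SNATs the forwarded request to its own ZeroTier address, so the reply returns through the VPS and conntrack undoes both translations. The ZeroTier and VPS addresses are the ones posted in the thread; the client address, the `NatHost` model and the FORWARD-chain-accepts assumption are mine.

```python
# Added model of the NAT/conntrack path for the thread's topology (not code from any poster).
# ZeroTier and VPS addresses are the ones posted in the thread; the client address is constructed.
from dataclasses import dataclass, replace

CLIENT = ("203.0.113.7", 40000)        # constructed browser on the WAN
PUBLIC_WAN = ("155.138.164.49", 8181)  # public VPS, port the client connects to
PUBLIC_VPN_IP = "172.22.158.218"       # public VPS's ZeroTier address
PRIVATE_VPN = ("172.22.220.231", 80)   # private server's ZeroTier address and web port


@dataclass(frozen=True)
class Pkt:
    src: tuple  # (ip, port)
    dst: tuple


class NatHost:
    """One iptables host: PREROUTING DNAT, POSTROUTING SNAT, conntrack un-NAT of replies."""
    def __init__(self, dnat=None, snat_to=None):
        self.dnat = dnat        # (matched dst, new dst), like -j DNAT --to-destination
        self.snat_to = snat_to  # new source IP for forwarded packets, like -j SNAT --to-source
        self.ct = {}            # conntrack: expected reply (src, dst) -> original (src, dst)

    def forward(self, p: Pkt) -> Pkt:
        orig = (p.src, p.dst)
        if self.dnat and p.dst == self.dnat[0]:   # nat PREROUTING
            p = replace(p, dst=self.dnat[1])
        if self.snat_to:                          # nat POSTROUTING (FORWARD chain assumed ACCEPT)
            p = replace(p, src=(self.snat_to, p.src[1]))
        self.ct[(p.dst, p.src)] = orig            # a reply arrives with the addresses swapped
        return p

    def reply(self, p: Pkt) -> Pkt:
        osrc, odst = self.ct[(p.src, p.dst)]      # reverse both translations
        return Pkt(src=odst, dst=osrc)


def fetch_private_site(public_snat: bool) -> Pkt:
    """Reply packet the client ends up receiving for a request to 155.138.164.49:8181."""
    public = NatHost(dnat=(PUBLIC_WAN, PRIVATE_VPN),
                     snat_to=PUBLIC_VPN_IP if public_snat else None)
    req = public.forward(Pkt(CLIENT, PUBLIC_WAN))
    rep = Pkt(src=req.dst, dst=req.src)           # private web server answers whoever asked
    if rep.dst[0] == PUBLIC_VPN_IP:               # addressed to the VPN peer: back through the VPS
        return public.reply(rep)
    return rep                                    # otherwise it leaves via the cell modem's default route


def client_accepts(rep: Pkt) -> bool:
    """The browser's TCP stack only matches a reply from the address and port it connected to."""
    return rep.dst == CLIENT and rep.src == PUBLIC_WAN
```

On the public server the modelled fix corresponds to keeping the existing DNAT rule and adding `iptables -t nat -A POSTROUTING -p tcp -d 172.22.220.231 --dport 80 -j SNAT --to-source 172.22.158.218` plus a FORWARD rule that accepts that traffic; the private server then needs no NAT rules at all, since it simply answers 172.22.158.218 over ZeroTier.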
 
May I ask a stupid question here? Have you considered routing the port to the web servers at the router? Routers can port forward. I had a setup similar to yours and used the router for all this. It was much easier and cleaner. I used a Cisco 871W for it.
 
I would love to port forward to the private server but we do not have internet in the repeater tower. We are using a cell phone hotspot with ethernet to provide our connection. Cell companies (unless you have a business account) do not allow you to open ANY ports. The workaround is ZeroTier as a VPN.

The sample I posted above triggered all the rules but did not work. @CaffeineAddict's answer of just using the POSTROUTING rule never triggers. Still working on a fix.
 
This is not making sense to me. How do you not have internet in the tower yet VPN access works? That to me means you do indeed have the connection; it is just a matter of configuring it. Am I misunderstanding something? I understand the cell phone hotspot (not a good solution). I am thinking you may need to rethink the infrastructure.
 
Private server is behind a cell hotspot at a water tower.
Public server is a VPS in ATL at a data farm.
If I wanted to install a PI at my house, I could install zerotier on it and then port forward from my personal internet to it. We as a club have been working very hard to get hardware out of members houses and into the cloud when we can figure it out.
 
Ah, now I see the goal. Thank you for clearing it up for me. I will follow and learn as this is not something I have done.
 