(Solved) forward port to another computer?

Nemesis

Member
Credits
46
I've got one Linux server (Ubuntu) that has a public IP.

I want, by connecting to it on a specified port, to be routed to another Linux computer on the same local network.

Is this possible?
I found this online:

Bash:
iptables -t nat -A PREROUTING -p tcp --dport 49620 -j DNAT --to-destination 192.168.0.4:22


iptables -t nat -A POSTROUTING -j MASQUERADE


service iptables save
But that only caused my server to lose DNS? (It couldn't find the Linux archive to update a file, but I can still connect to it remotely.)
 


Nemesis

Member
Credits
46
You either use DNAT or Masquerading. DNAT and Masquerading are set up a bit differently, see the links I posted.
After a lot of trial and error, it suddenly worked.
But as a newbie, I'm not sure if all this is necessary, and how do I get it to stick?
Bash:
sudo iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
sudo iptables -A FORWARD -o enp0s3 -j ACCEPT
sudo sysctl -w net.ipv4.ip_forward=1

sudo iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 49620  -j DNAT --to 192.168.0.4:22222
sudo iptables -A FORWARD -i enp0s3 -p tcp --dport 22222 -d 192.168.0.4 -j ACCEPT
 

f33dm3bits

Gold Member
Gold Supporter
Credits
3,384
Install iptables-persistent, then add them to that file. But since that file exists you probably already have that package installed.
 

Nemesis

Member
Credits
46
Install iptables-persistent, then add them to that file. But since that file exists you probably already have that package installed.
Yep, I've got that one installed, but something about the line -A FORWARD -o enp0s3 -j ACCEPT is wrong, at least that's what it says when I'm trying to save it.
But running sudo iptables -A FORWARD -o enp0s3 -j ACCEPT in the terminal works... no idea why?
 

f33dm3bits

Gold Member
Gold Supporter
Credits
3,384
What error are you getting when you restart iptables after entering that line into /etc/iptables/rules.v4 and what does that file look like now?
 

Nemesis

Member
Credits
46
What error are you getting when you restart iptables after entering that line into /etc/iptables/rules.v4 and what does that file look like now?
Well, when I was saving, it just said error on line 8; it didn't specify anything...

Regarding the list, I was afraid you wanted to see it. I have never ever seen a stranger list, and I have no idea what half of it means, but here we go:

Bash:
*nat
:PREROUTING ACCEPT [144:39368]
:INPUT ACCEPT [17:1004]
:OUTPUT ACCEPT [267:17828]
:POSTROUTING ACCEPT [167:10630]
:DOCKER - [0:0]
-A PREROUTING -i enp0s3 -p tcp -m tcp --dport 49620 -j DNAT --to-destination 192.168.0.4:22222
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -o enp0s3 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Fri Aug  7 23:43:05 2020
# Generated by iptables-save v1.6.1 on Fri Aug  7 23:43:05 2020
*filter
:INPUT DROP [100:30750]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A FORWARD -o enp0s3 -j ACCEPT
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 32400 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 32400 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 8888 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 8888 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 31337 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 31337 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 3128 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 3128 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 10000 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 10000 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 2049 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 2049 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 34000 -j DROP
-A ufw-user-input -p udp -m udp --dport 34000 -j DROP
-A ufw-user-input -p tcp -m tcp --dport 49625 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 49625 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 49620 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 49620 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
Here, the -A FORWARD -o enp0s3 -j ACCEPT code isn't inserted.
 

f33dm3bits

Gold Member
Gold Supporter
Credits
3,384
First you will want to disable/stop ufw; ufw is just a frontend for iptables. If you are going to be editing iptables directly, you don't want ufw to override or interfere with your rules. After that, restart iptables again and see which line gives an error, and then, if you could, share that line here and also the whole file after you have stopped ufw.
 

f33dm3bits

Gold Member
Gold Supporter
Credits
3,384
I actually found that you can use both. Leave ufw enabled and running. Go to the "ufw Masquerading" section of the link I just posted. But basically you should be able to put your custom iptables rules in /etc/ufw/before.rules. This way you can still be using ufw while editing iptables directly; these rules will then probably get loaded before the ufw rules.
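The working command set posted earlier in the thread (DNAT in PREROUTING, MASQUERADE in POSTROUTING, ip_forward=1, and an ACCEPT in FORWARD) and the later question of how to make it stick in /etc/iptables/rules.v4 or /etc/ufw/before.rules both come down to the same thing: the rules file is in iptables-save format, and each rule has to sit under the table that owns its chain. FORWARD belongs to the filter table (the nat table only has PREROUTING, INPUT, OUTPUT and POSTROUTING), so a FORWARD line placed under *nat makes iptables-restore stop with a "line N failed" error while the same rule typed at the shell works fine. The script below is an added example, not code posted by anyone in this thread: it renders such a file for the forward discussed here and checks a file for rules that reference a chain their table does not have. The interface and addresses (enp0s3, 49620, 192.168.0.4:22222) are the thread's own values reused as defaults and are assumptions about the reader's setup; the MASQUERADE is deliberately narrowed to the forwarded flow rather than the blanket -o enp0s3 rule from the thread, which is a design choice of this example.

```shell
#!/bin/sh
# Added example for this thread (not code posted by anyone in it): emit an
# iptables-restore file for the DNAT port forward discussed above, with every
# rule under the table that owns its chain, and check a file for rules placed
# in the wrong table. The defaults reuse the thread's values (enp0s3, 49620,
# 192.168.0.4:22222); they are assumptions about the reader's setup.

# render_rules WAN_IF PUBLIC_PORT TARGET_IP TARGET_PORT
# Prints a complete file in iptables-save format (suitable for rules.v4).
render_rules() {
    wan_if=$1; pub_port=$2; target_ip=$3; target_port=$4
    cat <<EOF
# Port forward $wan_if:$pub_port -> $target_ip:$target_port (rendered by render_rules)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $wan_if -p tcp -m tcp --dport $pub_port -j DNAT --to-destination $target_ip:$target_port
# Source-NAT only the forwarded flow, so the target sees the server as the
# peer and its replies come back through the server (needed on a shared LAN).
-A POSTROUTING -o $wan_if -d $target_ip -p tcp -m tcp --dport $target_port -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# FORWARD is a filter-table chain: these two lines must sit here, not in *nat.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $wan_if -d $target_ip -p tcp -m tcp --dport $target_port -j ACCEPT
COMMIT
EOF
}

# check_tables FILE
# Prints the offending line number and exits non-zero when a "-A <chain>" rule
# sits in a table that has no such chain. A FORWARD rule inside *nat is the
# classic cause of iptables-restore stopping with "line N failed".
check_tables() {
    awk '
        /^\*/ {
            table = substr($0, 2); split("", chains)
            if (table == "nat")    { chains["PREROUTING"] = chains["INPUT"] = chains["OUTPUT"] = chains["POSTROUTING"] = 1 }
            if (table == "filter") { chains["INPUT"] = chains["FORWARD"] = chains["OUTPUT"] = 1 }
            next
        }
        /^:/  { split(substr($0, 2), f, " "); chains[f[1]] = 1; next }
        /^-A/ {
            if (!($2 in chains)) {
                printf "line %d: chain %s does not exist in table *%s\n", NR, $2, table
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Demonstration: render to a temp file and check it, then show the checker
# catching a FORWARD rule wrongly placed in the nat table (a mistake that only
# surfaces when iptables-persistent restores the file, not at the shell).
rules=$(mktemp)
render_rules enp0s3 49620 192.168.0.4 22222 > "$rules"
check_tables "$rules" && echo "ok: $rules is consistent (load with: iptables-restore < $rules)"

broken=$(mktemp)
printf '*nat\n-A FORWARD -o enp0s3 -j ACCEPT\nCOMMIT\n' > "$broken"
check_tables "$broken" || echo "rejected as expected"
rm -f "$rules" "$broken"
```

Two caveats when using the rendered file. iptables-restore replaces every table the file mentions, so the *filter block above is only the forwarding part and is meant for a host whose filter table is not managed by ufw; on a ufw host, only the *nat block (up to its COMMIT) goes at the top of /etc/ufw/before.rules, the forwarding ACCEPT is better expressed as a ufw route allow rule (for example "ufw route allow in on enp0s3 to 192.168.0.4 port 22222 proto tcp"), and the existing *filter section is left to ufw. The sysctl from the thread, net.ipv4.ip_forward=1, is not part of any iptables file; put it in a file under /etc/sysctl.d/ so it survives a reboot.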
 

Nemesis

Member
Credits
46
I actually found that...
Hi again, sorry for the delay.

I actually tried to disable ufw, but every time I restarted the server it was enabled again, even though I actually used the disable function. However, now it suddenly works; maybe me disabling it and the system reactivating it again modified the rules somehow.

I would like to thank you for the help!
 

f33dm3bits

Gold Member
Gold Supporter
Credits
3,384
Hi again, sorry for the delay.

I actually tried to disable ufw, but every time I restarted the server it was enabled again, even though I actually used the disable function. However, now it suddenly works; maybe me disabling it and the system reactivating it again modified the rules somehow.

I would like to thank you for the help!
I just made a few suggestions, glad that helped you out!
 
