(Solved) forward port to another computer?

Nemesis

I've got one Linux server (Ubuntu) that has a public IP.

I want, by connecting to it on a specified port, to be routed to another Linux computer on the same local network.

Is this possible?
I found this online:

Bash:
# DNAT: rewrite the destination of inbound TCP on port 49620 to the inner host
iptables -t nat -A PREROUTING -p tcp --dport 49620 -j DNAT --to-destination 192.168.0.4:22

# MASQUERADE with no -o interface and no match: applies to every packet
# passing POSTROUTING, not only the forwarded flow
iptables -t nat -A POSTROUTING -j MASQUERADE

# RHEL-style save; Ubuntu has no "iptables" service, persistence there
# comes from the iptables-persistent package (netfilter-persistent save)
service iptables save

but that only caused my server to lose DNS? (it couldn't find the Linux archive to update a file, but I can still connect to it remotely..)
 


You either use DNAT or Masquerading. DNAT and Masquerading are set up a bit differently, see the links I posted.
 

After a lot of trial and error, it suddenly worked.
But as a newbie, I'm not sure if all this is necessary, and how do I get it to stick?
Bash:
# Masquerade everything leaving enp0s3 so the inner host's replies come back through this server
sudo iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
# Permit forwarded traffic out of enp0s3 (this is also what lets the replies back out)
sudo iptables -A FORWARD -o enp0s3 -j ACCEPT
# Enable routing; "sysctl -w" only lasts until reboot, put net.ipv4.ip_forward=1 in /etc/sysctl.d/ to keep it
sudo sysctl -w net.ipv4.ip_forward=1

# Rewrite inbound enp0s3:49620 to port 22222 on the inner host
sudo iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 49620  -j DNAT --to 192.168.0.4:22222
# Allow exactly those DNATed connections through FORWARD (whose policy is DROP)
sudo iptables -A FORWARD -i enp0s3 -p tcp --dport 22222 -d 192.168.0.4 -j ACCEPT
 
Install iptables-persistent, then add them to that file. But since that file exists you probably already have that package installed.
 
Yep, I've got that one installed, but something about the line -A FORWARD -o enp0s3 -j ACCEPT is wrong, at least that's what it says when I'm trying to save it..
But running sudo iptables -A FORWARD -o enp0s3 -j ACCEPT in the terminal works... no idea why?
 
What error are you getting when you restart iptables after entering that line into /etc/iptables/rules.v4 and what does that file look like now?
 
Well, when I was saving, it just said error on line 8, it didn't specify anything...

Regarding the list, I was afraid you'd want to see it. I have never seen a stranger list, and I have no idea what half of it means, but here we go:

Bash:
*nat
:PREROUTING ACCEPT [144:39368]
:INPUT ACCEPT [17:1004]
:OUTPUT ACCEPT [267:17828]
:POSTROUTING ACCEPT [167:10630]
:DOCKER - [0:0]
-A PREROUTING -i enp0s3 -p tcp -m tcp --dport 49620 -j DNAT --to-destination 192.168.0.4:22222
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -o enp0s3 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Fri Aug  7 23:43:05 2020
# Generated by iptables-save v1.6.1 on Fri Aug  7 23:43:05 2020
*filter
:INPUT DROP [100:30750]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A FORWARD -o enp0s3 -j ACCEPT
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 32400 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 32400 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 8888 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 8888 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 31337 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 31337 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 3128 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 3128 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 10000 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 10000 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 2049 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 2049 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 34000 -j DROP
-A ufw-user-input -p udp -m udp --dport 34000 -j DROP
-A ufw-user-input -p tcp -m tcp --dport 49625 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 49625 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 49620 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 49620 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT

Here the -A FORWARD -o enp0s3 -j ACCEPT line isn't inserted.
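A worked example, added here and not part of any post in the thread, covering two things raised above: how to make the rules stick in /etc/iptables/rules.v4 and how to find the line that iptables-restore rejects instead of a bare "error on line 8". It renders the rules file for the forward discussed in the thread (assumed values: interface enp0s3, inner host 192.168.0.4 port 22222, public port 49620; the conntrack-restricted FORWARD rules are a tightening of the thread's broad -A FORWARD -o enp0s3 -j ACCEPT), then lints it with one of the checks iptables-restore applies: every -A CHAIN line must name a chain that exists in the table it sits under. A FORWARD rule pasted into the *nat section is reported with its line number. Nothing touches the live firewall unless the script is run as root with --apply.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed values: enp0s3, 192.168.0.4:22222, public port 49620.

# render_rules_v4 IFACE INNER_IP INNER_PORT PUBLIC_PORT
# Prints a complete iptables-restore file: nat rules under *nat, FORWARD
# rules under *filter, each table closed by its own COMMIT.
render_rules_v4() {
    iface=$1 inner_ip=$2 inner_port=$3 pub_port=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the destination of inbound connections on $iface:$pub_port
-A PREROUTING -i $iface -p tcp --dport $pub_port -j DNAT --to-destination $inner_ip:$inner_port
# Masquerade only the forwarded flow, not every packet leaving $iface
-A POSTROUTING -o $iface -p tcp -d $inner_ip --dport $inner_port -j MASQUERADE
COMMIT
*filter
# Host INPUT policy is deliberately left open here; this example only covers forwarding
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to forwarded flows that were already accepted
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# New connections: only the DNATed ones to the inner host, nothing else
-A FORWARD -i $iface -p tcp -d $inner_ip --dport $inner_port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# lint_rules FILE
# Every "-A/-I/-D CHAIN" must name a built-in chain of the current table
# or one declared with ":CHAIN" in that table. Prints "line N: ..." per
# offender and returns 1 if any were found.
lint_rules() {
    awk '
        BEGIN {
            builtin["nat"]      = " PREROUTING INPUT OUTPUT POSTROUTING "
            builtin["filter"]   = " INPUT FORWARD OUTPUT "
            builtin["mangle"]   = " PREROUTING INPUT FORWARD OUTPUT POSTROUTING "
            builtin["raw"]      = " PREROUTING OUTPUT "
            builtin["security"] = " INPUT FORWARD OUTPUT "
            bad = 0
        }
        /^\*/          { table = substr($1, 2); for (k in declared) delete declared[k]; next }
        /^:/           { declared[substr($1, 2)] = 1; next }
        /^COMMIT$/     { table = ""; next }
        /^(-A|-I|-D) / {
            chain = $2
            if (table == "") {
                printf "line %d: rule outside any table\n", NR; bad = 1; next
            }
            if (index(builtin[table], " " chain " ") == 0 && !(chain in declared)) {
                printf "line %d: chain %s does not exist in table %s\n", NR, chain, table
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Usage: sh forward.sh --apply   (as root, with iptables-persistent installed)
if [ "${1:-}" = "--apply" ]; then
    tmp=$(mktemp)
    render_rules_v4 enp0s3 192.168.0.4 22222 49620 > "$tmp"
    lint_rules "$tmp" || exit 1
    iptables-restore --test < "$tmp" || exit 1      # the real tool's dry run
    install -m 0644 "$tmp" /etc/iptables/rules.v4
    netfilter-persistent reload
    # ip_forward has to survive reboots too; sysctl -w alone does not
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-forward.conf
    sysctl -p /etc/sysctl.d/99-forward.conf
    rm -f "$tmp"
fi
```

The rendered file is a complete stand-alone ruleset, so restoring it replaces whatever ufw put into the filter table; if ufw stays in charge of that table, merge only the *nat section and the two FORWARD rules into the existing file. `iptables-restore --test` remains the authoritative dry run; the awk lint only makes the failure legible.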
 
First you will want to disable/stop ufw, ufw is just a frontend for iptables. If you are going to be editing iptables directly you don't want ufw to override or to interfere with your rules. After that restart iptables again and see what line gives an error, and then if you could share that line here and also the whole file after you have stopped ufw.
 
I actually found that you can use both. Leave ufw enabled and running. Go to the "ufw Masquerading" section of the link I just posted. But basically you should be able to put your custom iptables rules in /etc/ufw/before.rules. This way you can still be using ufw while editing iptables directly; these rules will then probably get loaded before the ufw rules.
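An added example of the ufw-side setup the reply above points to; it is not from the thread or from the ufw project. It assumes ufw's standard file locations (/etc/ufw/before.rules, /etc/ufw/sysctl.conf) and the same values as earlier (enp0s3, 192.168.0.4:22222, public port 49620). The *nat section is spliced into before.rules ahead of its *filter line with its own COMMIT, ip_forward is switched on in ufw's own sysctl file, and rather than opening DEFAULT_FORWARD_POLICY to ACCEPT the forwarded flow is admitted with a single ufw route rule. The functions only edit the paths handed to them, so they can be exercised on copies first.

```sh
#!/bin/sh
# Added example, not from the thread or from ufw. Assumed values: enp0s3, 192.168.0.4:22222, public port 49620.

# nat_block IFACE INNER_IP INNER_PORT PUBLIC_PORT
# The *nat table that ufw does not create itself. It must sit above the
# "*filter" line of before.rules and carry its own COMMIT.
nat_block() {
    cat <<EOF
# BEGIN port-forward $4 -> $2:$3 (managed block)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $1 -p tcp --dport $4 -j DNAT --to-destination $2:$3
-A POSTROUTING -o $1 -p tcp -d $2 --dport $3 -j MASQUERADE
COMMIT
# END port-forward $4 -> $2:$3
EOF
}

# install_nat_block BEFORE_RULES IFACE INNER_IP INNER_PORT PUBLIC_PORT
# Idempotent: an earlier managed block is dropped and the fresh one is
# inserted just before "*filter", so re-running never stacks a second copy.
install_nat_block() {
    file=$1; shift
    blk=$(mktemp); tmp=$(mktemp)
    nat_block "$@" > "$blk"
    awk '
        NR == FNR { block = block $0 "\n"; next }        # first file: the new block
        /^# BEGIN port-forward / { skip = 1 }
        skip && /^# END port-forward / { skip = 0; next }
        skip { next }
        /^\*filter$/ && !done { printf "%s", block; done = 1 }
        { print }
    ' "$blk" "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$blk" "$tmp"
}

# enable_ip_forward UFW_SYSCTL
# ufw ships /etc/ufw/sysctl.conf with "#net/ipv4/ip_forward=1" commented
# out; uncomment it (or append it) so forwarding survives a reboot.
enable_ip_forward() {
    tmp=$(mktemp)
    awk '
        /^#?net\/ipv4\/ip_forward=/ { print "net/ipv4/ip_forward=1"; seen = 1; next }
        { print }
        END { if (!seen) print "net/ipv4/ip_forward=1" }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Usage: sh ufw-forward.sh --apply   (as root)
if [ "${1:-}" = "--apply" ]; then
    install_nat_block /etc/ufw/before.rules enp0s3 192.168.0.4 22222 49620
    enable_ip_forward /etc/ufw/sysctl.conf
    sysctl -w net.ipv4.ip_forward=1                  # immediate effect; the file covers reboots
    # Admit only the DNATed flow through FORWARD; DEFAULT_FORWARD_POLICY stays DROP
    ufw route allow in on enp0s3 out on enp0s3 to 192.168.0.4 port 22222 proto tcp
    ufw reload
fi
```

DNATed packets traverse FORWARD, not INPUT, so a `ufw allow 49620` on the server itself is not what lets the forward through; the route rule is. Run with --apply once, and again whenever the target changes: the managed block is replaced, not duplicated.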
 
Hi again, sorry for the delay.

I actually tried to disable ufw, but every time I restarted the server it was enabled again, even though I actually used the disable function. However, now it suddenly works; maybe me disabling it and the system reactivating it again modified the rules somehow..

I would like to thank you for the help!
 
I just made a few suggestions, glad that helped you out!
 

