
I'm very new to Linux and bash. I'm working on a homelab (machine a) project.

My ultimate goal is to set up Nginx on my server and connect externally (machine c) to Docker apps File Browser, possibly Sonarr and a few other services. I'm following this video > LINK

I cannot port forward on my rubbish UK BT router, so I have opted for a VPS (machine b), mainly because I didn't want to have to deal with bandwidth limitations with Cloudflare or Oracle zero tier.

I have been looking for the right iptables command for the port forwarding. I have landed on the below.

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination x.x.x.x:18880   # port 80 on machine b -> x.x.x.x = machine a
sudo iptables -t nat -A POSTROUTING -p tcp -d x.x.x.x --dport 18880 -j SNAT --to-source x.x.x.x   # -d = machine a, --to-source = machine b
sudo iptables -A FORWARD -p tcp -d x.x.x.x --dport 18880 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT   # -d = machine a

What I've done so far:

  • I've enabled IPv4 port forwarding
  • Flushed the nat table
  • Initially, I enabled ufw but disabled it after I discovered iptables. I also reset ufw and there are no rules.

When I view the iptables rules this is what I get. Although I ran the PREROUTING command, it didn't appear.

here

If you have any suggestions feel free. This is still very new to me.

TIA


iptables-save output (shows all tables):

# Generated by iptables-save v1.8.4 on Mon Nov  6 20:37:01 2023
*filter
:INPUT DROP [54923:2610101]
:FORWARD DROP [120:5736]
:OUTPUT ACCEPT [402:21052]
:ts-forward - [0:0]
:ts-input - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ts-input
-A INPUT
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j ts-forward
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ts-forward -i tailscale0 -j MARK --set-xmark 0x40000/0xff0000
-A ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
-A ts-forward -s 100.64.0.0/10 -o tailscale0 -j DROP
-A ts-forward -o tailscale0 -j ACCEPT
-A ts-input -s 100.105.39.150/32 -i lo -j ACCEPT
-A ts-input -s 100.115.92.0/23 ! -i tailscale0 -j RETURN
-A ts-input -s 100.64.0.0/10 ! -i tailscale0 -j DROP
-A ts-input -i tailscale0 -j ACCEPT
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 443 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Mon Nov  6 20:37:01 2023
# Generated by iptables-save v1.8.4 on Mon Nov  6 20:37:01 2023
*nat
:PREROUTING ACCEPT [23534:1179042]
:INPUT ACCEPT [5148:292118]
:OUTPUT ACCEPT [257:18587]
:POSTROUTING ACCEPT [257:18587]
:ts-postrouting - [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.209:1880
COMMIT
# Completed on Mon Nov  6 20:37:01 2023
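An added example, in POSIX shell, that is not code from the question or from any comment. It covers the two things the thread leaves open: the set of rules a VPS needs to forward a public port to a home machine, and a check that explains why the PREROUTING rule "didn't appear". Plain `iptables -L` or `iptables -S` lists only the filter table; NAT rules show up with `sudo iptables -t nat -S` or, as in the question, in `iptables-save`. All addresses and ports are assumed placeholders: VPS_IP stands for machine b and HOME_IP for machine a as the VPS can reach it (a DNAT to a 192.168.x.x LAN address only works if the VPS has a route to that address, for instance over the Tailscale tunnel whose ts-* chains appear in the dump). Using MASQUERADE instead of SNAT with a fixed --to-source is my choice, not the question's: it takes the source address of whichever interface the packet actually leaves by, which a hard-coded public address gets wrong when the path to machine a is a tunnel. The audit reads an iptables-save dump from stdin, extracts the DNAT target that is really installed and reports which companion rules are missing; run on the relevant lines of the question's own dump it finds the DNAT to 192.168.1.209:1880 but no source NAT in POSTROUTING and no FORWARD ACCEPT under a FORWARD policy of DROP.

```shell
#!/bin/sh
# Added example, not code from the question or its comments.
# Placeholders (assumed): VPS_IP = machine b's public address, HOME_IP =
# machine a's address as the VPS can reach it (a tailnet address if the
# tunnel behind the ts-* chains is the path).
VPS_IP="${VPS_IP:-203.0.113.10}"
HOME_IP="${HOME_IP:-100.64.0.2}"
PUBLIC_PORT="${PUBLIC_PORT:-80}"
APP_PORT="${APP_PORT:-18880}"

# Emit the rules that make VPS_IP:PUBLIC_PORT land on HOME_IP:APP_PORT.
# MASQUERADE instead of "SNAT --to-source $VPS_IP" is an assumption: it
# uses the source address of the interface the packet really leaves by.
forward_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -p tcp --dport $PUBLIC_PORT -j DNAT --to-destination $HOME_IP:$APP_PORT
iptables -t nat -A POSTROUTING -p tcp -d $HOME_IP --dport $APP_PORT -j MASQUERADE
iptables -A FORWARD -p tcp -d $HOME_IP --dport $APP_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $HOME_IP --sport $APP_PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply the rules (root required):  sudo sh vps-forward.sh apply
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  forward_rules | while IFS= read -r cmd; do eval "$cmd"; done
}

# Audit an iptables-save dump read from stdin. Prints one line per check
# and returns the number of missing pieces (3 when there is no DNAT at all).
audit_dump() {
  dump=$(cat)
  missing=0
  target=$(printf '%s\n' "$dump" |
    sed -n 's/^-A PREROUTING .*-j DNAT --to-destination \([0-9.]*:[0-9]*\).*/\1/p' | head -n 1)
  if [ -z "$target" ]; then
    echo "missing: no DNAT rule in nat/PREROUTING (list it with: iptables -t nat -S)"
    return 3
  fi
  t_ip=${target%:*}
  t_port=${target#*:}
  echo "found:   DNAT to $target"
  if printf '%s\n' "$dump" | grep -Eq '^-A POSTROUTING .*-j (SNAT|MASQUERADE)'; then
    echo "ok:      nat/POSTROUTING rewrites the source address"
  else
    echo "missing: no SNAT/MASQUERADE in nat/POSTROUTING; replies from $t_ip would not return through the VPS"
    missing=$((missing + 1))
  fi
  if printf '%s\n' "$dump" | grep -Eq "^-A FORWARD .*-d $t_ip(/32)? .*--dport $t_port .*-j ACCEPT"; then
    echo "ok:      FORWARD accepts traffic to $t_ip:$t_port"
  else
    policy=$(printf '%s\n' "$dump" | sed -n 's/^:FORWARD \([A-Z]*\).*/\1/p' | head -n 1)
    echo "missing: no FORWARD ACCEPT for $t_ip:$t_port (FORWARD policy is ${policy:-unknown})"
    missing=$((missing + 1))
  fi
  return "$missing"
}

# Constructed sample: the lines of the question's dump that matter here.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -j ufw-before-forward
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.209:1880
COMMIT'

case "${1:-}" in
  apply) apply_rules ;;
  rules) forward_rules ;;
  audit) audit_dump ;;   # usage: sudo iptables-save | sh vps-forward.sh audit
  *)     printf '%s\n' "$SAMPLE_DUMP" | audit_dump || echo "$? piece(s) missing" ;;
esac
```

Run with no argument to see the audit of the sample dump, with `rules` to print the rules for your own addresses (set VPS_IP, HOME_IP and the ports in the environment), and with `audit` on a live `iptables-save` to check a real box; the return code is the number of missing pieces, so it can gate a deployment script.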
  • What you're showing in the iptables output is incomplete. Install pastebinit, then use sudo iptables-save | pastebinit and put the link in a comment here for us to see the full ruleset of IPTables (NAT rules don't show in standard iptables output). Note also what you're doing is NAT, not Reverse Proxying. What is your intended goal here?
    – Thomas Ward
    Commented Nov 6, 2023 at 16:59
  • Here's the output: paste.ubuntu.com/p/8sxVk8wtXF. I want to use my VPS as a gateway between my homelab and external services, due to my router not being able to port forward. My first hurdle is port forwarding on my VPS, hence my initial post. I'm following this walkthrough HERE to complete the reverse proxy. I just need help with the port forwarding to get me started on setting up the reverse proxy.
    – Twinkle
    Commented Nov 7, 2023 at 6:51
  • @ThomasWard see above
    – Twinkle
    Commented Nov 8, 2023 at 16:26
  • If your router doesn't do NAT/Port Forward then you have a larger problem. You can't port-forward your VPS to a non-NAT'd network. It doesn't work that way. If you sit behind a router and it doesn't support Port Forwarding or NAT, then you can't 'reverse proxy' to something that can't be connected to from the outside network.
    – Thomas Ward
    Commented Nov 8, 2023 at 18:47
  • Hi @ThomasWard, my router does allow it, as I have a Plex entry, but I can't enter my own manual rules. I have spoken to BT, however they don't have a fix. Therefore the router can port forward, however not manually by me. Meaning when I save my entry it doesn't save. I should have made that clearer. The commands I found, are they correct?
    – Twinkle
    Commented Nov 9, 2023 at 14:53
