
I got referred here from StackOverflow.

I'm using iptables to forward an incoming port on one server to an external server (not on LAN) and the same port. The problem I'm having is that I have to use MASQUERADE or it will not forward. So all users on my server have my first server's IP as their IP.

Here is a breakdown of my iptables configuration.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:25565 to:192.241.156.238:25565

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Any help would be deeply appreciated so I can port forward from the one server to the other.

Also, a question: when I do this, does it just transfer the connection, and then all data back and forth is between the two PCs? Or am I doubling up my bandwidth?

  • There doesn't seem to be any point to this. You are only consuming double your bandwidth for no apparent benefit whatsoever. – Michael Hampton Dec 10 '13 at 02:32
  • I don't want the public IP of my gameserver to really be known or anything. I suppose it would be wiser to use a subdomain instead... – OBLE Codemonkey Dec 10 '13 at 02:53
  • So is this supposed to be some kind of crude DDoS protection? – Michael Hampton Dec 10 '13 at 02:55
  • So you're a game server hosting company? What are you using for a top-rack firewall? – Wesley Dec 10 '13 at 03:21
  • What's your main question here? You're using MASQUERADE and it's working as expected. – etagenklo Dec 10 '13 at 09:51
  • A "subdomain" still has to resolve to an IP Address, so it won't help you. If you're offering a public service, you're going to have to share the IP Address. Security through Obscurity isn't. – fukawi2 Dec 11 '13 at 02:10

1 Answer


MASQUERADE is working as expected and is needed. If the external server received the original local IP addresses as source addresses, it wouldn't know where to send back the answer, or at best it would try to send it through its local network. A machine routing with masquerading handles all the connections, then redirects the answers to the correct local machine.

stoned
  • If you want to understand further, Google for Asynchronous or Asymmetric Routing. What you are looking to do isn't technically possible (at least not at layer 2/3 where iptables works), and isn't a good plan anyway. – fukawi2 Dec 11 '13 at 02:09
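As an added example (my own script, not the poster's configuration or the answerer's): the ruleset shown in the question applies MASQUERADE to every packet leaving the box and leaves the FORWARD policy at ACCEPT, so once ip_forward is on, the relay will NAT and forward anything the kernel routes through it, not just the game port. The script below emits the equivalent relay for the single flow that needs it, using the target address and port from the question; the interface name eth0 is an assumption. It only prints the iptables commands so they can be reviewed; nothing is applied unless the output is piped to a root shell.

```shell
#!/bin/sh
# Added example, not from the original post: a DNAT + MASQUERADE relay for one
# TCP port, scoped to the relayed flow only. Assumptions not on the page: the
# public interface is eth0; the target IP and port are taken from the question.

# Emit the rules as text. Review them, then pipe to `sh` as root to apply.
relay_rules() {
    wan_if="$1"   # interface facing the internet (assumed eth0)
    target="$2"   # external server the port is relayed to
    port="$3"     # TCP port, same on the relay and on the target

    cat <<EOF
# Routing between the client side and the target must be enabled, or FORWARD
# never sees the packets.
sysctl -w net.ipv4.ip_forward=1
# Rewrite the destination of new connections arriving on the relay port.
iptables -t nat -A PREROUTING -i ${wan_if} -p tcp --dport ${port} -j DNAT --to-destination ${target}:${port}
# Rewrite the source only for the relayed flow. Without this the target
# answers the client directly and the client drops replies from an address
# it never connected to (the asymmetric-routing problem the answer describes).
iptables -t nat -A POSTROUTING -o ${wan_if} -p tcp -d ${target} --dport ${port} -j MASQUERADE
# FORWARD: allow the relayed flow and its tracked replies, drop everything else,
# instead of the policy ACCEPT shown in the question.
iptables -A FORWARD -i ${wan_if} -o ${wan_if} -p tcp -d ${target} --dport ${port} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Number of iptables commands in the emitted set (sysctl and comments excluded),
# useful as a quick sanity check that nothing was dropped when editing the template.
rule_count() {
    relay_rules "$@" | grep -c '^iptables '
}

# Print the rule set for the values in the question; nothing is applied here.
relay_rules eth0 192.241.156.238 25565
```

Every byte of a relayed connection crosses the relay's uplink twice (client to relay, relay to target, and the reverse for replies), which is the bandwidth doubling the comments point out; the tighter rules do not change that, they only stop the relay from acting as a general-purpose NAT box.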