
I'm accessing a remote Ubuntu Server using SSH over a VPN. Now I would like to configure the remote server.

I tried to forward incoming traffic on port 80 of my tunnel to the router address, but it's not working:

sudo iptables -A FORWARD -i tun0 -o enp3s0 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -i tun0 -o enp3s0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -i enp3s0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -P FORWARD DROP

sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1
sudo iptables -t nat -A POSTROUTING -o tun0 -p tcp --dport 80 -d 192.168.1.1 -j SNAT --to-source 172.20.20.11

I also have a web server running on port 8080, so I tested with that address instead, and it was working, so I don't know why it's not working for the router interface:

sudo iptables -A FORWARD -i tun0 -o enp3s0 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -i tun0 -o enp3s0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -i enp3s0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -P FORWARD DROP

sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.197:8080
sudo iptables -t nat -A POSTROUTING -o tun0 -p tcp --dport 80 -d 192.168.1.197 -j SNAT --to-source 172.20.20.11

The UFW firewall is inactive.

Network Configuration:

adm@server:~$ ifconfig
enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.197  netmask 255.255.255.0  broadcast 192.168.1.255
        ether f4:4d:30:6b:a2:8c  txqueuelen 1000  (Ethernet)
        RX packets 21987  bytes 22287960 (22.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14821  bytes 2654314 (2.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 172.20.20.11  netmask 255.255.255.0  destination 172.20.20.11
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 2761  bytes 134743 (134.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2523  bytes 936758 (936.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
JPelletier
  • Some routers reject connections not coming from their local subnet's IP address space. Try to edit your ruleset to use the MASQUERADE target for connections forwarded to the router. Masquerade target syntax is widely documented. – Marco Oct 20 '17 at 16:31
  • Ok, will read on that – JPelletier Oct 20 '17 at 19:33
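The fix Marco's comment points at, written out as an added example (this is not the asker's ruleset nor an answer from the thread): the POSTROUTING rule must match the interface the DNATed packet actually leaves on (enp3s0), not tun0, and because the router is a different host the server must also have IP forwarding enabled; the 8080 test passed only because 192.168.1.197 is the server itself, so that packet was delivered locally and never traversed FORWARD at all. The addresses are taken from the ifconfig output above; the VPN_NET source restriction, the APPLY switch and the check_rules helper are assumptions of mine.

```shell
#!/bin/sh
# Added example: build the DNAT/MASQUERADE ruleset that lets tunnel clients reach
# the router's web UI on port 80 through this server. Dry run by default (prints
# the commands); APPLY=1 executes them via sudo.
TUN_IF=tun0            # VPN side, 172.20.20.11/24 (from ifconfig above)
LAN_IF=enp3s0          # LAN side, 192.168.1.197/24 (from ifconfig above)
ROUTER=192.168.1.1     # DNAT target from the question
VPN_NET=172.20.20.0/24 # assumption: only tunnel clients may use the forward

gen_rules() {
  # The FORWARD chain is only consulted when the kernel routes between interfaces.
  echo "sysctl -w net.ipv4.ip_forward=1"
  # Filter: new connections tunnel -> router on port 80, replies in both directions.
  # FORWARD sees the packet after PREROUTING, so the destination is already the router.
  echo "iptables -A FORWARD -i $TUN_IF -o $LAN_IF -s $VPN_NET -d $ROUTER -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
  echo "iptables -A FORWARD -i $TUN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i $LAN_IF -o $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -P FORWARD DROP"
  # NAT: rewrite the destination as the packet arrives from the tunnel ...
  echo "iptables -t nat -A PREROUTING -i $TUN_IF -s $VPN_NET -p tcp --dport 80 -j DNAT --to-destination $ROUTER"
  # ... and the source as it LEAVES towards the LAN. The question's rule matched
  # '-o tun0', but the DNATed packet exits via enp3s0, so that rule never fired and
  # the router saw a 172.20.20.x source it cannot reply to. MASQUERADE substitutes
  # the outgoing interface's own address (192.168.1.197), so replies come back here.
  echo "iptables -t nat -A POSTROUTING -o $LAN_IF -d $ROUTER -p tcp --dport 80 -j MASQUERADE"
}

# Sanity check that needs no root: succeeds only if the source rewrite is bound
# to the LAN-facing interface rather than the tunnel.
check_rules() {
  gen_rules | grep -q -- "POSTROUTING -o $LAN_IF .* -j MASQUERADE"
}

if [ "${APPLY:-0}" = "1" ]; then
  gen_rules | sudo sh -e
else
  gen_rules
fi
```

Verify afterwards with `sudo iptables -t nat -L POSTROUTING -v -n` and `sudo conntrack -L` (from the conntrack-tools package): the pkts counter on the MASQUERADE rule should increase with each connection from a tunnel client.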

0 Answers