How do I port forward from adapter to localhost, changing ports

I am using an Ubuntu 16 server.

I am trying to use iptables to forward a port from a particular network adapter and port to a specific port on lo/127.0.0.1. It seems like the correct tool.

By way of an example, let us imagine I want adapter ens192 to forward incoming traffic on port 8443 to 127.0.0.1:443. I do not want ens192's 443 to reach 127.0.0.1:443... it should appear closed.

I've made the following calls (as sudo su, for convenience) on a fresh install:

# sysctl -w net.ipv4.ip_forward=1  # permits port-forwarding
# sysctl -w net.ipv4.conf.ens192.route_localnet=1  # permits routing from the adapter to localhost
# iptables -P INPUT DROP
# iptables -t nat -A PREROUTING -i ens192 -p tcp --dport 8443 -j DNAT \
--to-destination 127.0.0.1:443
# iptables -t nat -A POSTROUTING -o ens192 -j MASQUERADE

However, this doesn't work... browsing to [ip]:8443 doesn't yield the desired results... the browser times out.

I have validated that the server is running properly at the desired port.

I assume that the browser's TCP request changes within the server to appear as if it contacts 127.0.0.1:443 instead. Then, when responding, the IP address translates back to the address/port of ens192 instead as it leaves. Or... not?
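An added worked example (editor's, not from the question or any answer to it): a small POSIX sh script that generates, and can apply, the full rule set for redirecting ens192:8443 to 127.0.0.1:443. The interface and port numbers are taken from the question and are only defaults; the service is assumed to be bound to 127.0.0.1:443. It differs from the commands in the question in the points a practitioner needs to know. After the PREROUTING DNAT the packet's destination is 127.0.0.1, a local address, so the routing decision is local delivery and the packet traverses filter/INPUT, not FORWARD; with a DROP policy and no ACCEPT rule the SYN is discarded, which is what a browser timeout looks like. The ACCEPT is restricted to connections carrying conntrack's DNAT state, because route_localnet=1 also admits packets that a neighbour on the same segment addresses directly to 127.0.0.1, which would otherwise expose every loopback-only service on the host. ip_forward and the MASQUERADE rule play no part in this path: forwarding is not involved in local delivery, and conntrack reverses the DNAT on the reply packets by itself.

```shell
#!/bin/sh
# Added example (editor's, not from the question): generate, and optionally
# apply, the rule set that lets IFACE:PUB_PORT reach a service bound to
# 127.0.0.1:LOCAL_PORT while IFACE:LOCAL_PORT stays closed.
# Assumptions: the service listens on 127.0.0.1 only; ens192/8443/443 come
# from the question and are defaults here, not requirements.
set -eu

# Print the commands for one redirect.  Usage: gen_rules IFACE PUB_PORT LOCAL_PORT
gen_rules() {
    iface=$1; pub=$2; lport=$3
    cat <<EOF
# accept 127/8 destinations arriving on ${iface}; without this the DNATed packet is a martian
sysctl -w net.ipv4.conf.${iface}.route_localnet=1
# rewrite the destination before the routing decision: ${iface}:${pub} -> 127.0.0.1:${lport}
iptables -t nat -A PREROUTING -i ${iface} -p tcp --dport ${pub} -j DNAT --to-destination 127.0.0.1:${lport}
# after DNAT the destination is local, so the packet traverses INPUT (not FORWARD);
# accept only connections carrying conntrack's DNAT state, i.e. ones that came through the rule above
iptables -A INPUT -i ${iface} -d 127.0.0.1 -p tcp --dport ${lport} -m conntrack --ctstate DNAT -j ACCEPT
# route_localnet also admits packets a neighbour crafts with a 127/8 destination; drop those
iptables -A INPUT -i ${iface} -d 127.0.0.0/8 -j DROP
# a direct hit on ${iface}:${lport} answers with RST, so the port shows as closed rather than filtered
iptables -A INPUT -i ${iface} -p tcp --dport ${lport} -j REJECT --reject-with tcp-reset
EOF
}

# Number of iptables rules gen_rules emits (for scripted checks).
rule_count() {
    gen_rules "$@" | grep -c '^iptables'
}

# Run the generated commands on this host; needs root.  Usage: apply_rules IFACE PUB_PORT LOCAL_PORT
apply_rules() {
    gen_rules "$@" | sh -ex
}

# Show where packets are being counted.  After a client connects to the public
# port, the DNAT rule and the INPUT ACCEPT should both tick, and the packet
# count on the "policy DROP" line of INPUT should stay flat.
show_counters() {
    iptables -t nat -vnL PREROUTING
    iptables -vnL INPUT
}

case "${1:-}" in
    --apply) shift; apply_rules "$@" ;;
    --show)  show_counters ;;
    *)       gen_rules "${1:-ens192}" "${2:-8443}" "${3:-443}" ;;
esac
```

Running the script with no arguments prints the rules; `sudo sh script.sh --apply ens192 8443 443` applies them, and `sudo sh script.sh --show` prints the counters. To confirm the diagnosis on the original rule set first, run `iptables -vnL INPUT` while a client retries: the packet count on the "Chain INPUT (policy DROP ...)" line rising with each attempt is the dropped SYN. Neither `sysctl -w` nor `iptables -A` survives a reboot, so once it works put the sysctl in /etc/sysctl.d and persist the rules with whatever the host uses (iptables-persistent on Ubuntu).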