I am using an Ubuntu 16 server.

I am trying to use iptables to forward a port from a particular network adapter and port to a specific port on lo/127.0.0.1. It seems like the correct tool.

By way of an example, let us imagine I want adapter ens192 to forward incoming traffic on port 8443 to 127.0.0.1:443. I do not want ens192's 443 to reach 127.0.0.1:443... it should appear closed.

I've made the following calls (as sudo su, for convenience) on a fresh install:

# sysctl -w net.ipv4.ip_forward=1  # permits port-forwarding
# sysctl -w net.ipv4.conf.ens192.route_localnet=1  # permits routing from the adapter to localhost
# iptables -P INPUT DROP
# iptables -t nat -A PREROUTING -i ens192 -p tcp --dport 8443 -j DNAT \
--to-destination 127.0.0.1:443
# iptables -t nat -A POSTROUTING -o ens192 -j MASQUERADE

However, this doesn't work... browsing to [ip]:8443 doesn't yield the desired results... the browser times out.

I have validated that the server is running properly at the desired port.

I assume that the browser's TCP request changes within the server to appear as if it contacts 127.0.0.1:443 instead. Then, when responding, the IP address translates back to the address/port of ens192 instead as it leaves. Or... not?

  • "Seems like the correct tool" and "is the correct tool" differ here. I suspect iptables doesn't nat different ports well. If at all. So the better tool is apache2's configuration files, most likely. Commented Feb 22, 2017 at 15:51

1 Answer

It looks like the problem is that you added the rules to NAT the traffic, but not to actually allow it to pass. The following rule is a quick way to allow all traffic that you're NATting:

iptables -A INPUT -m conntrack --ctstate DNAT -j ACCEPT

See if this rule does what you want. If it still doesn't work, try changing the INPUT chain policy back to ACCEPT temporarily, just to figure out whether the firewall is the problem or not.

  • Regretfully, this does not work. Changing the INPUT chain policy back to ACCEPT also doesn't enable it to work. Commented Feb 27, 2017 at 14:28
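One way to catch the gap the answer describes, as an added example that is not code from the question or the answer: a shell function that reads iptables commands (continuation lines included) and reports DNAT rules that the filter INPUT chain would still drop. It only inspects the command text, so it runs without root or iptables; awk is its only dependency.

```shell
# Added example, not from the question or the answer. Reads iptables command
# lines on stdin and prints every nat PREROUTING DNAT rule whose translated
# port is never accepted by INPUT: no "-P INPUT ACCEPT" policy, no
# "--ctstate ... DNAT" accept rule and no "--dport <port> -j ACCEPT" rule.
# Exit status 1 means at least one forwarded connection would be dropped.
dnat_without_accept() {
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }   # join "\"-continued lines
        { line = buf $0; buf = "" }
        line ~ /-P +INPUT +/ { open = (line ~ /ACCEPT/) }  # last policy wins
        line ~ /-t nat/ && line ~ /-A +PREROUTING/ && line ~ /-j +DNAT/ {
            # key the rule by its translated port (127.0.0.1:443 -> 443);
            # without an explicit port, DNAT keeps the original --dport
            dest = ""
            if (match(line, /--to-destination +[^ ]+:[0-9]+/)) dest = substr(line, RSTART, RLENGTH)
            else if (match(line, /--dport +[0-9]+/)) dest = substr(line, RSTART, RLENGTH)
            sub(/.*[: ]/, "", dest)
            if (dest != "") dnat[dest] = line
        }
        line ~ /-A +INPUT/ && line ~ /-j +ACCEPT/ {
            if (line ~ /--ctstate +[A-Z,]*DNAT/) any_dnat = 1
            else if (match(line, /--dport +[0-9]+/)) {
                port = substr(line, RSTART, RLENGTH); sub(/.* /, "", port)
                accept[port] = 1
            }
        }
        END {
            bad = 0
            for (p in dnat)
                if (!open && !any_dnat && !(p in accept)) {
                    print "no INPUT ACCEPT for DNAT to port " p ": " dnat[p]
                    bad = 1
                }
            exit bad
        }
    '
}

# The rules from the question, reproduced here as the sample input:
printf '%s\n' \
    'iptables -P INPUT DROP' \
    'iptables -t nat -A PREROUTING -i ens192 -p tcp --dport 8443 -j DNAT \' \
    '--to-destination 127.0.0.1:443' \
    'iptables -t nat -A POSTROUTING -o ens192 -j MASQUERADE' |
    dnat_without_accept || echo 'fix: iptables -A INPUT -m conntrack --ctstate DNAT -j ACCEPT'
```

Feed it the output of your own shell history or a saved script; a clean run (exit 0) only says the filter chain admits the DNAT'd connection, not that the service on 127.0.0.1 is listening.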
