LinuxQuestions.org
Old 08-30-2022, 04:39 PM   #1
Jason_25
Member
 
Registered: Nov 2001
Posts: 180

Rep: Reputation: 23
Problem with NAT/port forwarding


I am having trouble trying to forward port 80 from my router with a cellular device to another computer on the network. The router is on the "DMZ" of the cellular device which is set to 192.168.1.109. This is the script:

Code:
sudo sh -c "echo '1' >> /proc/sys/net/ipv4/ip_forward"
sudo ifconfig eth1 up
sudo ifconfig usb0 up
sudo ifconfig eth1 192.168.1.19
sudo ifconfig usb0 192.168.1.109
sudo route add default gw 192.168.1.1
sudo iptables -A FORWARD -i usb0 -j ACCEPT
sudo iptables -A FORWARD -o usb0 -j ACCEPT
sudo iptables -A FORWARD -i eth1 -j ACCEPT
sudo iptables -A FORWARD -o eth1 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o usb0 -j MASQUERADE
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3:80
sudo route add 192.168.1.3 -dev eth1

192.168.1.1 is default gateway for 192.168.1.3
The result is SSH on the router is accessible from inside and outside. But the port forward to 192.168.1.3 does not work.

I did get this to work using a bridge but duplicate packets were being created and so SSH on the router was not reliable but I was able to access a web page on 192.168.1.3 from the Internet. I would prefer to stay with just routing for now until I get this figured out. If it absolutely cannot work this way I will further detail the partially working bridging method.

Does anything look wrong?
 
Old 08-30-2022, 04:49 PM   #2
boughtonp
Senior Member
 
Registered: Feb 2007
Location: UK
Distribution: Debian
Posts: 3,615

Rep: Reputation: 2554
Quote:
Originally Posted by Jason_25
Does anything look wrong?

In your first line you are appending instead of overwriting.

 
Old 08-30-2022, 07:04 PM   #3
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,734

Rep: Reputation: 5920
Quote:
Does anything look wrong?

In addition, NAT really does not work if both interfaces are on the same network.
It should only have one route, i.e. sudo route add default gw 192.168.1.1 (I assume that is your cell device LAN address?)
The gateway of your web server should be the eth1 IP address.
You do not have an interface defined for your port forwarding rule.
Code:
iptables --table nat --append POSTROUTING --out-interface usb0 -j MASQUERADE
iptables --append FORWARD -i eth1 -j ACCEPT
iptables -t nat -A PREROUTING -i usb0 -p tcp --dport 80 -j DNAT --to-destination <address:port>

Last edited by michaelk; 08-30-2022 at 07:14 PM.
 
1 members found this post helpful.
Old 08-31-2022, 03:18 AM   #4
Jason_25
Member
 
Registered: Nov 2001
Posts: 180

Original Poster
Rep: Reputation: 23
I got this solved once I had some sleep. There were 3 problems.
1. I reversed the routing with putting the gateway for the router out of usb0 and then I did not need a static route. The routing table is pretty interesting.
2. The MASQUERADE part is not needed. The cellular device at 192.168.1.1 does the bulk of the network address translation. The DNAT stuff is short for "destination NAT" and only changes - well - the destination address so it will know to go to the server I specified.
3. The gateway for the web server. It really clued me in when I could not even ping 8.8.8.8 from the web server through the cellular device "internal" at 192.168.1.1. Using the cellular device "external" at 192.168.1.109 for gateway or the "internal" as before is improper and a red herring.

It is really confusing that there is an address on usb0 at the computer side "externally" at 192.168.1.109 in this case and an address on usb0 on the logic side "internally" at 192.168.1.1. It is the USB network inside the ethernet network. Like a Matryoshka doll. But maybe I have been thinking at this for too long now.

Michaelk, you found the problem perfectly. It is good to know that if I did not figure it out someone else would have.

This is just a code snippet. The actual router code is going to be much larger.
Code:
sudo sh -c "echo '1' >> /proc/sys/net/ipv4/ip_forward"
sudo ifconfig eth1 up
sudo ifconfig usb0 up
sudo ifconfig eth1 192.168.1.19
sudo ifconfig usb0 192.168.1.109
sudo route add default gw 192.168.1.1 dev usb0
sudo iptables -A FORWARD -i usb0 -j ACCEPT
sudo iptables -A FORWARD -o usb0 -j ACCEPT
sudo iptables -A FORWARD -i eth1 -j ACCEPT
sudo iptables -A FORWARD -o eth1 -j ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3:80

192.168.1.19 is default gateway for 192.168.1.3
 
Old 08-31-2022, 05:52 PM   #5
Jason_25
Member
 
Registered: Nov 2001
Posts: 180

Original Poster
Rep: Reputation: 23
It turns out that at least at times the MASQUERADE option was required. Either it stops working at random from the cellular device at 192.168.1.1 or never did at all. Anyway it does not cause a double NAT situation like I thought it might so NAT must have not been working from the beginning on the cellular device. So here is a revised snippet with the masquerade added back in.
Code:
sudo sh -c "echo '1' >> /proc/sys/net/ipv4/ip_forward"
sudo ifconfig eth1 up
sudo ifconfig usb0 up
sudo ifconfig eth1 192.168.1.19
sudo ifconfig usb0 192.168.1.109
sudo route add default gw 192.168.1.1 dev usb0
sudo iptables -A FORWARD -i usb0 -j ACCEPT
sudo iptables -A FORWARD -o usb0 -j ACCEPT
sudo iptables -A FORWARD -i eth1 -j ACCEPT
sudo iptables -A FORWARD -o eth1 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o usb0 -j MASQUERADE
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3:80

192.168.1.19 is default gateway for 192.168.1.3
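
Added example (not part of any post in this thread): a narrower variant of the final rule set, with the DNAT rule bound to usb0 as post #3 suggested, so port 80 traffic arriving on eth1 is no longer rewritten, and with forwarding limited to the published port plus reply traffic. Interface names and addresses are the thread's; the default-drop FORWARD policy, the conntrack matches and the APPLY switch are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread. Names and addresses are the thread's.
WAN_IF=usb0        # toward the cellular device
LAN_IF=eth1        # toward the web server
WEB_IP=192.168.1.3
WEB_PORT=80

# One rule per line: <table> <chain> <rule spec>
rules() {
    cat <<EOF
filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
filter FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
filter FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_IP --dport $WEB_PORT -m conntrack --ctstate NEW -j ACCEPT
nat PREROUTING -i $WAN_IF -p tcp --dport $WEB_PORT -j DNAT --to-destination $WEB_IP:$WEB_PORT
nat POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Needs root. Sets FORWARD to default-drop (an assumption of this example),
# then appends each rule only if -C reports it is not already present.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    iptables -P FORWARD DROP
    rules | while read -r table chain spec; do
        # $spec is left unquoted on purpose so it splits into arguments
        iptables -t "$table" -C "$chain" $spec 2>/dev/null ||
            iptables -t "$table" -A "$chain" $spec
    done
}

# Dry run by default: print the rules. APPLY=1 executes them.
if [ "${APPLY:-0}" = 1 ]; then apply_rules; else rules; fi
```

Broad rules left over from the earlier scripts, such as `-A FORWARD -i usb0 -j ACCEPT`, still match first and have to be deleted before the narrower rules take effect.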
 
  

