I'm trying to set up a cloud server as a reverse proxy for my home NAS, which will soon be behind a firewall that doesn't allow inbound connections. I've got the NAS connecting to the server via OpenVPN, and am trying to set up port forwarding rules on the server.
The server is running Ubuntu 18.04. net.ipv4.ip_forward is enabled.
I have the following section set up in /etc/ufw/before.rules:
Code:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the destination of inbound connections to the server's public
# address so they are routed to the NAS (10.8.0.2) over the VPN. Once
# DNATed, these packets are judged in the FORWARD chain, not INPUT.
-A PREROUTING -d $SERVER_IP -p tcp --dport 2022 -j DNAT --to-destination 10.8.0.2:22
-A PREROUTING -d $SERVER_IP -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -d $SERVER_IP -p tcp --dport 443 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -d $SERVER_IP -p tcp --dport 32400 -j DNAT --to-destination 10.8.0.2
# Traffic from the VPN subnet leaving via the public interface gets the
# server's address as source. (Originally written as 10.8.0.0/8, which
# matches all of 10.0.0.0/8; OpenVPN's default tunnel subnet is 10.8.0.0/24.)
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# Forwarded connections reach the NAS with the server's tun0 address as
# source, so replies return through the tunnel without the NAS needing a
# route back to the client.
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
I also have corresponding rules for port opening in /etc/ufw/user.rules:
Code:
# Note: ufw rewrites this file whenever a rule is added or removed with the
# ufw command, so hand edits here do not survive. These rules are in the
# INPUT path and accept connections addressed to the server itself; a
# connection that PREROUTING has already DNATed to 10.8.0.2 is routed, so it
# is evaluated in the FORWARD chain (ufw-user-forward, "ufw route allow")
# rather than against ufw-user-input.
### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT
### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 443 -j ACCEPT
### tuple ### allow tcp 2022 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 2022 -j ACCEPT
### tuple ### allow tcp 32400 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 32400 -j ACCEPT
Traffic bound for ports 80/443 gets forwarded correctly. Traffic for 2022 and 32400 gets a "connection refused" error, e.g. if I execute (from a client on a different network):
Code:
> curl -k https://$SERVER_IP:32400
curl: (7) Failed to connect to $SERVER_IP port 32400: Connection refused
But I know the service is running at port 32400 on the NAS, because if I execute (from the server):
Code:
> curl -k https://10.8.0.2:32400
<html>...
I get a correct response.
Another strange thing I noticed is that when I run "iptables -t nat -L PREROUTING -v", I get the following:
Code:
Chain PREROUTING (policy ACCEPT 293 packets, 18812 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             $SERVER_IP           tcp dpt:2022 to:10.8.0.2:22
    2   128 DNAT       tcp  --  any    any     anywhere             $HOSTNAME            tcp dpt:http to:10.8.0.2
    0     0 DNAT       tcp  --  any    any     anywhere             $HOSTNAME            tcp dpt:https to:10.8.0.2
    0     0 DNAT       tcp  --  any    any     anywhere             $SERVER_IP           tcp dpt:32400 to:10.8.0.2
On the working rules, the destination column shows the hostname of the server machine, whereas the other rules show its IP.
Another minor frustration is that for a few minutes earlier, the 2022 forward *was* working, but it broke after a reboot, and I can't for the life of me remember what rules might have changed in the reboot.
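The listing in the post was taken without -n, so iptables reverse-resolved each rule's destination address; rows that render differently were almost certainly matched against different addresses, which the resolved output hides. The script below is an added example, not part of the original post, and shows how to audit a numeric listing of the nat PREROUTING chain for DNAT rules whose match address is not the server's public IP and for rules that have never matched a packet (both conditions line up with a "connection refused" from the server's own TCP stack). The listing it parses is constructed for this example, using addresses from the 203.0.113.0/24 documentation range, with two rules deliberately pointing at a second address; the function names audit_dnat and count_flagged are helpers written here, not iptables or ufw commands.

```shell
#!/bin/sh
# Added example (not from the original post): audit a numeric listing of the
# nat PREROUTING chain for DNAT rules that (a) match a destination other than
# the server's public address or (b) have never matched a packet.
#
# Assumed input format: the output of
#   iptables -t nat -L PREROUTING -vnx
# (-n skips the reverse-DNS lookups that turn addresses into hostnames,
#  -x prints exact packet counters instead of 12K-style abbreviations).
# The sample below is constructed for this example; 203.0.113.10 and
# 203.0.113.20 are placeholder addresses from the documentation range.

SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 293 packets, 18812 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.10         tcp dpt:2022 to:10.8.0.2:22
       2        128 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.20         tcp dpt:80 to:10.8.0.2
       0          0 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.20         tcp dpt:443 to:10.8.0.2
       0          0 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.10         tcp dpt:32400 to:10.8.0.2'

# audit_dnat LISTING PUBLIC_IP
# Prints one line per DNAT rule in the form
#   dpt=<port> dest=<match address> to=<DNAT target> pkts=<count> <flags>
# where <flags> is OK, or any of WRONG_DEST (match address differs from
# PUBLIC_IP) and NO_HITS (the rule has never matched a packet).
audit_dnat() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $3 == "DNAT" {
            pkts = $1; dst = $9; port = "?"; to = "?"
            # columns after "destination" hold the match/target details
            for (i = 10; i <= NF; i++) {
                if ($i ~ /^dpt:/) port = substr($i, 5)
                if ($i ~ /^to:/)  to = substr($i, 4)
            }
            flags = ""
            if (dst != want) flags = flags " WRONG_DEST"
            if (pkts == 0)   flags = flags " NO_HITS"
            if (flags == "") flags = " OK"
            printf "dpt=%s dest=%s to=%s pkts=%s%s\n", port, dst, to, pkts, flags
        }'
}

# count_flagged LISTING PUBLIC_IP
# Number of DNAT rules that are not OK; 0 means every forward matches the
# public address and has seen traffic.
count_flagged() {
    audit_dnat "$1" "$2" | grep -vc ' OK$'
}

# Demo on the constructed sample. On the server, substitute the live listing:
#   audit_dnat "$(iptables -t nat -L PREROUTING -vnx)" <public IP>
audit_dnat "$SAMPLE_LISTING" 203.0.113.20
```

A rule that shows the right address and a non-zero counter but still does not deliver traffic has passed PREROUTING, so the next place to look is the FORWARD chain (iptables -L FORWARD -vnx and ufw's route rules), which is where DNATed packets are accepted or dropped; the INPUT rules in user.rules are not consulted for them.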