Possibly an IPTABLES routing question :)

Old 02-25-2015, 02:29 PM   #1
badflyer
LQ Newbie
Registered: Feb 2015
Posts: 8

Hi All,

I am running a home built Ubuntu server, having a few issues with port forwarding.

My scenario is:

My internal network IP = 192.168.0.1

My TVbox IP = 192.168.0.10 port 8005

My DNS: someonexxx.ddns.net (made up of course!)

From my PC within my network, I can login to the web interface of my TVbox by typing in the browser 192.168.0.10:8005

What I'd like to do is be able to go to my DNS

http://someonexxx.ddns.net:8005

OR

http://192.168.0.1:8005

and reach my TVBox web interface. I know it's around iptables port forwarding but I'm struggling to make this work.

Things I've tried (just on internal network) include

iptables -t nat -A PREROUTING -p tcp -d 192.168.0.10 --dport 8005 -j DNAT --to-destination 192.168.0.1:8005
iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 8005 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

any help appreciated

Last edited by badflyer; 02-25-2015 at 02:45 PM.
 
Old 02-26-2015, 01:48 AM   #2
hua
Member
Registered: Oct 2006
Location: Slovak Republic
Distribution: Slackware 14.2, current
Posts: 461

Hello,

I expect that you also have a WAN interface on your server (where you use iptables). I will use eth0 here for your WAN interface; eth1 will be your internal interface (local gw - 192.168.0.1):

iptables -t nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -A FORWARD --in-interface eth1 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i eth0 -m tcp --dport 8005 -j DNAT --to-destination 192.168.0.10:8005

You also need to ensure that IP forwarding is enabled. You should see the following output:

cat /proc/sys/net/ipv4/ip_forward
1

Regarding the DNS - I believe that you were referring to your WAN IP with the DNS name. So if your hostname resolves to your WAN IP you should be good after the above iptables settings.
If your hostname does not resolve you need to set up DNS (either your own or the authoritative server for your zone)

Hope this helps.
 
Old 02-26-2015, 02:04 AM   #3
badflyer
LQ Newbie (Original Poster)
Hua, firstly thanks a million for taking the time to reply. This has been doing my head in for a few days!
In my setup, I bridge my eth1 and wlan0, so it becomes br0. eth0 connects to my modem.

gw on br0 is 192.168.0.1
Does this change slightly now?

Also I use BubbleUPnP on my server which I can access from an external network no problem using my ddns address looking at port 58050, so I guess something is working, it's just my TVbox I can't access remotely on port 8005.
Thanks

Last edited by badflyer; 02-26-2015 at 02:10 AM.
 
Old 02-26-2015, 03:46 AM   #4
hua
Member
That should be ok. You should be able to use br0 for this:

iptables -A FORWARD --in-interface br0 -j ACCEPT

There might be some further things which prevent this connection but try the above configuration first.
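hua's three rules applied to badflyer's interface names, as an added example (this is not code from the thread): a small dry-run firewall fragment that forwards TCP 8005 arriving on eth0 to the TVbox and adds the two hairpin-NAT rules needed for the second thing asked for in post #1, reaching the box at http://192.168.0.1:8005 (or through the DDNS name) from a PC inside the LAN. Two checks a practitioner would want are built in: the DNAT'd packet also traverses FORWARD, so on a router whose FORWARD policy is DROP it needs its own ACCEPT (hua's `--in-interface br0` rule never sees a packet that came in on eth0), and for the hairpin case the TVbox's reply has to be forced back through the router or the client resets the connection. Interface names, addresses and port 8005 come from the thread; the TVBOX_PORT variable (the box moved to port 80 in post #6), the DRY_RUN switch and the ipt helper are this example's own.

```shell
#!/bin/sh
# Added example: DNAT port-forward plus hairpin NAT for the TVbox.
# Names and addresses are from the thread; TVBOX_PORT, DRY_RUN and ipt()
# are this example's own.
set -eu

WAN_IF=${WAN_IF:-eth0}                  # modem side
LAN_IF=${LAN_IF:-br0}                   # eth1 + wlan0 bridge, 192.168.0.1
LAN_NET=${LAN_NET:-192.168.0.0/24}
TVBOX_IP=${TVBOX_IP:-192.168.0.10}
PUBLIC_PORT=${PUBLIC_PORT:-8005}        # port clients type in the URL
TVBOX_PORT=${TVBOX_PORT:-8005}          # port the box listens on (80 after post #6)

# Print each rule and, unless DRY_RUN is set, apply it.
ipt() {
    printf 'iptables %s\n' "$*"
    [ -n "${DRY_RUN:-}" ] || iptables "$@"
}

port_forward_rules() {
    # 1. Inbound from the Internet: rewrite WAN:8005 -> TVbox:port before routing.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PUBLIC_PORT" \
        -j DNAT --to-destination "$TVBOX_IP:$TVBOX_PORT"

    # 2. The rewritten packet then traverses FORWARD. With '-P FORWARD DROP' it
    #    needs its own ACCEPT; a rule matching only '-i br0' never sees it.
    #    Match the post-DNAT destination and keep the hole to this one port.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$TVBOX_IP" \
        --dport "$TVBOX_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # 3. Hairpin: a LAN client that connects to any address the router owns
    #    (192.168.0.1, or the WAN address the DDNS name resolves to) gets the
    #    same DNAT. addrtype LOCAL avoids hard-coding the DHCP-assigned WAN IP.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp \
        --dport "$PUBLIC_PORT" -m addrtype --dst-type LOCAL \
        -j DNAT --to-destination "$TVBOX_IP:$TVBOX_PORT"

    # 4. ...and the reply must come back through the router. Without this
    #    SNAT the TVbox answers the client directly on the LAN, the client sees
    #    a reply from 192.168.0.10 instead of the address it connected to, and
    #    the TCP handshake fails.
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$TVBOX_IP" \
        -p tcp --dport "$TVBOX_PORT" -j MASQUERADE
}

case "${1:-}" in
    apply) port_forward_rules ;;
esac
```

`DRY_RUN=1 sh portfwd.sh apply` prints the four rules without touching the kernel; `sudo sh portfwd.sh apply` loads them. After loading, `iptables -t nat -L PREROUTING -n -v` shows per-rule packet counters, so a zero counter on the DNAT rule while connecting from outside means the packet never reached the router (modem, DDNS or ISP), and a non-zero DNAT counter with a zero FORWARD counter points at a FORWARD policy problem. The step-3 rule deliberately limits the hairpin to `-s 192.168.0.0/24`, and step 2 opens only the TVbox port rather than accepting everything that enters on eth0.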
 
Old 02-26-2015, 02:16 PM   #5
badflyer
LQ Newbie (Original Poster)
re:

I tried, but it didn't work I'm afraid

#!/bin/sh

iptables -t nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -A FORWARD --in-interface br0 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i eth0 -m tcp --dport 8005 -j DNAT --to-destination 192.168.0.10:8005
 
Old 02-27-2015, 12:27 AM   #6
badflyer
LQ Newbie (Original Poster)
re:

OK, so I went back to basics on the TVbox, changed the port to 80, and I just type 192.168.0.10 in my web browser to reach it. No problem, this works!

So now I want to redirect it to port 8005 of my gateway, so I try:

iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.10 -d 192.168.0.1 --dport 8005 -j MASQUERADE

And it still doesn't work!

It's driving me crazy!

Last edited by badflyer; 03-01-2015 at 01:37 AM.
 
Old 03-02-2015, 03:51 AM   #7
hua
Member
Please provide more details of your network structure. What devices do you have? Your IP addresses of WAN/LAN NICs ...
It seems that there is some confusion in your network configuration. You are trying to NAT a port which hits your internal GW to an internal IP. This is not how it should work. You should try to forward requests hitting your external IP into your internal network/IP (LAN).

-> modem -> linux router -> TVbox

for all devices - interfaces, IP addresses (external WAN, internal LAN)

Also describe from where you are trying to access the TVbox (when it doesn't work). What are you using to access it (domain name, WAN IP ??)

It's hard to recommend iptables rules until it's clear what your network structure is...
 
Old 03-02-2015, 01:16 PM   #8
badflyer
LQ Newbie (Original Poster)
re:

Hi hua, thanks again for replying and your patience! I think I've copied below the relevant bits from my system.
If you need more information, please let me know.

***************************************************

/etc/hosts

127.0.0.1 localhost
127.0.1.1 UbuntuRouter
192.168.0.1 WORKGROUP

****************************************************
/etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface


auto lo eth0 eth1 wlan0
iface lo inet loopback
iface eth0 inet dhcp
dns-nameservers xx.222.18.xx xx.222.18.xx

pre-up ifup br0 start
pre-up /etc/firewall/firewall.fw start

iface br0 inet static
address 192.168.0.1
netmask 255.255.255.0

bridge_ports eth1 wlan0
bridge_stp off
bridge_maxwait 1

iface eth1 inet manual
iface wlan0 inet manual

pre-up iw dev wlan0 set type __ap

iface tun0 inet manual #VPN

**********************************************
/etc/firewall/firewall.fw

#!/bin/sh
# Flushes only the filter table: the nat rules below are appended again on
# every run (mangle PREROUTING is flushed separately further down).
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 1194,1935,58050,8005,8200 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 58050,1935,8005,8200 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED -j ACCEPT
iptables -A FORWARD -i br0 -m state --state NEW -j ACCEPT
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE

GetGateway=`ip route | grep default | awk {'print $3'}`

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
done

ip route flush table 100
ip route flush cache
iptables -t mangle -F PREROUTING
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE   # duplicate of the tun0 rule above

# NOTE: Here I assume the OpenVPN tunnel is named "tun0".
#

# Copy every non-default, non-VPN route into table 100 and give that table the
# real gateway as its default, so traffic marked 1 bypasses the tunnel.
ip route show table main | grep -Ev ^default | grep -Ev tun0 \
| while read ROUTE ; do
    ip route add table 100 $ROUTE
done

ip route add default table 100 via $GetGateway
ip rule add fwmark 1 table 100
ip route flush cache

# 0 vpn and 1 bypass
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0

# All traffic to a specific Internet IP address will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 1935 -j MARK --set-mark 1 #BBC port 1935
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 8005 -j MARK --set-mark 1 #TVBox port
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range xx.210.138.xx -j MARK --set-mark 1 #IPTV VPN Bypass
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range xx.114.242.xx -j MARK --set-mark 1 #IPTV VPN Bypass
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range xx.20.49.xx -j MARK --set-mark 1 #Gold Radio VPN Bypass
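firewall.fw routes by fwmark: LAN traffic is marked 0 (VPN) by default and selected destinations or ports get mark 1, which `ip rule add fwmark 1 table 100` sends to the real gateway instead of the tunnel. That policy only looks at connections the LAN opens. A connection that arrives on eth0 and is DNAT'd to the TVbox produces reply packets entering on br0 with source port 8005 (or 80), which none of the `--dport` rules match, so they stay at mark 0. If the main table's default route points at tun0 while the VPN is up (an assumption; the page only says "0 vpn and 1 bypass"), those replies leave through the VPN with the VPN's source address, and the outside client never completes the handshake. The standard way to handle this is to remember on the connection that it came in via eth0 and copy that mark back onto every reply. The fragment below is an added example, not from the thread or the poster's script; it assumes the DNAT/FORWARD rules for the TVbox and firewall.fw's table-100 rule are already loaded, and the ipt helper and DRY_RUN switch are its own.

```shell
#!/bin/sh
# Added example: keep replies to Internet-originated connections off the VPN
# by restoring a connection mark onto them. Assumes firewall.fw's
# 'ip rule add fwmark 1 table 100' (mark 1 = bypass VPN) is in place.
set -eu

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-br0}
BYPASS_MARK=${BYPASS_MARK:-1}      # same value firewall.fw uses for "bypass"

# Print each rule and, unless DRY_RUN is set, apply it.
ipt() {
    printf 'iptables %s\n' "$*"
    [ -n "${DRY_RUN:-}" ] || iptables "$@"
}

vpn_bypass_for_inbound() {
    # Stamp the *connection* (not just this packet) when its first packet
    # comes in from the modem: DNAT'd hits on the TVbox as well as SSH or
    # BubbleUPnP on the router itself.
    ipt -t mangle -A PREROUTING -i "$WAN_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$BYPASS_MARK"

    # Forwarded replies (TVbox -> client) enter on br0 with sport 8005, so the
    # per-port --dport marks in firewall.fw never fire. Copy the connection
    # mark onto the packet; the fwmark rule then routes it via table 100 and
    # out eth0. Matching '-m connmark --mark 1' first means this cannot touch
    # LAN-originated connections, so appending after the existing rules is safe.
    ipt -t mangle -A PREROUTING -i "$LAN_IF" -m connmark --mark "$BYPASS_MARK" \
        -j CONNMARK --restore-mark

    # Replies generated by the router itself go through OUTPUT, not
    # PREROUTING; the kernel re-runs the routing decision for a locally
    # generated packet when mangle OUTPUT changes its mark.
    ipt -t mangle -A OUTPUT -m connmark --mark "$BYPASS_MARK" \
        -j CONNMARK --restore-mark
}

# What a packet marked 1 will hit: the bypass table and the rule selecting it.
show_bypass_route() {
    ip route show table 100
    ip rule show
}

case "${1:-}" in
    apply) vpn_bypass_for_inbound ;;
    show)  show_bypass_route ;;
esac
```

`DRY_RUN=1 sh connmark.sh apply` prints the three mangle rules; `sudo sh connmark.sh apply` loads them and `sh connmark.sh show` confirms table 100 has the real gateway as its default. The asymmetric path (in via eth0, policy-routed out via table 100) relies on reverse-path filtering being off, which firewall.fw already does by writing 0 to every rp_filter. `conntrack -L -p tcp --dport 8005` on the router shows whether the inbound connection carries mark=1 once it has been stamped.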
 
Old 03-04-2015, 03:13 PM   #9
badflyer
LQ Newbie (Original Poster)
Any ideas what could be wrong?
 
Old 03-12-2015, 03:01 PM   #10
badflyer
LQ Newbie (Original Poster)
RE:

Other things I have tried, still no luck! Gonna throw it in the bin me thinks!

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8005 -j DNAT --to <EXT IP>
iptables -t nat -A PREROUTING -p tcp --dport 8005 -j DNAT --to <EXT IP>
iptables -t nat -A POSTROUTING -p tcp -d <EXT IP> --dport 8005 -j MASQUERADE
 
  

