I am trying to set up NAT on a LinuxMint box, but failing at it. Need some help. Sorry for the verbosity of this post, but I wanted to give all relavent details I could think of.
The problem I am trying to solve is access to my Plex Media Server from outside my LAN. I do not want to use Plex's official solution, which is to set up an account with them and then use their servers as a middleman for connection to my media server. I want to keep this totally under my control, with no third-party middleman that could potentially cause privacy/security concerns.
So my proposed solution is to VPN from my remote client into my home LAN, and then access Plex from inside my LAN. This knocks the Plex companies account and middleman server out of the picture. The issue is that the Plex Media Server (the application running on my home Linux box) accepts connections without authentication from the home LAN, but requires authentication (again, through the Plex company middleman servers) for connection attempts from outside the LAN. Now, even though my client computer is VPN'ed into my home LAN, Plex Media Server still sees this as a connection attempt from *outside* the LAN. Why? Because my VPN is using TUN and not TAP. TUN requires that the VPN clients are on a seperate subnet from the home LAN, and then their communications are routed to the LAN's subnet. Contrastingly, TAP actually puts the VPN clients on the home LAN's subnet, so no routing is required. So why am I using TUN? Because one of my remote clients is an iPad, and iPads ONLY support TUN, they do not support TAP. OK, enough background.
So my situation is that my home LAN is 10.192.168.0/24 And my VPN clients are on 10.192.169.0/24 (note: 168 vs 169 in that third octet). Plex sees that incoming connection from a VPN client and says, "Hey, different subnet, therefore remote, therefore mandate that they authenticate through the Plex company servers". That's the whole third-party thing I am trying to avoid.
So my proposed solution is to NAT the incoming connections from the VPN clients, so that they appear to be originating from the home LAN subnet, not the VPN subnet. To fool Plex Media Server.
And that's where I'm failing - what I'm doing is not working. I'm sure it's some user error on my part - setting up the NAT'ing incorrectly.
My Linux server on my home LAN that is hosting the Plex Media Server is 10.192.168.2 and Plex Media Server runs on tcp port 32400. My VPN client is 10.192.169.20 (specific IP can vary, but always on the "169" subnet). I am running the iptables script on the Plex Media Server host, 10.192.168.2 My intent is to have these VPN clients come into port 32401 and have iptables change that destination to port 32400 and at the same time replace the incoming source IP address (on the VPN subnet) to be the same as the Plex Media Server IP address. So, in theory, Plex Media Server would see the incoming connection as originating from localhost, so therefore it wouldn't require authentication.
The problem is that NAT does not appear to be doing what I intend. If I try to connect incoming to port 32401, things just hang, the browser just spins on "Connecting..." (I should have mentioned, the Plex Media Server interface is http, so you access it with a web browser). My testing thus far has been done from computers inside my LAN. If a LAN computer tries to connect to port 32401, it should be NAT'ed just the same as a VPN client coming in to that same port. So I'm testing totally from the LAN for now, once that works, I'll move on the testing from the VPN.
Here's the script I'm using to set up NAT:
Code:
#!/bin/bash
IPTABLES=/sbin/iptables
IFCONFIG=/sbin/ifconfig
GREP=/bin/grep
ECHO=/bin/echo
AWK=/usr/bin/awk
REAL_PLEX_PORT=32400
FAKE_PLEX_PORT=32401
THIS_COMPUTER=`$IFCONFIG eth0 | $GREP "inet addr" | $AWK -F: '{print $2}' | $AWK '{print $1}'`
$IPTABLES -t nat -F
$IPTABLES -t filter -F
$IPTABLES -t mangle -F
$IPTABLES \
-t nat -A POSTROUTING \
-d $THIS_COMPUTER -p tcp --dport $FAKE_PLEX_PORT \
-j SNAT --to $THIS_COMPUTER
$IPTABLES \
-t nat -A PREROUTING \
-d $THIS_COMPUTER -p tcp --dport $FAKE_PLEX_PORT \
-j DNAT --to 127.0.0.1:$REAL_PLEX_PORT
$ECHO 1 > /proc/sys/net/ipv4/ip_forward
Here's the results after running the script:
Code:
root sbin # iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere david tcp dpt:32401 to:127.0.0.1:32400
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- anywhere david tcp dpt:32401 to:10.192.168.2
root sbin #
The above output looks like exactly what I'm wanting. But it doesn't work when I attempt to come in to port 32401. Anybody know why?
Thanks in advance!