I'm trying to set up an Ubuntu 14.04 server as a router that also does some port forwarding. I've got the router part working but cannot for the life of me figure out why the port forwarding isn't working. I've gone through the following steps, the goal being forwarding SMTP and HTTP traffic to servers on the private subnet:
- Uncommented the forwarding line in /etc/ufw/sysctl.conf
- Updated the /etc/default/ufw line:

      DEFAULT_FORWARD_POLICY="ACCEPT"

- Added the following lines to /etc/ufw/before.rules (tried both before and after the *filter section):

      *nat
      :PREROUTING ACCEPT [0:0]
      :POSTROUTING ACCEPT [0:0]
      -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.16.0.51:25
      -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.16.0.20:80
      -A POSTROUTING -s 10.16.0.0/24 -o eth0 -j MASQUERADE
      COMMIT

- Added the following lines to the *filter section of /etc/ufw/before.rules (as per the example here):

      -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.16.0.51:25
      -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.16.0.20:80

- Added UFW rules:

      To                 Action      From
      --                 ------      ----
      10.16.0.5 22       ALLOW       10.10.20.0/24
      10.16.0.51 25      ALLOW       [Public IP on eth0]
      10.16.0.20 80      ALLOW       [Public IP on eth0]
I've checked the UFW logs and they show where it is allowing traffic through the firewall but I assume that's where it stops. I've followed the guides and examples on various different posts and threads and for whatever reason the traffic just isn't being forwarded.
If it helps, I did an iptables -t nat -L -v:

    Chain PREROUTING (policy ACCEPT 1600 packets, 202K bytes)
     pkts bytes target     prot opt in     out     source      destination
        1    60 DNAT       tcp  --  eth0   any     anywhere    anywhere     tcp dpt:smtp to:10.16.0.51:25
        1    60 DNAT       tcp  --  eth0   any     anywhere    anywhere     tcp dpt:http to:10.16.0.20:80

    Chain INPUT (policy ACCEPT 4 packets, 770 bytes)
     pkts bytes target     prot opt in     out     source      destination

    Chain OUTPUT (policy ACCEPT 20 packets, 1430 bytes)
     pkts bytes target     prot opt in     out     source      destination

    Chain POSTROUTING (policy ACCEPT 22 packets, 1550 bytes)
     pkts bytes target     prot opt in     out     source        destination
        0     0 MASQUERADE all  --  any    eth0    10.16.0.0/24  anywhere
From what I can tell it should work. What else can I check? Did I miss any steps? Are there any tools I can use to try and figure out what might be going on? Any help or advice is greatly appreciated. Thanks.
Best Answer
The issue is a network routing issue. I've been trying to set up a sort of DMZ, so I had the servers pointing to an internal router. The gateway could ping the server, but I guess it didn't know how to route the SMTP or HTTP traffic. Changing the mail and web servers to point to the Ubuntu gateway fixed the routing issue and forwarding started working.
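The question lists the prerequisites (ip_forward, DEFAULT_FORWARD_POLICY, the nat-table DNAT rules) and the answer adds the one that was actually missing: the backend's return path. The script below, an added example that is not part of the question or the answer, turns those four points into offline checks. Each function takes a text dump as its argument, so the checks run here against constructed samples that mirror the question; in real use you would pass the live output of `sysctl net.ipv4.ip_forward`, `/etc/default/ufw`, `iptables -t nat -L -v` on the gateway, and `ip route` on the backend. The gateway's LAN address (10.16.0.254) and the internal router's address (10.16.0.1) are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original post. Offline checks for whether
# DNAT port forwarding on a ufw/iptables gateway can work end to end.

# --- constructed sample inputs (hypothetical values) -------------------
SYSCTL_DUMP='net.ipv4.ip_forward = 1'           # sysctl net.ipv4.ip_forward
UFW_DEFAULT='DEFAULT_INPUT_POLICY="DROP"
DEFAULT_FORWARD_POLICY="ACCEPT"'                # /etc/default/ufw
NAT_DUMP='Chain PREROUTING (policy ACCEPT 1600 packets, 202K bytes)
 pkts bytes target     prot opt in   out  source       destination
    1    60 DNAT       tcp  --  eth0 any  anywhere     anywhere  tcp dpt:smtp to:10.16.0.51:25
    1    60 DNAT       tcp  --  eth0 any  anywhere     anywhere  tcp dpt:http to:10.16.0.20:80
Chain POSTROUTING (policy ACCEPT 22 packets, 1550 bytes)
 pkts bytes target     prot opt in   out  source       destination
    0     0 MASQUERADE all  --  any  eth0 10.16.0.0/24 anywhere'   # iptables -t nat -L -v
GATEWAY_LAN_IP=10.16.0.254   # assumed LAN address of the Ubuntu gateway
# "ip route" on the backend, before and after the fix from the answer (constructed):
ROUTES_VIA_OTHER_ROUTER='default via 10.16.0.1 dev eth0
10.16.0.0/24 dev eth0 proto kernel scope link src 10.16.0.51'
ROUTES_VIA_GATEWAY='default via 10.16.0.254 dev eth0
10.16.0.0/24 dev eth0 proto kernel scope link src 10.16.0.51'

# 0 if the kernel will forward packets between interfaces at all.
ip_forward_ok() { case "$1" in *"= 1"*) return 0 ;; esac; return 1; }

# 0 if ufw's FORWARD chain policy lets forwarded packets through.
forward_policy_ok() {
    printf '%s\n' "$1" | grep -q '^DEFAULT_FORWARD_POLICY="ACCEPT"$'
}

# Packet count of the DNAT rule whose match text contains $2 (e.g. "dpt:smtp").
# A rising count proves packets reach PREROUTING and get translated; it says
# nothing about whether the backend's replies ever come back through here.
dnat_hits() {
    printf '%s\n' "$1" | awk -v m="$2" '$3 == "DNAT" && index($0, m) { print $1; exit }'
}

# 0 if the backend's default route points at the NAT gateway. If it points
# at another router, replies leave via that router, never pass the gateway's
# conntrack table and are never un-translated: the client times out although
# every DNAT counter increments, exactly the symptom in the question.
return_path_ok() {
    printf '%s\n' "$1" |
        awk -v gw="$2" '$1 == "default" && $2 == "via" && $3 == gw { f = 1 } END { exit !f }'
}

# Run every check, print one line per check, return the number of failures.
# $1 sysctl output, $2 /etc/default/ufw, $3 nat table dump, $4 backend ip route
diagnose() {
    fails=0
    ip_forward_ok "$1" && echo "ok   net.ipv4.ip_forward=1" \
        || { echo "FAIL ip_forward is off"; fails=$((fails + 1)); }
    forward_policy_ok "$2" && echo "ok   DEFAULT_FORWARD_POLICY=ACCEPT" \
        || { echo "FAIL ufw FORWARD policy is not ACCEPT"; fails=$((fails + 1)); }
    for svc in dpt:smtp dpt:http; do
        n=$(dnat_hits "$3" "$svc")
        [ "${n:-0}" -gt 0 ] && echo "ok   DNAT $svc matched $n packet(s)" \
            || { echo "FAIL DNAT $svc never matched"; fails=$((fails + 1)); }
    done
    return_path_ok "$4" "$GATEWAY_LAN_IP" && echo "ok   backend default route via $GATEWAY_LAN_IP" \
        || { echo "FAIL backend default route bypasses $GATEWAY_LAN_IP (asymmetric return path)"; fails=$((fails + 1)); }
    return $fails
}

echo "== backend pointing at the internal router (the original setup) =="
diagnose "$SYSCTL_DUMP" "$UFW_DEFAULT" "$NAT_DUMP" "$ROUTES_VIA_OTHER_ROUTER" || true
echo "== backend pointing at the Ubuntu gateway (the accepted fix) =="
diagnose "$SYSCTL_DUMP" "$UFW_DEFAULT" "$NAT_DUMP" "$ROUTES_VIA_GATEWAY"
```

Two caveats worth keeping in mind when reading the question's steps. PREROUTING exists only in the nat, mangle and raw tables, so `-A PREROUTING` lines placed inside the `*filter` section make iptables-restore reject the whole rule set when ufw loads it; the DNAT rules belong in the `*nat` section only. And if a backend must keep a different default gateway, the alternative to changing its route is a POSTROUTING SNAT (or MASQUERADE) on the gateway for the forwarded flows, so the backend sees the gateway as the client and replies to it; the cost is that the backend's logs then record the gateway's address instead of the real client's.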