Ubuntu – ufw port forwarding not working


I'm trying to set up an Ubuntu 14.04 server as a router that also does some port forwarding. I've got the router part working but cannot for the life of me figure out why the port forwarding isn't working. I've gone through the following steps, the goal being forwarding SMTP and HTTP traffic to servers on the private subnet:

  1. Uncomment forwarding line in /etc/ufw/sysctl.conf
  2. Update /etc/default/ufw line DEFAULT_FORWARD_POLICY="ACCEPT"
  3. Added the following lines to /etc/ufw/before.rules (tried both before and after the *filter section):

    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.16.0.51:25
    -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.16.0.20:80
    -A POSTROUTING -s 10.16.0.0/24 -o eth0 -j MASQUERADE
    COMMIT

  4. Added the following lines to the *filter section of /etc/ufw/before.rules (as per the example here):

    -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.16.0.51:25
    -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.16.0.20:80

  5. Added UFW rules:

    To Action From
    -- ------ ----
    10.16.0.5 22 ALLOW 10.10.20.0/24
    10.16.0.51 25 ALLOW [Public IP on eth0]
    10.16.0.20 80 ALLOW [Public IP on eth0]

I've checked the UFW logs and they show where it is allowing traffic through the firewall but I assume that's where it stops. I've followed the guides and examples on various different posts and threads and for whatever reason the traffic just isn't being forwarded.

If it helps, I did an iptables -t nat -L -v:

    Chain PREROUTING (policy ACCEPT 1600 packets, 202K bytes)
     pkts bytes target   prot opt in     out   source     destination
        1    60 DNAT     tcp  --  eth0   any   anywhere   anywhere   tcp dpt:smtp to:10.16.0.51:25
        1    60 DNAT     tcp  --  eth0   any   anywhere   anywhere   tcp dpt:http to:10.16.0.20:80

    Chain INPUT (policy ACCEPT 4 packets, 770 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 20 packets, 1430 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 22 packets, 1550 bytes)
     pkts bytes target     prot opt  in     out     source               destination
        0     0 MASQUERADE  all  --  any    eth0    10.16.0.0/24         anywhere

From what I can tell it should work. What else can I check? Did I miss any steps? Are there any tools I can use to try and figure out what might be going on? Any help or advice is greatly appreciated. Thanks.

Best Answer

The issue was a network routing issue. I've been trying to set up a sort of DMZ, so I had the servers pointing to an internal router. The gateway could ping the server, but I guess it didn't know how to route the SMTP or HTTP traffic. Changing the mail and web servers to point to the Ubuntu gateway fixed the routing issue and forwarding started working.
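The question asks what else to check, and the accepted answer pins the fault on the backend servers' return path. The script below is an added example, not code from the thread: it turns those checks into small functions that parse the relevant command output, so the same logic runs on captured text or live on the gateway and backends. The gateway's LAN address (10.16.0.1), the alternate router (10.16.0.254) and the client address (203.0.113.10) are assumed values, and the iptables/route samples are constructed from the question's listing.

```shell
#!/bin/sh
# Added diagnostic helper, not from the original thread. It encodes the checks behind
# the question and the accepted answer: is forwarding on, are the DNAT rules being hit,
# and does the backend's reply path to a public client go back through the gateway.
# Each check parses command output passed as text, so it runs on captured output too.
# Assumptions (not from the thread): gateway LAN address 10.16.0.1, client 203.0.113.10.

# 1. Forwarding enabled?  Input: output of `sysctl -n net.ipv4.ip_forward`.
check_ip_forward() { [ "$1" = "1" ]; }

# 2. Packet count on the DNAT rule for a port.  Input: port, then the output of
#    `iptables -t nat -L PREROUTING -v -n -x` (numeric, so the match is "dpt:25").
#    The nat table only sees the first packet of each connection, so this counter
#    is a count of translated connection attempts; prints it, returns 1 if no rule.
dnat_hits() {
    port="$1"; nat_out="$2"
    printf '%s\n' "$nat_out" | awk -v want="dpt:$port " \
        '$3 == "DNAT" && index($0 " ", want) { print $1; found = 1 } END { exit !found }'
}

# 3. Next hop a backend uses to reach a public client.  Input: output of
#    `ip route get <client>` run on the backend itself. Prints the "via" address,
#    or "direct" when the host is on-link and no gateway is used.
return_path_gateway() {
    printf '%s\n' "$1" | awk 'NR == 1 {
        for (i = 1; i < NF; i++) if ($i == "via") { print $(i + 1); exit }
        print "direct"; exit }'
}

# 4. Will replies to the translated connection pass back through the NAT gateway?
#    If the backend's next hop is some other router, the SYN-ACK leaves with the
#    private source address still on it and the client never completes the handshake,
#    which is the situation the accepted answer describes.
reply_path_ok() { [ "$(return_path_gateway "$2")" = "$1" ]; }

# Constructed samples modelled on the question (numeric iptables form), plus the
# backend's route lookup before and after pointing it at the gateway.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 1600 packets, 202000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1         60 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:10.16.0.51:25
       1         60 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.16.0.20:80'
ROUTE_BEFORE='203.0.113.10 via 10.16.0.254 dev eth0 src 10.16.0.51 uid 0
    cache'
ROUTE_AFTER='203.0.113.10 via 10.16.0.1 dev eth0 src 10.16.0.51 uid 0
    cache'
```

Live use is `dnat_hits 25 "$(iptables -t nat -L PREROUTING -v -n -x)"` on the gateway and `reply_path_ok 10.16.0.1 "$(ip route get 203.0.113.10)"` on the mail server, substituting your own gateway and client addresses.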