Access public IP from NAT.

Ken D'Ambrosio ken at jots.org
Fri Jun 5 00:16:48 EDT 2020


Hey, all.  So I finally yanked my Comcast modem ("for reasons," largely
having to do with lack of static routes), and put in my own cable modem,
a WAP, and a RasPi-4 that's doing routing/NAT.  It all works great.
But... I have services exposed that I want to access on the public IP.
It works *great* from out there, but if I try to access the public IP
from my NATted network, no dice.  And, sadly, if there's one Linux place
where there's a truck-sized hole in my knowledge, it's iptables.  I've
googled the Interwebs to no avail on what magic iptables stuff would be
needed to make it work.  Here's my current script:

root at ubuntu:/usr/local/bin# cat start-NAT.sh
#!/bin/bash
export PUBLIC=eth1
export PRIVATE=eth0

# Enable kernel forwarding and masquerade everything leaving the WAN side.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $PUBLIC -j MASQUERADE
# From the WAN only replies to existing connections; from the LAN anything may go out.
iptables -A FORWARD -i $PUBLIC -o $PRIVATE -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $PRIVATE -o $PUBLIC -j ACCEPT

=====================================================================================================
root at ubuntu:/usr/local/bin# cat start-port-forwarding.sh
#!/bin/bash

export PRIVATE=eth0
export PRIV_IP=192.168.10.1
export PUBLIC=eth1
export JELLYFIN=192.168.10.12

# New WAN connections to 8096 are allowed in, established traffic both ways; everything else is dropped.
iptables -A FORWARD -i $PUBLIC -o $PRIVATE -p tcp --syn --dport 8096 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $PUBLIC -o $PRIVATE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $PRIVATE -o $PUBLIC -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
# Rewrite WAN traffic for 8096 to the Jellyfin box and source-NAT it so replies return via the router.
iptables -t nat -A PREROUTING -i $PUBLIC -p tcp --dport 8096 -j DNAT --to-destination $JELLYFIN
iptables -t nat -A POSTROUTING -o $PRIVATE -p tcp --dport 8096 -d $JELLYFIN -j SNAT --to-source $PRIV_IP
=====================================================================================================
If anyone could be kind enough to let me know what extra magic(tm) I
need to employ to get at my public IP from inside, I'd be most
interested to hear.

Thanks!

-Ken
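One way to add the hairpin (NAT-reflection) rules the post is asking for, as an added example that is not part of Ken's message or his scripts. It reuses the interface, address and port values from his scripts; PRIV_NET, the public-address lookup via `ip`, and the IPT / "apply" switches are assumptions added here.

```shell
#!/bin/bash
# Hairpin NAT for the setup in the post: a LAN client connecting to
# <public IP>:8096 is DNATed to Jellyfin, and the router SNATs the
# connection so Jellyfin's replies come back through the router.
# Assumptions (not from the original scripts): PRIV_NET, PORT, the
# public-IP lookup via `ip`, and the IPT / "apply" switches below.
PRIVATE=${PRIVATE:-eth0}
PUBLIC=${PUBLIC:-eth1}
PRIV_IP=${PRIV_IP:-192.168.10.1}
PRIV_NET=${PRIV_NET:-192.168.10.0/24}
JELLYFIN=${JELLYFIN:-192.168.10.12}
PORT=${PORT:-8096}
IPT=${IPT:-iptables}   # set IPT="echo iptables" to preview instead of apply

# Current IPv4 address on the WAN interface (or PUBLIC_IP if preset).
public_ip() {
  if [ -n "${PUBLIC_IP:-}" ]; then echo "$PUBLIC_IP"; return; fi
  ip -4 -o addr show dev "$PUBLIC" | awk '{print $4}' | cut -d/ -f1 | head -n1
}

# Emit (or apply, depending on $IPT) the hairpin rules for public address $1.
hairpin_rules() {
  pub="$1"
  # 1. LAN -> public IP:PORT is redirected to Jellyfin. Matching -i eth0 keeps
  #    this separate from the WAN-side DNAT rule in start-port-forwarding.sh.
  $IPT -t nat -A PREROUTING -i "$PRIVATE" -s "$PRIV_NET" -d "$pub" \
       -p tcp --dport "$PORT" -j DNAT --to-destination "$JELLYFIN"
  # 2. The redirected packets leave with the router's LAN address, so Jellyfin
  #    answers the router (which un-NATs the reply) rather than the client,
  #    whose TCP stack would otherwise see a reply from an unexpected address.
  #    The original POSTROUTING SNAT rule already covers this when both
  #    scripts are loaded; it is kept here so this file stands alone.
  $IPT -t nat -A POSTROUTING -o "$PRIVATE" -s "$PRIV_NET" -d "$JELLYFIN" \
       -p tcp --dport "$PORT" -j SNAT --to-source "$PRIV_IP"
  # 3. FORWARD policy is DROP and the existing rules only cover eth0<->eth1;
  #    hairpinned traffic enters and leaves on eth0, so allow exactly that.
  $IPT -A FORWARD -i "$PRIVATE" -o "$PRIVATE" -d "$JELLYFIN" \
       -p tcp --dport "$PORT" -m conntrack --ctstate NEW -j ACCEPT
  $IPT -A FORWARD -i "$PRIVATE" -o "$PRIVATE" \
       -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Apply only when explicitly asked. The public address is a DHCP lease, so
# re-run (after flushing the old rules) whenever the WAN address changes.
if [ "${1:-}" = "apply" ]; then
  hairpin_rules "$(public_ip)"
fi
```

Run it as `start-hairpin.sh apply` after the two existing scripts, or with `IPT="echo iptables"` first to see the rules it would install.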