Access public IP from NAT.

r270 at mrt4.com
Sat Jun 6 11:35:32 EDT 2020


Try removing "-i $PUBLIC" from the first nat table spec in "start-port-forwarding.sh" so it reads:
iptables -t nat -A PREROUTING -p tcp --dport 8096 -j DNAT --to-destination $JELLYFIN

Also, if any of your inside clients use UDP for DNS, you'll need to create specific rules for that.

If that doesn't fix it, let us know what your exact physical network topology is (which device is connected to which and to which interface each is connected).

Also, use iptables -L -n to verify that everything you put in your scripts is actually being applied to Netfilter and that nothing else is in there. (As a sanity check, you should flush the tables (iptables -F) and reset policies for each (iptables -P <tablename> DROP) at the beginning of your first script.)

Ron
r270 at mrt4.com

--------------

On Fri, 05 Jun 2020 00:16:48 -0400
"Ken D'Ambrosio" <ken at jots.org> wrote:

> Hey, all.  So I finally yanked my Comcast modem ("for reasons," largely
> having to do with lack of static routes), and put in my own cable modem,
> a WAP, and a RasPi-4 that's doing routing/NAT.  It all works great. 
> But... I have services exposed that I want to access on the public IP. 
> It works *great* from out there, but if I try to access the public IP
> from my NATted network, no dice.  And, sadly, if there's one Linux place
> where there's a truck-sized hole in my knowledge, it's IP Tables.  I've
> googled the Interwebs to no avail on what magic IPTables stuff would be
> needed to make it work.  Here's my current script:
> 
> root at ubuntu:/usr/local/bin# cat start-NAT.sh 
> #!/bin/bash
> export PUBLIC=eth1
> export PRIVATE=eth0
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o $PUBLIC -j MASQUERADE
> iptables -A FORWARD -i $PUBLIC -o $PRIVATE -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i $PRIVATE -o $PUBLIC -j ACCEPT
> 
> =====================================================================================================
> root at ubuntu:/usr/local/bin# cat start-port-forwarding.sh 
> #!/bin/bash
> 
> export PRIVATE=eth0
> export PRIV_IP=192.168.10.1
> export PUBLIC=eth1 
> export JELLYFIN=192.168.10.12 
> 
> iptables -A FORWARD -i $PUBLIC -o $PRIVATE -p tcp --syn --dport 8096 -m conntrack --ctstate NEW -j ACCEPT
> iptables -A FORWARD -i $PUBLIC -o $PRIVATE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $PRIVATE -o $PUBLIC -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> iptables -P FORWARD DROP
> iptables -t nat -A PREROUTING -i $PUBLIC -p tcp --dport 8096 -j DNAT --to-destination $JELLYFIN
> iptables -t nat -A POSTROUTING -o $PRIVATE -p tcp --dport 8096 -d $JELLYFIN -j SNAT --to-source $PRIV_IP
> =====================================================================================================
> If anyone could be kind enough to let me know what extra magic(tm) I
> need to employ to get at my public IP from inside, I'd be most
> interested to hear. 
> 
> Thanks! 
> 
> -Ken
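Ron's fix applied to Ken's two scripts, as an added example (not code from the thread): it drops `-i $PUBLIC` from the DNAT rule and also adds what a hairpin connection still needs with these scripts, namely FORWARD accepts for traffic that enters and leaves on $PRIVATE (the FORWARD policy is DROP and every existing rule names $PUBLIC) and the POSTROUTING SNAT that makes Jellyfin answer via the router. Interface names and addresses are Ken's; the LAN prefix 192.168.10.0/24 and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rules for the setup in the thread.
# Interface names and addresses are the ones from Ken's scripts;
# the LAN prefix is an assumption (the thread does not state it).
PUBLIC=${PUBLIC:-eth1}
PRIVATE=${PRIVATE:-eth0}
PRIV_IP=${PRIV_IP:-192.168.10.1}
JELLYFIN=${JELLYFIN:-192.168.10.12}
LAN=${LAN:-192.168.10.0/24}

# DRY_RUN=1 (default) prints each iptables command instead of running
# it, so the rule set can be reviewed before it touches Netfilter.
DRY_RUN=${DRY_RUN:-1}
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

hairpin_rules() {
    # 1. Ron's fix: DNAT without "-i $PUBLIC", so a LAN client that
    #    connects to the public address is redirected to Jellyfin too.
    ipt -t nat -A PREROUTING -p tcp --dport 8096 \
        -j DNAT --to-destination "$JELLYFIN"
    # 2. The DNATed packet is forwarded back out $PRIVATE. FORWARD policy
    #    is DROP and every existing rule names $PUBLIC, so the hairpin
    #    needs its own accepts: one for the SYN, one for the reply path.
    ipt -A FORWARD -i "$PRIVATE" -o "$PRIVATE" -d "$JELLYFIN" \
        -p tcp --syn --dport 8096 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$PRIVATE" -o "$PRIVATE" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. SNAT LAN-originated hairpin connections to the router so Jellyfin
    #    answers the router (which reverses the DNAT) rather than the
    #    client directly, which would reject a reply from an address it
    #    never contacted. Same role as the SNAT in start-port-forwarding.sh.
    ipt -t nat -A POSTROUTING -s "$LAN" -d "$JELLYFIN" -p tcp --dport 8096 \
        -j SNAT --to-source "$PRIV_IP"
}

# Ron's sanity check: list what Netfilter actually holds, with counters.
show_rules() {
    ipt -t nat -L PREROUTING -n -v
    ipt -L FORWARD -n -v
}

hairpin_rules
```

Run it as root with DRY_RUN=0 to apply the rules; `show_rules` then confirms, with packet counters, what Netfilter actually loaded.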


More information about the gnhlug-discuss mailing list