Navigation

mjhasbach · #1 27th June 2011, 01:49

Hello, I'm not sure if this is the correct section, but I thought I'd ask here, because I've always had pretty good luck getting questions answered at HowtoForge.

I have an Ubuntu 11.04 ISPConfig 3-based VPS running a few websites and services. Basically, what I'm trying to do if forward all traffic on a certain domain's port to an external IP address. More specifically, I want to forward traffic from the video game Terraria's port 7777 from (e.g.) "domain.com" to (e.g.) "1.1.1.1."

The reason for this is because there is no Linux software for the Terraria server, and no one (afaik) has gotten it to work with mono or wine yet. As a result, the server is being hosted on a Windows machine and I would like to be able to connect to the server using (e.g.) "domain.com" (the domain that is associated with my Linux server) instead of (e.g.) "1.1.1.1" (the IP that is associated with my Windows machine).

I thought that I could accomplish this with DNS records, but have learned that this is apparently not the case.

If someone knows how to do this and is willing to share, I would appreciate it greatly.

Thanks.

mjhasbach · #2 1st July 2011, 21:07

Shameless bump, since my question was asked 4-5 days ago. This thread has a reasonable number of hits, which indicates to me that others are seeking the same information.

Thanks.

erosbk · #3 2nd July 2011, 00:29

You can achieve what you are asking for with IP tables... I can't test right now, but try in some vm before using this in production.

Use this like a guide, not as the final solution (or use at your own risk, test first, correct next if something is wrong)

iptables -t nat -A PREROUTING -p tcp -d 190.1.1.1 --dport 7777 -j DNAT --to 1.1.1.1:7777
iptables -t nat -A POSTROUTING -d 1.1.1.1 -j MASQUERADE

Where 190.1.1.1 is your linux box, and 1.1.1.1 is your windows box.

Best regards.-

mjhasbach · #4 2nd July 2011, 04:35

Thanks for the reply. I tried the steps you mentioned and ran into a problem.

Quote:

root@xxx:~# iptables -t nat -A PREROUTING -p tcp -d x.x.x.x --dport 7777 -j DNAT --to x.x.x.x:7777
root@xxx:~# iptables -t nat -A POSTROUTING -d x.x.x.x -j MASQUERADE
iptables: No chain/target/match by that name.

*Where x.x.x.x are the appropriate IPs

Needless to say, that error is causing traffic not to be forwarded as intended.

The error is pretty clear, but I'm not sure how to fix it. I don't know much about iptables, but I did a bit of research about the error and proceeded to try:

Quote:

root@lv6:~# iptables -N nat

...and then tried adding the iptables rules again to no avail.

erosbk · #5 2nd July 2011, 15:59

Follow this step by step and post here results please:

1) list your actual nat rules
iptables --list -n -t nat

2) flush your nat rules (becarefull, if you have other nat rules, you will remove them too...)
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING

3) Add rules again, watch for IPs
root@dns2:~# iptables -t nat -A PREROUTING -p tcp -d 192.168.78.129 --dport 7777 -j DNAT --to 192.168.78.128:7777
root@dns2:~# iptables -t nat -A POSTROUTING -d 192.168.78.128 -j MASQUERADE

root@dns2:~# iptables --list -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere dns2.erosbk.com.ar tcp dpt:7777 to:192.168.78.128:7777

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere dns1.erosbk.com.ar

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

__________________________________________________ ________________________________________

Tested in Debian... u are using Ubuntu, but I think there is no difference...

mjhasbach · #6 2nd July 2011, 20:55

I seem to be running into the same problem as before:

#1

Quote:

root@xx:~# iptables --list -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 x.x.x.x tcp dpt:7777 to:x.x.x.x:7777
DNAT tcp -- 0.0.0.0/0 x.x.x.x tcp dpt:7777 to:x.x.x.x:7777

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

*Accidentally had the rule in there twice from earlier testing

#2

Quote:

root@xx:~# iptables -t nat -F PREROUTING
root@xx:~# iptables -t nat -F POSTROUTING

#3

Quote:

root@xx:~# iptables -t nat -A PREROUTING -p tcp -d x.x.x.x --dport 7777 -j DNAT --to x.x.x.x:7777
root@xx:~# iptables -t nat -A POSTROUTING -d x.x.x.x -j MASQUERADE
iptables: No chain/target/match by that name.

#4

Quote:

root@xx:~# iptables --list -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere x.x.x.x tcp dpt:7777 to:x.x.x.x:7777

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

x.x.x.x represents the correct IP addresses in the preceding quotes. It's also worth mentioning that in the game client, when I type the domain and port to connect to, it resolves the IP address of my Linux box and not my Windows box. Thanks again.

erosbk · #7 2nd July 2011, 23:26

I will see if I can in this days, install a vm with win and another with ubuntu and play.

In the mean while, post this in a ubuntu forum and ask why it is not working in your box.

mjhasbach · #8 3rd July 2011, 02:18

I went ahead and made a similar topic on the Ubuntu forums. I will post the solution here if they figure out the problem before you. Thanks again.

mjhasbach · #9 4th July 2011, 23:10

Just an update: A user on the Ubuntu forums suggested socat, and I managed to forward my traffic properly with that.

Here's all I needed to do:

Code:

apt-get install socat

Foreground:

Code:

socat TCP-LISTEN:7777,fork TCP:x.x.x.x:7777

or
Background:

Code:

screen -S SOCAT1 socat TCP-LISTEN:7777,fork TCP:x.x.x.x:7777

While socat is getting the job done, there are still obvious advantages to using iptables.

Below is an excerpt from my post on the Ubuntu forums, which presents a theory as to why I'm receiving that error in iptables:

Quote:

I did some net research, and it seems my iptables problem may be caused by missing modules.

Here's the output of lsmod:

Code:

root@xx:~# lsmod
Module                  Size  Used by

This seems to indicate that I don't have any modules installed? I don't know how to add modules for iptables, but will do some more research. It apparently may involve compiling a new Linux kernel, which is something that I have no experience with and may cause issues in my case because I'm operating in an OpenVZ environment.

Further suggestions are welcome.

mjhasbach · #10 7th July 2011, 22:32

For those of you that are interested, I managed to solve this myself.

Apparently, "ipt_MASQUERADE," the module that makes masquerading possible, is not (yet?) available in OpenVZ. The absence of this module is what causes the following command to fail:

Code:

root@xx:~# iptables -t nat -A POSTROUTING -d x.x.x.x -j MASQUERADE
iptables: No chain/target/match by that name.

I discovered that it was still possible to accomplish my goal, only that an alternate second command was required. So here's what I did.

1. Cleared out existing nat PREROUTING and POSTROUTING rules from earlier testing.

Code:

root@xx:~# iptables -t nat -F PREROUTING
root@xx:~# iptables -t nat -F POSTROUTING

2. Added the following two rules:

Code:

root@xx:~# iptables -t nat -A PREROUTING -p tcp -d x.x.x.x --dport 7777 -j DNAT --to y.y.y.y:7777
root@xx:~# iptables -t nat -A POSTROUTING -j SNAT --to-source x.x.x.x

*Where x.x.x.x represents the source IP and y.y.y.y represents the destination IP.

3. Saved iptables (necessary for changes to persist after reboot)

Code: