Forwarding Port Traffic From a Domain to an External IP

Discussion in 'Server Operation' started by mjhasbach, Jun 27, 2011.

  1. mjhasbach

    mjhasbach New Member

    Hello, I'm not sure if this is the correct section, but I thought I'd ask here, because I've always had pretty good luck getting questions answered at HowtoForge.

    I have an Ubuntu 11.04 ISPConfig 3-based VPS running a few websites and services. Basically, what I'm trying to do is forward all traffic on a certain domain's port to an external IP address. More specifically, I want to forward traffic from the video game Terraria's port 7777 from (e.g.) "domain.com" to (e.g.) "1.1.1.1".

    The reason for this is because there is no Linux software for the Terraria server, and no one (afaik) has gotten it to work with mono or wine yet. As a result, the server is being hosted on a Windows machine and I would like to be able to connect to the server using (e.g.) "domain.com" (the domain that is associated with my Linux server) instead of (e.g.) "1.1.1.1" (the IP that is associated with my Windows machine).

    I thought that I could accomplish this with DNS records, but have learned that this is apparently not the case.

    If someone knows how to do this and is willing to share, I would appreciate it greatly.

    Thanks.
     
  2. mjhasbach

    mjhasbach New Member

    Shameless bump, since my question was asked 4-5 days ago. This thread has a reasonable number of hits, which indicates to me that others are seeking the same information.

    Thanks.
     
  3. erosbk

    erosbk New Member

    You can achieve what you are asking for with iptables... I can't test right now, but try in some vm before using this in production.

    Use this like a guide, not as the final solution (or use at your own risk, test first, correct next if something is wrong)

    iptables -t nat -A PREROUTING -p tcp -d 190.1.1.1 --dport 7777 -j DNAT --to 1.1.1.1:7777
    iptables -t nat -A POSTROUTING -d 1.1.1.1 -j MASQUERADE

    Where 190.1.1.1 is your linux box, and 1.1.1.1 is your windows box.

    Best regards.-
     
  4. mjhasbach

    mjhasbach New Member

    Thanks for the reply. I tried the steps you mentioned and ran into a problem.

    *Where x.x.x.x are the appropriate IPs

    Needless to say, that error is causing traffic not to be forwarded as intended.

    The error is pretty clear, but I'm not sure how to fix it. I don't know much about iptables, but I did a bit of research about the error and proceeded to try:

    ...and then tried adding the iptables rules again to no avail.
     
  5. erosbk

    erosbk New Member

    Follow this step by step and post here results please:

    1) list your actual nat rules
    iptables --list -n -t nat

    2) flush your nat rules (be careful, if you have other nat rules, you will remove them too...)
    iptables -t nat -F PREROUTING
    iptables -t nat -F POSTROUTING

    3) Add rules again, watch for IPs
    [email protected]:~# iptables -t nat -A PREROUTING -p tcp -d 192.168.78.129 --dport 7777 -j DNAT --to 192.168.78.128:7777
    [email protected]:~# iptables -t nat -A POSTROUTING -d 192.168.78.128 -j MASQUERADE

    [email protected]:~# iptables --list -t nat
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DNAT tcp -- anywhere dns2.erosbk.com.ar tcp dpt:7777 to:192.168.78.128:7777

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    MASQUERADE all -- anywhere dns1.erosbk.com.ar

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination


    __________________________________________________________________________________________

    Tested in Debian... you are using Ubuntu, but I think there is no difference...
     
  6. mjhasbach

    mjhasbach New Member

    I seem to be running into the same problem as before:

    #1
    *Accidentally had the rule in there twice from earlier testing


    #2
    #3
    #4
    x.x.x.x represents the correct IP addresses in the preceding quotes. It's also worth mentioning that in the game client, when I type the domain and port to connect to, it resolves the IP address of my Linux box and not my Windows box. Thanks again.
     
  7. erosbk

    erosbk New Member

    I will see if I can, in these days, install a vm with win and another with ubuntu and play.

    In the meantime, post this in an Ubuntu forum and ask why it is not working in your box.
     
  8. mjhasbach

    mjhasbach New Member

    I went ahead and made a similar topic on the Ubuntu forums. I will post the solution here if they figure out the problem before you. Thanks again.
     
  9. mjhasbach

    mjhasbach New Member

    Just an update: A user on the Ubuntu forums suggested socat, and I managed to forward my traffic properly with that.

    Here's all I needed to do:

    Code:
    apt-get install socat
    Foreground:
    Code:
    socat TCP-LISTEN:7777,fork TCP:x.x.x.x:7777
    or
    Background:
    Code:
    screen -S SOCAT1 socat TCP-LISTEN:7777,fork TCP:x.x.x.x:7777
    While socat is getting the job done, there are still obvious advantages to using iptables.

    Below is an excerpt from my post on the Ubuntu forums, which presents a theory as to why I'm receiving that error in iptables:

    Further suggestions are welcome.
     
  10. mjhasbach

    mjhasbach New Member

    For those of you that are interested, I managed to solve this myself.

    Apparently, "ipt_MASQUERADE," the module that makes masquerading possible, is not (yet?) available in OpenVZ. The absence of this module is what causes the following command to fail:

    Code:
    [email protected]:~# iptables -t nat -A POSTROUTING -d x.x.x.x -j MASQUERADE
    iptables: No chain/target/match by that name.
    I discovered that it was still possible to accomplish my goal, only that an alternate second command was required. So here's what I did.

    1. Cleared out existing nat PREROUTING and POSTROUTING rules from earlier testing.
    Code:
    [email protected]:~# iptables -t nat -F PREROUTING
    [email protected]:~# iptables -t nat -F POSTROUTING
    2. Added the following two rules:
    Code:
    [email protected]:~# iptables -t nat -A PREROUTING -p tcp -d x.x.x.x --dport 7777 -j DNAT --to y.y.y.y:7777
    [email protected]:~# iptables -t nat -A POSTROUTING -j SNAT --to-source x.x.x.x
    *Where x.x.x.x represents the source IP and y.y.y.y represents the destination IP.

    3. Saved iptables (necessary for changes to persist after reboot)
    Code:
    [email protected]:~# iptables-save

    Hope this helps someone...I know it would have helped me.
     
  11. erosbk

    erosbk New Member

    Resolving this by yourself helps you more than finding the answers posted somewhere!!!

    Congratz!!!
     
  12. mjhasbach

    mjhasbach New Member

    I'd just like to let you guys know that my solution causes some MySQL connections to be resolved as my external IP address instead of localhost or 127.0.0.1. These connections are consequently rejected, because by default, external MySQL connections are blocked (for good reason). Removing the iptables rules causes the issue to disappear.

    Allowing external MySQL connections would be the easy and obvious fix, but I'm seeking a more secure and professional solution to the problem. Unfortunately, due to lack of time and because this issue is rather low priority, I have not found a solution yet.

    I'll keep you folks updated.
     
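Drawing on posts 10 and 12 together, here is an added example (not code from the thread or from any participant) that scripts the same DNAT/SNAT pair but scopes the SNAT rule to the forwarded game flow only, so connections the VPS makes to itself (the MySQL case in post 12) keep their original source address. The IP addresses are constructed placeholders, and the iptables commands are only executed when the script is run as root with --apply.

```shell
#!/bin/sh
# Added example, not from the thread. Post 10's second rule,
#   iptables -t nat -A POSTROUTING -j SNAT --to-source x.x.x.x
# has no match at all, so it rewrites the source of EVERY new connection the
# host opens, including loopback ones; MySQL then sees 127.0.0.1 clients
# arriving from the public IP and rejects them (post 12). Restricting the SNAT
# rule to the DNATed destination keeps the rewrite to the game traffic only.
# DNAT to a remote host also needs routing enabled: sysctl -w net.ipv4.ip_forward=1

LINUX_IP="${LINUX_IP:-203.0.113.10}"   # constructed value: the VPS (x.x.x.x in post 10)
WIN_IP="${WIN_IP:-198.51.100.20}"      # constructed value: the Windows box (y.y.y.y)
PORT="${PORT:-7777}"                   # Terraria server port from the thread

# Emit the rule set, one iptables command per line, without applying it.
forward_rules() {
    printf '%s\n' \
        "iptables -t nat -A PREROUTING -p tcp -d $LINUX_IP --dport $PORT -j DNAT --to-destination $WIN_IP:$PORT" \
        "iptables -t nat -A POSTROUTING -p tcp -d $WIN_IP --dport $PORT -j SNAT --to-source $LINUX_IP"
}

# Returns 0 when a POSTROUTING SNAT rule is limited by destination (-d) or
# outgoing interface (-o); returns 1 for a non-SNAT rule or an unscoped one.
snat_is_scoped() {
    case "$1" in
        *POSTROUTING*SNAT*)
            case "$1" in *" -d "*|*" -o "*) return 0 ;; esac
            return 1 ;;
    esac
    return 1
}

# Print the rules, or apply them when called with --apply (requires root).
apply_rules() {
    forward_rules | while IFS= read -r rule; do
        if [ "$1" = "--apply" ]; then
            $rule || { echo "failed: $rule" >&2; exit 1; }
        else
            echo "$rule"
        fi
    done
}

apply_rules "${1:-}"
```

Run it once without arguments to review the exact rules it would add, then as root with --apply, and persist them the same way post 10 does.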