I have followed some posts in order to redirect all incoming traffic on a public IP to an internal IP address using iptables. I set sudo sysctl net.ipv4.ip_forward=1
and used the following rules:
iptables -t nat -A PREROUTING -p tcp --dport 9080 -j DNAT --to-destination 192.168.178.1:80
iptables -t nat -A POSTROUTING -j MASQUERADE
The idea is that I have a remote server (Ubuntu 20.04.1 LTS) which I can always reach using a reverse SSH tunnel. In that network I would like to access some devices, like the gateway and other devices. With the iptables rules I would like to be able to access, for example, the GUI of the gateway. On the local network the rules work!
The problem is that on the server I cannot set up the tunnel to redirect 9080 to 192.168.178.1:80. When I try other things on the server, for example ping, I get the following:
$ ping google.com
ping: google.com: Temporary failure in name resolution
And when I set the tunnel:
$ ssh user@remoteserverfortunnel.com
ssh: Could not resolve hostname remoteserverfortunnel.com: Temporary failure in name resolution
When I set up the tunnel before adding the rules (removing them with -D) and then add the rules again, I get this when requesting remoteserverfortunnel.com:9080:
ssh -N -R 9080:localhost:9080 user@remoteserverfortunnel.com
user@remoteserverfortunnel.com's password:
connect_to localhost port 9080: failed.
I can still log in to the server using the normal SSH port 22.
My question is, why are the rules blocking the tunnel? Is there an extra rule I have to add?
EDIT:
I added the interface option:
iptables -t nat -A PREROUTING -i enp2s0 -p tcp --dport 9080 -j DNAT --to 192.168.1.103:80
iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
The failure in name resolution is solved. Unfortunately, the idea of using the tunnel still does not work; I get connect_to localhost port 9080: failed.
I did find out that I could also tunnel directly to the device, for example using ssh -N -R 9080:192.168.178.1:80 user@remoteserverfortunnel.com. Using this avoids using the iptables rules, but I would still like the iptables option, in order to learn. Some devices also do not work as expected through the tunnel.