
I am using applications like qbittorrent and airdcpp to share files. They all need some ports to be forwarded in order to be "connectable".

On my home connection I would go into the router settings at 192.168.1.1 and forward the ports, e.g. 56000, to my PC's local IP address 192.168.1.124, and the services would work fine.

Later I set up WireGuard on a Linode VPS, hoping I could VPN into it and mask my IP. When I do that, my IP address is changed when I go somewhere like https://whoer.net . But the ports used, e.g. 56000, are not forwarded and thus the apps are not "connectable".

What are the things I need to add in iptables in order for the VPS to forward those ports like my home router does?

Port 56000 is set to allow in the active VPS ufw firewall.

Many thanks for looking.

This is what my VPS wireguard conf looks like:

[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 49503
PrivateKey = ***

[Peer]
PublicKey = ***
PresharedKey = ***
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
Asmodean

1 Answer


Since you're using UFW, first make sure the UFW rule for port 56000 that you added is not a regular input rule, but instead a "route" (aka forwarding) rule, like this (assuming it's for a TCP port; replace tcp with udp for UDP):

ufw route allow proto tcp to 10.66.66.2 port 56000

Then you need an iptables rule like this for each port you want to forward (where eth0 is the name of your WAN interface):

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 56000 -j DNAT --to-destination 10.66.66.2

If you have a bunch of individual ports you want to forward, you can put them all (up to 15 ports) in the same rule using the --dports flag (note the s) of the multiport module:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 123,456,789 -j DNAT --to-destination 10.66.66.2

And since you're using UFW, you probably want to put your PREROUTING rules in the *nat block of your /etc/ufw/before.rules config file, like this (assuming you probably already have something similar to the POSTROUTING rule there):

# /etc/ufw/before.rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 56000 -j DNAT --to-destination 10.66.66.2
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

If you don't already have a *nat block in your /etc/ufw/before.rules file, add it at the end of the file. Restart UFW after you make the changes.

Justin Ludwig
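The answer above gives one DNAT rule per port and the 15-port limit of the multiport module. The script below is an added example (not part of the answer or the original question) that generates the matching `ufw route allow` commands and a complete `*nat` block for `/etc/ufw/before.rules` from a list of ports, splitting the list into multiport rules of at most 15 ports each and rejecting anything that is not a valid port number. It assumes, as the answer does, that the WAN interface is eth0 and the WireGuard peer is 10.66.66.2; both are plain variables you would change for your own setup. The generated PREROUTING lines are bound to `-i eth0` so that only traffic arriving on the WAN interface is redirected, not traffic coming in over the tunnel itself.

```shell
#!/bin/sh
# Added example: generate UFW route rules and an iptables *nat block for
# forwarding a list of ports from a VPS to a WireGuard peer.
# Assumptions (edit for your own host): WAN interface and peer address.
WAN_IF=eth0          # assumed WAN interface name, as in the answer
PEER_IP=10.66.66.2   # WireGuard peer that should receive the forwarded traffic
MAX_MULTIPORT=15     # the multiport module accepts at most 15 ports per rule

# valid_port PORT -> returns 0 if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ufw_route_rules PROTO PORT... -> one "ufw route allow" line per port
# (these go in the FORWARD chain; a plain "ufw allow" would only affect INPUT)
ufw_route_rules() {
    proto="$1"; shift
    for p in "$@"; do
        valid_port "$p" || { printf 'invalid port: %s\n' "$p" >&2; return 1; }
        printf 'ufw route allow proto %s to %s port %s\n' "$proto" "$PEER_IP" "$p"
    done
}

# emit_dnat PROTO PORTLIST -> a single PREROUTING DNAT line;
# one port uses --dport, a comma-separated list uses multiport --dports
emit_dnat() {
    case "$2" in
        *,*) printf -- '-A PREROUTING -i %s -p %s -m multiport --dports %s -j DNAT --to-destination %s\n' \
                "$WAN_IF" "$1" "$2" "$PEER_IP" ;;
        *)   printf -- '-A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s\n' \
                "$WAN_IF" "$1" "$2" "$PEER_IP" ;;
    esac
}

# dnat_rules PROTO PORT... -> PREROUTING lines, at most MAX_MULTIPORT ports per rule
dnat_rules() {
    proto="$1"; shift
    chunk=""; n=0
    for p in "$@"; do
        valid_port "$p" || { printf 'invalid port: %s\n' "$p" >&2; return 1; }
        chunk="${chunk:+$chunk,}$p"; n=$((n + 1))
        if [ "$n" -eq "$MAX_MULTIPORT" ]; then
            emit_dnat "$proto" "$chunk"; chunk=""; n=0
        fi
    done
    [ -n "$chunk" ] && emit_dnat "$proto" "$chunk"
    return 0
}

# nat_block PROTO PORT... -> a complete *nat block for /etc/ufw/before.rules,
# including the MASQUERADE rule so replies from the peer leave via the WAN address
nat_block() {
    printf '*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n'
    dnat_rules "$@" || return 1
    printf -- '-A POSTROUTING -o %s -j MASQUERADE\nCOMMIT\n' "$WAN_IF"
}

# stand-alone usage: sh forward.sh tcp 56000 56001
if [ "$#" -ge 2 ]; then
    ufw_route_rules "$@" && nat_block "$@"
fi
```

Review the generated lines before pasting them into `before.rules`; the script only prints them, it does not touch the firewall. Keep the port list to the services that actually need to be reachable, since every DNAT line exposes that port on the peer to the whole Internet.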
  • ufw is not capable of port forwarding? That's rather odd. – Michael Hampton Jun 25 '21 at 19:26
  • @MichaelHampton, it is just that you need to use iptables for forwarding, not that ufw can't. It is a firewall. So I guess you could say it can't but technically it isn't for that. – Asmodean Jun 26 '21 at 02:43
  • Thank you so much! You don't know how long and how much I have agonized over this, because I didn't know of the rules to specifically let the ports be forwarded. Guess I haven't been asking the question in the right exchange either. Was always in unix before I found out about serverfault. Again the answer is very appreciated! – Asmodean Jun 26 '21 at 03:12
  • Well, firewalld has port forwarding built in. About a year ago I migrated everything to firewalld, including Debian/Ubuntu systems, just to keep things consistent, as I have to manage a wide variety of distros. The larger feature set of firewalld and it being easier to manage via automation were compelling reasons to standardize on it. – Michael Hampton Jun 26 '21 at 07:34
  • @MichaelHampton, is firewalld able to forward things like the answer does? I have used it on my local machine, though it is currently off as of now, I have used it to forward ports locally very conveniently with its GUI. Love it for that purpose, but don't know about what the iptables mentioned was able to do. – Asmodean Jun 27 '21 at 18:00
  • @Asmodean Yes, it both forwards ports and does masquerading itself. – Michael Hampton Jun 27 '21 at 18:06
  • @MichaelHampton, so I just don't know how to, can you look at this question? https://serverfault.com/questions/1068004/firewalld-forwarding-functionality-with-wireguard – Asmodean Jun 27 '21 at 18:09