
The following is on a Virtual Private Server online and only one machine. I have tried a number of ideas using UFW on Ubuntu 15.10 to forward an incoming request on port 80 to a simple app I have running on 3000. My current ufw status looks like this.

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere
80 (HTTP)                  ALLOW IN    Anywhere
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)
80 (HTTP (v6))             ALLOW IN    Anywhere (v6)

162.243.39.90 3000         ALLOW FWD   162.243.39.90 80

To achieve that last line I used

ufw route allow from 162.243.39.90 port 3000 to 162.243.39.90 port 80

I tried several other combinations including

in on eth0 

and

out on xxx

But, unless I open port 3000 directly, I can't access the app. My browser just spins its wheels for a while before returning a "web page not available" error.

Any ideas?

Diamond
user2281135

2 Answers


route rules are meant for packets traversing the firewall in a multihomed setup (more than one network), so not going to work in your setup.

http://manpages.ubuntu.com/manpages/trusty/man8/ufw.8.html

Rules for traffic not destined for the host itself but instead for traffic that should be routed/forwarded through the firewall should specify the route keyword before the rule (routing rules differ significantly from PF syntax and instead take into account netfilter FORWARD chain conventions). For example:

     ufw route allow in on eth1 out on eth2

This will allow all traffic routed to eth2 and coming in on eth1 to traverse the firewall.

For your case, the answer is here: Can I use ufw to setup a port forward?

Diamond
  • I know in a larger network it is common to have a dedicated routing server. I only have a few apps. Quite small for the time being. So, the firewall will have to reside on the one server. Which means, I'm only doing port forwarding, not IP forwarding to other machines or network interfaces, i.e. eth0, eth1, etc. I was able to get it to work using iptables, but not with UFW. I may not have tried the example in the solution link you provided below your message. I will give that a shot. But, it seems like I tried it. I'll let you know if it works. Oh, and thanks for your response! – user2281135 Jan 30 '16 at 00:18
  • @user2281135, you are welcome. Well, that's what I wanted to point out in my answer that the route option is not the right one for your setup. The proper way to do it is in the given link. – Diamond Feb 01 '16 at 20:20
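As an added example (not code from the question, from either answer, or from the ufw project itself) of the single-host redirect the first answer refers to: ufw loads extra netfilter tables from /etc/ufw/before.rules, so a `*nat` block there can REDIRECT TCP/80 to the app on TCP/3000 without touching the `route` (FORWARD) rules at all. The ports 80 and 3000 are taken from the question; the file path is passed as an argument so the functions can be tried on a copy first. One point the script encodes: REDIRECT runs in PREROUTING, before the INPUT filter, so the filter sees destination port 3000, which is why "allow 80" alone never let the traffic through. Rather than opening 3000 to everyone, the inserted filter rule accepts 3000 only when conntrack recorded the original destination port as 80 (the `-m conntrack --ctorigdstport` match).

```shell
#!/bin/sh
# Added example; not from the question, the answers, or ufw itself.
# Assumes the before.rules layout ufw ships (a *filter block with an
# ufw-before-input chain) and ports 80 -> 3000 from the question.
set -eu

PUB_PORT=80      # port clients connect to
APP_PORT=3000    # port the app listens on

# nat table fragment that ufw loads from before.rules; ufw reads the file
# table by table, so this block can sit in front of the existing *filter one.
nat_redirect_fragment() {   # $1=public port $2=app port
    printf '*nat\n:PREROUTING ACCEPT [0:0]\n-A PREROUTING -p tcp --dport %s -j REDIRECT --to-port %s\nCOMMIT\n' "$1" "$2"
}

# Filter rule: accept on the app port only when the connection was
# redirected (original destination port == public port), not a direct hit.
filter_accept_rule() {      # $1=public port $2=app port
    printf '%s' "-A ufw-before-input -p tcp --dport $2 -m conntrack --ctorigdstport $1 -j ACCEPT"
}

has_nat_redirect() {        # $1=file $2=public port $3=app port
    grep -q -- "--dport $2 -j REDIRECT --to-port $3" "$1"
}

# Prepend the nat block and add the filter rule just before the *filter
# COMMIT. Idempotent: a second run leaves the file unchanged.
install_redirect() {        # $1=file $2=public port $3=app port
    file=$1; pub=$2; app=$3
    if has_nat_redirect "$file" "$pub" "$app"; then
        return 0
    fi
    rule=$(filter_accept_rule "$pub" "$app")
    tmp="$file.tmp.$$"
    {
        nat_redirect_fragment "$pub" "$app"
        awk -v rule="$rule" '
            /^\*filter/ { infilter = 1 }
            infilter && /^COMMIT/ && !done { print rule; done = 1 }
            { print }
        ' "$file"
    } > "$tmp"
    mv "$tmp" "$file"
}

# Number of REDIRECT lines for this port pair (expect exactly 1 after install).
redirect_count() {          # $1=file $2=public port $3=app port
    grep -c -- "--dport $2 -j REDIRECT --to-port $3" "$1" || true
}

# Live use (as root): edit the real file, open the public port, reload ufw.
# Port 3000 is deliberately not opened with "ufw allow"; the conntrack rule
# above admits only redirected connections.
if [ "${1:-}" = "--apply" ]; then
    install_redirect /etc/ufw/before.rules "$PUB_PORT" "$APP_PORT"
    ufw allow "$PUB_PORT/tcp"
    ufw reload
fi
```

Run it with `--apply` as root to change the live file; without that flag it only defines the functions, so you can point `install_redirect` at a copy and inspect the result. Two checks worth doing afterwards: `ufw status` should still show 80 allowed and nothing for 3000, and the redirect must be tested from another host, because PREROUTING only sees packets arriving from the network (a `curl localhost:80` on the server itself goes through OUTPUT and is not redirected).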

I assume you're doing this behind a router. Here's an alternative.

Suggestion A:

  • In your Router, open port 80 then forward it to the server using port 3000.
  • In your Server, open port 3000 in ufw.

Suggestion B:

  • In your Router, open port 3000 then forward it to the server using port 3000.
  • In your Server, open port 3000 in ufw.

I wouldn't do port forwards from ufw.

Note: With option A, all traffic in Port 80 will go to port 3000. This would be an issue if you have other applications using this port (like a web server).

jarvis
  • I'm sorry, looking back on my question I should have added that this is a VPS server online. So, it's just one virtual machine so to say. When I have this sort of thing at home using a router, it pretty much goes just like you suggested. I'm wanting to route from one port to another port on the same machine. This is somewhat a learning exercise for me using UFW. Once I put a web server such as Nginx or Lighttpd, etc., online, it will solve my problem. But, I'm trying to understand UFW a bit more. – user2281135 Jan 29 '16 at 07:42
  • I just made the correction to my original question. – user2281135 Jan 29 '16 at 07:44