This question has been asked many times and there are many tutorials online so I thought it would be easy. And yet I can’t get it to work no matter what.
I have a server running Ubuntu. It has a Wifi adapter (interface wlo1) and an ethernet port (interface enp44s0). The Wifi network is 10.42.1.0/24 and the wired network is 10.42.0.0/24. The server has IP 10.42.0.1 and 10.42.1.1.
I have a workstation on the wired network with a web server running. Its IP is 10.42.0.216. From the server I can connect to the workstation’s web page no problem.
I have a phone connected to the Wifi. Its IP is 10.42.1.111.
I want to set up port forwarding so that when I connect to 10.42.1.1 from my phone, it redirects to the workstation and the web server running on it. Easy right?
I use UFW on the server (it comes with Ubuntu). Surprisingly UFW can’t set up port forwarding (uncomplicated firewall my a*s). Following online tutorials this is what I tried:
- Uncomment the line net/ipv4/ip_forward=1 in the /etc/ufw/sysctl.conf file.
- Set DEFAULT_FORWARD_POLICY="ACCEPT" in the /etc/default/ufw file.
- Allow both port 80 and 443 with a UFW rule.
- Add the following at the beginning of the /etc/ufw/before.rules file:
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 10.42.1.1 -p tcp --dport 80 -j DNAT --to-destination 10.42.0.216:80
-A PREROUTING -d 10.42.1.1 -p tcp --dport 443 -j DNAT --to-destination 10.42.0.216:443
-A POSTROUTING -s 10.42.0.0/24 -j MASQUERADE
COMMIT
And here is the result:
ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] Anywhere on eno2 ALLOW FWD Anywhere on enp44s0
[ 2] Anywhere on enp44s0 ALLOW IN Anywhere
[ 3] 6881/tcp on eno2 ALLOW IN Anywhere
[ 4] 53 on wlo1 ALLOW IN Anywhere
[ 5] 67/udp on wlo1 ALLOW IN Anywhere
[ 6] 8888/tcp on wlo1 ALLOW IN Anywhere
[ 7] 445/tcp on wlo1 ALLOW IN Anywhere
[ 8] Anywhere on eno2 ALLOW FWD Anywhere on wlo1
[ 9] 443/tcp ALLOW IN Anywhere
[10] 80/tcp ALLOW IN Anywhere
[11] 443/tcp (v6) ALLOW IN Anywhere (v6)
[12] 80/tcp (v6) ALLOW IN Anywhere (v6)
Chain PREROUTING (policy ACCEPT 10211 packets, 579K bytes)
pkts bytes target prot opt in out source destination
11 660 DNAT tcp -- * * 0.0.0.0/0 10.42.1.1 tcp dpt:80 to:10.42.0.216:80
0 0 DNAT tcp -- * * 0.0.0.0/0 10.42.1.1 tcp dpt:443 to:10.42.0.216:443
9795 541K DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
2 120 MASQUERADE all -- * !br-1972fe7a2df1 172.18.0.0/16 0.0.0.0/0
6 1192 MASQUERADE all -- * * 10.42.0.0/24 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.18.0.2 172.18.0.2 tcp dpt:9999
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- br-1972fe7a2df1 * 0.0.0.0/0 0.0.0.0/0
1 60 DNAT tcp -- !br-1972fe7a2df1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9999 to:172.18.0.2:9999
And with all that when I enter 10.42.1.1 in my phone’s browser address bar I can’t get a connection. What did I miss? What test procedure or tools can I use to troubleshoot the issue?
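An added troubleshooting helper, not part of the original question: it reads the counters from the iptables -t nat -L -v -n output quoted above to tell whether the phone's requests reach the DNAT rule at all, and whether any MASQUERADE rule rewrites the phone's subnet (the posted one only covers 10.42.0.0/24, so the workstation's replies depend on it routing 10.42.1.0/24 back through 10.42.0.1). Addresses and subnets are taken from the question; the sample output is constructed from the lines quoted there.

```shell
#!/bin/sh
# Added diagnostic for the DNAT path in the question (not the poster's code).
# Run as root on the server to read live counters; otherwise it analyses the
# constructed sample below, copied from the quoted nat table.
set -eu

# Constructed sample: relevant lines of `iptables -t nat -L -v -n` from the post.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 10211 packets, 579K bytes)
 pkts bytes target prot opt in out source destination
   11   660 DNAT tcp -- * * 0.0.0.0/0 10.42.1.1 tcp dpt:80 to:10.42.0.216:80
    0     0 DNAT tcp -- * * 0.0.0.0/0 10.42.1.1 tcp dpt:443 to:10.42.0.216:443
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    6  1192 MASQUERADE all -- * * 10.42.0.0/24 0.0.0.0/0'

# dnat_hits NAT_OUTPUT DPORT -> packets matched by the DNAT rule for DPORT.
# 0 means the phone's SYN never reached PREROUTING on the server.
dnat_hits() {
    printf '%s\n' "$1" |
        awk -v port="$2" '$3 == "DNAT" && $0 ~ ("dpt:" port " ") { print $1; exit }'
}

# masq_covers NAT_OUTPUT SUBNET -> exit 0 if a MASQUERADE rule has that source.
# DNAT keeps the phone's source address; if nothing masquerades 10.42.1.0/24,
# the workstation must route that subnet via 10.42.0.1 or its replies are lost.
masq_covers() {
    printf '%s\n' "$1" |
        awk -v net="$2" '$3 == "MASQUERADE" && $8 == net { found = 1 } END { exit !found }'
}

# report NAT_OUTPUT CLIENT_SUBNET -> one verdict line per check.
report() {
    nat=$1; client=$2
    for p in 80 443; do
        n=$(dnat_hits "$nat" "$p")
        echo "DNAT dport $p: ${n:-0} packets"
    done
    if masq_covers "$nat" "$client"; then
        echo "MASQUERADE covers $client: yes"
    else
        echo "MASQUERADE covers $client: no (reply path relies on workstation routing via 10.42.0.1)"
    fi
}

# Live counters need root and NET_ADMIN; fall back to the sample otherwise.
if nat_live=$(iptables -t nat -L -v -n 2>/dev/null); then
    echo "ip_forward=$(sysctl -n net.ipv4.ip_forward 2>/dev/null || echo '?')"
    report "$nat_live" 10.42.1.0/24
else
    report "$SAMPLE_NAT" 10.42.1.0/24
fi
```

Run it once, load the page on the phone, run it again: if the dport 80 counter does not increase, the request is not arriving at the server; if it does increase but the browser still hangs, look at the reply path with tcpdump -ni enp44s0 host 10.42.0.216.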