port forward iptables double nat

ofit OG
edited June 2023 in Help

Hello. Could you help me configure port forwarding with iptables? I have a VPS on which I installed Docker with Nginx Proxy Manager and a WireGuard VPN (angristan wireguard-install script, not Docker). I also have a home server on which Proxmox is installed. Proxmox runs a KVM VPS (192.168.3.3) on which Docker is installed with various applications, as well as a WireGuard VPN client (not on Docker) with IP 10.66.66.2. Nginx Proxy Manager on the cloud VPS (xxx.xxx.xxx.xxx IP) is configured with a domain name that points to the KVM VPS on the home server, and everything works well with the Docker apps that run on the home server KVM VPS. But I also want to access the Proxmox web UI and openWRT (192.168.3.2) router web UI (192.168.3.1). I tried to set up port forwarding, but I can't get packets further than wg0 (10.66.66.2); they are not forwarded to the local LAN 192.168.3.0/26.

Home network 192.168.3.0/26
openWRT Home router 192.168.3.1
Home Server where Proxmox is installed 192.168.3.2
KVM VPS inside proxmox 192.168.3.3
wg0 VPN WireGuard client on the KVM VPS inside Proxmox 10.66.66.2

cloud VPS with xxx.xxx.xxx.xxx ip
wg0 VPN WireGuard server 10.66.66.1

Nginx Proxy Manager to openWRT in the local network: http://10.66.66.2:18102 should go to http://192.168.3.1:80

# rewrite the destination of TCP 18102 arriving on wg0 to the router's web UI
iptables -A PREROUTING -t nat -p tcp -i wg0 --dport 18102 -j DNAT --to-destination 192.168.3.1:80
# source-NAT the forwarded connection so the router replies to this host
iptables -A POSTROUTING -t nat -p tcp -d 192.168.3.1 --dport 80 -j MASQUERADE
# allow the rewritten connection (and its replies) through the FORWARD chain
iptables -A FORWARD -p tcp -d 192.168.3.1 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Nginx Proxy Manager to Proxmox in the local network: http://10.66.66.2:18103 should go to https://192.168.3.2:8006

# rewrite the destination of TCP 18103 arriving on wg0 to the Proxmox web UI
iptables -A PREROUTING -t nat -p tcp -i wg0 --dport 18103 -j DNAT --to-destination 192.168.3.2:8006
# source-NAT the forwarded connection so Proxmox replies to this host
iptables -A POSTROUTING -t nat -p tcp -d 192.168.3.2 --dport 8006 -j MASQUERADE
# allow the rewritten connection (and its replies) through the FORWARD chain
iptables -A FORWARD -p tcp -d 192.168.3.2 --dport 8006 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
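As an added example (not code from the thread), the same two mappings expressed as one iptables-restore ruleset for the WireGuard client on the KVM VPS, with a FORWARD chain that accepts only the tunnel-to-LAN connections conntrack has marked as DNATed. It assumes wg0 is the tunnel, eth0 is the LAN-facing interface, and net.ipv4.ip_forward=1 is already set.

```shell
#!/bin/sh
# Added example, not code from the thread.  Builds an iptables-restore
# ruleset for the WireGuard client (10.66.66.2 on the KVM VPS) that
# maps TCP arriving on wg0 at a proxy port to a LAN host and forwards
# nothing else.  Assumptions: wg0 is the tunnel, eth0 the LAN interface,
# and net.ipv4.ip_forward=1 is already set on this host.
WG_IF=wg0
LAN_IF=eth0

# Constructed mapping table, one "proxy-port LAN-host LAN-port" per line.
MAPPINGS='18102 192.168.3.1 80
18103 192.168.3.2 8006'

# nat table: DNAT the proxy port on wg0, then MASQUERADE towards the LAN
# host so it answers via this machine (192.168.3.3) instead of trying to
# reach 10.66.66.1 through its own default route.
nat_rules() {
    printf '%s\n' "$MAPPINGS" | while read -r port dst dport; do
        printf '%s\n' \
          "-A PREROUTING -i $WG_IF -p tcp --dport $port -j DNAT --to-destination $dst:$dport" \
          "-A POSTROUTING -o $LAN_IF -p tcp -d $dst --dport $dport -j MASQUERADE"
    done
}

# filter table: replies first, then only tunnel->LAN connections that
# conntrack marked as DNATed (ctstate DNAT); a packet aimed at
# 192.168.3.1:80 that did not pass the PREROUTING rule is dropped.
filter_rules() {
    printf '%s\n' "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    printf '%s\n' "$MAPPINGS" | while read -r port dst dport; do
        printf '%s\n' \
          "-A FORWARD -i $WG_IF -o $LAN_IF -p tcp -d $dst --dport $dport -m conntrack --ctstate DNAT -j ACCEPT"
    done
}

# Complete file in iptables-restore format, printed to stdout.
ruleset() {
    printf '*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n'
    nat_rules
    printf 'COMMIT\n*filter\n:FORWARD DROP [0:0]\n'
    filter_rules
    printf 'COMMIT\n'
}

case ${1:-} in
    apply) ruleset | iptables-restore --noflush ;;   # root; keeps Docker's chains
    *)     ruleset ;;
esac
```

Docker owns part of the filter table on this host, so load the file with --noflush (as the apply branch does) rather than a plain iptables-restore, which would wipe Docker's chains. After loading, iptables -t nat -L PREROUTING -v -n shows whether the DNAT counters increment when the proxy connects, which separates a rule problem from a routing problem.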

Comments

  • @yoursunny this is your cake.

  • If you are wanting HTTP traffic then you should be forwarding TCP, not UDP.

  • @tetech said:
    If you are wanting HTTP traffic then you should be forwarding TCP, not UDP.

    I used tcp in the beginning, then udp. both options didn't work.

  • @ehab said:
    @yoursunny this is your cake.

    Thanked by (1)ehab

    Artificial intelligence is no match for our natural stupidity.

    Time flies like an arrow; fruit flies like a banana.

  • The FORWARD rule should match the redirect, i.e. -i wg0 --dport 1810x; otherwise it is not hitting the nat table.

    Can also do this using HAProxy.

  • Example, adjust eth0->wg0 and your subnets.

    -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.3.185:443
    -A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
    ...
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -p tcp -m state --state NEW -m tcp --dport 443 -j GEO-ACCEPT
    
    Thanked by (1)Falzo

  • FrankZ Moderator

    @ofit - Were you able to get this resolved ?

    I am currently traveling in mostly remote areas until sometime in April 2024. Consequently DM's sent to me will go unanswered during this time.
    For staff assistance or support issues please use the helpdesk ticket system at https://support.lowendspirit.com/index.php?a=add
