Custom Port Forwarding

[maximallist]

Hello everyone!
Help me to configure port forwarding from WAN (IP 10.100.1.71) to Exchange (IP 192.168.1.71) using port 993 as an example.
Through ufw configured rule:

ufw allow 993/tcp

Then in the file /etc/ufw/before.rules, before the filter section I added:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i ens224 -p tcp --dport 993 -j DNAT --to 192.168.1.71:993
COMMIT

Changed in /etc/default/ufw:

DEFAULT_FORWARD_POLICY="DROP"

to

DEFAULT_FORWARD_POLICY="ACCEPT"

Uncommented the line in /etc/ufw/before.rules:

net/ipv4/ip_forward=1

Restarted ufw.
Telnet connection to port 993 fails.

 

[Hannes Laimer]

Hey,

I think you're missing a

-A POSTROUTING -j MASQUERADE

without it packets can't come back out.

 

[maximallist]

Hey,

I think you're missing a

-A POSTROUTING -j MASQUERADE

without it packets can't come back out.

The problem is that the ports are not accessible via telnet.
Is it possible that unless masquerading is enabled they will not be available?

 

[maximallist]

after the changes now /etc/ufw/before.rules:

*nat
 :PREROUTING ACCEPT [0:0]
-A PREROUTING -i ens224 -p tcp --dport 993 -j DNAT --to-destination 192.168.1.71:993
-A POSTROUTING -s 192.168.1.71 -p tcp --dport 993 -o ens224 -j SNAT --to-source 10.100.1.71:993
COMMIT

but the port is still unavailable via telnet

netstat -pnltu

result (see attachment)

 

[FlyByWire]

@maximalist. Have you been able to solve the issue? I'm facing a similar problem and seeking for a solution.

 

[maximallist]

Greetings!
Yes, the problem is solved. I contacted a specialist who installed and configured the HAProxy service on PMG.
There are still problems:
1) automatic renewal of Let's Encrypt certificate on Exchange and PMG
2) ufw rules disappear after rebooting PMG

 

[FlyByWire]

Thanks for the answer. Seems my Problem is different.