Wrapping one's head around port forwarding with iptables
Honestly, I get part of what's going on. Like I need to enter rules, to forward with specific filters. But do I need one rule, two, three? Why do some people do FORWARD and others also OUT and yet some others even IN. Do I need separate rules for SYN, ESTABLISHED, RELATED? Is conntrack a separate package? Why does one guide do -t nat and all the others don't?
It's really painful, since everybody delivers almost copy&pastable guides, but not enough explanation of what they are actually providing as a solution, or how to get help if the reader's setup (oh surprise) is not 100% the same.
What I basically want to achieve is:
- accept connections from everybody on *:443
- send all the requests to 1.2.3.4:443 (nobody but me can reach 1.2.3.4)
- enable requesters to receive the response from 1.2.3.4 as well
- see in dmesg whether or not stuff works, but not more if not necessary
Please explain why you are doing or not doing something. I really want to grasp this stuff. Thanks!
The best explanation I found is in archwiki, even with further references to more in depth descriptions and diagrams. One real in depth guide I found through archwiki is this iptables tutorial.
For instance, here (Simple stateful firewall) is a detailed example with explanation of all the decisions.
Because I'm a visual learner I also found this youtube video very helpful that shows and explains a running example with two VMs that pretty much anybody can reproduce at home.
Now I feel I'm at a level that I mostly just need to reference the following diagram, which shows how a package walks through the tables and chains:
Furhter reading:
- discussion whether one should drop or reject
- the internet protocols RFC
- What's going on with NEW and SYN packages?
- Why do some tutorials use conntrack and others use state?
Side notes:
- I always got confused why some guides contain
ESTABLISHED,RELATEDrules and others don't. Whether or not these rules are there decides if already existing network traffic is cut or not. For instance if you are using an ssh session to connect to the machine, it would be nice if your ssh session wouldn't get killed by adding iptables rules, thus having a rule that allows yourESTABLISHEDconnection is nice.RELATEDpackages are for instances responses to ping or network information packages (ICMP). - The Simple stateful firewall example also explains the differences between different nmap tests.
- Also a good overview
- Iptables forward port range to another port range on a different host
- Unable to GET nginx welcome page from Hetzner Ubuntu 24.04. LTS server with custom domain and docker
- Is there a way for non-root processes to bind to "privileged" ports on Linux?
- iptables block access to port 8000 except from IP address
- What is the best practice of docker + ufw under Ubuntu
- Docker server networking - reject incoming connections but allow outgoing
- iptables rules for jupyter notebook
- Iptables v1.4.14: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
- Restrict connections to the Docker daemon - What should be the value of ext_if
- Logging Dropped Packets in IPTables?
- Connection refused to MongoDB errno 111
- Rancher 1.6 port forwarding on any host forwards to host with rancher/server installed
- What is the best way to forward all requests on a certain port to another machine on the network?
- DNAT translation in iptables for TCP connections
- iptables rate limiting connection request
- Docker containers with bridge network cannot ping anything (even default gateway)
- rsyslog - Property-based filtering not working
- iptables LOG and DROP in one rule
- Docker ignores iptable rules when using "-p <port>:<port>"
- Docker: How to re-create dockers additional iptables rules?
- nftables rules for docker
- Prevent prompt when `apt install -y iptables persistent` on Debian/Ubuntu
- Not sure how to properly use variables and use them in if statements in bash scripting
- Change port number while forwarding
- GCP overriding iptables rules in centOS
- How to add rule with IPTables.Net to iptables in real system with .NET 6 Web API
- best way to check if a iptables userchain exist
- SSL installed on Apache2 but HTTPS not working
- Ununtu 20 + Rancher 1.6 — 80 port issue
- ufw seems not to block all ports (Ubuntu with Docker)