Forward a port to an external ip

Hey guys

I have a VPS in Hong Kong with shitty peering to France where my backend server is based (read: 2000+ ms ping). I also have a DigitalOcean VPS in Germany with good peering (200ms).

I'd like to somehow use that as a proxy, preferably with as little extra software as possible running on the DO box.

So my question is: Is it possible to have iptables do this for me?

Basically I want my DO VPS (IP 1.1.1.1) to proxy traffic from my HK VPS (2.2.2.2) to my backend server (3.3.3.3) running MySQL on a non-default port (port 1234).

I've tried a bunch of stuff, which I will not list here due to the possibility I tried it incorrectly.

Comments

  • akb Member
    edited February 2017

    Have you tried something like:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -s 2.2.2.2 -d 1.1.1.1 -i eth0 -p tcp --dport 4321 -j DNAT --to-destination 3.3.3.3:1234
    iptables -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1
    

    Will forward TCP data coming from 2.2.2.2 on port 4321 of your DO VPS (1.1.1.1) to port 1234 of your backend (3.3.3.3).

    Thanked by 1teamacc
  • akb Member
    edited February 2017

    Even this should work as droplets are KVM:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -s 2.2.2.2 -d 1.1.1.1 -p tcp --dport 4321 -j DNAT --to-destination 3.3.3.3:1234
    iptables -t nat -A POSTROUTING -j MASQUERADE
    
    Thanked by 1teamacc
  • @akb said:
    Even this should work as droplets are KVM:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -s 2.2.2.2 -d 1.1.1.1 -p tcp --dport 4321 -j DNAT --to-destination 3.3.3.3:1234
    iptables -t nat -A POSTROUTING -j MASQUERADE
    

    This works indeed. I think I forgot to disable the firewall of the DO server earlier.

    Any idea how to make ufw play nicely alongside this?
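
One way to approach the ufw question above while keeping the firewall enabled, as an added example that is not from any poster in the thread: the script prints (and never applies) the same DNAT forward as a `*nat` fragment for ufw, with the source NAT scoped to the forwarded flow instead of matching all traffic, plus the matching `ufw route` rule. It assumes the stock ufw file layout (`/etc/ufw/before.rules`, `/etc/ufw/sysctl.conf`) and ufw's default forward policy of DROP; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): prints, but never applies, the ufw
# pieces for the DNAT forward above. Function names are hypothetical.

# valid_ipv4 ADDR: succeeds only for a dotted quad with octets 0..255
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                 # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# valid_port PORT: succeeds only for an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_forward CLIENT PROXY LISTEN_PORT BACKEND BACKEND_PORT
# Returns 2 without printing anything if an argument fails validation.
render_forward() {
    valid_ipv4 "$1" && valid_ipv4 "$2" && valid_ipv4 "$4" || return 2
    valid_port "$3" && valid_port "$5" || return 2
    cat <<EOF
# --- /etc/ufw/before.rules: place above the existing *filter section ---
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s $1 -d $2 -p tcp --dport $3 -j DNAT --to-destination $4:$5
-A POSTROUTING -s $1 -d $4 -p tcp --dport $5 -j SNAT --to-source $2
COMMIT
# --- /etc/ufw/sysctl.conf ---
net/ipv4/ip_forward=1
# --- run once, then: ufw reload ---
ufw route allow proto tcp from $1 to $4 port $5
EOF
}

# Addresses and ports are the placeholders used in the thread.
render_forward 2.2.2.2 1.1.1.1 4321 3.3.3.3 1234
```

The `ufw route allow` rule is matched in the FORWARD path after DNAT, so it names the backend address and port rather than the proxy's listening port.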
