dnotes.net/blogs/david-hunt/forwarding-tcp-traffic-iptables-and-ufw-1069
July 6, 2016
I've recently had two situations where I needed to forward all traffic on certain ports from
one server to another. In one case I did this using only iptables, and in another using
iptables commands in the context of ufw. So I'm going to archive my learning here for future
reference.
Make sure you save these commands in some way so that they are not lost when the
server is restarted, since by default iptables configuration does not survive reboots.
I was already using the common and familiar Uncomplicated Firewall as a front-end for
iptables, but that program does not expose the nat table through the regular commands;
you have to edit the configuration files, specifically /etc/ufw/before.rules, and
manually add in the iptables commands. However, I found that the syntax of those
configuration files was not too difficult to intuit once I remembered how iptables worked,
since basically it is just a list of iptables rules. (See this comment for an excellent diagram
explaining how iptables processes packets.)
I needed to forward the right traffic to my SIP device, which requires the use of the nat table
in iptables. I did this by setting up a section for the nat table in before.rules, by following
and modifying the ones here and here:
# nat table header: before.rules uses iptables-restore syntax, so the section
# starts with the table name and the policy lines for its chains
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port Forwardings
-A PREROUTING -p tcp --dport 5060 -j DNAT --to-destination 192.168.X.X:5060
-A PREROUTING -p udp --dport 5060 -j DNAT --to-destination 192.168.X.X:5060
# Masquerading seems to be unnecessary for SIP packets. May even mess things
# up but I doubt it.
#-A POSTROUTING -j MASQUERADE
# every table section needs its own COMMIT line - the one at the bottom of
# the file won't suffice
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
After saving the file and running ufw reload, this still does not work, because ufw's default
is to drop everything that passes through the iptables FORWARD chain in the filter table. Most
documentation recommends setting DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw, but I
didn't want to just let all forwarded traffic through. So, following this comment, I set up rules
in the ufw-before-forward chain to allow SIP traffic out from my device, and in from the specific
IP addresses of my VOIP provider, which can be obtained with dig +short gvgw.simonics.com. a:
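As an added example (not the post's own rules; the LAN address and provider IPs are placeholders the caller supplies), a small POSIX shell generator that emits both pieces the post describes: the nat section with its DNAT rules and COMMIT, and ufw-before-forward ACCEPT rules scoped to the provider's addresses instead of setting DEFAULT_FORWARD_POLICY="ACCEPT":

```shell
#!/bin/sh
# Added example (not from the original post): generate the two before.rules
# fragments that forward SIP signalling (5060/tcp and 5060/udp) to a LAN
# device while keeping DEFAULT_FORWARD_POLICY at DROP. The FORWARD-chain
# rules are limited to the VOIP provider's addresses rather than opening
# forwarding for everything. LAN_IP and the provider addresses are
# placeholders the caller supplies.

sip_forward_rules() {
    lan="$1"
    [ -n "$lan" ] && [ "$#" -ge 2 ] || {
        printf 'usage: sip_forward_rules LAN_IP PROVIDER_IP...\n' >&2
        return 1
    }
    shift
    # nat section: one DNAT rule per protocol, closed by its own COMMIT
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    for proto in tcp udp; do
        printf '%s\n' "-A PREROUTING -p $proto --dport 5060 -j DNAT --to-destination $lan:5060"
    done
    printf 'COMMIT\n\n'
    # filter section: ACCEPT rules for the ufw-before-forward chain in both
    # directions, one pair per provider address and protocol. Inbound is
    # matched after DNAT (destination is already the LAN device); the return
    # path is matched on the device's source port 5060.
    printf '# append these to the ufw-before-forward chain in the *filter section\n'
    for ip in "$@"; do
        for proto in tcp udp; do
            printf '%s\n' "-A ufw-before-forward -p $proto -s $ip -d $lan --dport 5060 -j ACCEPT"
            printf '%s\n' "-A ufw-before-forward -p $proto -s $lan --sport 5060 -d $ip -j ACCEPT"
        done
    done
}

# Resolve the provider's A records the way the post does (needs network access).
provider_ips() {
    dig +short "$1" a | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Example call with a constructed LAN address:
#   sip_forward_rules 192.168.0.50 $(provider_ips gvgw.simonics.com)
```

Paste the first fragment as its own *nat section in /etc/ufw/before.rules and the ufw-before-forward lines into the existing *filter section, then run ufw reload.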
Getting Google Voice to actually work
I didn't realize that it was working, because Google Voice wasn't actually connecting to my
VOIP provider when I called the number, so I wasn't seeing any traffic in. Using iptables
-t nat -L -v -n showed no traffic being forwarded, and even looking at the filter table
with iptables -L -v -n didn't show any traffic from those IP addresses. After fudging
around more than I wanted to with tcpdump, I finally realized that Google Voice was not
staying connected with the Simonics GV Gateway. I changed some settings in Google
Voice, turning off "receive calls in Hangouts", and I logged out of Hangouts and Google Voice
on all my devices, reset the connection with Simonics, and finally the calls started going
through. After a day, though, I'm back to not getting my calls. I read somewhere once that
they recommend using a completely clean Google account for this kind of setup, where you
don't use Gmail or any of the other services, lest you get logged out from Google Voice with
your SIP provider, and perhaps that is what I will have to do.
Nonetheless, I did manage to solve the port forwarding problem with iptables and ufw, and
now I understand a lot better how that traffic works.