Timmehh posted (edited):

I think I'm really close to getting this figured out, but I couldn't quite get it to work. I run a Plex and an Ark server that others on the internet connect to. Plex requires 32400 and Ark requires 7779 and 27016. So I ssh'd into my router that I put the VPN profile on and ran the following commands:

iptables -I FORWARD -i tun1 -p udp -d 192.168.50.67 --match multiport --dports 7779,36731 -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d 192.168.50.67 --match multiport --dports 7779,36731 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p udp --match multiport --dports 7779,36731 -j DNAT --to-destination 192.168.50.67
iptables -t nat -I PREROUTING -i tun1 -p tcp --match multiport --dports 7779,36731 -j DNAT --to-destination 192.168.50.67
iptables -I FORWARD -i tun1 -p udp -d 192.168.50.67 --match multiport --dports 27016,36732 -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d 192.168.50.67 --match multiport --dports 27016,36732 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --match multiport --dports 27016,36732 -j DNAT --to-destination 192.168.50.67
iptables -t nat -I PREROUTING -i tun1 -p udp --match multiport --dports 27016,36732 -j DNAT --to-destination 192.168.50.67

The ports in those commands that aren't the ones I listed as needed earlier are the public ports that I set up in the AirVPN web portal that are supposed to forward to the ones I need.

When I print the iptables I get this:

Chain FORWARD (policy ACCEPT)
target   prot opt source     destination
ACCEPT   tcp  --  anywhere   192.168.50.67   multiport dports 27016,36732
ACCEPT   udp  --  anywhere   192.168.50.67   multiport dports 27016,36732
ACCEPT   tcp  --  anywhere   192.168.50.67   multiport dports 7779,36731
ACCEPT   udp  --  anywhere   192.168.50.67   multiport dports 7779,36731
ACCEPT   all  --  anywhere   anywhere
ACCEPT   tcp  --  anywhere   192.168.50.70   multiport dports 36730,32400
ACCEPT   udp  --  anywhere   192.168.50.70   multiport dports 36730,32400

So I see the ACCEPTs I made, but I can't find any reference to the DNATs I made. Did I do something wrong? Should I see the DNATs somewhere in the table?

Also, is that random "ACCEPT all -- anywhere anywhere" that ended up in the middle of the table dangerous? It looks like it is. Any idea what I would have done to make that show up?

I'm only going down this rabbit hole because something is wrong with AT&T Fiber's routing in Atlanta, GA right now and pings to almost everything are 1000 ms. Now I've bought 3 years of AirVPN, am excited to finally have encrypted traffic, but I'm stuck on providing my servers to the internet.

EDIT: I should add that the reason I say that it still didn't work after all this is because the Plex server wasn't reachable outside of my network, and the port checker tool on AirVPN couldn't see the port being open. One of my concerns is that the AT&T box has to sit between the fiber jack and my router. But I do have the AT&T box set to IP passthrough mode, which is supposed to send all WAN traffic straight to the Asus router untouched.
OpenSourcerer posted:

9 hours ago, Timmehh said:
"So I see the ACCEPTs I made, but I can't find any reference to the DNATs I made. Did I do something wrong? Should I see the DNATs somewhere in the table?"

DNAT jobs are in the PREROUTING chain, as correctly seen in the commands you posted. You posted the FORWARD chain here. If you want to list the PRE- and POSTROUTING chains, don't forget the -t nat option:

iptables-legacy -t nat -L

9 hours ago, Timmehh said:
"Also, is that random "ACCEPT all -- anywhere anywhere" that ended up in the middle of the table dangerous? It looks like it is. Any idea what I would have done to make that show up?"

There are no commands indicating you set the policy of any chain to DROP. I'm not entirely sure which one needs to be set to it, so I won't recommend you anything, so as not to break it for you. But the command would be:

iptables-legacy -P CHAIN DROP
Timmehh posted:

31 minutes ago, giganerd said:
"DNAT jobs are in the PREROUTING chain, as correctly seen in the commands you posted. You posted the FORWARD chain here. If you want to list the PRE- and POSTROUTING chains, don't forget the -t nat option: iptables-legacy -t nat -L. There are no commands indicating you set the policy of any chain to DROP. I'm not entirely sure which one needs to be set to it, so I won't recommend you anything, so as not to break it for you. But the command would be: iptables-legacy -P CHAIN DROP"

Ok. So I just didn't see the DNAT because I didn't add that flag. I'd run it now and post the result, but I had to revert the router back to pre-VPN for at least last night so Ark and Plex could be used again. With what you see that I've done though, did I do something wrong or miss a step? Any reason why the port check wouldn't show green with everything I did?
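Two iptables details decide whether the rules in this thread can work, and both are worth checking before blaming the AT&T box. First, `-j DNAT --to-destination 192.168.50.67` with no `:port` keeps the packet's original destination port, so a packet that arrives on tun1 for the AirVPN public port 36731 is delivered to the LAN host on 36731, not on 7779, unless AirVPN has already rewritten the port on its side. Second, PREROUTING runs before routing and FORWARD runs after it, so a FORWARD rule has to match the translated (local) port, not the public one. The script below is an added example written for this thread, not anything from the posts or from AirVPN: it emits one DNAT plus one FORWARD rule per protocol for each PUBLIC:LOCAL pair, guards each insert with `iptables -C` so re-running it after a reconnect does not duplicate rules, and prints the listing commands with `-v -n --line-numbers`, which show the `-i tun1` interface match and packet counters that plain `iptables -L` hides (that is also why the "ACCEPT all anywhere anywhere" line cannot be judged from the listing as posted). The interface, LAN host and port pairs are assumptions taken from the thread; replace them with your own.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Prints (and with APPLY=1 runs)
# an idempotent PREROUTING DNAT + FORWARD ACCEPT pair per protocol for each
# forwarded port arriving on a VPN tunnel interface. All values are assumptions.

# rule_line TABLE CHAIN RULESPEC...
# Emits a command that inserts the rule only if it is not already present.
rule_line() {
    table=$1; chain=$2; shift 2
    printf 'iptables -t %s -C %s %s 2>/dev/null || iptables -t %s -I %s %s\n' \
        "$table" "$chain" "$*" "$table" "$chain" "$*"
}

# gen_rules IFACE LAN_HOST MAP...
# MAP is PUBLIC:LOCAL (e.g. 36731:7779), or a single port when the provider
# already delivers traffic on the local port (then PUBLIC == LOCAL).
gen_rules() {
    iface=$1; host=$2; shift 2
    for map in "$@"; do
        pub=${map%%:*}
        loc=${map##*:}
        for proto in tcp udp; do
            # PREROUTING runs before routing: rewrite PUBLIC -> LAN_HOST:LOCAL.
            # Without ":$loc" the original destination port is kept.
            rule_line nat PREROUTING -i "$iface" -p "$proto" --dport "$pub" \
                -j DNAT --to-destination "$host:$loc"
            # FORWARD sees the packet after DNAT, so it matches the LOCAL port.
            rule_line filter FORWARD -i "$iface" -p "$proto" -d "$host" \
                --dport "$loc" -j ACCEPT
        done
    done
}

# verify_cmds prints listings that include interface matches and counters,
# which "iptables -L" without -v hides.
verify_cmds() {
    printf 'iptables -t nat -L PREROUTING -v -n --line-numbers\n'
    printf 'iptables -L FORWARD -v -n --line-numbers\n'
}

# Assumed values from the thread: tun1, the Ark host, AirVPN public -> Ark ports.
IFACE=${IFACE:-tun1}
HOST=${HOST:-192.168.50.67}
set -- 36731:7779 36732:27016

if [ "${APPLY:-0}" = 1 ]; then
    # Apply on the router (needs root), then show what actually got installed.
    gen_rules "$IFACE" "$HOST" "$@" | sh -e
    verify_cmds | sh
else
    # Dry run: print the commands for review.
    gen_rules "$IFACE" "$HOST" "$@"
fi
```

Run it once without arguments to review the generated commands, then `APPLY=1 sh forward.sh` on the router. After applying, the packet counters in the `-v` listing tell you whether traffic is reaching the DNAT rule at all: zero packets on PREROUTING while AirVPN's port checker is running means the packets never arrive on tun1, which points at the VPN side (or the provider's port assignment) rather than at the FORWARD chain.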