Forward all ports down a VPN

[kingqueen]

My ISP has CGNAT, so no public IP and thus no port forwarding available. I have applications that need port forwarding. I have therefore bought a router that allows a VPN as its Internet connection, and hired a VPS with a static public IP. I have installed Debian 10 Server on it.
My intent is to set the VPS up with L2TP/IPSec. (My router accepts PPTP, L2TP/IPSEC or OpenVPN, but PPTP is filtered out by my ISP and my router only has partial support for OpenVPN.) There will only be 1 client: my router. The VPS will do NAT for outgoing connections and replies. For unsolicited incoming traffic on any TCP or UDP port except those used for SSH or VPN, it forwards it all down the VPN to the equivalent port and protocol on my router.
I am moderately experienced at Debian, enough to configure a server with the help of the many handholding tutorials helpful people have put online (I.e. I'm by no means a trained or experienced sysadmin.) So I can do all the above with the exception of the last bit. I have used UFW and am aware of IPTables, but I have no idea how to set such up to forward all the traffic down the VPN to my router.
Much Googling hasn't helped. So I'm wondering please if any of you very helpful people please have any useful tutorials you could link to, or any useful pointers or resources similarly.
Thank you ever so much.

[p.H]

Assuming the VPS external network interface is eth0 and the internal VPN address of the router is 192.0.2.3

Code: Select all

iptables -t nat -A PREROUTING -i eth0 -p ah -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p esp -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 500 -j ACCEPT # IKE
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4500 -j ACCEPT # NAT-T
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j ACCEPT # SSH
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 192.0.2.3

[kingqueen]

Thank you very much for this.
I've tried what you have kindly written but I can't get it to work. I suspect that this may be because the script that sets up the VPN does some things with IPTables also.
The VPS's Ethernet device is called "ens192", I have set SSH to use port 22222, and the address that Strongswan gives my router is 192.168.42.2, so I tried running at the command prompt:

sudo iptables -t nat -A PREROUTING -i ens192 -p ah -j ACCEPT
sudo iptables -t nat -A PREROUTING -i ens192 -p esp -j ACCEPT
sudo iptables -t nat -A PREROUTING -i ens192 -p udp --dport 500 -j ACCEPT # IKE
sudo iptables -t nat -A PREROUTING -i ens192 -p udp --dport 4500 -j ACCEPT # NAT-T
sudo iptables -t nat -A PREROUTING -i ens192 -p tcp --dport 22222 -j ACCEPT # SSH
sudo iptables -t nat -A PREROUTING -i ens192 -j DNAT --to 192.168.42.2

That didn't result in any noticeable change: the VPN connects and I have Internet access, but I don't have any port forwarding (according to ShieldsUp / testing via another device on another Internet connection.)
The FAQ for the script I used to set up the L2TP/IPSec VPN says:

If you want to modify the IPTables rules after install, edit /etc/iptables.rules and/or /etc/iptables/rules.v4 (Ubuntu/Debian), or /etc/sysconfig/iptables (CentOS/RHEL). Then reboot your server.

/etc/iptables/ doesn't exist, so I had a guess at what to add to /etc/iptables.rules. Here's the file with my attempted addition in bold:

# Modified by hwdsl2 VPN script
# Generated by xtables-save v1.8.2 on Sun Jun 6 17:23:22 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i ens192 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o ens192 -j ACCEPT
-A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
-A FORWARD -d 192.168.43.0/24 -i ens192 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.43.0/24 -o ens192 -j ACCEPT
-A FORWARD -j DROP
COMMIT
# Completed on Sun Jun 6 17:23:22 2021
# Generated by xtables-save v1.8.2 on Sun Jun 6 17:23:22 2021
*nat
: PREROUTING ACCEPT [0:0]
-A PREROUTING -i ens192 -p ah -j ACCEPT
-A PREROUTING -i ens192 -p esp -j ACCEPT
-A PREROUTING -i ens192 -p udp --dport 500 -j ACCEPT # IKE
-A PREROUTING -i ens192 -p udp --dport 4500 -j ACCEPT # NAT-T
-A PREROUTING -i ens192 -p tcp --dport 22222 -j ACCEPT # SSH
-A PREROUTING -i ens192 -j DNAT --to 192.168.42.2
:INPUT ACCEPT [0:0]
: POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o ens192 -j MASQUERADE
-A POSTROUTING -s 192.168.43.0/24 -o ens192 -m policy --dir out --pol none -j MASQUERADE
COMMIT

On rebooting, I discovered my guess was wrong; however - when connecting my router to the VPN, I have no Internet access at all.
I am very wary of abusing your generosity of time and expertise, and that of other members; but I wonder if you would mind please giving any final pointers to make this work for me? or another member? I really would be very grateful indeed.
Thank you
Doug

[p.H]

The rules in the FORWARD chain do not allow the forwarded connections from the ethernet interface to the ppp interface. You need either to delete the last rule (DROP) or insert this rule before :

Code: Select all

iptables -A FORWARD -i ens192 -o ppp+ -j ACCEPT

[kingqueen]

Thank you!
I commented out the DROP instruction and rebooted, however I am still unable to access anything on the Internet via the VPN. Traceroutes work:

tracert 208.67.220.220

Tracing route to resolver2.opendns.com [208.67.220.220]
over a maximum of 30 hops:

1 3 ms 3 ms 4 ms KQ-SYNOLOGY [192.168.1.1]
2 36 ms 44 ms 35 ms 136.22.68.129
3 41 ms 36 ms 34 ms 72.14.216.106
4 36 ms 35 ms 37 ms 74.125.242.113
5 39 ms 43 ms 35 ms lonap.rtr1.lon.opendns.com [5.57.80.198]
6 40 ms 32 ms 35 ms resolver2.opendns.com [208.67.220.220]

Trace complete.

But nothing actually works. All connection attempts time out; Web, Mail, FTP, everything I attempt to do.

If I comment out the PREROUTING instructions I added (in bold in an earlier message in this thread) the VPN goes back to working, but the port forwarding obviously doesn't work.

All the best and thank you

[p.H]

IPSec packet handling is tricky, try to add this rule before DNAT :

Code: Select all

iptables -t nat -A PREROUTING -i ens192 -p udp --dport 1701 -j ACCEPT # L2TP

Note : I am not sure # comments are allowed at the end of lines in iptables.rules.

[kingqueen]

p.H, you utter genius, you've done it.
I can connect via VPN, get the static IP and then port forwarding Just Works.
I quote my iptables.rules below in case it may benefit anybody else is in a similar position.
I am incredibly grateful; I recognise your time and expertise that has made this work for me.
I would love to donate some money, to you or to a charity of your choice - could you let me know which?
Thank you!

Code: Select all

# L2TP/IPSEC with Port Forwarding
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i ens192 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o ens192 -j ACCEPT
-A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
-A FORWARD -d 192.168.43.0/24 -i ens192 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.43.0/24 -o ens192 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i ens192 -p ah -j ACCEPT
-A PREROUTING -i ens192 -p esp -j ACCEPT
-A PREROUTING -i ens192 -p udp --dport 500 -j ACCEPT
-A PREROUTING -i ens192 -p udp --dport 4500 -j ACCEPT
-A PREROUTING -i ens192 -p tcp --dport 22222 -j ACCEPT
-A PREROUTING -i ens192 -p udp --dport 1701 -j ACCEPT
-A PREROUTING -i ens192 -j DNAT --to 192.168.42.2
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o ens192 -j MASQUERADE
-A POSTROUTING -s 192.168.43.0/24 -o ens192 -m policy --dir out --pol none -j MASQUERADE
COMMIT

[sunrat]

You should use code tags rather than quotes for code type posting. It won't change certain characters to emojis!

[kingqueen]

Thank you; good point. I went for the Quote tag earlier because it allowed me to Bold certain lines, which the Code tag didn't.
I've replaced that Quote with Code.

[p.H]

I quote my iptables.rules below in case it may benefit anybody else is in a similar position.

One comment about the ruleset : since you removed the final DROP rule in the FORWARD chain whose default policy is ACCEPT, the ACCEPT rules in the FORWARD chain are useless.

I would love to donate some money, to you or to a charity of your choice - could you let me know which?

Thank you for your kind offer, but I participate to this forum and others in my spare time as a hobby, learning things in the process is enough as a reward. If you like you can donate to the charity of your choice on my behalf, or to this forum (if they accept donations), Debian, a free software project or service you appreciate...

[kingqueen]

One comment about the ruleset : since you removed the final DROP rule in the FORWARD chain whose default policy is ACCEPT, the ACCEPT rules in the FORWARD chain are useless.

oh well, it seems to work, so I'll let sleeping dogs lie, imperfect code can be subsumed to practicality

Thank you for your kind offer, but I participate to this forum and others in my spare time as a hobby, learning things in the process is enough as a reward. If you like you can donate to the charity of your choice on my behalf, or to this forum (if they accept donations), Debian, a free software project or service you appreciate...

I'll pay your kindness forward in some way Thanks again.