✓ Solved

Forward traffic to my Linode port to my home VirtualBox

I have an application that runs on Ubuntu 14.04, and has not been ported to newer Ubuntu versions. It used to be hosted on my Linode node, but now that node is not running 14.04 and I don't think I can switch back.

I have a VirtualBox on my home machine and it is running 14.04 and the application.

The numeric (v4/v6) addresses for the Linode are published and I want to continue to provide service at those addresses.

So, I thought I could use iptables to forward traffic arriving to my Linode to my VirtualBox.

For documentation, these are the addresses to work with:

Linode: [2001:DB8:9AFE::123]:6789
203.0.113.456:6789

VirtualBox: [2001:DB8:3759::456]:6789
192.168.1.123:6789

The VirtualBox v4 address is behind the provider's NAT, so I don't really see a way to forward packets to it.

I think that Linode does not allow v6 packets to be forwarded.

Thus, I think I am SOL on this plan. Does anyone have an idea that I missed? I would love to have a magic iptables command that makes things go.

I think I have the oomph to write a small forwarding program to run on the Linode, but I hoped to solve the problem at the configuration level.

Thanks.

3 Replies

✓ Best Answer

> VirtualBox: [2001:DB8:3759::456]:6789
> 192.168.1.123:6789

As I pointed out here:

https://www.linode.com/community/questions/22626/cant-ping-nodes-with-private-ip

these IP addresses belong to networks that are not routable. In particular, the IPv6 address is part of the network that is for documentation and example source code (RFC3849)…so it’s not even for operational use (this makes the IPv6 traffic on your home LAN very secure).

> The VirtualBox v4 address is behind the provider's NAT, so I don't really see a way to forward packets to it.

More likely both the addresses are behind a home wifi router. Also, the IP addresses of your router are dynamically allocated by your ISP so you can't count on the router having the same IP address after a DHCP lease renewal.

> Thus, I think I am SOL on this plan.

That would be my assessment as well.

Spin up a nanode with Ubuntu 14.04 on it and run your app there. Linode won't care. Ubuntu won't care. Canonical extended the support life for 14.04 and 16.04 to 10 years:

https://ubuntu.com/blog/ubuntu-14-04-and-16-04-lifecycle-extended-to-ten-years

so you'll still be able to get patches & security updates for it.

-- sw

Thank you Steve. To amplify your thoughts for other readers, documentation addresses are specified in RFC3849, and should be used in documentation, but never used in live networks. I use them in threads such as this, when I want to protect my actual network addresses.

Actually, git@github.com:a-mcintosh/git-an-IPv6.git produces the fd::/8 addresses (RFC4193) from the git commit ID. This is useful when I want a few VirtualBoxes to talk to each other without eavesdroppers, and Steve's comments about routability apply to them as well.

I did spin up a 14.04, and everything on it is a go. The problem is that the Linode addresses are still receiving incoming traffic, and I want a way to respond to that traffic, or to have a 14.04 Linode.

> I did spin up a 14.04, and everything on it is a go. The problem is that the Linode addresses are still receiving incoming traffic, and I want a way to respond to that traffic, or to have a 14.04 Linode.

See here:

https://linuxconfig.org/how-to-turn-on-off-ip-forwarding-in-linux

Once you set the magic sysctl parameter, you can do this with iptables.

However, this method, while relatively easy, has a caveat…depending on the nature of the traffic on port 6789 between the two nodes, forwarding it using iptables does not do so in a secure manner. You might look at setting up an ssh tunnel to handle this:

https://www.howtouselinux.com/post/exploring-ssh-port-forwarding-with-examples

You should make the tunnel two-way so the server can reply in a secure manner as well.

Actually, I would probably use a combination of the two:

  • Use iptables to forward inbound/outbound traffic on port 6789 to the Linode's private IP address. The private IP address is an address in 192.168.0.0/16 (so not routable).
  • Set up the tunnel between the two Linodes using the two private IP addresses as the endpoints.

This keeps the traffic between the two Linodes secure and unroutable.

You have lots of alternatives here…

-- sw
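
The two approaches from the answer above, written out as an added example (not code from the thread or its participants): a dry-run script that prints the sysctl and iptables commands for plain forwarding, then the iptables plus SSH tunnel combination. It covers IPv4 only; the private addresses, the `tunnel` login, and the application listening on 127.0.0.1 on the back-end Linode are assumptions.

```sh
#!/bin/sh
# Dry run: prints commands, changes nothing. Port 6789 is from the thread;
# the private addresses and the "tunnel" user are constructed placeholders.
PORT=6789
FRONT_PRIV=192.168.128.10   # Linode that owns the published address
BACK_PRIV=192.168.128.20    # Ubuntu 14.04 Linode running the application

# Succeed only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single interior dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                               # split into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Plain forwarding: sysctl plus iptables NAT. Nothing here encrypts the traffic.
# MASQUERADE makes replies return via the front Linode (the app sees its IP).
emit_iptables_forward() {   # $1 = back-end address, $2 = port
    valid_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp --dport $2 -j DNAT --to-destination $1:$2
iptables -t nat -A POSTROUTING -p tcp -d $1 --dport $2 -j MASQUERADE
iptables -A FORWARD -p tcp -d $1 --dport $2 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Combination: ssh listens on the front private IP and carries the port to the
# back end; iptables hands traffic arriving on the published address to it.
emit_ssh_tunnel() {   # $1 = front private IP, $2 = back private IP, $3 = port
    { valid_ipv4 "$1" && valid_ipv4 "$2"; } || { echo "bad address" >&2; return 1; }
    cat <<EOF
ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L $1:$3:127.0.0.1:$3 tunnel@$2
iptables -t nat -A PREROUTING -p tcp --dport $3 -j DNAT --to-destination $1:$3
EOF
}

echo "# Option 1: plain forwarding, port $PORT crosses the network in the clear"
emit_iptables_forward "$BACK_PRIV" "$PORT"
echo "# Option 2: iptables plus an SSH tunnel between the private addresses"
emit_ssh_tunnel "$FRONT_PRIV" "$BACK_PRIV" "$PORT"
```

The address check rejects `203.0.113.456` as written in the question, since 456 is not a valid octet, so substitute real addresses before running any printed command.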
