How do I port forward my linode:8080 to my home isp:8080?
I have some services running on some servers at my home.
I have a linode account.
I want to port forward my linode port XXXX to my home IP address port YYYY.
I have a DDNS address for my home and plan to get another one for my linode.
Regards, Chuck
3 Replies
✓ Best Answer
In my opinion, the best way to do this would be connecting your Linode and your computer at home over a VPN, then using a firewall on your Linode to forward incoming requests on one port to the VPN IP address where your home computer can be reached. This would allow your servers at home to be accessible via your Linode IP address.
There are two things you could be aware of with this approach. First, your home server will need to route all its internet access through your Linode in order for this to work properly. Second, you will have increased latency, since you're sending the data through one server in one location, which sends it to another server in another location. This could potentially double the latency for your users, or more. It should work aside from these two things, though; I've used this approach with success before.
There should be plenty of guides on the internet about setting up a VPN for forwarding internet traffic through a server, and guides on setting up a firewall for port forwarding.
If you want to use IPv6 in the same fashion, I believe the concepts will be similar, though you could get a /64 from Linode and route it through your VPN to take some of the port forwarding complexity out of your setup for IPv6. I've done this, and again, routing IPv6 internet traffic over the VPN seems to be the only way this will work correctly, also.
Good luck,
Blake
"First, your home server will need to route all its internet access through your Linode in order for this to work properly."
Hi, Blake:
Thank you for your suggestion.
However, routing all my home internet traffic through my linode is not acceptable.
Regards, Chuck
You'll need to tunnel the connection, like a VPN would, so that the source IP of packets from the internet arriving at the VPS is preserved as they get forwarded to the home port (or your home services will just reply only to the VPS rather than reply to the clients through the VPS).
Which means you need software at both ends to wrap/unwrap the packets like VPN software using a VPN protocol would. Except just for one port rather than the entire connection like you want. You could find some Python script on GitHub for testing, since Python will run in plenty of different OSes easily.
Additionally you'll need 3 (or more, depending on how secure you want it) iptables rules to do the NATing and forwarding.
A nat PREROUTING rule, a FORWARD rule, and POSTROUTING MASQUERADE rule. Incoming filtering would best be done before nat PREROUTING, like at raw or mangle PREROUTING and more filtering can also be done at FORWARD before accepting anything in FORWARD. So barebones, not secure by itself rules would look something like:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.2:8080 (10.0.0.2 being whatever local IP networking the wrapper software is configured to use)
iptables -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Again you should make these more granular for more security. Rules to DROP stuff go above what you ACCEPT. You can have FORWARD accept only port 8080 packets and drop everything else for example.
Lastly on the home end you'll need to make sure packets going out to the vps are sent from the wrapper/vpn too. This could involve just a single iptables port REDIRECT rule to redirect from service port to wrapper port.
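One way to tighten the barebones rules from the last reply, as an added example that is not part of the thread: a POSIX shell script that validates its inputs and prints a VPS-side ruleset forwarding a single TCP port into the tunnel, with FORWARD dropping everything else. The interface names eth0 and wg0, the tunnel address 10.0.0.2 and port 8080 are assumptions (wg0 in particular does not appear in the thread).

```shell
#!/bin/sh
# Prints (does not apply) a tightened VPS-side ruleset for one forwarded TCP port.
# eth0, wg0, 10.0.0.2 and 8080 below are assumed values; substitute your own.

valid_port() {   # decimal, 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_if() {     # interface name: short, no shell or iptables metacharacters
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

valid_ipv4() {   # dotted quad, each octet 0..255
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# usage: emit_vps_rules PUBLIC_IF TUNNEL_IF PUBLIC_PORT HOME_TUNNEL_IP HOME_PORT
emit_vps_rules() {
    pub_if=$1 tun_if=$2 pub_port=$3 home_ip=$4 home_port=$5
    valid_if "$pub_if" && valid_if "$tun_if" || return 1
    valid_port "$pub_port" && valid_port "$home_port" || return 1
    valid_ipv4 "$home_ip" || return 1
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $pub_if -p tcp --dport $pub_port -j DNAT --to-destination $home_ip:$home_port
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $pub_if -o $tun_if -p tcp -d $home_ip --dport $home_port -m conntrack --ctstate NEW -j ACCEPT
EOF
}
# No MASQUERADE here: conntrack rewrites replies of DNATed connections, and
# FORWARD lets the home host open no new connections through the VPS.

emit_vps_rules eth0 wg0 8080 10.0.0.2 8080
```

Review the printed commands before running them as root on the VPS; the FORWARD policy applies to all forwarded traffic on that host, not only to this port.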