NAT or IP Port forwarding from container

Hi

I want to access a local web server behind Balena OS using the public URL provided by Balena.

Setup
Device with webserver (192.168.100.20) ----- (192.169.100.1) eth0 Balena : Balena wlan0 (DHCP dynamic IP) ----- local wifi ---- internet ---- browser

Can someone please guide on how we can achieve NAT/port forwarding? I tried a software approach wherein a simple Java socket program binds to the incoming socket and opens another TCP connection in the forward direction, but this is very slow (I need to deploy this on a Raspberry Pi 3).

This works perfectly fine on Raspbian using iptables -j DNAT.
iptables -A PREROUTING -t nat -i wlan0 -p tcp --dport 80 -j DNAT --to 192.168.100.20:8080
iptables -A FORWARD -p tcp -d 192.168.100.20 --dport 8080 -j ACCEPT

However, on Balena OS, DOCKER rules take precedence

Hi, if you mean port-forwarding within the container, we have a way to do so in the docs.
Otherwise, could you be a bit more specific about what you’re trying to achieve? As in - what do you need port forwarding for, where from and where to?

Re-reading your post though, I forgot to mention that if you need to expose ports for some reason, you can do so also following the networking docs here

Thanks for reverting, but iptables -t nat does catch filter as it is overruled by DOCKER. Hence iptables cannot be used to achieve what I am seeking - well, unless you play with DOCKER. But disturbing DOCKER for this is not an intent.

No issue with the public URL. It works perfectly fine. The question is about IP forwarding (NAT), not just port translation. I am able to do so using a Java program running in a container on Balena OS, but for obvious reasons it is slow (software opening multiple sockets and threads). There has to be some simpler way to achieve this.

I am able to solve the problem by blocking packet forwarding to Docker (remove all iptables rules related to Docker and then customize them):

iptables -t nat -F PREROUTING

iptables -t nat -A PREROUTING -i resin-vpn -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.100.20:8080

Thanks for sharing, I’m glad you managed to find a solution!

Hi all,
I am trying to achieve the same (reaching an IP camera with a web interface through the public device URL). Unfortunately, forwarding with iptables as described does not work for me. I deleted all PREROUTING and DOCKER rules from the tables and added the DNAT rule to forward from the resin-vpn interface to the IP of the camera. However, I am either getting the NGINX welcome page or an ERR_EMPTY_RESPONSE.
Can somebody help me with this?

Got it working finally.
In the end I needed these rules to be set:

iptables -t nat -A PREROUTING -i resin-vpn -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.100
iptables -A FORWARD -d 192.168.0.100 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -o resin-vpn -j ACCEPT
iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE

The missing puzzle piece was to take care of the route back from the device by setting the POSTROUTING rule.
Also I didn’t have to change anything regarding the DOCKER rules, probably because my containers are running in host mode.

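The four rules from the post above, packaged as an idempotent script so they can be re-applied after a reboot without duplicating entries. This is an added example, not code from the thread or from balena; it assumes the same names as the post (resin-vpn as the balena VPN interface, enp2s0 as the wired interface towards the camera, 192.168.0.100 as the camera, port 80), all overridable via environment variables, and it must run as root on the host (or in a container with host networking and NET_ADMIN).

```shell
#!/bin/sh
# Added example (not from the thread): apply the DNAT + FORWARD + MASQUERADE
# rule set for balenaOS idempotently. Assumed defaults, override via env:
#   VPN_IF  balena VPN interface the public device URL lands on (resin-vpn)
#   LAN_IF  interface towards the LAN device (enp2s0)
#   TARGET  LAN device to forward to (192.168.0.100)
#   PORT    TCP port to forward (80)
# Usage: sh fwd.sh apply      # install and verify (root on the host)
#        sh fwd.sh print      # dry run: list the rules
set -eu

VPN_IF="${VPN_IF:-resin-vpn}"
LAN_IF="${LAN_IF:-enp2s0}"
TARGET="${TARGET:-192.168.0.100}"
PORT="${PORT:-80}"

# Emit one rule per line as "<table> <chain> <match/target...>", without
# -A/-C, so the same text can be both checked (-C) and appended (-A).
build_rules() {
    vpn_if=$1; lan_if=$2; target=$3; port=$4
    # 1. Connections arriving from the VPN on $port are rewritten to the LAN device.
    echo "nat PREROUTING -i $vpn_if -p tcp -m tcp --dport $port -j DNAT --to-destination $target"
    # 2. Let the rewritten packets through FORWARD (the DOCKER jumps live there too).
    echo "filter FORWARD -d $target -p tcp -m tcp --dport $port -j ACCEPT"
    # 3. Let the replies travel back out through the VPN.
    echo "filter FORWARD -o $vpn_if -j ACCEPT"
    # 4. Source-NAT towards the LAN so the device answers to the balena host,
    #    which holds the conntrack entry needed to un-DNAT the reply
    #    (the "route back" that was missing in the thread).
    echo "nat POSTROUTING -o $lan_if -j MASQUERADE"
}

# Append each rule only if iptables -C says it is not already present.
apply_rules() {
    sysctl -q -w net.ipv4.ip_forward=1
    build_rules "$VPN_IF" "$LAN_IF" "$TARGET" "$PORT" | while read -r table chain rest; do
        # word-splitting of $rest into separate iptables arguments is intended
        if iptables -t "$table" -C "$chain" $rest 2>/dev/null; then
            echo "present: $table $chain $rest"
        else
            iptables -t "$table" -A "$chain" $rest
            echo "added:   $table $chain $rest"
        fi
    done
}

# Exit non-zero if any of the expected rules is missing from the live tables.
verify_rules() {
    build_rules "$VPN_IF" "$LAN_IF" "$TARGET" "$PORT" | while read -r table chain rest; do
        iptables -t "$table" -C "$chain" $rest || exit 1
    done
}

case "${1:-}" in
    apply) apply_rules && verify_rules && echo "all rules loaded" ;;
    print) build_rules "$VPN_IF" "$LAN_IF" "$TARGET" "$PORT" ;;
    *) ;;   # no argument: only define the functions (safe to source)
esac
```

Two things worth checking after `apply`: `cat /proc/sys/net/ipv4/ip_forward` must read 1, and `iptables -t nat -S PREROUTING` should list the DNAT rule before any DOCKER jump, otherwise Docker's own DNAT can still win for that port. Note that the DNAT rule exposes the LAN device to anyone who can reach the device URL; if the camera has no authentication of its own, narrow rule 1 with an `-s` source match where the VPN addressing allows it.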

Thanks @jakobsturm for posting the solution!

BTW welcome to the balena community!