When running self-hosted services like Git, it's possible to forward non-standard ports such as :10022, so that your Git address might be ssh://git@git.sebastientaggart.com:10022/sebastientaggart/my-project.git. This works fine, but using a non-standard port brings several annoyances, including port blocking on public networks, the need for extra documentation, and a simple degradation of aesthetics.
This use case assumes you are running ufw on one server listening on :22 that will proxy that traffic back to the non-standard port on a second server.
Edit this file: sudo vi /etc/ufw/before.rules, adding:
# nat table rules go above the *filter section of before.rules. DNAT to another host
# also requires kernel forwarding: net.ipv4.ip_forward=1 (see /etc/ufw/sysctl.conf).
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Forward traffic from this server (1.1.1.1:22) to a remote server (2.2.2.2:10022)
-A PREROUTING -i eth0 -d 1.1.1.1 -p tcp --dport 22 -j DNAT --to-destination 2.2.2.2:10022
# Rewrite the source so the remote server's replies come back through this host
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
Change the 1.1.1.1 and 2.2.2.2 placeholders. The first IP is that of the server itself. The second is the IP of the target server.
Reload with sudo systemctl restart ufw. Verify your settings with: sudo iptables -t nat -L -n -v
After completing, port :22 will forward to :10022 on the remote server. Your Git addresses would now look like: ssh://git@git.sebastientaggart.com/sebastientaggart/my-project.git
Modifying Existing Rules
Flushing all iptables rules with sudo iptables -F is too destructive for most situations. Instead, it's safer and better to list existing rules and delete them individually as needed:
iptables -t nat --line-numbers -L -n -v
The key is --line-numbers, which are used as the reference when passing the -D (delete) command, like so:
iptables -t nat -D PREROUTING 2
(This would delete the 2nd rule in the PREROUTING chain.)
The instructions in the previous section assumed that we were adding rules to /etc/ufw/before.rules for the first time. However, if changes are made to existing rules, systemctl restart ufw will add the modified rules without removing the old ones. It's necessary to remove the old rules with -D.
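Reading the rule number off the listing by eye is error-prone when the PREROUTING chain holds several DNAT rules, and deleting the wrong one breaks a working forward. The following is an added example (not from the original post) that finds the number of the DNAT rule matching a given destination port and --to-destination and builds the exact -D command; the chain listing here is constructed to match the iptables output format, not captured from the author's server.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat --line-numbers -L PREROUTING -n -v` output.
SAMPLE_PREROUTING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       10   600 DNAT       tcp  --  eth0   *       0.0.0.0/0            1.1.1.1              tcp dpt:8080 to:2.2.2.2:80
2       42  2520 DNAT       tcp  --  eth0   *       0.0.0.0/0            1.1.1.1              tcp dpt:22 to:2.2.2.2:10022
3        0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            1.1.1.1              tcp dpt:443 to:2.2.2.2:8443'

# find_dnat_rule_num <dport> <to-destination>
# Reads a --line-numbers chain listing on stdin and prints the rule number of the
# DNAT rule whose "dpt:" and "to:" fields both match. Prints nothing if no rule matches,
# so callers can tell "absent" apart from "rule 1".
find_dnat_rule_num() {
    awk -v dport="dpt:$1" -v dest="to:$2" '
        # Only numbered rule lines (skip the "Chain" and "num" header lines).
        $1 ~ /^[0-9]+$/ && $4 == "DNAT" {
            hp = 0; hd = 0
            for (i = 5; i <= NF; i++) { if ($i == dport) hp = 1; if ($i == dest) hd = 1 }
            if (hp && hd) print $1
        }'
}

# dnat_delete_cmd <dport> <to-destination>
# Prints the iptables -D command for the matched rule instead of executing it,
# so the operator can review the rule number before removing anything.
dnat_delete_cmd() {
    num=$(find_dnat_rule_num "$1" "$2")
    [ -n "$num" ] || return 1
    printf 'iptables -t nat -D PREROUTING %s\n' "$num"
}

# Demonstration: locate the :22 -> 2.2.2.2:10022 forward from the post.
# On a live host, replace the printf with: sudo iptables -t nat --line-numbers -L PREROUTING -n -v
printf '%s\n' "$SAMPLE_PREROUTING" | dnat_delete_cmd 22 2.2.2.2:10022
```

Run the printed command only after checking that the number corresponds to the rule you intend to replace; rule numbers shift after each deletion, so re-list before deleting a second one.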