Forwarding a port from one machine to another For MC

Odd problem here and new to forums.
Spectrum sucks as a provider and can’t see 1 of my 2 linux servers so no direct port forwarding, as such I tried ip tables command on the machine it can see to set up the portforwarding accordingly.
sudo iptables -t nat -A PREROUTING -p tcp --dport 25566 -j DNAT --to-destination
But that didn’t work.
I found another post that said nginx proxy can’t do this but idk i’m lost I just want to open my server to my fellow internet humans.

It doesn’t work because that only rewrites the packet destination IP, before sending out the packet to LAN.

To have a connection, you need the second server to respond via the first, and not to the router directly.

What’s happening is that the second server is trying to answer the connections, by sending packets back to the internet through your local router… and your local router is confused, … it sees the reply from your second server that it didn’t ask anything, so that’s ignored.

There’s many ways to solve this:

You could additionally SNAT or MASQUERADE those packets on the first server, so the second server thinks the connection is being initiated by the first server, instead of some internet machine, and will reply to it.

There’s routing tricks and dscp/tos packets, tunneling and all other kinds of stuff.

But more simply, what router has spectrum given you? How come you can’t forward 25566 to .80 directly?

Also, you can absolutely proxy, that’s what stream stanzas are for in nginx, it’s just more complicated.

Spectrum’s horrible app doesn’t allow portforwarding if it can’t see the device. But It can see my other Ubuntu server no problem and nginx can forward things to server 2 with no problem but I will try looking at these commands.
EDIT: The router that spectrum provided doesn’t allow local setting access only anymore leaving only their app that won’t allow even the slightest of advanced settings to be setup.

Spectrum has an app for this?

You should put your modem into bridge mode and get a decent router, it’ll probably work a thousand times better.

1 Like

I mean the best solution would be I guess to figure out why spectrum can’t see my 2nd server but I tried for 2 months with spectrum and they just say Linux isn’t supported.

Can’t do that with the modem they provided would have to buy one.

Unfortunately I can’t seem to get it work. Just my luck I guess. I’ll keep trying. Your description of what is happening is great and gave me some new info, however the commands arnt working for me or I can’t figure out the syntax for the correct settings.

I think something like this

iptables -t nat -A POSTROUTING -d -j MASQUERADE

should do it.

You’d also need to enable forwarding sysctl -a | grep ipv4.*forward will help you find the setting, not sure about the exact spelling.

(Typed the above from memory, can verify in an hour or two)

You’d probably be better off in the long run doing this, to be honest. Plus, you no longer have to pay the modem rental fee.

The other option is that you can sometimes get the provider to give you a dumb modem or put your modem into a dumb mode.

Then you can put your own router in between their network and yours that can handle all the port forwarding for you.

So my guess is that spectrum can’t see your server because you’ve set your server to use a static ip address in the server itself instead of setting a static ip address in your router.

The components in your networking chain typically are: isp → modem → router → internal/private devices

I’m now going to go into a detailed explanation of all of the parts in this process, but it’s going to be a lot of information so feel free to skip to the Suggestion sections at the end and only read the rest if you’re curious or confused about anything.

So what is a modem, and what is a router?
A modem is the device that translates the data from your isp’s format to ethernet, so in the case of spectrum it’s the device that is connected to the cable line.

A router is the bridge between a public network (internet) and a private network (home), or another way to look at it is that it takes one ip address and turns it into many local addresses. This means it routes public devices to private devices. Typically this is where you configure things like port forwarding or firewall rules because it’s the only thing the internet directly talks to.

But I only have one box that the isp gave me, why are you talking about two?
The modem that the isp provides is generally both a modem and router, so if your server is connected to the same box that connects to the cable line I would expect that you want your modem to act as both a modem and a router.

Ok, but why does that affect connecting to my device?
So the way we connect to devices on the internet is by using an ip address, this is used somewhat like how your mailing address is used to get mail to you. The thing is that there’s a limited number of ip addresses and we’re running out of the most common type of address (ipv4). This means that your isp will only assign you a small number of those addresses, generally in the range of 1-3, and will ignore devices attached after they reach the limit. Turns out that these days most people want more than one device connected to the internet so that is where your router comes in. Your router takes the one ip address that your isp assigns to you and becomes the point of communication between you and the internet.

Then how do things from the internet talk to things on my network if the only thing the internet knows about is the router?
Your router assigns each device that’s connected to it what is known as a private ip address. These are specific ranges of addresses that are reserved for private networks, on most home networks you’ll see 192.168.x.x addresses, on most corporate networks you’ll see 10.x.x.x addresses, but some home routers also assign a 10.x.x.x address. Then the router typically uses a process known as NAT (network address translation) to decide which private ip address a connection from the internet should talk to.

How does NAT work?
The way this works is that your device sends a packet to a public ip address, which we’ll think of as a letter. When it sends the letter it puts a return address on the envelope, it will put its own private ip address as that return address along with the port that it expects to receive the data on (think of the port like an apartment/suite number). Now the problem with using a private ip address is that there’s no way for a private address to be reached from the internet. So your router intercepts the letter and it makes a note of who you were sending the letter to and what your return address is. Then it replaces the return address on the envelope with its own public address and a random apartment number (port) and sends it on its way. A little while later it gets a letter. It checks the incoming letter and compares the address and the return address to its notes. It then sees that the suite number the letter is getting sent to matches one of the random suite numbers it gave out, and that the return address matches with who it gave that suite number out for. So now it knows that this letter is a reply to the letter your device sent out and the router gives your device the letter to the original suite number that had been requested as the return address.

It sounds like NAT has nothing to do with port forwarding?
That’s true, port forwarding actually bypasses the entire NAT step. The important thing to note about NAT is that it only allows data to reach a private device if the data is in reply to a request from that private device. NAT by itself isn’t very useful if you want something to connect to a private device from an address on the internet that you don’t already know about. That’s where port forwarding comes in, port forwarding tells the router to always use a specific port to map incoming data to a specific private ip address and port. Or to word it a little differently, whenever someone else connects to your public ip address at that port they actually get connected to your private device at the forwarded port.

Suggestion 1: Don’t set a static ip address on your server
Ideally you want to setup port forwarding for your server, unfortunately your router doesn’t seem to be able to “see” your server to allow you to set it up. Likely this means your server is using a static ip address that wasn’t assigned to it by the router itself. So the first thing you’ll have to do is tell your server to stop using a static ip address. Depending on your distribution this could be done in a /etc/dhcpcd.conf file, a /etc/networks/interfaces file, or in the network manager, without knowing more about your setup I can’t really tell you more than that. Then when you remove the static ip configuration a quick reboot should result in your router assigning you a new ip address. At this point if you go to setup a port forward the router should be able to see your server. I would also suggest trying to setup a static ip address for the server in the router if it lets you set that.

Suggestion 2: Get a dedicated router
If you truly cannot get the router to let you port forward, the next option is to get a dedicated router instead of using the built in one on the modem. Before you buy a router you need to make sure you can set the modem to bridging mode. Bridging mode basically just turns off the router portion of your modem and let’s devices connected to the modem get a public ip address directly from the isp. One important thing to note is that when you turn bridging mode on you probably do not want any device other than another router to be connected directly to the modem because if there is not a router in-between your device and the isp, anyone can see that device and try to connect to it/hack into it/whatever. So if you were to get a dedicated router, your devices would plug into the router, then the internet port on the router would have an ethernet cable going from the router to the modem, and that would be the only ethernet cable plugged into the modem. You would then enable bridging mode on the modem and setup port forwarding on the dedicated router.

Suggestion 3: Use a tunneling service
As mentioned in a previous comment there are ways to take advantage of NAT to connect two private devices together. This generally works by having two computers (or more) talk to a server that then modifies the data to convince the computers to talk to each other instead of the server. Depending on network setups this sometimes doesn’t work, but usually it will. In the odd case that it doesn’t these services tend to have a fallback in which you continue to just send the data to the server and the server proxies the connection between the computers. Back in the day a lot of people used hamachi to do this. I won’t personally recommend hamachi just because I don’t really know how trustworthy it is, but it’s the only one I know off the top of my head. Just note there could be newer and better services out there than it.

Suggestion 4: Setup your own vpn
If you can’t port forward you probably won’t be able to setup a vpn server on your local network, but what you can do is setup one in a cloud server provider like linode. Then you could have your local server and the computers that want to connect to it all connect to the vpn in the cloud. Once all of the computers are connected to the vpn they should each have their own ip address from the vpn. At this point you would just have them all connect to whatever vpn ip address was assigned to the local server. Essentially the vpn would make it seem like all of the computers connected to it are on a local network.

I’ve found a program called tailscale so I can let trusted people login to this wireguard implementation and join so it’s an easy temp solution.
But the router spectrum gave me is the SAC2V2S only access to settings is through their app with no manual input for selecting an ip to portford to. I’m decently advanced and willing to brick an os with random settings changes to test stuff.


Might be a pi project for me.

They charge me 5 USD for it every month but they return 6 because I complained about install charges being 500 USD so i’ve never paid for it.
But I should get a real router or router modem combo doesn’t need wifi can do that with something else.

Wait does this command do exactly?


adds a rule that’ll match on packets going out to server2, and will overwrite the source IP address with it’s own; causing server2 to reply to/through server1.

Why POSTROUTING? Try running iptables-save and compare what you have to the

simplified iptables diagram

normally, when port forwarding on a Linux router, you’d just need DNAT, because replies will get routed from the host to hosts gateway, here you need both DNAT and SNAT/MASQUERADE to make replies flow through server1 ; or you need to configure gateway for server2 to be server1… ; or use ip rule and multiple routing tables on server2

I hadn’t seen tailscale before but it looks really neat, seems like a more modern version of hamachi and I might actually have to start using it some

I hate hamatchi lol I don’t know why.

iptables -t nat -A POSTROUTING -d -j MASQUERADE

So this command sends all the packets from xx.1.80 to the gateway correct? is there a reason a port isn’t needed?

:slight_smile: no.

It makes sure replies from forwarded connections come back the same path connection request came from.

Which is what you want… In addition to DNAT you were already doing originally to redirect packets.