Two machines: the client, which is the machine that forwards, and the server, which hosts the website. With the firewall disabled, it works as expected.
A default set of rules, such as the simple_firewall.rules file included with Arch, may look as follows:
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
I then added the following rule on the client and server to enable SSH:
Code:
sudo iptables -I INPUT -p tcp -i eno1 --dport 22 -m state --state NEW -j ACCEPT
And the following rule on the client to allow connections to HTTPS port 443:
Code:
sudo iptables -I INPUT -p tcp -i eno1 --dport 443 -m state --state NEW -j ACCEPT
Then set up forwarding as follows:
Code:
sudo ssh -L '*:443:<SERVER>:8384' <USER>@<SERVER>
In this case, I'm redirecting 443 (HTTPS port) to 8384 (Syncthing web management port). Works successfully. The issue lies somewhere in your firewall configuration on either machine, depending on what the error is. Note that I've used -I to prepend the rules to the top of the INPUT chain, so it may be that you have a rule that is overriding the one you've added. You don't want a forwarding rule in iptables, as the forwarding isn't taking place there. You should just need an accept rule as above, and on the server a rule set that will allow the local connection.
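The ordering point made above (prepending with -I versus appending with -A) can be checked without touching a live firewall. The following is an added example, not code from the poster or from Arch's simple_firewall.rules; it is a small first-match simulator for the INPUT chain shown in the post, supporting only the match options those rules actually use (-p, -i, --dport, --state/--ctstate). The interface name eno1 and ports 22/443 are taken from the post; the packets fed through it are constructed test inputs. It shows that the SSH ACCEPT rule only takes effect when it sits above the blanket "-p tcp -j REJECT" line, which is why -I is used.

```python
"""First-match simulator for the iptables INPUT chain quoted in the post.

Added example; it models only the options used by those rules and ignores
conntrack internals (the packet's state is supplied directly as a field).
"""
from dataclasses import dataclass
from typing import Optional

# The -A lines of the default ruleset from the post, in chain order.
BASE_RULES = [
    "-A INPUT -p icmp -j ACCEPT",
    "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -p tcp -j REJECT --reject-with tcp-reset",
    "-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable",
    "-A INPUT -j REJECT --reject-with icmp-proto-unreachable",
]

# Rule specs from the post (the part after "iptables -I INPUT").
SSH_ACCEPT = "-p tcp -i eno1 --dport 22 -m state --state NEW -j ACCEPT"
HTTPS_ACCEPT = "-p tcp -i eno1 --dport 443 -m state --state NEW -j ACCEPT"


@dataclass
class Packet:
    """Constructed packet summary: just the fields the rules above look at."""
    proto: str
    dport: Optional[int] = None
    iface: str = "eno1"
    state: str = "NEW"


def parse_rule(spec: str) -> dict:
    """Turn an iptables rule spec into a dict of match criteria plus target."""
    rule = {"proto": None, "iface": None, "dport": None, "states": None, "target": None}
    tokens = spec.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-A", "-I", "-m"):        # chain name / match module name
            i += 2
        elif tok == "-p":
            rule["proto"] = tokens[i + 1]; i += 2
        elif tok == "-i":
            rule["iface"] = tokens[i + 1]; i += 2
        elif tok == "--dport":
            rule["dport"] = int(tokens[i + 1]); i += 2
        elif tok in ("--state", "--ctstate"):
            rule["states"] = set(tokens[i + 1].split(",")); i += 2
        elif tok == "-j":
            rule["target"] = tokens[i + 1]; i += 2
        else:                                # e.g. --reject-with <type>: not a match
            i += 1
    return rule


def matches(rule: dict, pkt: Packet) -> bool:
    """Every criterion set on the rule must match the packet."""
    return (
        (rule["proto"] is None or rule["proto"] == pkt.proto)
        and (rule["iface"] is None or rule["iface"] == pkt.iface)
        and (rule["dport"] is None or rule["dport"] == pkt.dport)
        and (rule["states"] is None or pkt.state in rule["states"])
    )


def evaluate(rules, pkt: Packet, policy: str = "DROP"):
    """Walk the chain top to bottom; the first matching rule decides.

    Returns (target, index) or (policy, None) if nothing matched.
    """
    for idx, spec in enumerate(rules):
        rule = parse_rule(spec)
        if matches(rule, pkt):
            return rule["target"], idx
    return policy, None


def with_rule(base, spec: str, prepend: bool):
    """Model 'iptables -I INPUT <spec>' (prepend) or '-A INPUT <spec>' (append)."""
    return [spec] + list(base) if prepend else list(base) + [spec]


if __name__ == "__main__":
    ssh = Packet("tcp", 22)
    for label, chain in (
        ("no SSH rule   ", BASE_RULES),
        ("-I (prepend)  ", with_rule(BASE_RULES, SSH_ACCEPT, prepend=True)),
        ("-A (append)   ", with_rule(BASE_RULES, SSH_ACCEPT, prepend=False)),
    ):
        target, idx = evaluate(chain, ssh)
        print(f"{label} new TCP/22 on eno1 -> {target} (rule #{idx})")
```

The appended variant still rejects new SSH connections because the packet hits the generic "-p tcp -j REJECT" rule before it ever reaches the ACCEPT at the bottom; that is the "rule overriding the one you've added" situation to look for with `iptables -S INPUT` or `iptables -L INPUT --line-numbers` on a real host.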