Port Forwarding with iptables is not working

I have two servers:

server 1 with IP address 10.8.0.1

server 2 with IP address 10.8.0.6

I want server 2 to work as a proxy for a website that is hosted on server 1. So I use the following commands:

sudo iptables -t nat -A PREROUTING  -p tcp --dport 443 -j DNAT --to-destination 10.8.0.1:443

sudo iptables -t nat -A POSTROUTING -p tcp -d 10.8.0.1 --dport 443 -j SNAT --to-source 10.8.0.6

However, the above setup is not working as I cannot browse the website. Also, telnet 10.8.0.6 443 does not produce output.


I have an example of this working on my LAN, but based on the comments it might not solve your issue:

Web traffic coming from 192.168.111.122 for 192.168.111.136 gets forwarded to 192.168.111.1. Replies from 192.168.111.1 traverse the path in reverse, back to 192.168.111.122, which thinks the packets came from 192.168.111.136.

doug@s19:~/iptables/misc$ sudo tcpdump -n -tttt -i br0 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
2021-12-19 15:57:47.389745 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [S], seq 1692549099, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2021-12-19 15:57:47.389760 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [S], seq 1692549099, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2021-12-19 15:57:47.390055 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [S.], seq 1478028943, ack 1692549100, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2021-12-19 15:57:47.390062 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [S.], seq 1478028943, ack 1692549100, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2021-12-19 15:57:47.390301 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [.], ack 1, win 1026, length 0
2021-12-19 15:57:47.390306 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [.], ack 1, win 1026, length 0
2021-12-19 15:57:47.396847 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
2021-12-19 15:57:47.396852 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
2021-12-19 15:57:47.397080 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [.], ack 518, win 501, length 0
2021-12-19 15:57:47.397085 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [.], ack 518, win 501, length 0
2021-12-19 15:57:47.400934 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [P.], seq 1:1629, ack 518, win 501, length 1628
2021-12-19 15:57:47.400941 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [.], seq 1:1461, ack 518, win 501, length 1460
2021-12-19 15:57:47.400942 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [P.], seq 1461:1629, ack 518, win 501, length 168

The iptables rules are loaded via script on my test computer:

doug@s19:~/iptables/misc$ cat ask1382639
#!/bin/sh
FWVER=0.01
#
# ask1382639 Smythies 2021.12.18 Ver:0.01
#       See here:
#       https://askubuntu.com/questions/1382639
#
#       run as sudo on s19.
#
#       Note: These rules might need to be merged with
#       any existing iptables rules set.

echo "Loading ask1382639 rule set version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Smythies (for testing)

EXTIF="br0"
EXTIP="192.168.111.136"
REDIRECTIP="192.168.111.1"
NETWORK="192.168.111.0/24"
UNIVERSE="0.0.0.0/0"

#
# For the actual servers of the question
#
#EXTIF="UNKNOWN"
#EXTIP="10.8.0.6"
#REDIRECTIP="10.8.0.1"
#NETWORK="10.8.0.0/24" ASSUMED, ACTUALLY UNKNOWN
#UNIVERSE="0.0.0.0/0"


#CRITICAL: Enable IP forwarding since it is disabled by default
#
echo Enabling forwarding...
echo "1" > /proc/sys/net/ipv4/ip_forward

# Clearing any previous configuration
# Be careful here. I can do this on s19, but do not know
# about Admia's servers.
#
echo "  Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z

# First: redirect port 443 traffic to the other server.
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 443 -j DNAT --to $REDIRECTIP

# Second: The destination needs to know what IP address to reply to.
$IPTABLES  -t nat -A POSTROUTING -p tcp -o $EXTIF --dport 443 -d $REDIRECTIP -j SNAT --to $EXTIP

echo ask1382639 rule set version $FWVER done.

and:

doug@s19:~/iptables/misc$ sudo iptables -t nat -xvnL
Chain PREROUTING (policy ACCEPT 177 packets, 13129 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       6      312 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.111.1

Chain INPUT (policy ACCEPT 177 packets, 13129 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 3 packets, 252 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       6      312 SNAT       tcp  --  *      br0     0.0.0.0/0            192.168.111.1        tcp dpt:443 to:192.168.111.136

Chain OUTPUT (policy ACCEPT 3 packets, 252 bytes)
    pkts      bytes target     prot opt in     out     source               destination
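As an added diagnostic (my own example, not part of the answer's script), the following Python checker walks a tcpdump capture like the one in the answer and confirms that every packet entering the proxy has a correctly rewritten twin later in the capture, which is the pattern a working DNAT/SNAT pair produces. The addresses are the answer's test-LAN values; the sample lines are taken from that capture with the window and option fields trimmed.

```python
import re

# Constructed sample: lines from the answer's tcpdump capture (window and
# option fields dropped). On the bridge each pre-NAT packet is followed by
# its post-NAT copy, so the forward and reverse translations are visible.
SAMPLE = """\
2021-12-19 15:57:47.389745 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [S], seq 1692549099, length 0
2021-12-19 15:57:47.389760 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [S], seq 1692549099, length 0
2021-12-19 15:57:47.390055 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [S.], seq 1478028943, ack 1692549100, length 0
2021-12-19 15:57:47.390062 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [S.], seq 1478028943, ack 1692549100, length 0
2021-12-19 15:57:47.390301 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [.], ack 1, length 0
2021-12-19 15:57:47.390306 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [.], ack 1, length 0
"""

# Fields we need from a tcpdump line: addresses, ports, and the TCP header
# values that NAT must leave untouched (flags, seq, ack).
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]"
                  r"(?:, seq ([\d:]+))?(?:, ack (\d+))?")

def parse(line):
    m = LINE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags, seq, ack = m.groups()
    return {"src": src, "dst": dst, "sport": int(sport), "dport": int(dport),
            "tcp": (flags, seq, ack, sport, dport)}  # NAT-invariant identity

def check_nat(capture, client, proxy, backend, port=443):
    """Count pre-NAT packets that have a correctly rewritten twin later in
    the capture. Forward: client->proxy:port must reappear as proxy->backend
    (DNAT + SNAT). Reverse: backend->proxy:port replies must reappear as
    proxy->client. A twin must carry identical flags, seq, ack and ports."""
    pkts = [p for p in map(parse, capture.splitlines()) if p]
    res = {"forward_ok": 0, "reverse_ok": 0, "missing_twin": 0}
    for i, p in enumerate(pkts):
        if (p["src"], p["dst"], p["dport"]) == (client, proxy, port):
            want, key = (proxy, backend), "forward_ok"
        elif (p["src"], p["dst"], p["sport"]) == (backend, proxy, port):
            want, key = (proxy, client), "reverse_ok"
        else:
            continue  # already-translated copy or unrelated traffic
        twin = any((q["src"], q["dst"]) == want and q["tcp"] == p["tcp"]
                   for q in pkts[i + 1:])
        res[key if twin else "missing_twin"] += 1
    return res

if __name__ == "__main__":
    print(check_nat(SAMPLE, "192.168.111.122", "192.168.111.136", "192.168.111.1"))
```

A capture where only the first line appears (inbound SYN with no rewritten copy) is what a missing ip_forward or absent POSTROUTING rule typically looks like, and the checker reports it as a missing twin.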