[Question] Does this iptables rule cause unnecessary routing?
I'm routing game traffic on my VPS via WireGuard to a home server that has games hosted via Docker.
Setup is...
VPS/Wireguard -> Internet -> Wireguard/Dockerized Games Server
Now, my current config WORKS... however I'm curious if there is some unnecessary routing going on.
VPS iptables rules (omitted PostDown)
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --match multiport --dports 61000:61100 -j DNAT --to-destination 10.0.0.3
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Game Server (omitted PostDown)
Here are the iptables rules on the game server, and the --to-destination part is what I'm curious about...
PostUp = iptables -t nat -A PREROUTING -p tcp --dport 61000:61100 -d 10.0.0.3 -j DNAT --to-destination 192.168.1.14
PostUp = iptables -t nat -A POSTROUTING -j MASQUERADE
10.0.0.3 is the same machine as 192.168.1.14
The reason I'm setting the --to-destination IP to that is because the Docker rules that are created in the Chain DOCKER section of the iptables rules are looking for the destination nam-games.localdomain, which is my DNS entry for the game server. I unfortunately don't think I can change these because I'm using a game server management panel called Pterodactyl that adds these. I also don't want to have to manually add rules to this every time I create a server.
The setup I described above is the only config I have gotten to work, but I'm curious if it's hitting the server, then going to the router, only to be routed back to the same machine again. If it is, is there a better way to set this up?
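
One way to check this on the game server, added here as an example and not part of the original post: `ip route get` reports how the kernel routes the post-DNAT destination, and a route of type `local` means the packet is delivered on the host itself instead of being sent to a next hop. The function name `classify_route` and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# classify_route: reads the output of `ip route get <addr>` on stdin and prints
#   local   - route type "local": the kernel delivers the packet on this host
#   gateway - packet is forwarded to a next hop ("via <addr>")
#   onlink  - packet is sent directly out an interface, without a gateway
#   unknown - anything else (unreachable, empty input, ...)
classify_route() {
    # Only the first line describes the route; the "cache" line is ignored.
    read -r first rest || { echo unknown; return 1; }
    case "$first" in
        local) echo local ;;
        *)
            case " $rest " in
                *" via "*) echo gateway ;;
                *" dev "*) echo onlink ;;
                *) echo unknown; return 1 ;;
            esac
            ;;
    esac
}

# Constructed sample outputs (not captured from the poster's machines).
SAMPLE_LOCAL='local 192.168.1.14 dev lo src 192.168.1.14 uid 0'
SAMPLE_GATEWAY='203.0.113.7 via 192.168.1.1 dev eth0 src 192.168.1.14 uid 0'

# Query the live routing table for each address given as an argument, e.g.
#   sh check-route.sh 192.168.1.14 10.0.0.3
# (check-route.sh is a hypothetical file name for this script.)
for addr in "$@"; do
    printf '%s: %s\n' "$addr" "$(ip -4 route get "$addr" | classify_route)"
done
```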