UFW : IP Masquerade
2024/05/29

This is how to configure IP Masquerading on UFW.

                          Internet
            -------------+-------------
                  Gateway|192.168.0.1
                         |
                   enp1s0|192.168.0.30
        External         |
             +-----------+-----------+
             |                       |
             |     dlp.srv.world     |
             |                       |
             +-----------+-----------+
                   enp7s0|10.0.0.30
        Internal         |
                         |
[1] Enable the Forward policy first.

root@dlp:~# vi /etc/default/ufw
# line 19 : change
DEFAULT_FORWARD_POLICY="ACCEPT"

root@dlp:~# vi /etc/sysctl.conf
# line 28 : uncomment
net.ipv4.ip_forward=1

# reload settings
root@dlp:~# sysctl -p
root@dlp:~# ufw reload
[2] In addition to the UFW default settings, add rules so that computers in the Internal network can connect to the external network or the Internet via [10.0.0.30] as their gateway.
root@dlp:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

root@dlp:~# vi /etc/ufw/before.rules
.....
.....
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

# add to last line
# NAT
*nat
-F
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o enp1s0 -j MASQUERADE
COMMIT

root@dlp:~# ufw reload
[3] In addition to the settings of [2] above, add rules like the following.

* requests arriving on [enp1s0] with destination port 22 or 80 on the External side are forwarded to the host [10.0.0.51] on the same port on the Internal side
* requests arriving on [enp1s0] with destination port 3306 on the External side are forwarded to the host [10.0.0.52] on the same port on the Internal side
root@dlp:~# ufw allow ssh
Rule added
Rule added (v6)
root@dlp:~# ufw allow http
Rule added
Rule added (v6)
root@dlp:~# ufw allow mysql
Rule added
Rule added (v6)
root@dlp:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
3306/tcp (v6)              ALLOW IN    Anywhere (v6)

root@dlp:~# vi /etc/ufw/before.rules
.....
.....
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

# NAT
*nat
-F
:POSTROUTING ACCEPT [0:0]
# add rules
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dst 192.168.0.30 -m multiport --dports 22,80 -j DNAT --to-destination 10.0.0.51
-A POSTROUTING -p tcp --dst 10.0.0.51 -m multiport --dports 22,80 -j SNAT --to-source 10.0.0.30
-A PREROUTING -p tcp --dst 192.168.0.30 --dport 3306 -j DNAT --to-destination 10.0.0.52:3306
-A POSTROUTING -p tcp --dst 10.0.0.52 --dport 3306 -j SNAT --to-source 10.0.0.30
-A POSTROUTING -s 10.0.0.0/24 -o enp1s0 -j MASQUERADE
COMMIT

root@dlp:~# ufw reload
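The three edits in steps [1] to [3] fail quietly when a detail is off: a stray space inside the DEFAULT_FORWARD_POLICY quotes, a still-commented ip_forward line, a missing COMMIT after the *nat table, a MASQUERADE rule without -s/-o that rewrites every routed flow, or a DNAT rule that is not pinned to the external address and port. The script below is an added example written for this page, not part of the tutorial or of UFW itself: a read-only pre-flight check over the three files. The file paths are parameters, and the sample files written by make_fixtures and make_bad_before_rules are constructed to mirror the step [3] configuration and its common mistakes.

```shell
#!/bin/sh
# Added example, not from the original page: read-only pre-flight check for the three
# files the tutorial edits. Paths are parameters; make_fixtures writes constructed samples.

# /etc/default/ufw must carry DEFAULT_FORWARD_POLICY="ACCEPT" (no stray spaces inside the quotes)
forward_policy_ok() {
    grep -Eq '^DEFAULT_FORWARD_POLICY="?ACCEPT"?[[:space:]]*$' "$1"
}

# /etc/sysctl.conf must have an uncommented net.ipv4.ip_forward=1
ip_forward_ok() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Every "*table" header in before.rules needs its own COMMIT before the next header or EOF
commits_balanced() {
    awk '
        /^\*[a-z]+/ { if (open) bad = 1; open = 1; next }
        /^COMMIT/   { if (!open) bad = 1; open = 0; next }
        END         { if (open) bad = 1; exit bad }
    ' "$1"
}

# Print only the lines inside the *nat table (helper for the two checks below)
nat_table() {
    awk '/^\*nat/ { intab = 1; next } intab && /^COMMIT/ { exit } intab' "$1"
}

# Each MASQUERADE rule must name a source subnet (-s) and an egress interface (-o)
masquerade_scoped() {
    nat_table "$1" | awk '
        /-j MASQUERADE/ { n++; if ($0 !~ /-s [0-9.]+\/[0-9]+/ || $0 !~ /-o [A-Za-z0-9]+/) bad = 1 }
        END { exit (n == 0 || bad) }
    '
}

# Each DNAT rule must be pinned to the external address (--dst/-d) or ingress interface (-i)
# and to a protocol plus port list, so only the published services reach the internal hosts
dnat_scoped() {
    nat_table "$1" | awk '
        /-A PREROUTING/ && /-j DNAT/ {
            if ($0 !~ /(--dst|-d) [0-9.]+/ && $0 !~ /-i [A-Za-z0-9]+/) bad = 1
            if ($0 !~ /-p (tcp|udp)/ || $0 !~ /--dports? [0-9,]+/) bad = 1
        }
        END { exit bad }
    '
}

# Run one check, report it, and propagate its status
run_check() {
    if "$@"; then echo "PASS $1"; else echo "FAIL $1"; return 1; fi
}

# check_all <default/ufw> <sysctl.conf> <before.rules>: returns the number of failed checks
check_all() {
    fails=0
    run_check forward_policy_ok "$1"  || fails=$((fails + 1))
    run_check ip_forward_ok "$2"      || fails=$((fails + 1))
    run_check commits_balanced "$3"   || fails=$((fails + 1))
    run_check masquerade_scoped "$3"  || fails=$((fails + 1))
    run_check dnat_scoped "$3"        || fails=$((fails + 1))
    return $fails
}

# Constructed sample files reproducing the tutorial's final configuration (step [3])
make_fixtures() {
    printf 'DEFAULT_INPUT_POLICY="DROP"\nDEFAULT_FORWARD_POLICY="ACCEPT"\n' > "$1/ufw"
    printf '#net.ipv4.ip_forward=1\nnet.ipv4.ip_forward=1\n' > "$1/sysctl.conf"
    cat > "$1/before.rules" <<'EOF'
*filter
-A ufw-before-input -i lo -j ACCEPT
COMMIT
*nat
-F
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dst 192.168.0.30 -m multiport --dports 22,80 -j DNAT --to-destination 10.0.0.51
-A POSTROUTING -p tcp --dst 10.0.0.51 -m multiport --dports 22,80 -j SNAT --to-source 10.0.0.30
-A PREROUTING -p tcp --dst 192.168.0.30 --dport 3306 -j DNAT --to-destination 10.0.0.52:3306
-A POSTROUTING -p tcp --dst 10.0.0.52 --dport 3306 -j SNAT --to-source 10.0.0.30
-A POSTROUTING -s 10.0.0.0/24 -o enp1s0 -j MASQUERADE
COMMIT
EOF
}

# Constructed counter-example: missing COMMIT, unpinned DNAT, unscoped MASQUERADE
make_bad_before_rules() {
    cat > "$1" <<'EOF'
*nat
-A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 10.0.0.51
-A POSTROUTING -j MASQUERADE
EOF
}

# Stand-alone demo on the constructed files; point check_all at the real paths to audit a host
demo=$(mktemp -d)
make_fixtures "$demo"
check_all "$demo/ufw" "$demo/sysctl.conf" "$demo/before.rules"
rm -rf "$demo"
```

On a real host run `check_all /etc/default/ufw /etc/sysctl.conf /etc/ufw/before.rules` before `ufw reload`; a non-zero exit is the count of failed checks. One operational note on the step [3] rules themselves: the POSTROUTING SNAT rewrites the client address to 10.0.0.30, so the logs on 10.0.0.51 and 10.0.0.52 will record the gateway rather than the real external client, which matters when you later have to trace a connection.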