Ubuntu 24.04
Sponsored Link

UFW : IP Masquerade2024/05/29

 

This is how to configure IP Masquerading on UFW.
This example is based on the environment like follows.

          Internet
-------------+-------------
      Gateway|192.168.0.1
             |
External     |
       enp1s0|192.168.0.30
+------------+------------+
|                         |
|      dlp.srv.world      |
|                         |
+------------+------------+
       enp7s0|10.0.0.30
Internal     |
             |

[1] Enable Forward policy first.
root@dlp:~#
vi /etc/default/ufw
# line 19 : change

DEFAULT_FORWARD_POLICY="
ACCEPT
"
root@dlp:~#
vi /etc/sysctl.conf
# line 28 : uncomment

net.ipv4.ip_forward=1
# reload settings

root@dlp:~#
sysctl -p

root@dlp:~#
ufw reload

[2] In addition to the UFW default setting, add rules that computers in Internal network can connect to external network or internet via [10.0.0.30] as a gateway.
root@dlp:~#
ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

root@dlp:~#
vi /etc/ufw/before.rules
.....
.....
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

# add to last line
# NAT
*nat
-F
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o enp1s0 -j MASQUERADE

COMMIT

root@dlp:~#
ufw reload

[3] In addition to the setting of [2] above, add rules like follows.
* requests to [enp1s0] with 22 or 80 port destination on External side are forwarded to the Host [10.0.0.51] with the same port on Internal side
* requests to [enp1s0] with 3306 port destination on External side are forwarded to the Host [10.0.0.52] with the same port on Internal side
root@dlp:~#
ufw allow ssh

Rule added
Rule added (v6)
root@dlp:~#
ufw allow http

Rule added
Rule added (v6)
root@dlp:~#
ufw allow mysql

Rule added
Rule added (v6)
root@dlp:~#
ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
3306/tcp (v6)              ALLOW IN    Anywhere (v6)

root@dlp:~#
vi /etc/ufw/before.rules
.....
.....
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

# NAT
*nat
-F
:POSTROUTING ACCEPT [0:0]
# add rules
:PREROUTING ACCEPT [0:0]

-A PREROUTING -p tcp --dst 192.168.0.30 -m multiport --dports 22,80 -j DNAT --to-destination 10.0.0.51
-A POSTROUTING -p tcp --dst 10.0.0.51 -m multiport --dports 22,80 -j SNAT --to-source 10.0.0.30

-A PREROUTING -p tcp --dst 192.168.0.30 --dport 3306 -j DNAT --to-destination 10.0.0.52:3306
-A POSTROUTING -p tcp --dst 10.0.0.52 --dport 3306 -j SNAT --to-source 10.0.0.30

-A POSTROUTING -s 10.0.0.0/24 -o enp1s0 -j MASQUERADE

COMMIT

root@dlp:~#
ufw reload

Matched Content