Blogs » Jeff Brown's blog

UFW Port forward /masquerade

/etc/ufw/before.rules

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# forward 129.232.230.123 port 22 to 192.168.230.123:22
# match on eno1: an alias label such as eno1:1 is not an interface name iptables can match
-A PREROUTING -i eno1 -d 129.232.230.123 -p tcp --dport 22 -j DNAT --to-destination 192.168.230.123:22
# setup routing (masquerade guest traffic leaving the private network)
-A POSTROUTING -s 192.168.230.0/24 ! -d 192.168.230.0/24 -j MASQUERADE
COMMIT

NOTE: NET-TOOLS (e.g. ifconfig) DEPRECATED. USE IPROUTE2

ip addr add 129.232.230.123/29 dev eno1 label eno1:0

# NETMAP rewrites the destination in PREROUTING and maps one prefix onto another 1:1,
# so match on -d and use the same prefix length on both sides
iptables -t nat -A PREROUTING -d 129.232.230.123/29 -j NETMAP --to 192.168.230.123/29

WORKS:
https://sandilands.info/sgordon/linux-servers-as-kvm-virtual-machines

iptables -t nat -I PREROUTING -d 129.232.230.123 -j DNAT --to-destination 192.168.230.123
iptables -t nat -I POSTROUTING -s 192.168.230.123 -j SNAT --to-source 129.232.230.123
iptables -t nat -I PREROUTING -d 129.232.230.124 -j DNAT --to-destination 192.168.230.124
iptables -t nat -I POSTROUTING -s 192.168.230.124 -j SNAT --to-source 129.232.230.124
iptables -I FORWARD -p tcp -d 192.168.230.123 --dport 22 -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.230.123 --dport 25 -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.230.123 --dport 110 -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.230.124 --dport 22 -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.230.124 --dport 25 -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.230.124 --dport 110 -j ACCEPT

In a nutshell:
iptables -t nat -I PREROUTING -d 129.232.230.123 -j DNAT --to-destination 192.168.230.123
iptables -t nat -I POSTROUTING -s 192.168.230.123 -j SNAT --to-source 129.232.230.123
iptables -I FORWARD -p tcp -d 192.168.230.123 --dport 22 -j ACCEPT

iptables -t nat -I PREROUTING -d 129.232.230.124 -j DNAT --to-destination 192.168.230.124
iptables -t nat -I POSTROUTING -s 192.168.230.124 -j SNAT --to-source 129.232.230.124
iptables -I FORWARD -p tcp -d 192.168.230.124 --dport 22 -j ACCEPT

Convert to UFW:
https://devops.profitbricks.com/tutorials/deploy-outbound-nat-gateway-on...

nano /etc/default/ufw
change DEFAULT_FORWARD_POLICY="DROP" to "ACCEPT"

iptables -I FORWARD -p tcp -d 192.168.230.0/24 -j ACCEPT
iptables -I FORWARD -p udp -d 192.168.230.0/24 -j ACCEPT
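The per-host rules from the "in a nutshell" block can be generated instead of typed, and the FORWARD side can stay narrower than the blanket accept for all of 192.168.230.0/24 above. The script below is an added example, not the post's own; the guest/port list is a constructed sample, and the is_ipv4 helper and the conntrack reply rules are this example's assumptions, not something the post shows.

```shell
#!/bin/sh
# Added example (not from the post): generate the "in a nutshell" 1:1 NAT rules
# for each public->private mapping, but forward only the TCP ports each guest
# needs instead of accepting everything to 192.168.230.0/24.
# The addresses are the post's; the guest/port list is a constructed sample.

# is_ipv4 ADDR: succeeds only for a dotted quad whose octets are all 0-255
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# host_rules PUBLIC PRIVATE PORT...: print the iptables commands for one guest
host_rules() {
    pub=$1; priv=$2; shift 2
    is_ipv4 "$pub" && is_ipv4 "$priv" || { echo "bad address: $pub / $priv" >&2; return 1; }
    # 1:1 NAT as in the post: inbound DNAT to the guest, outbound SNAT to its public IP
    echo "iptables -t nat -I PREROUTING -d $pub -j DNAT --to-destination $priv"
    echo "iptables -t nat -I POSTROUTING -s $priv -j SNAT --to-source $pub"
    # Only the listed TCP ports may open new connections to the guest
    for port in "$@"; do
        case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
        echo "iptables -I FORWARD -p tcp -d $priv --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Replies to the guest for connections already accepted (inbound or guest-initiated)
    echo "iptables -I FORWARD -d $priv -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Let the guest initiate outbound connections (SNAT'd above)
    echo "iptables -I FORWARD -s $priv -j ACCEPT"
}

# Constructed sample: SSH and SMTP on the first guest, SSH only on the second
all_rules() {
    host_rules 129.232.230.123 192.168.230.123 22 25 &&
    host_rules 129.232.230.124 192.168.230.124 22
}

# count_rules: how many iptables commands all_rules emits
count_rules() { all_rules | wc -l | tr -d ' '; }

# Review the output first, then apply it with:  sh this_script.sh | sh
all_rules
```

Running it prints the commands rather than applying them, so the rule set can be reviewed (and diffed against `iptables -S`) before it touches the firewall.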

IPTABLES QEMU HOOK https://www.libvirt.org/hooks.html
nano /etc/libvirt/hooks/network
#!/bin/sh
# run by libvirt on network events (see the hooks page above); re-adds the forward rule
iptables -I FORWARD -d 192.168.230.0/24 -j ACCEPT

FLUSH IPTABLES
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
 
