Reference document:
"Ubuntu firewall IP forwarding as NAT, intranet cluster sharing network (simple)"
The "focal (8) ufw-framework.8.gz manual"
The project needs a router that provides NAT shared access to the external network and port mapping into the internal network. This is done with nothing more than an Ubuntu 20.04 server and the ufw firewall.
1 Requirements
Hardware: a server with at least two network ports.
Software: ubuntu 20.04+ufw.
Term explanation:
IP masquerading: in Ubuntu (ufw) NAT is called IP masquerading, meaning that computers with private addresses on the internal interface eno1 (for example 10.0.0.0/20) share the single IP address of the external interface eno2.
Port redirection: forwarding a port on the external interface eno2 to a port on an internal address 10.0.0.X, for example forwarding tcp port 80 on eno2 to the web server at 10.0.0.3.
2 UFW basic operation:
2.1 View current status and firewall rules
ufw status #Status: active means the firewall is running; if no rules are configured, no rules are listed
2.2 Set default actions
ufw default allow/deny #default allow/deny action for ports that have no explicit rule
2.3 Add rules to allow/deny ports
ufw allow 22/tcp #allow tcp packets to port 22; 22/udp allows udp packets to port 22 instead
ufw deny 22 #deny port 22 (udp+tcp)
2.4 Delete the rules for allowing/denying ports
ufw delete allow/deny 20 #the delete spec must match the add spec: if you added 22/tcp, delete 22/tcp; deleting 22 will not remove it
2.5 Enable/disable/reload the firewall
If you are connected remotely over ssh, add the 22/tcp allow rule before enabling the firewall, otherwise you lock yourself out.
ufw enable/disable/reload
3 Firewall forwarding configuration (NAT)
3.1 First turn on the IP forwarding of the system
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1 #add or edit this line and set the value to 1
3.2 Apply the change
sysctl -p
3.3 Set up firewall forwarding (modify two configuration files)
3.3.1 Modify /etc/default/ufw
vim /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT" #set this value to ACCEPT
Note:
# The default rules are all inside the *filter … COMMIT block
# When adding the content below, the *nat … COMMIT block must not be placed inside *filter … COMMIT
# 10.0.0.0/20 is the intranet network segment
3.3.2 Modify /etc/ufw/before.rules
vim /etc/ufw/before.rules
#append the following at the end of the file
*nat
:PREROUTING - [0:0]
:POSTROUTING - [0:0]
-A POSTROUTING -s 10.0.0.0/20 -o eno2 -j MASQUERADE
COMMIT
3.3.3 Restart the firewall; NAT is now working
ufw disable
ufw enable
4 Set up port redirection:
4.1 Forward the tcp port 80 on the external network port eno2 to the web server at 10.0.0.3.
4.1.1 Edit /etc/ufw/sysctl.conf
vim /etc/ufw/sysctl.conf
net.ipv4.ip_forward=1
4.1.2 Edit /etc/ufw/before.rules and add the following line in the *nat section
vim /etc/ufw/before.rules
-A PREROUTING -p tcp -i eno2 --dport 80 -j DNAT --to-destination 10.0.0.3:80
4.1.3 Add ufw rules
ufw route allow in on eno2 to 10.0.0.3 port 80 proto tcp
ufw allow 80
To delete the route rule added above (traffic entering on eno2 and forwarded to 10.0.0.3 port 80):
ufw route delete allow in on eno2 to 10.0.0.3 port 80 proto tcp
To reject traffic entering on eno2 and forwarded to host 10.0.0.3 port 22:
ufw route reject in on eno2 to 10.0.0.3 port 80
4.1.4 Restart ufw
ufw reload
4.2 Forward port 62022 to port 22 of 10.0.0.3.
4.2.2 Edit /etc/ufw/before.rules and add the following line in the *nat section
-A PREROUTING -p tcp -i eno2 --dport 62022 -j DNAT --to-destination 10.0.0.3:22
4.2.3 Add ufw rules
ufw route allow in on eno2 to 10.0.0.3 port 22
ufw allow 62022
4.2.4 Restart ufw
ufw reload
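The following shell script is an added example and not part of the original post. It builds the *nat block that sections 3.3.2, 4.1.2 and 4.2.2 append by hand to /etc/ufw/before.rules (one DNAT rule per port mapping plus the MASQUERADE rule for the LAN), appends it only when the file has no *nat table yet so that re-running the setup does not duplicate the table, prints the matching ufw route allow command from 4.1.3/4.2.3, and checks the ip_forward setting from 3.1/4.1.1. The LAN segment 10.0.0.0/20, the interface eno2 and the two mappings come from the page; the function names and the mapping format wan_port:lan_ip:lan_port are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build the *nat block that
# sections 3.3.2, 4.1.2 and 4.2.2 append by hand to /etc/ufw/before.rules,
# and append it only when the file has no *nat table yet.
# Assumed: LAN 10.0.0.0/20, WAN interface eno2, and mappings written as
# "wan_port:lan_ip:lan_port" (e.g. 80:10.0.0.3:80 62022:10.0.0.3:22).
# The function names and the mapping format are this example's own choice.

# Print the nat table: one DNAT per mapping, then MASQUERADE for the LAN.
# usage: gen_nat_block LAN_CIDR WAN_IF [MAPPING...]
gen_nat_block() {
    lan_cidr=$1; wan_if=$2; shift 2
    printf '%s\n' '*nat' ':PREROUTING - [0:0]' ':POSTROUTING - [0:0]'
    for m in "$@"; do
        wport=${m%%:*}; rest=${m#*:}
        lip=${rest%%:*}; lport=${rest#*:}
        printf '%s\n' "-A PREROUTING -p tcp -i $wan_if --dport $wport -j DNAT --to-destination $lip:$lport"
    done
    printf '%s\n' "-A POSTROUTING -s $lan_cidr -o $wan_if -j MASQUERADE" 'COMMIT'
}

# Print the matching "ufw route allow" command (sections 4.1.3 and 4.2.3),
# which lets the DNAT'ed packet through the FORWARD chain.
# usage: route_allow_cmd WAN_IF MAPPING
route_allow_cmd() {
    wan_if=$1; rest=${2#*:}
    lip=${rest%%:*}; lport=${rest#*:}
    printf '%s\n' "ufw route allow in on $wan_if to $lip port $lport proto tcp"
}

# Append the block to FILE unless a *nat table is already there, so that
# running the setup twice never appends a second copy of the table.
# Returns 0 when appended, 1 when skipped.
# usage: append_nat_block FILE LAN_CIDR WAN_IF [MAPPING...]
append_nat_block() {
    file=$1; shift
    if grep -q '^\*nat' "$file" 2>/dev/null; then
        return 1
    fi
    gen_nat_block "$@" >> "$file"
}

# Check a sysctl-style file (sections 3.1 and 4.1.1) for the line
# "net.ipv4.ip_forward = 1" (spaces around "=" optional). 0 if present.
# usage: ip_forward_enabled FILE
ip_forward_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}
```

On the router this is run as root against /etc/ufw/before.rules, followed by the ufw route allow commands it prints and ufw reload; afterwards iptables -t nat -S PREROUTING and iptables -t nat -S POSTROUTING show whether the DNAT and MASQUERADE rules were actually loaded.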
5 Modify the ssh port to 64422
5.1 Modify /etc/ssh/sshd_config
vim /etc/ssh/sshd_config
# keep the existing port 22 and add the new port on its own line
port 22
port 64422
5.2 Restart the ssh service
service ssh restart
5.3 Modify ufw
ufw allow 64422
5.4 Restart ufw
ufw reload
5.5 Log in over ssh on the new port 64422 to verify it works
5.6 After a successful login, modify /etc/ssh/sshd_config
vim /etc/ssh/sshd_config
#port 22
5.7 Restart the ssh service
service ssh restart
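The following shell functions are an added example and not part of the original post. They apply the two-phase port move of section 5 to a copy of sshd_config: the new Port line is added while the old one stays in place, and the old port is commented out only as a separate step, after the new port has been logged into, with a refusal to remove the last remaining Port line. They assume a file with "Port N" lines (sshd matches keywords case-insensitively) and use a constructed sample config; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): the two-phase ssh port move of
# section 5 on a copy of sshd_config. Phase 1 adds "Port NEW" next to the
# existing "Port 22"; phase 2 comments out "Port 22" only after the new port
# has been verified, so a mistake never removes the only working login port.
# Assumes "Port N" lines (sshd keywords are case-insensitive); function names
# are this example's own choice.

# List the ports sshd will listen on (uncommented Port lines), one per line.
# usage: sshd_listen_ports FILE
sshd_listen_ports() {
    sed -nE 's/^[[:space:]]*[Pp]ort[[:space:]]+([0-9]+)[[:space:]]*$/\1/p' "$1"
}

# Phase 1 (sections 5.1-5.2): append "Port NEW" while keeping every existing
# Port line. Returns 1 if NEW is already listed, so nothing is duplicated.
# usage: sshd_add_port FILE NEW
sshd_add_port() {
    file=$1; port=$2
    if sshd_listen_ports "$file" | grep -qxF -- "$port"; then
        return 1
    fi
    printf 'Port %s\n' "$port" >> "$file"
}

# Phase 2 (sections 5.5-5.6): comment out "Port OLD" after the new port has
# been tested. Refuses (returns 1) if OLD is the only Port line, so the file
# never ends up without an explicit listening port.
# usage: sshd_drop_port FILE OLD
sshd_drop_port() {
    file=$1; port=$2
    n=$(sshd_listen_ports "$file" | grep -cvxF -- "$port" || true)
    [ "$n" -gt 0 ] || return 1
    sed -E "s/^([[:space:]]*)([Pp]ort[[:space:]]+$port[[:space:]]*)$/\1#\2/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}
```

On the real host, run sshd -t after each phase to syntax-check the file before service ssh restart, and open the new port in ufw (section 5.3) before restarting sshd; the check in sshd_drop_port is what keeps an operator from commenting out port 22 before port 64422 has been added and tested.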