Install the firewall
sudo apt install ufw
Check the firewall status
sudo ufw status verbose
Allow port 22 (if you use SSH to reach the server, port 22 must be allowed first; otherwise you will not be able to connect to the server once the firewall is enabled)
sudo ufw allow 22
Enable the firewall
sudo ufw enable
Disable the firewall
sudo ufw disable
Allow port 8080
sudo ufw allow 8080
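The warning above (allow SSH before enabling) is easy to forget on a remote box. The following is an added example, not part of the original post: it parses the output of `ufw show added` (which lists rules already registered even while the firewall is still inactive, unlike `ufw status`) and refuses to run `ufw enable` unless an ALLOW rule for the SSH port is present. The SSH port (22), the handling of the `OpenSSH` application profile as equivalent to port 22, and the sample `ufw show added` outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): guard `ufw enable` so that the
# SSH port is confirmed in the registered rules first.

SSH_PORT="${SSH_PORT:-22}"   # assumption: SSH listens on 22, as on the page

# Return 0 if the `ufw show added` text in $2 contains an allow rule for
# port $1. Rule lines look like "ufw allow 22" or "ufw allow 22/tcp"; the
# "OpenSSH" application profile is treated as port 22 (assumption).
added_rules_allow_port() {
    port="$1"
    added_text="$2"
    printf '%s\n' "$added_text" | awk -v p="$port" '
        $1 == "ufw" && $2 == "allow" {
            if ($3 == p || $3 == (p "/tcp") || (p == "22" && $3 == "OpenSSH"))
                found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Enable ufw only when the SSH port is already allowed; otherwise refuse and
# tell the operator which command is missing.
safe_ufw_enable() {
    current="$(sudo ufw show added)"
    if added_rules_allow_port "$SSH_PORT" "$current"; then
        sudo ufw --force enable
    else
        echo "refusing to enable ufw: no allow rule for port $SSH_PORT yet" >&2
        echo "run: sudo ufw allow $SSH_PORT" >&2
        return 1
    fi
}

# Constructed samples of `ufw show added` output, used for offline checks.
SAMPLE_ADDED_OK='Added user rules (see '"'"'ufw status'"'"' for running firewall):
ufw allow 22
ufw allow 8080'

SAMPLE_ADDED_TCP='Added user rules (see '"'"'ufw status'"'"' for running firewall):
ufw allow 22/tcp'

SAMPLE_ADDED_PROFILE='Added user rules (see '"'"'ufw status'"'"' for running firewall):
ufw allow OpenSSH'

SAMPLE_ADDED_MISSING='Added user rules (see '"'"'ufw status'"'"' for running firewall):
ufw allow 8080'

# Run the real guarded enable only when asked explicitly: sh script.sh --enable
if [ "${1:-}" = "--enable" ]; then
    safe_ufw_enable
fi
```

Run it with `--enable` on the server itself; without the flag it only defines the functions and the constructed samples, so it can be sourced and checked safely.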
Map port 80 to port 8080.
Step 1: Edit /etc/default/ufw and change the parameter:
DEFAULT_FORWARD_POLICY="ACCEPT"
sudo vim /etc/default/ufw
Find the line DEFAULT_FORWARD_POLICY="DROP" and change the value to "ACCEPT"
Step 2: Edit /etc/ufw/sysctl.conf to allow IPv4 or IPv6 forwarding (by default these parameters are commented out)
sudo vim /etc/ufw/sysctl.conf
The file contains the following lines; remove the leading # as needed
#net/ipv4/ip_forward=1
#net/ipv6/conf/default/forwarding=1
#net/ipv6/conf/all/forwarding=1
Step 3: Add NAT to /etc/ufw/before.rules. Insert the following before the filter rules (*filter)
sudo vim /etc/ufw/before.rules
The file contains content similar to:
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
Add the nat configuration in front of *filter. After adding it, my file looks like this
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
COMMIT
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
Step 4: Reload the firewall
sudo ufw reload
References
Configuring iptables and ufw port forwarding
Installing the ufw firewall on UOS Linux
Linux - can ufw be used to configure port forwarding?
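Steps 2 and 3 are hand edits of two files, and the easy mistakes are pasting the *nat block twice or placing it after *filter. The following is an added example, not part of the original post: a small POSIX shell script that uncomments the IPv4 forwarding line and inserts the *nat section immediately before *filter, skipping the insert if a REDIRECT rule for that port already exists, so running it twice never duplicates the block. It works on whatever file paths it is given, and the demo at the bottom runs on constructed, trimmed copies of before.rules and sysctl.conf in a temporary directory rather than on /etc/ufw. The file paths, the 80 -> 8080 pair and the sample file contents are assumptions; IPv6 forwarding is not touched.

```shell
#!/bin/sh
# Added example (not from the original post): apply steps 2 and 3 of the page
# to copies of the ufw files so the edit can be checked before touching /etc/ufw.
# Paths, ports and the sample contents are constructed assumptions.

# Step 2: uncomment "net/ipv4/ip_forward=1" in a sysctl.conf-style file $1.
enable_ipv4_forward() {
    f="$1"
    tmp="$(mktemp)"
    sed 's|^#net/ipv4/ip_forward=1$|net/ipv4/ip_forward=1|' "$f" > "$tmp" \
        && cat "$tmp" > "$f"
    rm -f "$tmp"
}

# Step 3: insert a *nat table redirecting TCP port $2 to $3 immediately
# before the "*filter" line of $1. Idempotent: if a REDIRECT rule for $2 is
# already present nothing is changed. Fails if the file has no *filter section.
add_port_redirect() {
    f="$1"; from="$2"; to="$3"
    if grep -q -- "--dport $from -j REDIRECT" "$f"; then
        return 0
    fi
    grep -q '^\*filter$' "$f" || { echo "no *filter section in $f" >&2; return 1; }
    tmp="$(mktemp)"
    awk -v from="$from" -v to="$to" '
        /^\*filter$/ && !done {
            print "*nat"
            print ":PREROUTING ACCEPT [0:0]"
            print "-A PREROUTING -p tcp --dport " from " -j REDIRECT --to-port " to
            print "COMMIT"
            done = 1
        }
        { print }' "$f" > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
}

# Number of "*nat" sections in $1 (should be exactly 1 after the edit).
count_nat_sections() {
    grep -c '^\*nat$' "$1"
}

# Line number of the first line of $1 matching the fixed string $2, 0 if absent.
line_of() {
    n="$(grep -n -F -x -- "$2" "$1" | head -n 1 | cut -d: -f1)"
    printf '%s\n' "${n:-0}"
}

# Write constructed, trimmed stand-ins for the two files into directory $1.
write_sample_files() {
    dir="$1"
    cat > "$dir/before.rules" <<'EOF'
#
# rules.before
#
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
-A ufw-before-input -i lo -j ACCEPT
COMMIT
EOF
    cat > "$dir/sysctl.conf" <<'EOF'
#net/ipv4/ip_forward=1
#net/ipv6/conf/default/forwarding=1
#net/ipv6/conf/all/forwarding=1
EOF
}

# Stand-alone demo on the constructed copies (never touches /etc/ufw).
demo_dir="$(mktemp -d)"
write_sample_files "$demo_dir"
enable_ipv4_forward "$demo_dir/sysctl.conf"
add_port_redirect "$demo_dir/before.rules" 80 8080
add_port_redirect "$demo_dir/before.rules" 80 8080   # second run is a no-op
grep -n -e '^\*' -e PREROUTING -e '^COMMIT' "$demo_dir/before.rules"
rm -rf "$demo_dir"
```

To apply it for real, call `enable_ipv4_forward /etc/ufw/sysctl.conf` and `add_port_redirect /etc/ufw/before.rules 80 8080` as root, then `sudo ufw reload` and confirm the rule landed with `sudo iptables -t nat -S PREROUTING`. Two things to keep in mind: a REDIRECT in PREROUTING only rewrites packets arriving from the network, so connections made from the host itself to its own port 80 are not redirected; and the rewritten packets reach ufw's filter rules with destination port 8080, which is why the earlier `ufw allow 8080` is the rule that matters for them.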