UFW : IP Masquerade

ALEXX
Administrator
Posts: 1350
Joined: 21 Dec 2014, 14:59
From: Korolyov

Post by ALEXX »

This is how to configure IP masquerading on UFW.
This example is based on an environment like the following.

                  Internet
         -------------+-------------
              Gateway | 192.168.0.1
                      |
             External |
               enp1s0 | 192.168.0.30
         +------------+------------+
         |                         |
         |      dlp.srv.world      |
         |                         |
         +------------+------------+
               enp7s0 | 10.0.0.30
             Internal |
                      |

[1] Enable the forward policy first.
root@dlp:~# vi /etc/default/ufw
# line 19 : change

DEFAULT_FORWARD_POLICY="ACCEPT"
root@dlp:~# vi /etc/sysctl.conf
# line 28 : uncomment

net.ipv4.ip_forward=1
# reload settings

root@dlp:~# sysctl -p

root@dlp:~# ufw reload

[2] In addition to the UFW default settings, add rules so that computers on the Internal network can reach the external network or the Internet via [10.0.0.30] as their gateway.
root@dlp:~# ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

root@dlp:~# vi /etc/ufw/before.rules

.....
.....
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

# add to the end
# NAT
*nat
-F
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o enp1s0 -j MASQUERADE

COMMIT

root@dlp:~# ufw reload

[3] In addition to the settings of [2] above, add rules as follows.
* requests arriving on [enp1s0] for destination port 22 or 80 on the External side are forwarded to the host [10.0.0.51] on the same port on the Internal side
* requests arriving on [enp1s0] for destination port 3306 on the External side are forwarded to the host [10.0.0.52] on the same port on the Internal side
root@dlp:~# ufw allow ssh

Rule added
Rule added (v6)
root@dlp:~# ufw allow http

Rule added
Rule added (v6)
root@dlp:~# ufw allow mysql

Rule added
Rule added (v6)
root@dlp:~# ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
3306/tcp (v6)              ALLOW IN    Anywhere (v6)

root@dlp:~# vi /etc/ufw/before.rules

.....
.....
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

# NAT
*nat
-F
:POSTROUTING ACCEPT [0:0]
# add rules
:PREROUTING ACCEPT [0:0]

-A PREROUTING -p tcp --dst 192.168.0.30 -m multiport --dports 22,80 -j DNAT --to-destination 10.0.0.51
-A POSTROUTING -p tcp --dst 10.0.0.51 -m multiport --dports 22,80 -j SNAT --to-source 10.0.0.30

-A PREROUTING -p tcp --dst 192.168.0.30 --dport 3306 -j DNAT --to-destination 10.0.0.52:3306
-A POSTROUTING -p tcp --dst 10.0.0.52 --dport 3306 -j SNAT --to-source 10.0.0.30

-A POSTROUTING -s 10.0.0.0/24 -o enp1s0 -j MASQUERADE

COMMIT

root@dlp:~# ufw reload
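The whole procedure above (forward policy, sysctl, and the *nat table with MASQUERADE, DNAT and hairpin SNAT), as an added example that is not from the original post or from server-world: a POSIX shell script that renders the *nat block of /etc/ufw/before.rules from a short port-forward spec and pre-flights the two hand edits of step [1] before `ufw reload`. The function names `valid_port`, `valid_ports`, `render_nat_table` and `check_forward_prereqs`, the `PORTS:INTERNAL_IP` spec format and the sample files the demo writes are this example's own assumptions; the addresses and interface names are the ones from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: render the *nat table the post
# appends to /etc/ufw/before.rules from a short port-forward spec, and check the
# two hand edits from step [1] before running "ufw reload".
# Function names, the "PORTS:INTERNAL_IP" spec format and the sample files
# written by the demo below are this example's own assumptions.

# A port is an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# A comma-separated list such as "22,80" (the form -m multiport --dports takes).
valid_ports() {
    [ -n "$1" ] || return 1
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        valid_port "$p" || return 1
    done
    return 0
}

# render_nat_table EXT_IF INT_NET GW_INT_IP EXT_IP [PORTS:INTERNAL_IP ...]
# Emits the same rule shapes the post uses: a DNAT on PREROUTING for the
# gateway's external address, a hairpin SNAT so the internal host answers via
# the gateway, and the MASQUERADE rule for outbound traffic last. The post's
# "-F" line is deliberately left out: in iptables-restore syntax it flushes
# every rule in the nat table, including rules owned by other software.
render_nat_table() {
    ext_if=$1
    int_net=$2
    gw_int_ip=$3
    ext_ip=$4
    shift 4
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    for spec in "$@"; do
        ports=${spec%%:*}
        target=${spec#*:}
        target_ip=${target%%:*}   # SNAT matches on the address only
        if ! valid_ports "$ports"; then
            echo "render_nat_table: bad port list '$ports' in '$spec'" >&2
            return 1
        fi
        printf '%s\n' \
            "-A PREROUTING -p tcp --dst $ext_ip -m multiport --dports $ports -j DNAT --to-destination $target" \
            "-A POSTROUTING -p tcp --dst $target_ip -m multiport --dports $ports -j SNAT --to-source $gw_int_ip"
    done
    printf '%s\n' "-A POSTROUTING -s $int_net -o $ext_if -j MASQUERADE" 'COMMIT'
}

# check_forward_prereqs UFW_DEFAULTS SYSCTL_CONF
# Succeeds only if both files carry the step [1] edits, uncommented:
# DEFAULT_FORWARD_POLICY="ACCEPT" and net.ipv4.ip_forward=1.
check_forward_prereqs() {
    rc=0
    if ! grep -q '^DEFAULT_FORWARD_POLICY="ACCEPT"' "$1"; then
        echo "missing in $1: DEFAULT_FORWARD_POLICY=\"ACCEPT\"" >&2
        rc=1
    fi
    if ! grep -Eq '^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "$2"; then
        echo "missing in $2: net.ipv4.ip_forward=1" >&2
        rc=1
    fi
    return $rc
}

# Demo on constructed files standing in for /etc/default/ufw and /etc/sysctl.conf
# (the sysctl line is still commented out, as it is before the edit in step [1]).
demo_dir=$(mktemp -d)
printf 'DEFAULT_FORWARD_POLICY="ACCEPT"\n' > "$demo_dir/ufw"
printf '#net.ipv4.ip_forward=1\n' > "$demo_dir/sysctl.conf"
if check_forward_prereqs "$demo_dir/ufw" "$demo_dir/sysctl.conf"; then
    echo "prerequisites OK, safe to ufw reload"
else
    echo "fix the files listed above before ufw reload"
fi
render_nat_table enp1s0 10.0.0.0/24 10.0.0.30 192.168.0.30 "22,80:10.0.0.51" "3306:10.0.0.52"
rm -rf "$demo_dir"
```

Two checks worth running after the reload: `iptables -t nat -S` should list exactly the rendered rules, and `sysctl net.ipv4.ip_forward` should print 1. Note also that the `ufw allow ssh`, `ufw allow http` and `ufw allow mysql` commands in step [3] add INPUT rules, which is why the `ufw status verbose` output shows 22, 80 and 3306 open "Anywhere" on the gateway host itself (v4 and v6); the DNATed connections instead take the FORWARD path that `DEFAULT_FORWARD_POLICY="ACCEPT"` already permits, so `ufw route allow` (for example `ufw route allow proto tcp to 10.0.0.51 port 22`) is the command for restricting them.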