Команда IT специалистов выполнит подготовку инфраструктуры для вашего бизнеса.
Внедрение самых передовых решений и технологий.
Поддержка и сопровождение ваших сервисов.
Выполнение работ под "ключ", от покупки сервера, до настройки автоматизации процессов.
8(977)608-78-62 adm@nixm.ru

UFW : IP Masquerade

Ответить
Аватара пользователя
ALEXX
Администратор
Администратор
Сообщения: 1316
Зарегистрирован: 21 дек 2014, 14:59
Откуда: Королёв
Контактная информация:

UFW : IP Masquerade

Сообщение ALEXX »

This is how to configure IP Masquerading on UFW.
This example is based on the environment like follows.

Internet
-------------+-------------
Gateway|192.168.0.1
|
External |
enp1s0|192.168.0.30
+------------+------------+
| |
| dlp.srv.world |
| |
+------------+------------+
enp7s0|10.0.0.30
Internal |
|

[1] Enable Forward policy first.
root@dlp:~# vi /etc/default/ufw
# line 19 : change

DEFAULT_FORWARD_POLICY="ACCEPT
"
root@dlp:~# vi /etc/sysctl.conf
# line 28 : uncomment

net.ipv4.ip_forward=1
# reload settings

root@dlp:~# sysctl -p

root@dlp:~# ufw reload

[2] In addition to the UFW default setting, add rules that computers in Internal network can connect to external network or internet via [10.0.0.30] as a gateway.
root@dlp:~# ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

root@dlp:~# vi /etc/ufw/before.rules

.....
.....
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

# add to the end
# NAT
*nat
-F
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o enp1s0 -j MASQUERADE

COMMIT

root@dlp:~# ufw reload

[3] In addition to the setting of [2] above, add rules like follows.
* requests to [enp1s0] with 22 or 80 port destination on External side are forwarded to the Host [10.0.0.51] with the same port on Internal side
* requests to [enp1s0] with 3306 port destination on External side are forwarded to the Host [10.0.0.52] with the same port on Internal side
root@dlp:~# ufw allow ssh

Rule added
Rule added (v6)
root@dlp:~# ufw allow http

Rule added
Rule added (v6)
root@dlp:~# ufw allow mysql

Rule added
Rule added (v6)
root@dlp:~# ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
3306/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
3306/tcp (v6) ALLOW IN Anywhere (v6)

root@dlp:~# vi /etc/ufw/before.rules

.....
.....
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

# NAT
*nat
-F
:POSTROUTING ACCEPT [0:0]
# add rules
:PREROUTING ACCEPT [0:0]

-A PREROUTING -p tcp --dst 192.168.0.30 -m multiport --dports 22,80 -j DNAT --to-destination 10.0.0.51
-A POSTROUTING -p tcp --dst 10.0.0.51 -m multiport --dports 22,80 -j SNAT --to-source 10.0.0.30

-A PREROUTING -p tcp --dst 192.168.0.30 --dport 3306 -j DNAT --to-destination 10.0.0.52:3306
-A POSTROUTING -p tcp --dst 10.0.0.52 --dport 3306 -j SNAT --to-source 10.0.0.30

-A POSTROUTING -s 10.0.0.0/24 -o enp1s0 -j MASQUERADE

COMMIT

root@dlp:~# ufw reload
Ответить

Вернуться в «Сети. Настройка и администрирование»