Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: UFW and Port Forwarding

  1. #1
    Join Date
    Jun 2005
    Beans
    2

    Question UFW and Port Forwarding

    I've got my Ubuntu box acting as a router / firewall for my network and everything is working fine. I need to forward some ports into my network, but I'm unsure how to do this. I have the proper iptables command to enable it, and if I run it from the command line, it works. I imagine the rule has to go into /etc/ufw/before.rules, but I don't know where.

    iptables code that works:
    Code:
    sudo iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 50002 -j DNAT --to 192.168.100.20
    ufw status:
    Code:
    To                         Action  From
    --                         ------  ----
    Anywhere                   ALLOW   192.168.100.0/24
    22:tcp                     ALLOW   Anywhere
    22:udp                     ALLOW   Anywhere
    192.168.100.20 50002:tcp   ALLOW   Anywhere
    192.168.100.20 50002:udp   ALLOW   Anywhere
    /etc/ufw/before.rules:
    Code:
     
    # rules.before
    #
    # Rules that should be run before the ufw command line added rules. Custom
    # rules should be added to one of these chains:
    #   ufw-before-input
    #   ufw-before-output
    #   ufw-before-forward
    #
    
    # nat Table rules
    *nat
    :POSTROUTING ACCEPT [0:0]
    
    # Forward traffic from eth1 through eth0.
    -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
    
    # don't delete the 'COMMIT' line or these nat table rules won't be processed
    COMMIT
    
    # Don't delete these required lines, otherwise there will be errors
    *filter
    :ufw-before-input - [0:0]
    :ufw-before-output - [0:0]
    :ufw-before-forward - [0:0]
    :ufw-not-local - [0:0]
    # End required lines
    
    
    # allow all on loopback
    -A ufw-before-input -i lo -j ACCEPT
    -A ufw-before-output -i lo -j ACCEPT
    
    # connection tracking rules
    -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    
    # drop INVALID packets
    # uncomment to log INVALID packets
    #-A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW BLOCK INVALID]: "
    -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
    
    # connection tracking for outbound
    -A ufw-before-output -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    -A ufw-before-output -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    
    # ok icmp codes
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
    
    # allow dhcp client to work
    -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
    
    #
    # ufw-not-local
    #
    -A ufw-before-input -j ufw-not-local
    
    # if LOCAL, RETURN
    -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
    
    # if MULTICAST, RETURN
    -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
    
    # if BROADCAST, RETURN
    -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
    
    -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK NOT-TO-ME]: "
    
    # all other non-local packets are dropped
    -A ufw-not-local -j DROP
    
    # allow MULTICAST, be sure the MULTICAST line above is uncommented
    -A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
    -A ufw-before-input -d 224.0.0.0/4 -j ACCEPT
    
    
    # don't delete the 'COMMIT' line or these rules won't be processed
    COMMIT

  2. #2
    Join Date
    Feb 2005
    Location
    Alberta
    Beans
    142
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: UFW and Port Forwarding

    Code:
    -A PREROUTING -p tcp -m tcp -i eth0 --dport 50002 -j DNAT --to-destination 192.168.100.20
    I believe that goes right before your MASQUERADE line. Or at least I can say that I had that line right before my MASQUERADE line on an old debian router and it was working fine.

    db

  3. #3
    Join Date
    Feb 2005
    Location
    Alberta
    Beans
    142
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: UFW and Port Forwarding

    I still can't get port forwarding and ufw to work together. I tried stack's before.rules file (substituting my own values) and still no dice. When I enable ufw, forwarding stops. When I disable ufw I get forwarding back.

    Anybody have this working? stack, does the config you posted here work for you? Did you have to alter any other ufw config files to make it roll?

    db

  4. #4
    Join Date
    Feb 2005
    Location
    Alberta
    Beans
    142
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: UFW and Port Forwarding

    Quote Originally Posted by clarknova View Post
    I still can't get port forwarding and ufw to work together.

    https://help.ubuntu.com/8.04/serverguide/C/firewall.html


    Check the section on masquerading. The tutorial assumes that your LAN is 192.168.0.0/24. Aside from doing everything there, you must also add at least one rule to allow your lan to access the outside world.

    Code:
    sudo ufw allow from 192.168.0.0/24 to any
    Then restart the firewall.

    db

  5. #5
    Join Date
    Mar 2007
    Beans
    15

    Re: UFW and Port Forwarding

    please every body here...i wana make ubuntu proxy server in my country where no blocked websites..coz i ve in other country where i work some blocked sites...so i want to make my ubuntu server forward internet so i can use it as proxy in the other country to use in order to open these blocked sites.....thanks for all of you..

  6. #6
    Join Date
    Jan 2007
    Beans
    60
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: UFW and Port Forwarding

    asm2000: this is ot
    install squid, allow connections from localhost and connect to your box with ssh and forward -L 3128:localhost:3128, then set your proxy to localhost in firefox

  7. #7
    Join Date
    Mar 2007
    Beans
    15

    Re: UFW and Port Forwarding

    thanks its nice of you to reply me this post ..but still vague for me could u please simplify it for me ...i know much headacke but im still new to ubuntu servers..thanks again

  8. #8
    Join Date
    Feb 2005
    Location
    Alberta
    Beans
    142
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: UFW and Port Forwarding

    Quote Originally Posted by asm2000 View Post
    i wana make ubuntu proxy server in my country where no blocked websites.
    Rephrasing your question: How do I use an ubuntu server in country B act as a proxy for web client in country A, where certain web sites are blocked in country A, but not blocked in country B?

    If that is your question then try searching for instructions on using ssh or putty (from windows) to connect to an ubuntu machine and use it as a socks proxy. Here's a start:

    http://ubuntuforums.org/showthread.php?t=952043

    You're very off topic in this thread though, so post your further questions somewhere more appropriate, like in the above-linked thread.

    db

  9. #9
    Join Date
    Mar 2007
    Beans
    15

    Re: UFW and Port Forwarding

    thanks dear finally i did it and like to sumarize steps for others :
    after ubuntu server installation::
    ---------------------------------------deleting all roles---------------------------------------
    sudo iptables -F
    sudo iptables -X
    sudo iptables -t nat -F
    sudo iptables -t nat -X
    sudo iptables -t mangle -F
    sudo iptables -t mangle -X
    ---------------------------------------allowing NAT---------------------------------------
    # modprobe iptable_nat
    # echo "1" > /proc/sys/net/ipv4/ip_forward
    # iptables –t nat –A POSTROUTING –o eth0 –j MASQUERADE
    ---------------------------------------installing squid---------------------------------------
    sudo apt-get install squid
    ---------------------------------------configuring squid---------------------------------------
    sudo -s
    cd /etc/squid
    mv squid.conf squid.conf.original
    touch squid.conf
    nano squid.conf
    ::then add :: considering server name is [server]::

    http_port 3128
    visible_hostname server
    acl all src 0.0.0.0/0.0.0.0
    http_access allow all [to be deleted later after finishing all configuration]
    ---------------------------------------restarting squid---------------------------------------
    sudo /etc/init.d/squid restart
    ---------------------------------------preparing cache---------------------------------------
    sudo nano /etc/squid/squid.conf
    ::and add::

    cache_mem 512 MB
    maximum_object_size_in_memory 64 KB
    maximum_object_size 1024 MB
    minimum_object_size 0 KB
    cache_swap_low 90
    cache_swap_high 95
    cache_dir ufs /var/spool/squid 81920 16 256
    cache_access_log /var/log/squid/access.log
    refresh_pattern ^ftp: 15 20% 2280
    refresh_pattern ^gopher: 15 0% 2280
    refresh_pattern . 15 20% 2280
    ---------------------------------------proxy authentication---------------------------------------
    sudo apt-get install apache2-utils
    ---------------------------------------
    sudo -s
    touch /etc/squid/squid_passwd
    htpasswd /etc/squid/squid_passwd username

    *then it will ask for pass

    ::then after adding users add following lines to squid.conf::

    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
    acl allowed_users proxy_auth REQUIRED
    http_access allow allowed_users

  10. #10
    Join Date
    Feb 2009
    Location
    Canada
    Beans
    3
    Distro
    Ubuntu 8.04 Hardy Heron

    Smile Re: UFW and Port Forwarding

    I figured out how to get DNAT to work with ufw.

    Add the following to the very beginning of the before.rules file.

    Code:
    #
    # rules.before
    #
    # Rules that should be run before the ufw command line added rules. Custom
    # rules should be added to one of these chains:
    #   ufw-before-input
    #   ufw-before-output
    #   ufw-before-forward
    #
    
    *nat
    :PREROUTING - [0:0]
    
    # My DNAT rules
    -A PREROUTING -i <iface> -p tcp --dport <port> -j DNAT --to-destination <addr>
    -A PREROUTING -i <iface> -p udp --dport <port> -j DNAT --to-destination <addr>
    
    # don't delete the 'COMMIT' line or these nat table rules won't be processed
    COMMIT
    
    ...
    then

    Code:
    $ sudo ufw disable
    $ sudo ufw enable
    Hope that answers many people's questions.

Page 1 of 2 12 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •