The rules are split into two different files, rules that should be executed before
ufw command line rules, and rules that are executed after ufw command line rules.
ufw Masquerading
-
First, packet forwarding needs to be enabled in ufw. Two configuration files will need to be adjusted, in
/etc/default/ufw change the DEFAULT_FORWARD_POLICY to “ACCEPT”:
DEFAULT_FORWARD_POLICY="ACCEPT"
Then edit /etc/ufw/sysctl.conf and uncomment:
net.ipv4.ip_forward=1
Similarly, for IPv6 forwarding uncomment:
net.ipv6.conf.default.forwarding=1
-
Now we will add rules to the /etc/ufw/before.rules file. The default rules only configure the filter
table, and to enable masquerading the nat table will need to be configured. Add the following to the top of the file
just after the header comments:
# nat Table rules *nat :POSTROUTING ACCEPT [0:0] # Forward traffic from eth1 through eth0. -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE # don't delete the 'COMMIT' line or these nat table rules won't be processed COMMIT
The comments are not strictly necessary, but it is considered
good practice to document your configuration. Also, when modifying
any of the rules files in /etc/ufw, make sure these lines are the last
line for each table modified:
# don't delete the 'COMMIT' line or these rules won't be processed COMMIT
-
Finally, disable and re-enable ufw to apply the changes:
sudo ufw disable && sudo ufw enable
IP Masquerading should now be enabled.
iptables Masquerading
iptables can also be used to enable masquerading.
-
Similar to ufw, the first step is to enable IPv4 packet forwarding by editing
/etc/sysctl.conf and uncomment the following line
net.ipv4.ip_forward=1
If you wish to enable IPv6 forwarding also uncomment:
net.ipv6.conf.default.forwarding=1
-
Next, execute the sysctl command to enable the new settings in the configuration file:
sudo sysctl -p
-
IP Masquerading can now be accomplished with a single
iptables rule, which may differ slightly based on your network
configuration:
sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE
The above command assumes that your private address space is 192.168.0.0/16 and
that your Internet-facing device is ppp0. The syntax is broken down as follows:
- -t nat — the rule is to go into the nat table
- -A POSTROUTING — the rule is to be appended (-A) to the POSTROUTING chain
- -s 192.168.0.0/16 — the rule applies to traffic originating from the specified address space
- -o ppp0 — the rule applies to traffic scheduled to be routed through the specified network device
-
-j MASQUERADE — traffic matching this rule is to “jump”
(-j) to the MASQUERADE target to be manipulated as described above
-
Also, each chain in the filter table (the default table, and where most or all packet
filtering occurs) has a default policy of
ACCEPT, but if you are creating a firewall in addition to a gateway device, you
may have set the policies to DROP or REJECT, in which case your masqueraded
traffic needs to be allowed through the FORWARD chain for the above rule to work:
sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT
The above commands will allow all connections from your local network to the
Internet and all traffic related to those connections to return to the machine
that initiated them.
-
If you want masquerading to be enabled on reboot, which you probably do, edit /etc/rc.local and add any
commands used above. For example add the first command with no filtering:
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE