
Ubuntu 18.04: Configuring the Firewall and Route Forwarding

Original article by 一个老兵, 2024-05-15

1. Install the firewall

Ubuntu ships with the ufw firewall installed by default; if it is missing, install it with the following command.

nvidia@nvidia-desktop:~$ sudo apt-get install ufw
[sudo] password for nvidia:        (enter the account password)

2. Enable the firewall

Enable the firewall (it will also start at boot), block access from outside, and leave this machine's own outbound access unrestricted.

nvidia@nvidia-desktop:~$ sudo ufw enable
[sudo] password for nvidia:        (enter the account password)
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y        (choose y)
nvidia@nvidia-desktop:~$ sudo ufw default deny
[sudo] password for nvidia:        (enter the account password)

3. Allowing and denying

nvidia@nvidia-desktop:~$ sudo ufw allow|deny [service]
nvidia@nvidia-desktop:~$ sudo ufw allow ssh

Open or close a specific port, for example:

sudo ufw allow smtp                 allow all external IPs to reach port 25/tcp (smtp) on this machine
sudo ufw allow 22/tcp               allow all external IPs to reach port 22/tcp (ssh) on this machine
sudo ufw allow 53                   allow external access to port 53 (tcp/udp)
sudo ufw allow from 192.168.1.100   allow this IP to reach every port on this machine
sudo ufw allow proto udp from 192.168.0.1 port 53 to 192.168.0.2 port 53
                                    allow UDP from 192.168.0.1:53 to 192.168.0.2:53 (the "from" keyword is required by ufw's syntax)
sudo ufw deny smtp                  deny external access to the smtp service
sudo ufw delete allow smtp          delete the rule created above

4. View the firewall status

nvidia@nvidia-desktop:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
53                         ALLOW       Anywhere
80                         ALLOW       Anywhere
8080                       ALLOW       Anywhere
81                         ALLOW       Anywhere
8181                       ALLOW       Anywhere
18181                      ALLOW       Anywhere
8081                       ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
53 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
8080 (v6)                  ALLOW       Anywhere (v6)
81 (v6)                    ALLOW       Anywhere (v6)
8181 (v6)                  ALLOW       Anywhere (v6)
18181 (v6)                 ALLOW       Anywhere (v6)
8081 (v6)                  ALLOW       Anywhere (v6)

5. Configure the gateway

Interface plan

Interface   IP address      Notes
eth0        192.169.1.203   internal network, same subnet as the 射头 devices
wlan0       192.168.1.77    external network (campus network)
射头 1      192.168.1.51    射头 subnet
射头 2      192.168.1.52    射头 subnet

Network configuration

nvidia@nvidia-desktop:~$ sudo vim /etc/network/interfaces
[sudo] password for nvidia:
# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

auto eth0                      ### eth0 is brought up automatically
iface eth0 inet static
    address 192.169.1.203
    gateway 192.168.1.1
    netmask 255.255.255.0

View the network information

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.169.1.203  netmask 255.255.255.0  broadcast 192.169.1.255
        inet6 fe80::4ab0:2dff:fe75:e723  prefixlen 64  scopeid 0x20<link>
        inet6 fd00:ec60:73ed:7656:4ab0:2dff:fe75:e723  prefixlen 64  scopeid 0x0<global>
        ether 48:b0:2d:75:e7:23  txqueuelen 1000  (Ethernet)
        RX packets 12168897  bytes 15849502653 (15.8 GB)
        RX errors 0  dropped 5452  overruns 0  frame 0
        TX packets 3288917  bytes 183279018 (183.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 37

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.77  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::8822:6e1f:b943:a22a  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::c5da:5fca:b00d:7fe7  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::d643:2386:6282:6098  prefixlen 64  scopeid 0x20<link>
        ether 84:5c:f3:26:9d:46  txqueuelen 1000  (Ethernet)
        RX packets 3752526  bytes 266968966 (266.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11714537  bytes 16282975825 (16.2 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Enable kernel forwarding

nvidia@nvidia-desktop:~$ sudo vim /etc/sysctl.conf
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
### just remove the leading "#" from the line above

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

###################################################################
# Magic system request Key
# 0=disable, 1=enable all
# Debian kernels have this set to 0 (disable the key)
# See https://www.kernel.org/doc/Documentation/sysrq.txt
# for what other values do
#kernel.sysrq=1

###################################################################
# Protected links
#
# Protects against creating or following links under certain conditions
# Debian kernels have both set to 1 (restricted)
# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
#fs.protected_hardlinks=0
#fs.protected_symlinks=0

Apply the kernel setting

nvidia@nvidia-desktop:~$ sudo sysctl -p
net.ipv4.ip_forward = 1

Configure the internal-network route

nvidia@nvidia-desktop:~$ route add -net 0.0.0.0 gw 192.169.1.203

This adds a route that tells the internal machines to hand packets destined for 192.168.1.0/24 to the gateway 192.168.1.203.

Configure the gateway's NAT forwarding rule

nvidia@nvidia-desktop:~$ iptables -t nat -A POSTROUTING -s 192.169.1.0/24 -o wlan0 -j MASQUERADE

Packets that come from 192.169.1.0/24 and leave through wlan0 are NAT-translated. The MASQUERADE target performs the SNAT automatically, using whatever address wlan0 currently has.

6. Configure the firewall policy

Edit the /etc/default/ufw configuration file

nvidia@nvidia-desktop:~$ sudo vim /etc/default/ufw

Locate DEFAULT_FORWARD_POLICY="DROP" and change it to DEFAULT_FORWARD_POLICY="ACCEPT".

Edit /etc/ufw/before.rules and insert the following block before the *filter line:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -d $from_ip --dport $from_port -j DNAT --to-destination $to_ip:$to_port
-A POSTROUTING -j MASQUERADE
COMMIT

Example:

nvidia@nvidia-desktop:~$ sudo vim /etc/ufw/before.rules
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -d 192.169.1.51 --dport 80 -j DNAT --to-destination 192.168.1.77:8080
-A POSTROUTING -j MASQUERADE
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -d 192.168.1.77 --dport 8080 -j DNAT --to-destination 192.169.1.51:80
-A POSTROUTING -j MASQUERADE
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -d 192.169.1.52 --dport 80 -j DNAT --to-destination 192.168.1.77:8081
-A POSTROUTING -j MASQUERADE
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -d 192.168.1.77 --dport 8081 -j DNAT --to-destination 192.169.1.52:80
-A POSTROUTING -j MASQUERADE
COMMIT
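Hand-writing one *nat block per mapping, as above, is error-prone once there are more than two devices. The following POSIX shell function is an added example (not part of the original article) that renders a small forwarding table into a single *nat block for before.rules; the table values mirror the article's two mappings and are constructed here, and the MASQUERADE line is deliberately scoped to the internal subnet leaving via wlan0 (the same match the article uses in step 5) instead of the unscoped form, so only forwarded LAN traffic is rewritten.

```shell
#!/bin/sh
# Constructed forwarding table (assumed values, same mappings as the article):
# <external ip> <external port> <internal ip> <internal port>
FORWARDS='192.168.1.77 8080 192.169.1.51 80
192.168.1.77 8081 192.169.1.52 80'

LAN_NET=192.169.1.0/24   # internal subnet from the article
WAN_IF=wlan0             # external interface from the article

# gen_nat_block TABLE
# Emit one *nat block in iptables-restore syntax: a DNAT rule per table row,
# then a MASQUERADE limited to LAN sources leaving through the WAN interface.
gen_nat_block() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' "$1" | while read -r ext_ip ext_port int_ip int_port; do
        [ -n "$ext_ip" ] || continue      # skip blank rows
        printf '%s\n' "-A PREROUTING -p tcp -m tcp -d $ext_ip --dport $ext_port -j DNAT --to-destination $int_ip:$int_port"
    done
    printf '%s\n' "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE" 'COMMIT'
}

# count_dnat TABLE: number of DNAT rules the block would contain (sanity check
# against the number of rows you expect to have published).
count_dnat() {
    gen_nat_block "$1" | grep -c -e '-j DNAT'
}
```

Run `gen_nat_block "$FORWARDS"` and paste the output above *filter in before.rules, then `sudo ufw reload`.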

Open the ports

nvidia@nvidia-desktop:~$ sudo ufw allow from any to any port $port

Example:

nvidia@nvidia-desktop:~$ sudo ufw allow from any to any port 8080
nvidia@nvidia-desktop:~$ sudo ufw allow from any to any port 8081
nvidia@nvidia-desktop:~$ sudo ufw allow from any to any port 80

Enable the firewall

nvidia@nvidia-desktop:~$ sudo ufw enable

Reload the configuration

nvidia@nvidia-desktop:~$ sudo ufw reload

Check ufw

nvidia@nvidia-desktop:~$ sudo ufw status
[sudo] password for nvidia:
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
53                         ALLOW       Anywhere
80                         ALLOW       Anywhere
8080                       ALLOW       Anywhere
81                         ALLOW       Anywhere
8181                       ALLOW       Anywhere
18181                      ALLOW       Anywhere
8081                       ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
53 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
8080 (v6)                  ALLOW       Anywhere (v6)
81 (v6)                    ALLOW       Anywhere (v6)
8181 (v6)                  ALLOW       Anywhere (v6)
18181 (v6)                 ALLOW       Anywhere (v6)
8081 (v6)                  ALLOW       Anywhere (v6)
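The listing above (and the one in step 4) shows more ports allowed from Anywhere than the procedure actually publishes, which is easy to miss by eye. As an added example that is not part of the original article, this POSIX shell function parses `ufw status` output and prints every port allowed from Anywhere (IPv4 or IPv6 rows) that is not in an allowlist; the sample status text and the allowlist (ssh plus the two mappings from step 6) are constructed here for the check.

```shell
#!/bin/sh
# Constructed sample of `ufw status` output, in the same layout as the article's listing.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
53                         ALLOW       Anywhere
80                         ALLOW       Anywhere
8080                       ALLOW       Anywhere
81                         ALLOW       Anywhere
8081                       ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)'

# Assumed allowlist: the ports this gateway is meant to expose (space separated).
EXPECTED="22 80 8080 8081"

# unexpected_exposures STATUS_TEXT ALLOWLIST
# Print each port (once) that is ALLOWed from Anywhere but is not in the allowlist.
# Live use: unexpected_exposures "$(sudo ufw status)" "$EXPECTED"
unexpected_exposures() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # IPv4 rows look like:  80   ALLOW   Anywhere
        $2 == "ALLOW" && $3 == "Anywhere" {
            port = $1; sub("/.*", "", port)            # drop a /tcp or /udp suffix
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
        }
        # IPv6 rows look like:  80 (v6)   ALLOW   Anywhere (v6)
        $2 == "(v6)" && $3 == "ALLOW" && $4 == "Anywhere" {
            port = $1; sub("/.*", "", port)
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
        }'
}
```

Rules allowed only from a specific source address are not reported, since the point of the check is what is reachable from anywhere.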

7. Verification

Verify by opening the external address in a browser:

192.168.1.77:8080 (port 8080 is mapped to port 80 on the internal host 192.169.1.51)

[Copyright notice] This article is original content by a 墨天轮 user. When reprinting it, you must credit the source (墨天轮), the article link, the author and other basic information; otherwise the author and 墨天轮 reserve the right to pursue liability. If you find content on 墨天轮 suspected of plagiarism or infringement, please email contact@modb.pro with supporting evidence; once verified, 墨天轮 will remove the content immediately.