NAT/IP Masquerading and UFW

After getting OSPF working with UFW, it turned out I had a need to configure NAT/IP Masquerading as well.

After some troubleshooting and screwing around, here are the usable cliff notes.

1. sudo apt install ufw
2. sudo ufw disable

3. Add the following line to /etc/sysctl.conf:

net.ipv4.ip_forward = 1

4. Save the file and type the command:

sudo sysctl -p

5. Add the following lines to the end of the /etc/ufw/before.rules file:

COMMIT
# Setting up NAT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s LAN-SUBNET -o eth0 -j MASQUERADE
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

Note 1. The first COMMIT finishes the *filter table, which starts further up the file. In the stock before.rules that COMMIT is already the last line, so don't end up with two COMMIT lines in a row; only the *nat block and its own closing COMMIT are new. The *nat line starts the NAT/IP Masquerading table, which needs to be committed afterwards as well. Hence the second ‘COMMIT’. LAN-SUBNET is the network behind eth1, in CIDR notation, so only traffic from your LAN is masqueraded out of eth0.

Note 2. Don’t add anything to the after.rules file and don’t add anything to the user.rules file either (unless of course, you know what you are doing).

6. sudo ufw default deny forward
7. sudo ufw allow in on eth1
8. sudo ufw route allow in on eth0 out on eth1
9. sudo ufw route allow in on eth1 out on eth0
10. sudo ufw allow in on eth0 from EXTERNAL-WAN-IP to WAN-IP port 22 proto tcp
11. sudo ufw allow in on eth1 from INTERNAL-LAN-IP to LAN-IP port 22 proto tcp
12. sudo ufw enable

Note! If you’ve been screwing around with this all day and the above doesn’t work, try rebooting first.

1. Install UFW
2. Disable the firewall for good measure, especially if you’re doing something silly like testing in production :-/
3. Update the /etc/sysctl.conf file to enable IP forwarding in the kernel. Yes, there’s a UFW file for this too. You can uncomment the same line in /etc/ufw/sysctl.conf if you wish. Doing both won’t break anything; it’s just redundant. If you only make the change in /etc/ufw/sysctl.conf, it will only be effective while UFW is running, which could be problematic if you’re trying to troubleshoot a routing issue with the firewall off.
4. Save the changes and validate the change. You should see the line you just added printed to the screen. If you decided to use the /etc/ufw/sysctl.conf file instead, you won’t see anything printed to the screen.
5. Set up the NAT/IP Masquerading Table in UFW. It’s not there by default.
6. Just in case you already tried enabling forwarding in UFW, let’s make sure it’s disabled. That feature doesn’t do what you think it does.
7. Allow traffic inbound from your LAN interface.
8. Allow traffic to traverse your firewall from the WAN interface to the LAN interface.
9. Allow traffic to traverse your firewall from the LAN interface to the WAN interface.
10. You’ll probably want to allow SSH access to your firewall from outside your network. This command locks down external access to a single IP outside your network. If you need a little more freedom than that, try:

sudo ufw allow in on eth0 from any to any port 22 proto tcp

EXTERNAL-WAN-IP: the IP address you will be accessing the firewall from, outside your network.
WAN-IP: the IP address assigned to eth0.

11. You’ll probably want to allow SSH access to your firewall from inside your network. This command locks down internal access to a single IP inside your network. If you need a little more freedom than that, try:

sudo ufw allow in on eth1 from any to any port 22 proto tcp

INTERNAL-LAN-IP: the IP address you will be accessing the firewall from, inside your network.
LAN-IP: the IP address assigned to eth1.

12. Enable the firewall.

Note 1. Unfortunately, you can’t set up the NAT/IP Masquerading table with native UFW commands. From an automation point of view, I’m focusing on simplicity without too much file modification. This is just a necessary complexity.

Note 2. You do not need to allow traffic in on eth0. i.e. do not issue the following command:

sudo ufw allow in on eth0

This would effectively open your firewall to everyone and everything on the internet. It’s required on the LAN interface for traffic passing through and out to the internet, but it is not required for traffic returning by request. Inbound traffic should be allowed by specific rules only, such as the rule in Step 10.
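Since the *nat table has to be written into before.rules by hand (Note 1), here is an added example of scripting that edit safely; it is not the post’s own code. The assumed helper appends the step 5 block to a given file only once and then checks the table/COMMIT pairing described in Note 1 (every *table closed by exactly one COMMIT, no COMMIT outside a table), which is what iptables-restore enforces. FILE, LAN_SUBNET and WAN_IF are parameters; the before.rules content used to exercise it is constructed.

```shell
#!/bin/sh
# Added example (not from the post): idempotently append the *nat block to a
# copy of /etc/ufw/before.rules and sanity-check the table/COMMIT structure.

# add_nat_block FILE LAN_SUBNET WAN_IF
add_nat_block() {
    file=$1; subnet=$2; wanif=$3
    # Idempotent: do nothing if a *nat table is already present.
    grep -q '^\*nat' "$file" && return 0
    # The stock before.rules already ends with the COMMIT that closes *filter,
    # so only the *nat table and its own COMMIT are appended (no double COMMIT).
    printf '%s\n' \
        '# Setting up NAT' \
        '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' \
        "-A POSTROUTING -s $subnet -o $wanif -j MASQUERADE" \
        "# don't delete the 'COMMIT' line or these rules won't be processed" \
        'COMMIT' >> "$file"
}

# check_rules FILE: exit 0 only if every *table is closed by exactly one
# COMMIT, no COMMIT or rule line appears outside a table, and nothing is
# left open at end of file.
check_rules() {
    awk '
        /^#/ || /^[[:space:]]*$/ { next }                       # comments/blank
        /^\*/      { if (in_table) bad = 1; in_table = 1; tables++; next }
        /^COMMIT$/ { if (!in_table) bad = 1; in_table = 0; commits++; next }
                   { if (!in_table) bad = 1 }                   # rule lines
        END { exit ((bad || in_table || tables != commits) ? 1 : 0) }
    ' "$1"
}
```

Run it against a copy of before.rules first; only replace the real file once check_rules passes.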

OSPF and UFW

It’s been a hot minute since I last posted and I figured this was worth sharing. There’s been plenty since the last post, but time has not always been on my side. Today it is!

Short and sweet. I have a VM being used as an OSPF router with two interfaces. I needed to allow traffic to traverse the VM in both directions while maintaining my standard UFW configuration. The commands look something like this:

1. sudo apt install ufw
2. sudo ufw disable
3. sudo ufw default allow forward
4. sudo ufw allow from 224.0.0.0/24
5. sudo ufw allow in on eth0 from UPSTREAM-ROUTER-IP
6. sudo ufw allow in on eth1 from DOWNSTREAM-ROUTER-IP
7. sudo ufw enable

1. Install UFW
2. Disable the firewall for good measure, especially if you’re doing something silly like testing in production :-/
3. Set the default behaviour of forwarded/routed traffic to ALLOW (it’s DROP by default)
(You can also use: sudo ufw default allow routed – routed is an alias of forward)
4. Allow the multicast subnet for OSPF
No ownership is implied. Other dynamic routing protocols use the same multicast range.
5. Allow traffic bound for eth0 from the IP address of the upstream router (UPSTREAM-ROUTER-IP), to send and receive routes.
6. Allow traffic bound for eth1 from the IP address of the downstream router (DOWNSTREAM-ROUTER-IP), to send and receive routes.
If you just have endpoints such as servers or workstations talking to eth1, then you don’t need to enter this command.
7. Enable the firewall.

There are plenty of other solutions out there for modifying configuration files and such, but if you’re going to do that, you might as well remove UFW and use IPTables directly.

That’s all folks!

Note 1. This does not break the default INPUT rule, which in my case was and still is DENY. The above commands allow traffic to traverse the VM firewall; they do not allow external access to the VM. i.e. If I tried to SSH in on port 22 to the IP address on eth0, UFW will drop my request by default, until I specifically set an explicit allow rule.

Note 2. This is not an example of how to set up NAT/Masquerading. This is an example of how to forward traffic between two interfaces where the path between source and destination is provided by OSPF, instead of using forward rules in UFW or entries in the FORWARD table in IPTables.

Telstra Smart Modem (with 4G) – No Internet Access

So I recently did something I swore I would never do… I finally got on board with Telstra, for internet access. I’ve had a mobile service with Telstra for nearly 20 years, but I’ve always used a separate carrier for my internet access. This week, that changed. When the Telstra Smart Modem (with 4G) arrived, […]

Building AR Drone SDK 2.0.1 on Linux

I tried to build this SDK on more variants of Linux than I care to admit. It only works successfully out of the box on Ubuntu. Specifically, Ubuntu 12.04.5. I compiled this for use with my AR Drone 2, but I don’t see why it couldn’t be used with the AR Drone as well. There’s […]