UFW – Port Forwarding Guide

firewalliptablesufw

I realize UFW is mainly just for enabling/disabling access on particular ports, but I'm trying to forward one port to another. I want any connection to port 1724 to be forwarded to 1723.

The file /etc/default/ufw already has DEFAULT_FORWARD_POLICY="ACCEPT". And I believe I need to uncomment net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf. Finally I need to edit /etc/ufw/before.rules to add an iptables rule.

And here is where I get lost because I can't find any documentation for this file. Where do I add the rule? And how exactly?

In particular:

On exactly which line do I add the rule?
Do I put anything before or after it?

Best Answer

Add before filter section in /etc/ufw/before.rules(top of file):

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 1724 -j REDIRECT --to-port 1723
COMMIT

These rules will then need to be reloaded; simply disabling and re-enabling ufw or running ufw reload is not sufficient. The simplest solution is to reboot, otherwise you can use one of the workarounds mentioned in Launchpad bug #881137.

Related Solutions

Ubuntu – Which INPUT rules do I need to add to iptables so apt (apt-get, aptitude) can work (update, upgrade, search, install)

When you send a HTTP request to the other server, you're using TCP. First, a SYN packet go outside to the other server from a random high port, then you'll receive a ACK response. Finally you send SYN/ACK to the server and the server responds with the requested document (in multiple packets). Your rules do not allow the ACK packet to be received and therefore the connection cannot be established. Add a rule like:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

You don't get iptables logs for free. Your rules should look like:

# if no rule matched, the input should be dropped
-P INPUT DROP

-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# etc

# the limit prevents your logs from being flooded if there are a lot packets being captured
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied" --log-level debug

Note that I've omitted iptables before the commands, I recommend using iptables-restore (or iptables-apply for testing) to avoid locking yourself out if a rule fails to apply. The file to be passed to the command looks like:

*FILTER
# your rules here, for example:
-P INPUT DROP
-P INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT

A newline after the COMMIT line is mandatory.

By default, the entries go to /var/log/kern.log. Not good if you want to differentiate between kernel and iptables messages, so create a filter for rsyslog in /etc/rsyslog.d/iptables.conf containing:

:msg,contains,"iptables denied" /var/log/iptables.log
& ~

This will filter iptables errors and send those to /var/log/iptables.log.

Ubuntu – Internet connection sharing without Network Manager

Fixed:

sudo iptables -A FORWARD -o ppp0 -i eth1 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Thanks again to g0rdon at #openwrt :)

Best Answer

Related Solutions

Ubuntu – Which INPUT rules do I need to add to iptables so apt (apt-get, aptitude) can work (update, upgrade, search, install)

Ubuntu – Internet connection sharing without Network Manager

Related Question