Ubuntu – Ubuntu 18.04 as a router


Ubuntu 18.04. I have been given a requirement to use Ubuntu as a simple router.

The Ubuntu box has 2 interfaces – ens33 DHCP, ens38 192.168.10.1/24. 33 is outside, 38 is inside for my purposes. There are a couple of networks behind this box – 192.168.10.x and 192.168.20.x. From any of these networks, I can ping both the interfaces on the ubuntu box. I cannot ping out past the external interface (33).

I have edited /etc/sysctl.conf to allow ipv4 forwarding – net.ipv4.ip_forward=1.

I have added a route to show gateway to other network 192.168.20.x via 38.

Not looking to nat, just route.

Anyone see what I'm missing? Let me know if more information is needed.

Doug

Best Answer

Wanted to post the answer I was looking for in case anyone else needs the same scenario. AlexP pointed me in the right direction above - the outside boxes didn't know how to reply back and I didn't want to have to add routes on every network that may use this.

I did want routing but I also needed NAT.

These instructions were cobbled together from several different sources but primarily - https://help.ubuntu.com/lts/serverguide/firewall.html <- the ufw IP Masquerading section here.

CentOS instructions from here- https://ronnybull.com/2015/11/20/how-to-centos-7-router/.

I am assuming an internal and an external interface on the Ubuntu box and that the settings for those have already been configured. (Also added instructions at the very bottom to accomplish the same thing with CentOS 7 - that was also a requirement of mine)

1. first, enable ufw and ufw logging

sudo ufw enable
sudo ufw logging on

2. Flush any existing rules (do NOT do this if you are already using ufw or iptables for firewalling). Delete and flush. The default table is "filter". Others like "nat" must be explicitly stated.

iptables --flush                   # flush all rules in the filter table
iptables --table nat --flush       # flush all rules in the nat table
iptables --delete-chain            # delete the user-defined chains in the filter table
iptables --table nat --delete-chain    # same for the nat table

3. First, packet forwarding needs to be enabled in ufw. Two configuration files need to be adjusted. In /etc/default/ufw, change DEFAULT_FORWARD_POLICY to "ACCEPT":

DEFAULT_FORWARD_POLICY="ACCEPT"

4. Then edit /etc/ufw/sysctl.conf and uncomment:

net/ipv4/ip_forward=1
net/ipv4/conf/all/forwarding=1 
net/ipv6/conf/default/forwarding=1 # if using IPv6

5. Now add rules to the /etc/ufw/before.rules file. The default rules only configure the filter table, and to enable masquerading the nat table will need to be configured. Add the following to the top of the file just after the header comments:

# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT

For each Table a corresponding COMMIT statement is required. In these examples only the nat and filter tables are shown, but you can also add rules for the raw and mangle tables. In the above example replace eth0, eth1, and 192.168.0.0/24 with the appropriate interfaces and IP range for your network.

6. Finally, disable and re-enable ufw to apply the changes:

sudo ufw disable && sudo ufw enable

IP Masquerading should now be enabled. You can also add any additional FORWARD rules to the /etc/ufw/before.rules. It is recommended that these additional rules be added to the ufw-before-forward chain.

CentOS 7 firewalld config to accomplish the same thing -

1. Enable IPv4 packet forwarding.

a. Add the following to /etc/sysctl.conf:

 net.ipv4.ip_forward = 1

b. Apply the sysctl settings:

sysctl -p

2. Add direct rules to firewalld. Add the --permanent option to keep these rules across restarts.

firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o eth_ext -j MASQUERADE
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth_int -o eth_ext -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth_ext -o eth_int -m state --state RELATED,ESTABLISHED -j ACCEPT

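The ufw procedure from the answer (steps 3 to 6), collected into one script as an added example. This is not code from the question, the answer, or the Ubuntu server guide. It assumes the interface names and subnets from the question (ens33 outside on DHCP, ens38 inside at 192.168.10.1/24, with 192.168.20.0/24 routed behind it), emits one MASQUERADE rule per inside subnet instead of the guide's single 192.168.0.0/24 template line, and puts the same inside-out / established-back forward rules the answer uses for CentOS into the ufw-before-forward chain. Every file-editing function takes the file path as an argument, so it can be exercised on copies before anything under /etc is touched.

```shell
#!/bin/sh
# Added example, not code from the question, the answer or the Ubuntu guide.
# Generates and installs the ufw masquerading setup from the accepted answer.
# Assumed from the question: ens33 outside (DHCP), ens38 inside
# (192.168.10.1/24), with 192.168.20.0/24 routed behind the inside network.
EXT_IF="${EXT_IF:-ens33}"
INT_IF="${INT_IF:-ens38}"
INSIDE_NETS="${INSIDE_NETS:-192.168.10.0/24 192.168.20.0/24}"

# The *nat block for /etc/ufw/before.rules: one MASQUERADE rule per inside
# subnet, restricted to the outside interface, so 192.168.10.x <-> 192.168.20.x
# traffic is plainly routed and never rewritten.
render_nat_rules() {
  printf '# nat Table rules\n*nat\n:POSTROUTING ACCEPT [0:0]\n'
  for net in $INSIDE_NETS; do
    printf '%s\n' "-A POSTROUTING -s $net -o $EXT_IF -j MASQUERADE"
  done
  printf '# do not delete the COMMIT line or the nat rules are not processed\nCOMMIT\n'
}

# Explicit forward rules for the ufw-before-forward chain, the same policy the
# answer's CentOS rules express: inside may go out, outside only gets back in
# for RELATED,ESTABLISHED flows. With these, DEFAULT_FORWARD_POLICY can stay DROP.
render_forward_rules() {
  printf '%s\n' "-A ufw-before-forward -i $INT_IF -o $EXT_IF -j ACCEPT"
  printf '%s\n' "-A ufw-before-forward -i $EXT_IF -o $INT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# Insert stdin into file $1 before the first line matching regex $3 that comes
# at or after the first line matching regex $2 ("" means from the top).
# Writes through cat so the file keeps its owner and mode (root:root 0640).
insert_before() {
  file="$1"; sec="$2"; pat="$3"
  blk=$(mktemp) && out=$(mktemp) || return 1
  cat > "$blk"
  awk -v blk="$blk" -v sec="$sec" -v pat="$pat" '
    sec == "" || $0 ~ sec { insec = 1 }
    insec && !done && $0 ~ pat { while ((getline l < blk) > 0) print l; done = 1 }
    { print }
  ' "$file" > "$out" && cat "$out" > "$file"
  rc=$?; rm -f "$blk" "$out"; return $rc
}

# Put the nat table ahead of *filter and the forward rules inside the filter
# table (before its COMMIT). Safe to rerun: existing blocks are not duplicated.
configure_before_rules() {
  grep -q '^[*]nat' "$1" || render_nat_rules | insert_before "$1" '' '^[*]filter'
  grep -qF -- "ufw-before-forward -i $INT_IF" "$1" ||
    render_forward_rules | insert_before "$1" '^[*]filter' '^COMMIT'
}

# Apply a sed script to a file in place, again preserving owner and mode.
sed_in_place() {
  out=$(mktemp) || return 1
  sed "$2" "$1" > "$out" && cat "$out" > "$1"
  rc=$?; rm -f "$out"; return $rc
}

# DEFAULT_FORWARD_POLICY in /etc/default/ufw.
set_forward_policy() {
  sed_in_place "$1" "s/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY=\"$2\"/"
}

# Uncomment the IPv4 forwarding knobs in /etc/ufw/sysctl.conf (IPv6 is left alone).
enable_ufw_sysctl() {
  sed_in_place "$1" 's|^#*net/ipv4/ip_forward=1|net/ipv4/ip_forward=1|;s|^#*net/ipv4/conf/all/forwarding=1|net/ipv4/conf/all/forwarding=1|'
}

# Is forwarding really on in the kernel? Path overridable so it can be tested.
ip_forward_enabled() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then return 0; else return 1; fi
}

case "${1:-}" in
  render)   # print the fragments for review without touching anything
    render_nat_rules; echo; render_forward_rules ;;
  apply)    # the real thing: steps 3 to 6 of the answer, then verify
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
    set_forward_policy /etc/default/ufw DROP
    enable_ufw_sysctl /etc/ufw/sysctl.conf
    configure_before_rules /etc/ufw/before.rules
    ufw disable && ufw enable
    ip_forward_enabled || { echo "net.ipv4.ip_forward is still 0" >&2; exit 1; }
    iptables -t nat -S POSTROUTING ;;
esac
```

Run it as `sh router-ufw.sh render` first to see the fragments, then `sudo sh router-ufw.sh apply`. The one deliberate deviation from the answer is DEFAULT_FORWARD_POLICY: the answer sets it to ACCEPT, which forwards anything in either direction; because the script installs explicit ufw-before-forward rules for the two directions that are wanted, it sets the default to DROP instead, which is exactly what the answer's CentOS rule set already does with its FORWARD rules. The final `iptables -t nat -S POSTROUTING` shows whether the MASQUERADE rules actually made it into the kernel after the ufw reload.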