@mattsn0w
Forked from kimus/ufw.md
Last active September 28, 2024 16:27
NAT with Ubuntu ufw firewall

UFW

This gist was originally found at https://gist.github.com/kimus/9315140 and modified for my use case.

Install UFW

sudo apt-get install ufw

Enable NAT

In /etc/default/ufw, change the parameter DEFAULT_FORWARD_POLICY so that forwarded packets are accepted; NAT depends on this forwarding policy.

DEFAULT_FORWARD_POLICY="ACCEPT"

Enable IPv4 forwarding in the kernel in /etc/ufw/sysctl.conf so the tink-stack host can act as a packet router.

net.ipv4.ip_forward=1

Add the following to /etc/ufw/before.rules, just before the filter rules.

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Masquerade LAN traffic out of the upstream interface - change wlp2s0 to match your out-interface
-A POSTROUTING -s 192.168.1.0/24 -o wlp2s0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT

Make sure SSH into the wireless interface is allowed so you can still manage the tink-stack.
Allow all traffic on the wired interface, since that is where the nodes to be provisioned are connected.
These lines go further down in the file.

# Allow all on enp1s0
-A ufw-before-input -i enp1s0 -j ACCEPT
-A ufw-before-output -o enp1s0 -j ACCEPT

# Allow inbound SSH on all interfaces. This is not to be used on public networks!
-A ufw-before-input -p tcp --dport 22 -j ACCEPT

Now enable the changes by restarting ufw.

$ sudo ufw disable && sudo ufw enable
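The steps above are easy to get subtly wrong: the *nat block must sit before the *filter section, it must be closed by its own COMMIT line, and the SSH rule as written accepts port 22 on every interface. The following POSIX shell script is an added example, not part of the original gist, that checks a before.rules file for those three points before you restart ufw. It assumes the file uses the iptables-restore layout ufw expects and builds two constructed sample files (one correct, one missing the nat COMMIT) to run against; the function names and sample contents are the example's own.

```shell
#!/bin/sh
# Added example: sanity-check a ufw before.rules file for the NAT block.
# Assumption: the file is in iptables-restore format, *nat before *filter.

# check_nat_rules FILE LAN_CIDR OUT_IFACE
# Returns 0 if the nat table is well-formed and carries the expected
# MASQUERADE rule, 1 otherwise. Findings are printed.
check_nat_rules() {
    file=$1; lan=$2; oif=$3; rc=0
    nat_line=$(grep -n '^\*nat' "$file" | head -n1 | cut -d: -f1)
    filter_line=$(grep -n '^\*filter' "$file" | head -n1 | cut -d: -f1)
    if [ -z "$nat_line" ]; then
        echo "FAIL: no *nat table in $file"; return 1
    fi
    if [ -n "$filter_line" ] && [ "$nat_line" -gt "$filter_line" ]; then
        echo "FAIL: *nat must come before *filter"; rc=1
    fi
    # The COMMIT closing the nat table must appear after *nat and before *filter.
    commit_line=$(awk -v s="$nat_line" 'NR>s && /^COMMIT/ {print NR; exit}' "$file")
    if [ -z "$commit_line" ] || { [ -n "$filter_line" ] && [ "$commit_line" -gt "$filter_line" ]; }; then
        echo "FAIL: nat table is not closed by its own COMMIT line"; rc=1
    fi
    if ! grep -q -- "-A POSTROUTING -s $lan -o $oif -j MASQUERADE" "$file"; then
        echo "FAIL: no MASQUERADE rule for $lan via $oif"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: nat table well-formed in $file"
    return "$rc"
}

# ssh_rule_unrestricted FILE
# Returns 0 if an SSH accept rule exists that is not bound to an interface
# with -i, i.e. the "all interfaces" form from the gist.
ssh_rule_unrestricted() {
    grep -E '^-A ufw-before-input .*--dport 22 .*-j ACCEPT' "$1" | grep -qv -- '-i '
}

# Constructed sample files (not real system files) mirroring the gist.
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o wlp2s0 -j MASQUERADE
COMMIT

*filter
:ufw-before-input - [0:0]
-A ufw-before-input -i enp1s0 -j ACCEPT
-A ufw-before-output -o enp1s0 -j ACCEPT
-A ufw-before-input -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
# Same file with the nat COMMIT dropped: the nat rules would never load.
grep -v '^COMMIT$' "$GOOD" | awk '/^\*filter/ {print; next} {print} END {print "COMMIT"}' > "$BAD"

for f in "$GOOD" "$BAD"; do
    check_nat_rules "$f" 192.168.1.0/24 wlp2s0 || true
    if ssh_rule_unrestricted "$f"; then
        echo "NOTE: SSH is accepted on all interfaces in $f"
    fi
done
```

Run it against a copy of your own /etc/ufw/before.rules by calling check_nat_rules with your LAN range and outbound interface; a NOTE about SSH is expected with the gist's rule and is the reminder that the rule belongs only on a private network.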