Configuring an Ubuntu router with UFW

Going the Ubuntu 20.04 server route and using UFW. Steps so far (starting from a fresh install), with the network layout attached.

Network configured with netplan - YAML file below - the question here is whether I need the default gateway for the 192.168.1.0/24 network, which in this case is 192.168.1.1

network:
  ethernets:
    enp2s0:
      addresses:
      - 192.168.1.230/24
      gateway4: 192.168.1.1
      nameservers:
        addresses:
        - 192.168.1.1
        search: []
    enx000acd394549:
      addresses:
      - 192.168.10.230/24
      nameservers:
        addresses: []
        search: []
  version: 2

/etc/ufw/sysctl.conf - uncommented net_ipv4_ip_forward=1

ufw allow 22 (for ssh) access
ufw disable && ufw enable

From a machine connected to the 192.168.10.x/24 network as a test machine, I can ping both sides of the router and can ssh into the router, but I cannot ping anything beyond the router.

Checked the output of ufw status verbose:

root@router:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)

Routing is disabled.

Changed DEFAULT_FORWARD_POLICY in /etc/default/ufw from "DROP" to "ACCEPT"

ufw default allow forward

Pinging from the 192.168.10.x/24 network to the 192.168.1.x/24 network still doesn't work.

Need to update the rules to allow the relevant networks through the firewall; this is a bit overkill here, but let's get it working first...

ufw allow from 192.168.10.0/24 to any
ufw allow from 192.168.1.0/24 to any

Re-ran the status:

root@router:~# ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
Anywhere                   ALLOW IN    192.168.10.0/24
Anywhere                   ALLOW IN    192.168.1.0/24
22 (v6)                    ALLOW IN    Anywhere (v6)

Still no change...

I have checked before.rules in ufw, and the following ICMP packets are allowed:

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

I have a tail -f on /var/log/ufw.log running in the background, and it shows no UFW BLOCK entries - just a lot of AUDIT entries. Thanks for any ideas.

Many thanks,

Answer 1

The following needs to be added to /etc/ufw/before.rules

*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through enp2s0 - which in this case is the outbound interface from internal network
-A POSTROUTING -s 192.168.10.0/24 -o enp2s0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT

The source network is 192.168.10.0 and the outbound network interface is enp2s0 (in this case copied from /etc/netplan/00xyxhx.yaml)
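An added check (example code, not from the question or the answer): it parses the iptables-restore syntax used in /etc/ufw/before.rules and reports a missing *nat table, a missing COMMIT, the absence of the POSTROUTING MASQUERADE rule for the LAN subnet and uplink interface named in the post, or a MASQUERADE rule that is not restricted by both -s and -o. The sample rules text is constructed from the answer above.

```python
import shlex
LAN_SUBNET, WAN_IF = "192.168.10.0/24", "enp2s0"   # LAN subnet and uplink interface from the post

# Constructed sample: the nat block the answer adds to /etc/ufw/before.rules.
GOOD_NAT_BLOCK = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.10.0/24 -o enp2s0 -j MASQUERADE
COMMIT
"""

def parse_tables(text):
    """Split iptables-restore text into {table: {"rules": [tokens], "committed": bool}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#:":          # blank, comment or chain-policy line
            continue
        if line.startswith("*"):                 # '*nat' opens a table
            current = line[1:]
            tables[current] = {"rules": [], "committed": False}
        elif line == "COMMIT" and current is not None:   # COMMIT closes and applies the table
            tables[current]["committed"] = True
            current = None
        elif current is not None:
            tables[current]["rules"].append(shlex.split(line))
    return tables

def rule_options(tokens):
    # '-A POSTROUTING -s X -o Y -j MASQUERADE' -> {'-A': 'POSTROUTING', '-s': 'X', ...}
    opts, i = {}, 0
    while i < len(tokens):
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        opts[tokens[i]] = tokens[i + 1] if has_value else True
        i += 2 if has_value else 1
    return opts

def masquerade_problems(text, lan_subnet=LAN_SUBNET, wan_if=WAN_IF):
    tables, problems = parse_tables(text), []
    if "nat" not in tables:
        return ["no *nat table, so nothing is translated"]
    if not tables["nat"]["committed"]:
        problems.append("*nat table is missing its COMMIT line")
    rules = [rule_options(r) for r in tables["nat"]["rules"]]
    wanted = {"-A": "POSTROUTING", "-s": lan_subnet, "-o": wan_if, "-j": "MASQUERADE"}
    if not any(all(o.get(k) == v for k, v in wanted.items()) for o in rules):
        problems.append(f"no POSTROUTING MASQUERADE for {lan_subnet} out of {wan_if}")
    for o in rules:
        if o.get("-j") == "MASQUERADE" and not ("-s" in o and "-o" in o):
            problems.append("MASQUERADE rule without both -s and -o translates more than the LAN")
    return problems
```

Run it against the real file with `masquerade_problems(open("/etc/ufw/before.rules").read())`; an empty list means the block is present, scoped to the LAN, and committed.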
