我可以通过以下配置使用 UFW 启用 NAT。
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.141.0/24 -o ens192 -j MASQUERADE
COMMIT
如果我想启用TCPMSS,我必须手动运行以下命令。
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
如何在 UFW 配置中进行设置?
答案1
它按照以下配置按预期工作。
/etc/ufw/after.rules在最后一行之前添加以下行COMMIT。
-A ufw-after-forward -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
例子:
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-after-forward - [0:0]
# End required lines
# don't log noisy services by default
-A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input
# don't log noisy broadcast
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
# TCPMSS rule
-A ufw-after-forward -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT