Building an Ubuntu Router Part 3 - Firewall/NAT

Firewall

Add rules to allow traffic on your loopback interface:

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

And let's also allow anything coming in on the LAN interface:

sudo iptables -A INPUT -i enp0s8 -j ACCEPT

To accept traffic being forwarded from the LAN to the WAN:

sudo iptables -A FORWARD -i enp0s8 -o enp0s3 -j ACCEPT

We should accept traffic from the WAN going to the LAN if, and only if, the LAN initiated the connection:

sudo iptables -A INPUT -i enp0s3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -i enp0s3 -o enp0s8 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Enable IP Forwarding

Edit the file sysctl.conf to activate it permanently.

sudo cp /etc/sysctl.conf{,.bak}
sudo nano /etc/sysctl.conf

Change the value of net.ipv4.ip_forward from 0 to 1:

net.ipv4.ip_forward=1

Activate the changes with the following command.

sudo sysctl -p

Through iptables we masquerade the packets going out of the interface enp0s3, which has the internet connection, so that they carry that interface's address:

sudo iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE

The configuration can be viewed with the following command.

sudo iptables -L -v

Saving Iptables Firewall Rules Permanently

If apt is unable to locate the package iptables-persistent, it is necessary to add the universe component to sources.list and run an update before it can be installed.

sudo cp /etc/apt/sources.list{,.bak}
sudo nano /etc/apt/sources.list

Add universe at the end of each source line:

deb http://archive.ubuntu.com/ubuntu bionic main universe
deb http://archive.ubuntu.com/ubuntu bionic-security main universe
deb http://archive.ubuntu.com/ubuntu bionic-updates main universe

Update the package lists and install iptables-persistent:

sudo apt-get update
sudo apt install iptables-persistent -y

Each time a rule change is made, save the changes with the following command.

sudo dpkg-reconfigure iptables-persistent

(You will need to answer yes to the questions about whether to save the rules.)

After that, the next time iptables-persistent is started/restarted, the iptables rulesets you expect will be loaded.
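As an added example, not code from the original post, here is the complete ruleset of this page written in the iptables-restore format that iptables-persistent loads from /etc/iptables/rules.v4. It adds default DROP policies on INPUT and FORWARD, which the commands above do not set and without which the ACCEPT rules constrain nothing, and includes a small check that rejects a ruleset whose WAN-to-LAN forwarding is not limited to ESTABLISHED,RELATED. The interface names enp0s8 (LAN) and enp0s3 (WAN) are the page's; the script itself, its function names and the --render flag are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Renders the page's firewall and
# NAT rules as an iptables-restore file and checks its security invariants.
# Interface names are the page's; function names and flags are assumptions.

# render_rules LAN WAN: print a complete /etc/iptables/rules.v4 to stdout.
# INPUT and FORWARD default to DROP so only the listed ACCEPT rules let
# traffic through; OUTPUT from the router itself is left open.
render_rules() {
    lan=$1
    wan=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A INPUT -i $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# check_rules LAN WAN: read a ruleset on stdin; succeed only if INPUT and
# FORWARD default to DROP and every WAN->LAN forward rule is restricted to
# ESTABLISHED,RELATED. The first problem found is printed to stdout.
check_rules() {
    lan=$1
    wan=$2
    awk -v lan="$lan" -v wan="$wan" '
        /^:INPUT DROP/   { input_drop = 1 }
        /^:FORWARD DROP/ { fwd_drop = 1 }
        /^-A FORWARD / {
            # a rule forwarding from the WAN into the LAN must carry a ctstate match
            if ($0 ~ ("-i " wan " -o " lan) && $0 !~ /--ctstate ESTABLISHED,RELATED/) {
                print "unrestricted WAN->LAN forward: " $0
                bad = 1
            }
        }
        END {
            if (!input_drop) { print "INPUT policy is not DROP";   bad = 1 }
            if (!fwd_drop)   { print "FORWARD policy is not DROP"; bad = 1 }
            exit bad
        }'
}

# Usage (assumed workflow): ./rules.sh --render > /etc/iptables/rules.v4
# then: sudo iptables-restore < /etc/iptables/rules.v4
# The file is only printed when it passes check_rules.
if [ "${1:-}" = "--render" ]; then
    render_rules enp0s8 enp0s3 | check_rules enp0s8 enp0s3 >/dev/null \
        && render_rules enp0s8 enp0s3
fi
```

Running check_rules against the rules as given on this page (accepting the default ACCEPT policies) reports that INPUT and FORWARD are not DROP; the same check would also catch a later edit that forwards WAN traffic into the LAN without the conntrack state match.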

Check the connection to the internet from a PC on the LAN.

© 2020 Juvenal Yescas All Rights Reserved.