<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Fajar,<div class=""><br class=""></div>
<div class="">Just following up on this thread. Thanks for pointing out the redundant NAT problem with ufw. I found another solution to prevent this issue when restarting ufw (from here: <a href="https://gist.github.com/kimus/9315140" class="">https://gist.github.com/kimus/9315140</a>, in the comments section).</div><div class=""><br class=""></div>
<div class="">Adding a “-F” statement before your first NAT rule flushes the NAT table, thereby preventing the redundant NAT entries. Example:</div><div class=""><br class=""></div>
<div class="">-----------------------</div>
<div class="">&lt;top of file&gt;</div>
<div class=""># ========================</div>
<div class=""># Rules for Custom Network</div>
<div class=""># ========================</div>
<div class=""><br class=""></div>
<div class="">*nat</div>
<div class="">:PREROUTING ACCEPT [0:0]</div>
<div class="">:POSTROUTING ACCEPT [0:0]</div>
<div class=""><br class=""></div>
<div class=""># Flush table to prevent redundant NAT rules</div>
<div class="">-F</div>
<div class=""><br class=""></div>
<div class=""># Port Forwardings (change dport to match incoming port and destination:port to match target server behind eth1)</div>
<div class="">-A PREROUTING -d 192.168.24.5 -p tcp --dport 222 -j DNAT --to-destination 30.1.1.3:22</div>
<div class="">-A PREROUTING -d 192.168.24.5 -p tcp --dport 801 -j DNAT --to-destination 30.1.1.3:80</div>
<div class="">-A PREROUTING -d 192.168.24.5 -p tcp --dport 802 -j DNAT --to-destination 30.1.1.3:443</div>
<div class=""><br class=""></div>
<div class=""># Use this if you have IP Aliases on the front end pointing to different back-end servers</div>
<div class="">-A PREROUTING -d 192.168.24.6 -p tcp --dport 222 -j DNAT --to-destination 30.1.1.3:22</div>
<div class=""><br class=""></div>
<div class=""># NAT traffic from inside network (30.1.1.0/24) through eth0 to the world</div>
<div class="">-A POSTROUTING -s 30.1.1.0/24 -o eth0 -j MASQUERADE</div>
<div class=""><br class=""></div>
<div class="">COMMIT</div>
<div class="">...</div>
<div class="">...</div>
<div class="">&lt;rest of file&gt;</div>
<div class="">...</div>
<div class="">...</div>
<div class="">-----------------------</div><div class=""><br class=""></div>
<div class="">I ran a test this morning with and without the “-F” option and verified everything worked as expected.</div><div class=""><br class=""></div>
<div class="">Just thought I would share with everyone.</div><div class=""><br class=""></div>
<div class="">Hope this helps.</div><div class=""><br class=""></div>
<div class="">-Ron</div><div class=""><br class=""></div>
<div class=""><br class=""><div><div class="">On Apr 27, 2017, at 8:25 PM, Fajar A. Nugraha &lt;<a href="mailto:list@fajar.net" class="">list@fajar.net</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="gmail_extra"><div class="gmail_quote">On Fri, Apr 28, 2017 at 1:05 AM, Ron Kelley <span dir="ltr" class="">&lt;<a href="mailto:rkelleyrtp@gmail.com" target="_blank" class="">rkelleyrtp@gmail.com</a>&gt;</span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Thanks for the feedback, Spike. After looking around for a while, I, too, decided a small Ubuntu container with a minimal firewall tool is the way to go. In my case, I used “ufw” but will also look at “firehol”.<br class="">
<br class="">
Our firewall/NAT requirements are not very large, and I finally figured out the right set of rules we need. In essence, we just need to add these to the /etc/ufw/before.rules file and restart ufw:<br class="">
<br class=""></blockquote><div class=""><br class=""></div><div class="">with ONLY changes to /etc/ufw/before.rules, the NAT rules would be reapplied (resulting multiple rules on NAT table) whenever you restart ufw. No big deal if you plan to restart the container anyway on every rule change (or never plan to change the rules), but not ideal if your plan is to use "ufw reload".</div><div class=""><br class=""></div><div class="">In my case I had to separate ufw NAT rules into a new custom chain, ufw-before-prerouting: </div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">- edit /etc/ufw/before.init (copy it from /usr/share/ufw/before.init), and make it executable (e.g. chmod 700). Snippet of edited lines:</div><div class=""><br class=""></div><div class=""><div class="">start)</div><div class=""> iptables -t nat -N ufw-before-prerouting || true<br class=""></div><div class=""> iptables -t nat -I PREROUTING -j ufw-before-prerouting || true</div><div class=""> ;;<br class=""></div><div class="">stop)</div><div class=""> iptables -t nat -D PREROUTING -j ufw-before-prerouting || true<br class=""></div><div class=""> iptables -t nat -F ufw-before-prerouting || true</div><div class=""> iptables -t nat -X ufw-before-prerouting || true</div><div class=""> ;;<br class=""></div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">- add NAT lines to /etc/ufw/before.rules to look similar to this:</div><div class=""><div class=""><br class=""></div><div class=""><div class=""># nat Table rules</div><div class="">*nat</div><div class="">:ufw-before-prerouting - [0:0]</div><div class=""><br class=""></div><div class=""># DNAT example<br class=""></div><div class="">-A ufw-before-prerouting -i eth0 -p tcp --dport 21122 -j DNAT --to <a href="http://10.0.3.211:22/" class="">10.0.3.211:22</a><br class=""></div></div></div><div class=""><br class=""></div><div class=""><br 
class=""></div><div class="">-- </div><div class="">Fajar</div></div></div></div>
_______________________________________________<br class="">lxc-users mailing list<br class=""><a href="mailto:lxc-users@lists.linuxcontainers.org" class="">lxc-users@lists.linuxcontainers.org</a><br class="">http://lists.linuxcontainers.org/listinfo/lxc-users</div></div><br class=""></div></body></html>
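Both mails above chase the same symptom: NAT rules piling up in the nat table after each ufw reload. As an added example (not code from either mail), this shell function reads an iptables-save style dump and reports every rule that occurs more than once within its table; the dump below is constructed to mirror Ron's before.rules, with one DNAT rule applied twice.

```shell
#!/bin/sh
# Added example: detect duplicated rules in an iptables-save dump.
# Live use: find_dup_rules "$(iptables-save -t nat)"

# Constructed sample dump (not captured from a real host). The PREROUTING
# DNAT rule appears twice, the MASQUERADE rule once, the filter table is clean.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.24.5/32 -p tcp -m tcp --dport 222 -j DNAT --to-destination 30.1.1.3:22
-A PREROUTING -d 192.168.24.5/32 -p tcp -m tcp --dport 222 -j DNAT --to-destination 30.1.1.3:22
-A POSTROUTING -s 30.1.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'

# find_dup_rules DUMP
# Prints "<table> <count> <rule>" for each -A line seen more than once
# inside the same table ("*nat", "*filter", ...).
find_dup_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/  { table = substr($0, 2); next }      # "*nat" -> current table
        /^-A / { seen[table SUBSEP $0]++ }          # count identical rules per table
        END {
            for (k in seen) if (seen[k] > 1) {
                split(k, parts, SUBSEP)
                printf "%s %d %s\n", parts[1], seen[k], parts[2]
            }
        }'
}

# count_dup_rules DUMP
# Number of distinct duplicated rules; 0 means the tables are clean.
count_dup_rules() {
    find_dup_rules "$1" | awk 'END { print NR }'
}

find_dup_rules "$SAMPLE_DUMP"
count_dup_rules "$SAMPLE_DUMP"
```

A clean dump yields 0, so the check can sit in a cron job or a post-reload hook. Note that a bare -F at the top of the *nat section, as in Ron's file, flushes every chain in the nat table, including rules added outside ufw, which is a reason to prefer Fajar's dedicated chain when other tools also manage NAT on the host.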