Fajar,

Just following up on this thread.  Thanks for pointing out the redundant NAT 
problem with ufw.  I found another solution to prevent this issue when 
restarting ufw (from here: https://gist.github.com/kimus/9315140 in the 
comments section)

Adding a “-F” statement before your first NAT rule flushes the NAT - thereby 
preventing the redundant NAT entries.  Example:

-----------------------
<top of file>
# ========================
# Rules for Custom Network
# ========================
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Flush table to prevent redundant NAT rules
-F

# Port Forwardings (change dport to match incoming port and destination:port to match target server behind eth1)
-A PREROUTING -d 192.168.24.5 -p tcp --dport 222 -j DNAT --to-destination 30.1.1.3:22
-A PREROUTING -d 192.168.24.5 -p tcp --dport 801 -j DNAT --to-destination 30.1.1.3:80
-A PREROUTING -d 192.168.24.5 -p tcp --dport 802 -j DNAT --to-destination 30.1.1.3:443

# Use this if you have IP Aliases on the front end pointing to different back-end servers
-A PREROUTING -d 192.168.24.6 -p tcp --dport 222 -j DNAT --to-destination 30.1.1.3:22

# NAT traffic from inside network (30.1.1.0/24) through eth0 to the world
-A POSTROUTING -s 30.1.1.0/24 -o eth0 -j MASQUERADE

COMMIT
...
...
<rest of file>
...
...
-----------------------

I ran a test this morning with and without the “-F” option and verified 
everything worked as expected.

Just thought I would share with everyone.

Hope this helps.

-Ron
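As an added, offline example (my own script, not code from Ron's or Fajar's mails and not part of ufw), here are two checks a practitioner can run around the reload problem discussed in this thread: one counts rules that appear more than once in an `iptables-save -t nat` dump, which is the symptom of before.rules being re-applied on every `ufw reload`; the other checks whether the `*nat` section of a before.rules file carries a `-F` line ahead of its first `-A`, which is Ron's fix. All input is constructed sample text embedded in the script; the file names and the temporary directory are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Runs offline on constructed sample files.

# Count distinct NAT rules that occur more than once in an iptables-save dump.
# Duplicates are what pile up when the *nat section of before.rules is applied
# again on "ufw reload" without a preceding flush.
count_duplicate_nat_rules() {
    # $1: file holding `iptables-save -t nat` style output
    grep '^-A ' "$1" | sort | uniq -d | wc -l | tr -d ' '
}

# Report whether the *nat section of a before.rules file flushes before it
# appends. Prints "ok" when a -F line precedes the first -A inside *nat,
# "missing" otherwise. Only the *nat table is inspected.
nat_section_flushes_first() {
    # $1: path to a before.rules style file
    awk '
        /^\*/ { table = $1; next }          # *nat, *filter, ... select the table
        table != "*nat" { next }            # ignore every other table
        $1 == "-F" && !appended { flushed = 1 }
        $1 == "-A" { appended = 1 }
        END { print (flushed ? "ok" : "missing") }
    ' "$1"
}

# --- constructed sample input (assumption: not captured from a real host) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# A nat table as it would look after two reloads of a before.rules without -F:
# every rule is present twice.
cat > "$demo_dir/nat-after-reload.txt" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.24.5/32 -p tcp -m tcp --dport 222 -j DNAT --to-destination 30.1.1.3:22
-A POSTROUTING -s 30.1.1.0/24 -o eth0 -j MASQUERADE
-A PREROUTING -d 192.168.24.5/32 -p tcp -m tcp --dport 222 -j DNAT --to-destination 30.1.1.3:22
-A POSTROUTING -s 30.1.1.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF

# before.rules *nat section without the flush.
cat > "$demo_dir/before.rules.noflush" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.24.5 -p tcp --dport 222 -j DNAT --to-destination 30.1.1.3:22
-A POSTROUTING -s 30.1.1.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF

# The same section with Ron's -F line added before the first -A.
cat > "$demo_dir/before.rules.flush" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-F
-A PREROUTING -d 192.168.24.5 -p tcp --dport 222 -j DNAT --to-destination 30.1.1.3:22
-A POSTROUTING -s 30.1.1.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF

echo "duplicate NAT rules after reload: $(count_duplicate_nat_rules "$demo_dir/nat-after-reload.txt")"
echo "before.rules without -F: $(nat_section_flushes_first "$demo_dir/before.rules.noflush")"
echo "before.rules with -F:    $(nat_section_flushes_first "$demo_dir/before.rules.flush")"
```

One caveat worth keeping in mind when choosing between the two fixes in this thread: a bare `-F` inside the `*nat` section flushes every chain of the nat table, so it also removes nat rules that something other than ufw put there (a container or virtualization tool that manages its own NAT, for instance). Fajar's approach of a dedicated `ufw-before-prerouting` chain, flushed and deleted in before.init, only touches its own rules. Running `iptables-save -t nat` through the duplicate check above after a `ufw reload` is a quick way to confirm whichever fix you picked actually holds.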





On Apr 27, 2017, at 8:25 PM, Fajar A. Nugraha <l...@fajar.net> wrote:

On Fri, Apr 28, 2017 at 1:05 AM, Ron Kelley <rkelley...@gmail.com> wrote:
Thanks for the feedback, Spike.  After looking around for a while, I, too, 
decided a small ubuntu container with a minimal firewall tool is the way to go. 
 In my case, I used “ufw” but will also look at "firehol”.

Our firewall/NAT requirements are not very large, and I finally figured out the 
right set of rules we need.  In essence, we just need to add these to the 
/etc/ufw/before.rules file and restart ufw:


with ONLY changes to /etc/ufw/before.rules, the NAT rules would be reapplied 
(resulting multiple rules on NAT table) whenever you restart ufw. No big deal 
if you plan to restart the container anyway on every rule change (or never plan 
to change the rules), but not ideal if your plan is to use "ufw reload".

In my case I had to separate ufw NAT rules into a new custom chain, 
ufw-before-prerouting: 


- edit /etc/ufw/before.init (copy it from /usr/share/ufw/before.init), and make 
it executable (e.g. chmod 700). Snippet of edited lines:

start)
    iptables -t nat -N ufw-before-prerouting || true
    iptables -t nat -I PREROUTING -j ufw-before-prerouting || true
    ;;
stop)
    iptables -t nat -D PREROUTING -j ufw-before-prerouting || true
    iptables -t nat -F ufw-before-prerouting || true
    iptables -t nat -X ufw-before-prerouting || true
    ;;



- add NAT lines to /etc/ufw/before.rules to look similar to this:

# nat Table rules
*nat
:ufw-before-prerouting - [0:0]

# DNAT example
-A ufw-before-prerouting -i eth0 -p tcp --dport 21122 -j DNAT --to 10.0.3.211:22


-- 
Fajar
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
