Forward port to LXC guest using UFW
Solution 1
Add to the top of the /etc/ufw/before.rules, before the *filter section (top of file):
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to 10.0.3.11:2222
COMMIT
then restart/reload the firewall
sudo ufw disable && sudo ufw enable
Since we're using chains other than ufw's ufw-before-*, ufw-after-* and ufw-reject-*, we have to change MANAGE_BUILTINS=no to MANAGE_BUILTINS=yes in the file /etc/default/ufw. Check this post for more details.
Solution 2
Steve Zhan's answer is correct; one more thing to do if you're on Vagrant is to change DEFAULT_FORWARD_POLICY="DROP" to DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw.
Solution 3
There are a few more configuration steps that are needed to allow general traffic to flow; simply adding the pre-routing lines is insufficient.
Assuming your UFW rules are not already heavily modified, the following should be sufficient:
At the top of /etc/ufw/before.rules, before the *filter section:
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i enp0s8 -p tcp --dport 2222 -j DNAT --to 10.0.3.11:2222
COMMIT
And near the bottom, before the final COMMIT:
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
-A INPUT -p udp --dport 53 -i enp0s8 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 53 -i enp0s8 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 67 -i enp0s8 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 67 -i enp0s8 -m state --state NEW -j ACCEPT
And also, in /etc/ufw/after.rules, again before the *filter section, you need:
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
COMMIT
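As an added check for the before.rules layout that Solutions 1 and 3 depend on (example code written for this page, not ufw's own tooling and not from the answers): a POSIX sh audit that reads a before.rules file and rejects a *nat block placed after *filter, a nat block not closed by its own COMMIT, or a DNAT rule with no -i. The two sample rule files it runs against are constructed, not taken from a real host.

```shell
#!/bin/sh
# audit_before_rules: hypothetical helper added here, not part of ufw or of
# the answers above. It checks a ufw before.rules file for the layout the
# answers rely on: a *nat table placed before *filter and closed by its own
# COMMIT, plus a PREROUTING DNAT rule bound to an ingress interface (-i).
audit_before_rules() {
    f="$1"; rc=0
    nat=$(grep -n '^\*nat' "$f" | head -n1 | cut -d: -f1)
    filter=$(grep -n '^\*filter' "$f" | head -n1 | cut -d: -f1)
    [ -n "$nat" ] || { echo "FAIL: no *nat table in $f"; return 1; }
    if [ -n "$filter" ] && [ "$nat" -gt "$filter" ]; then
        echo "FAIL: *nat (line $nat) comes after *filter (line $filter)"; rc=1
    fi
    # The nat block needs its own COMMIT before *filter begins.
    commit=$(awk -v s="$nat" 'NR > s && /^COMMIT/ { print NR; exit }' "$f")
    if [ -z "$commit" ] || { [ -n "$filter" ] && [ "$commit" -gt "$filter" ]; }; then
        echo "FAIL: *nat block is not closed by a COMMIT before *filter"; rc=1
    fi
    dnat=$(grep -c '^-A PREROUTING.*-j DNAT' "$f" || true)
    [ "$dnat" -gt 0 ] || { echo "FAIL: no PREROUTING DNAT rule"; rc=1; }
    # Without -i the DNAT rule matches packets arriving on any interface,
    # including lxcbr0, so require an ingress interface on every DNAT rule.
    unbound=$(grep '^-A PREROUTING.*-j DNAT' "$f" | grep -vc -- ' -i ' || true)
    [ "$unbound" -eq 0 ] || { echo "FAIL: $unbound DNAT rule(s) without -i"; rc=1; }
    return $rc
}
# Constructed sample files (not taken from a real host): GOOD follows the
# layout above; BAD puts *nat after *filter and omits -i on the DNAT rule.
TMP=$(mktemp -d)
GOOD="$TMP/good.rules"; BAD="$TMP/bad.rules"
cat > "$GOOD" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to 10.0.3.11:2222
COMMIT
*filter
-A FORWARD -o lxcbr0 -j ACCEPT
COMMIT
EOF
cat > "$BAD" <<'EOF'
*filter
-A FORWARD -o lxcbr0 -j ACCEPT
COMMIT
*nat
-A PREROUTING -p tcp --dport 2222 -j DNAT --to 10.0.3.11:2222
COMMIT
EOF
audit_before_rules "$GOOD" && echo "good.rules: OK"
audit_before_rules "$BAD" || echo "bad.rules: rejected"
```

Run it against the real file with `audit_before_rules /etc/ufw/before.rules` after sourcing the script; a non-zero exit means one of the three layout checks failed.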
mb21
Updated on September 18, 2022
Comments
mb21 over 1 year
I am trying to forward port 2222 on my host 192.168.2.252 to an LXC guest on 10.0.3.11. How do I do it using the UFW framework?
In other words, I want to do this but with the ufw framework:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to 10.0.3.11:2222
Regards, MB