Forward port to LXC guest using UFW

Solution 1

Add to the top of the /etc/ufw/before.rules before the *filter (top of file):

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to 10.0.3.11:2222
COMMIT

then restart/reload the firewall

sudo ufw disable && sudo ufw enable

Since we're using chains other than ufw's own ufw-before-*, ufw-after-* and ufw-reject-* chains, we have to change MANAGE_BUILTINS=no to MANAGE_BUILTINS=yes in the file /etc/default/ufw. Check this post for more details.

Solution 2

Steve Zhan's answer is correct; one more thing to do if you're on Vagrant is to change DEFAULT_FORWARD_POLICY="DROP" to DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw.

Solution 3

There are a few more configuration steps that are needed to allow general traffic to flow; simply adding the pre-routing lines is insufficient.

Assuming your UFW rules are not already heavily modified, the following should be sufficient:

At the top of /etc/ufw/before.rules, before the *filter section:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i enp0s8 -p tcp --dport 2222 -j DNAT --to 10.0.3.11:2222
COMMIT

And near the bottom, before the final COMMIT:

-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT

-A INPUT -p udp --dport 53 -i enp0s8 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 53 -i enp0s8 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 67 -i enp0s8 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 67 -i enp0s8 -m state --state NEW -j ACCEPT

And also, in /etc/ufw/after.rules, again before the *filter section, you need:

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
COMMIT
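The three answers above describe one procedure: a DNAT in the nat table, the kernel and the FORWARD chain allowed to pass the forwarded flow, and a MASQUERADE for guest-originated traffic. The script below is an added example and is not code from any of the answers. It generates those fragments from parameters, emits FORWARD rules scoped to the single forwarded flow instead of the blanket DEFAULT_FORWARD_POLICY="ACCEPT" from Solution 2, and checks the three files the forwarding path depends on. The interface, port, guest address and bridge name (enp0s8, 2222, 10.0.3.11, lxcbr0) are assumptions taken from the question; the file paths are parameters so the check can be run against copies.

```shell
#!/bin/sh
# Added example, not code from any of the answers on this page. Values for
# interface / port / guest / bridge are assumptions taken from the question.

# *nat block for the top of /etc/ufw/before.rules (above "*filter").
# $1 WAN interface, $2 host port, $3 guest IP, $4 guest port
nat_prerouting_fragment() {
    printf '*nat\n:PREROUTING ACCEPT [0:0]\n'
    printf '%s -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        '-A PREROUTING' "$1" "$2" "$3" "$4"
    printf 'COMMIT\n'
}

# *nat block for the top of /etc/ufw/after.rules: masquerade traffic that
# guests originate and that leaves the guest subnet ($1, e.g. 10.0.3.0/24).
nat_postrouting_fragment() {
    printf '*nat\n:POSTROUTING ACCEPT [0:0]\n'
    printf '%s -s %s ! -d %s -j MASQUERADE\n' '-A POSTROUTING' "$1" "$1"
    printf 'COMMIT\n'
}

# Filter rules for before.rules (before its final COMMIT): accept only new
# connections to the forwarded port plus their replies, instead of every
# packet crossing the bridge. ufw-before-forward is the chain ufw itself
# defines in that file; the reply rule is harmless if the stock file
# already has a RELATED,ESTABLISHED accept.
# $1 WAN interface, $2 bridge, $3 guest IP, $4 guest port
forward_rules_fragment() {
    printf '%s -i %s -o %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        '-A ufw-before-forward' "$1" "$2" "$3" "$4"
    printf '%s -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        '-A ufw-before-forward' "$2" "$1"
}

# Check the files the DNAT depends on. Prints what is missing and returns 0
# only when the kernel will forward (net/ipv4/ip_forward=1 in ufw's own
# sysctl.conf) and the FORWARD chain will accept the flow (policy ACCEPT,
# or an explicit accept rule in before.rules).
# $1 /etc/default/ufw, $2 /etc/ufw/sysctl.conf, $3 /etc/ufw/before.rules
check_forward_prereqs() {
    ok=0
    if ! grep -Eq '^[[:space:]]*net/ipv4/ip_forward=1' "$2"; then
        echo "MISSING: net/ipv4/ip_forward=1 in $2 (DNATed packets are dropped without it)"
        ok=1
    fi
    if grep -Eq '^DEFAULT_FORWARD_POLICY="ACCEPT"' "$1"; then
        echo "NOTE: DEFAULT_FORWARD_POLICY=ACCEPT in $1 forwards every flow; scoped rules are tighter"
    elif ! grep -Eq '^-A (FORWARD|ufw-before-forward) .*-j ACCEPT' "$3"; then
        echo "MISSING: no FORWARD accept rule in $3 and the forward policy is not ACCEPT"
        ok=1
    fi
    return $ok
}

# Print the fragments for the values in the question. After pasting them,
# reload with "sudo ufw disable && sudo ufw enable", then verify with
# "sudo iptables -t nat -L PREROUTING -n -v" and a test connection such as
# "ssh -p 2222 user@192.168.2.252".
nat_prerouting_fragment enp0s8 2222 10.0.3.11 2222
forward_rules_fragment enp0s8 lxcbr0 10.0.3.11 2222
nat_postrouting_fragment 10.0.3.0/24
```

Run the checker against the real files with `check_forward_prereqs /etc/default/ufw /etc/ufw/sysctl.conf /etc/ufw/before.rules` before reloading. On newer ufw versions the scoped FORWARD rule can also be expressed without editing before.rules, with `sudo ufw route allow in on enp0s8 out on lxcbr0 to 10.0.3.11 port 2222 proto tcp`; either way, leaving DEFAULT_FORWARD_POLICY at "DROP" keeps the host from forwarding anything you did not explicitly allow.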
Author: mb21

Updated on September 18, 2022

Comments

  • mb21, over 1 year ago:

    I am trying to forward port 2222 on my host 192.168.2.252 to an LXC guest on 10.0.3.11. How do I do it using the UFW framework?

    In other words, I want to do this but with the ufw framework:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to 10.0.3.11:2222
    

    Regards, MB