ubuntu防火墙配置
启用/停止/清空规则

[shell]
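# Enable ufw [use with care: the author notes that repeated enable/disable cycles can leave stacked rules]
ufw enable
# Disable ufw [same caution as above]
ufw disable

# Clear ufw's rules the iptables way, for when ufw has accumulated a pile of wrong rules.
# -F / -X only remove rules and chains; the builtin chain policies are left untouched.
# ufw's default INPUT policy is DROP (DEFAULT_INPUT_POLICY in /etc/default/ufw), so flushing
# the rules while that policy stays in place cuts off every remote session, SSH included.
# Reset the policies first, and do this from a console rather than over the link you may cut.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Flush every rule and remove the user-defined (ufw-*) chains in the filter table
iptables -F
iptables -X
# Rules loaded into the nat and mangle tables (e.g. NAT rules added to before.rules) are
# separate from the filter table and need their own flush
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Verify that nothing is left; -n skips slow reverse DNS lookups, -v shows policies and counters
iptables -L -n -v
# The host is now completely unfiltered until rules are added again
# (ufw disable followed by ufw enable re-applies ufw's own rule set)

# Clear ufw's configuration with ufw's own command
# [normally avoid: this wipes all existing configuration, including user rules; use with care]
ufw reset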

[/shell]

配置规则

[shell]
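# Open port 22 for SSH to anyone (the "ssh" name is resolved through /etc/services)
ufw allow ssh
# Open port 443 for HTTPS to anyone.
# A bare port number matches both TCP and UDP; HTTPS is TCP, so limit the rule to /tcp
ufw allow 443/tcp
# Allow only the 10.8.0.0/24 range to reach port 80 (TCP)
ufw allow from 10.8.0.0/24 to any port 80 proto tcp
# Allow only the single host 10.8.0.3 to reach port 80 (TCP)
ufw allow from 10.8.0.3 to any port 80 proto tcp
# ufw evaluates rules in order; "ufw status numbered" lists them with their positions

# Delete rules: the delete command must repeat the rule exactly as it was added
ufw delete allow ssh
ufw delete allow 443/tcp
ufw delete allow from 10.8.0.0/24 to any port 80 proto tcp
ufw delete allow from 10.8.0.3 to any port 80 proto tcp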

[/shell]

enable IP forwarding with UFW

[shell]
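# sudo vim /etc/default/ufw
# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
# if you change this you will most likely want to adjust your rules.
# Use plain ASCII double quotes: this file is sourced by ufw's shell scripts, and the
# typographic quotes that copy/paste often produces are not valid shell quoting.
# ACCEPT forwards every packet between interfaces; the tighter option is to keep
# DROP here and permit only the needed flows with "ufw route allow ..." rules.
DEFAULT_FORWARD_POLICY="ACCEPT"

# sudo vim /etc/ufw/sysctl.conf
# Uncomment this to allow this host to route packets between interfaces
# (ufw's sysctl.conf writes the keys with "/" instead of ".")
net/ipv4/ip_forward=1
# Only needed when IPv6 traffic must be routed as well; leave commented otherwise
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1

# Restart ufw so that both files are re-read
# sudo service ufw restart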
[/shell]

建立nat转发

[shell]

# 打开/etc/ufw/before.rules
# START OPENVPN RULES
# NAT table rules
*nat
:PREROUTING – [0:0]
:POSTROUTING – [0:0]

# -s 表示源网络,即内网地址;–to-source 为本机ip(这个用来表示内网其他机器,通过这台机器访问外网)
-A POSTROUTING -s 172.19.148.0/24 -j SNAT –to-source 本机ip
# -s 表示源网络,即内网地址;-o 为连接因特网的接口
-A POSTROUTING -s 10.8.0.0/24 -o tun0 -j MASQUERADE

# 这是端口转发
-A PREROUTING -p tcp –dport 9000 -j DNAT –to-destination 被转发机器的ip:9000
-A POSTROUTING -p tcp -d 被转发机器的ip –dport 9000 -j SNAT –to-source 本机ip

COMMIT
# END OPENVPN RULES
[/shell]