ufw Port Forwarding Configuration
Besides port forwarding with iptables, this post describes how to port forward using the ufw package, Ubuntu's default firewall.
ufw is not limited to Ubuntu; it can be installed and used on other operating systems as well.
Environment
Local PC → EC2(Port Forward) → RDS
EC2 IP : 33.220.152.112
RDS IP : kokkkoa-mysql8.cfp0wjun5cff.ap-northeast-2.rds.amazonaws.com (10.0.3.56)
Install
sudo apt update
sudo apt install ufw
Check UFW Status
sudo ufw status verbose
# Output (if disabled)
Status: inactive
# When active, the service state can also be seen from systemd:
systemctl status ufw
# Output
● ufw.service - Uncomplicated firewall
Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
Active: active (exited) since Tue 2022-08-16 04:07:48 UTC; 40min ago
Docs: man:ufw(8)
Main PID: 2432 (code=exited, status=0/SUCCESS)
CPU: 5ms
Aug 16 04:07:48 ip-10-0-0-172 systemd[1]: Starting Uncomplicated firewall...
Aug 16 04:07:48 ip-10-0-0-172 ufw-init[2436]: Firewall already started, use 'force-reload'
Aug 16 04:07:48 ip-10-0-0-172 systemd[1]: Finished Uncomplicated firewall.
Activate UFW
# keep the ssh session alive (allow ssh before enabling)
sudo systemctl start ufw
sudo systemctl enable ufw
sudo ufw allow ssh
sudo ufw enable
Activate Forward Policy
sudo vim /etc/default/ufw
# Change DROP to ACCEPT
# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="ACCEPT"
sudo vim /etc/ufw/sysctl.conf
# Uncomment these lines
# Uncomment this to allow this host to route packets between interfaces
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1
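The two edits above (the forward policy in /etc/default/ufw and the sysctl lines in /etc/ufw/sysctl.conf) can be applied and verified without an editor. The script below is an added example, not code from the original post or from ufw; file paths are parameters so it runs against constructed copies of the two files, and on a real host you would pass the real paths and run it with sudo.

```shell
#!/bin/sh
# Added example (not from the original post): perform the two edits of this
# section without an editor, then verify them. File paths are parameters so the
# functions can be exercised on constructed copies; on a real host pass
# /etc/default/ufw and /etc/ufw/sysctl.conf and run with sudo.

# Rewrite the DEFAULT_FORWARD_POLICY line to the given policy (ACCEPT/DROP/REJECT).
set_forward_policy() {
    file=$1; policy=$2
    tmp=$(mktemp)
    sed -E "s/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY=\"$policy\"/" "$file" >"$tmp" \
        && mv "$tmp" "$file"
}

# Uncomment the three forwarding sysctls; lines already uncommented are left alone.
enable_forwarding_sysctls() {
    file=$1
    tmp=$(mktemp)
    sed -E -e 's|^#[[:space:]]*(net/ipv4/ip_forward=1)|\1|' \
           -e 's|^#[[:space:]]*(net/ipv6/conf/default/forwarding=1)|\1|' \
           -e 's|^#[[:space:]]*(net/ipv6/conf/all/forwarding=1)|\1|' "$file" >"$tmp" \
        && mv "$tmp" "$file"
}

# Return 0 only when the policy is ACCEPT and IPv4 forwarding is switched on.
verify_forward_config() {
    grep -qx 'DEFAULT_FORWARD_POLICY="ACCEPT"' "$1" || return 1
    grep -qx 'net/ipv4/ip_forward=1' "$2" || return 1
}

# Constructed copies of the stock files, reduced to the relevant lines, so the
# helpers can be tried without touching /etc.
make_sample_files() {
    dir=$1
    printf '%s\n' '# /etc/default/ufw' 'DEFAULT_INPUT_POLICY="DROP"' \
        'DEFAULT_FORWARD_POLICY="DROP"' >"$dir/ufw"
    printf '%s\n' '# Uncomment this to allow this host to route packets between interfaces' \
        '#net/ipv4/ip_forward=1' '#net/ipv6/conf/default/forwarding=1' \
        '#net/ipv6/conf/all/forwarding=1' >"$dir/sysctl.conf"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_files "$d"
    set_forward_policy "$d/ufw" ACCEPT
    enable_forwarding_sysctls "$d/sysctl.conf"
    verify_forward_config "$d/ufw" "$d/sysctl.conf" && echo "forwarding config OK"
fi
```

Note that DEFAULT_FORWARD_POLICY="ACCEPT" lets every forwarded packet through, not just the DNAT'd MySQL traffic. A tighter alternative that the post does not use is to leave the policy at DROP and open only the forwarded flow with a ufw route rule, for example `sudo ufw route allow in on eth0 to 10.0.3.56 port 3306 proto tcp`.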
Add PREROUTING & POSTROUTING Rules
sudo vim /etc/ufw/before.rules
This file already exists; the newly written part is lines 10 to 16.
1 #
2 # rules.before
3 #
4 # Rules that should be run before the ufw command line added rules. Custom
5 # rules should be added to one of these chains:
6 # ufw-before-input
7 # ufw-before-output
8 # ufw-before-forward
9
10 # NAT
11 *nat
12 :PREROUTING ACCEPT [0:0]
13
14 -A PREROUTING -i eth1 -p tcp --dport 33306 -j DNAT --to-destination 10.0.3.56:3306
15 -A PREROUTING -i eth0 -p tcp --dport 33306 -j DNAT --to-destination 10.0.3.56:3306
16 -A POSTROUTING -j MASQUERADE
17
18 COMMIT
19
20 # Don't delete these required lines, otherwise there will be errors
21 *filter
22 :ufw-before-input - [0:0]
23 :ufw-before-output - [0:0]
24 :ufw-before-forward - [0:0]
25 :ufw-not-local - [0:0]
26 # End required lines
27
28
29 # allow all on loopback
30 -A ufw-before-input -i lo -j ACCEPT
31 -A ufw-before-output -o lo -j ACCEPT
32
33 # quickly process packets for which we already have a connection
34 -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
35 -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
36 -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
37
38 # drop INVALID packets (logs these in loglevel medium and higher)
39 -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
40 -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
41
42 # ok icmp codes for INPUT
43 -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
44 -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
45 -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
46 -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
47
48 # ok icmp code for FORWARD
49 -A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
50 -A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
51 -A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
52 -A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
53
54 # allow dhcp client to work
55 -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
56
57 #
58 # ufw-not-local
59 #
60 -A ufw-before-input -j ufw-not-local
61
62 # if LOCAL, RETURN
63 -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
64
65 # if MULTICAST, RETURN
66 -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
67
68 # if BROADCAST, RETURN
69 -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
70
71 # all other non-local packets are dropped
72 -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
73 -A ufw-not-local -j DROP
74
75 # allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
76 # is uncommented)
77 -A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
78
79 # allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
80 # is uncommented)
81 -A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
82
83
84 # don't delete the 'COMMIT' line or these rules won't be processed
85 COMMIT
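The nat block on lines 10 to 18 accepts connections to port 33306 from any source on both interfaces, and the POSTROUTING rule masquerades every forwarded packet, not only the ones bound for the RDS instance. The script below is an added example, not part of the original post or of ufw: gen_nat_block prints a *nat block restricted to an allowed client range and to the target host, and lint_nat_block flags rules that lack those restrictions (run against the post's own rules it reports both). The client range 203.0.113.0/24 is a documentation prefix used as a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post or of ufw. gen_nat_block prints
# a *nat block for /etc/ufw/before.rules that only DNATs the forwarded port for
# an allowed source range and only masquerades traffic bound for the target;
# lint_nat_block flags rules that lack those restrictions. 203.0.113.0/24 is a
# documentation prefix, i.e. a placeholder for the real client range.

rule() { printf '%s\n' "$*"; }

# gen_nat_block LISTEN_PORT TARGET_IP TARGET_PORT ALLOWED_SRC IFACE...
gen_nat_block() {
    lport=$1; tip=$2; tport=$3; src=$4; shift 4
    rule '*nat'
    rule ':PREROUTING ACCEPT [0:0]'
    rule ':POSTROUTING ACCEPT [0:0]'
    for ifc in "$@"; do
        # DNAT only for the allowed client range arriving on this interface
        rule -A PREROUTING -i "$ifc" -s "$src" -p tcp --dport "$lport" \
             -j DNAT --to-destination "$tip:$tport"
    done
    # rewrite the source only for packets that are actually headed to the target
    rule -A POSTROUTING -d "$tip" -p tcp --dport "$tport" -j MASQUERADE
    rule COMMIT
}

# lint_nat_block < block : print one finding per weak rule, return 1 if any
lint_nat_block() {
    status=0
    while IFS= read -r line; do
        case $line in
            *'-j DNAT'*)
                case $line in
                    *' -s '*) ;;
                    *) echo "DNAT accepts any source (add -s): $line"; status=1 ;;
                esac ;;
            *'-j MASQUERADE'*)
                case $line in
                    *' -o '*|*' -d '*) ;;
                    *) echo "MASQUERADE covers all forwarded traffic (add -o or -d): $line"; status=1 ;;
                esac ;;
        esac
    done
    return $status
}

if [ "${1:-}" = "--demo" ]; then
    gen_nat_block 33306 10.0.3.56 3306 203.0.113.0/24 eth0 eth1
    echo "--- lint of the post's own rules:"
    printf '%s\n' '-A PREROUTING -i eth0 -p tcp --dport 33306 -j DNAT --to-destination 10.0.3.56:3306' \
                  '-A POSTROUTING -j MASQUERADE' | lint_nat_block
fi
```

The generated block replaces lines 10 to 18 of before.rules one for one; the ':POSTROUTING ACCEPT [0:0]' line is added so that both built-in chains are declared in the file.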
Apply Rules
sudo ufw disable && sudo ufw enable
Check the Result
sudo iptables -t nat -L -v
# Output
Chain PREROUTING (policy ACCEPT 2 packets, 120 bytes)
pkts bytes target prot opt in out source destination
19 1152 DNAT tcp -- eth1 any anywhere anywhere tcp dpt:33306 to:10.0.3.56:3306
0 0 DNAT tcp -- eth0 any anywhere anywhere tcp dpt:33306 to:10.0.3.56:3306
0 0 DNAT tcp -- eth1 any anywhere anywhere tcp dpt:33306 to:10.0.3.56:3306
0 0 DNAT tcp -- eth0 any anywhere anywhere tcp dpt:33306 to:10.0.3.56:3306
0 0 DNAT tcp -- eth1 any anywhere 33.220.152.112 tcp dpt:33306 to:10.0.3.56:3306
0 0 DNAT tcp -- eth0 any anywhere anywhere tcp dpt:33306 to:10.0.3.56:3306
0 0 DNAT tcp -- eth1 any anywhere anywhere tcp dpt:33306 to:10.0.3.56:3306
0 0 DNAT tcp -- eth0 any anywhere anywhere tcp dpt:33306 to:10.0.3.56:3306
0 0 DNAT tcp -- eth1 any anywhere anywhere tcp dpt:33306 to:10.0.3.56:3306
0 0 DNAT tcp -- eth0 any anywhere anywhere tcp dpt:33306 to:10.0.3.56:3306
0 0 DNAT tcp -- eth1 any anywhere anywhere tcp dpt:33306 to:10.0.3.56:3306
0 0 DNAT tcp -- eth0 any anywhere anywhere tcp dpt:33306 to:10.0.3.56:3306
0 0 DNAT tcp -- eth1 any anywhere anywhere tcp dpt:33306 to:10.0.3.56:3306
0 0 DNAT tcp -- eth0 any anywhere anywhere tcp dpt:33306 to:10.0.3.56:3306
0 0 DNAT tcp -- eth1 any anywhere anywhere tcp dpt:33306 to:10.0.3.56:3306
0 0 DNAT tcp -- eth0 any anywhere anywhere tcp dpt:33306 to:10.0.3.56:3306
0 0 DNAT tcp -- eth1 any anywhere anywhere tcp dpt:33306 to:10.0.3.56:3306
0 0 DNAT tcp -- eth0 any anywhere anywhere tcp dpt:33306 to:10.0.3.56:3306
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 280 packets, 20564 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any eth1 10.0.3.56 anywhere
0 0 MASQUERADE all -- any eth0 10.0.3.56 anywhere
0 0 MASQUERADE all -- any eth1 10.0.3.56 anywhere
0 0 MASQUERADE all -- any eth0 10.0.3.56 anywhere
239 18798 MASQUERADE all -- any any anywhere anywhere
0 0 MASQUERADE all -- any eth1 anywhere anywhere
0 0 MASQUERADE all -- any any anywhere anywhere
0 0 MASQUERADE all -- any any anywhere anywhere
If the rules are not applied after a reboot
- After a reboot, ufw may fail to recognize the EC2 network interface.
Force the NAT rule regardless of the interface type:
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
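The -L listing in the previous section shows the same DNAT rule many times, so the nat rules were appended more than once across reloads, and a bare `iptables -A` run at every boot adds one more MASQUERADE copy each time. The script below is an added example, not from the original post: ensure_nat_rule appends a rule only when `iptables -C` reports it absent, and find_duplicate_rules reports rules that occur more than once in `iptables -t nat -S` output (the -S form is easier to compare than -L). The dump it is run against is constructed to mirror the duplicated state above, and IPTABLES is a variable so the logic can be exercised with a stand-in instead of the real binary.

```shell
#!/bin/sh
# Added example, not from the original post. Two helpers for what the -L output
# above and the reboot workaround show: nat rules appended on every reload or
# boot accumulate. ensure_nat_rule appends a rule only if "iptables -C" says it
# is absent; find_duplicate_rules reports rules listed more than once in
# "iptables -t nat -S" output. IPTABLES is a variable so the logic can be
# exercised with a stand-in instead of the real binary.
: "${IPTABLES:=iptables}"

# ensure_nat_rule CHAIN RULE...   (e.g. ensure_nat_rule POSTROUTING -j MASQUERADE)
ensure_nat_rule() {
    chain=$1; shift
    if "$IPTABLES" -t nat -C "$chain" "$@" 2>/dev/null; then
        echo "present: $chain $*"
        return 0
    fi
    "$IPTABLES" -t nat -A "$chain" "$@" && echo "added: $chain $*"
}

# find_duplicate_rules < dump : print each rule that appears more than once,
# return 1 if any were found, 0 if the table is clean
find_duplicate_rules() {
    dups=$(grep '^-A ' | sort | uniq -d)
    [ -z "$dups" ] && return 0
    printf '%s\n' "$dups"
    return 1
}

# Constructed "iptables -t nat -S" dump mirroring the duplicated state of the
# -L listing above (same DNAT rule loaded repeatedly, MASQUERADE twice).
sample_nat_dump() {
    printf '%s\n' \
        '-P PREROUTING ACCEPT' \
        '-P POSTROUTING ACCEPT' \
        '-A PREROUTING -i eth1 -p tcp -m tcp --dport 33306 -j DNAT --to-destination 10.0.3.56:3306' \
        '-A PREROUTING -i eth0 -p tcp -m tcp --dport 33306 -j DNAT --to-destination 10.0.3.56:3306' \
        '-A PREROUTING -i eth1 -p tcp -m tcp --dport 33306 -j DNAT --to-destination 10.0.3.56:3306' \
        '-A POSTROUTING -j MASQUERADE' \
        '-A POSTROUTING -j MASQUERADE'
}

if [ "${1:-}" = "--demo" ]; then
    # run against the constructed dump; on a real host use:
    #   sudo iptables -t nat -S | find_duplicate_rules
    sample_nat_dump | find_duplicate_rules || echo "duplicates found; remove extras with iptables -t nat -D"
    ensure_nat_rule POSTROUTING -j MASQUERADE
fi
```

Used at boot, `ensure_nat_rule POSTROUTING -j MASQUERADE` does what the command above does but stays idempotent; restricting the rule with -o or -d, as in the tightened before.rules block, keeps it from rewriting traffic unrelated to the RDS forward.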