Assign a static IP to interface ens192:
user@machine:~$ vim /etc/network/interfaces ... allow-hotplug ens192 iface ens192 inet static address 192.168.192.192/24 gateway 192.168.192.1 dns-nameservers 126.96.36.199 dns-search mydomain.com ...
IP Masquerading can be achieved using custom ufw rules. This is possible because the current back-end for ufw is
iptables-restore with the rules files located in
/etc/ufw/*.rules. These files are a great place to add legacy iptables rules used without ufw, and rules that are more network gateway or bridge related.
The rules are split into two different files, rules that should be executed before ufw command line rules, and rules that are executed after ufw command line rules.
First, packet forwarding needs to be enabled in ufw. Two configuration files will need to be adjusted, in
/etc/default/ufw change the DEFAULT_FORWARD_POLICY to “ACCEPT”:
/etc/ufw/sysctl.conf and uncomment:
Now add rules to the /etc/ufw/before.rules file. The default rules only configure the filter table, and to enable masquerading the nat table will need to be configured. Add the following to the top of the file just after the header comments:
Step1: allow forwarding
vim /etc/sysctrl.d/local.conf net.ipv4.ip_forward=1
Step2: on the network address translation table, after we have figured out the routing of a packet on output eth0 (the external), replace the return address information with our own so the return packets come to us. Also, remember that we did this (like a lookup table that remembers this connection).
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Allow packets that want to come from eth1 (the internal interface) to go out eth0 (the external interface).
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Use that lookup table we had from before to see if the packet arriving on the external interface actually belongs to a connection that was already initiated from the internal.
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT