Enabling NAT via TCPMSS using UFW
NAT can be enabled with UFW using the following configuration:
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.141.0/24 -o ens192 -j MASQUERADE
COMMIT
To enable TCPMSS as well, the following command has to be run manually:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
How do I set this up in the UFW configuration?
Answer 1
The following configuration works as expected.
In /etc/ufw/after.rules, add the following line before the final COMMIT line:
-A ufw-after-forward -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Example:
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-after-forward - [0:0]
# End required lines
# don't log noisy services by default
-A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input
# don't log noisy broadcast
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
# TCPMSS rule
-A ufw-after-forward -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
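The edit above is easy to get wrong by hand (the rule must land inside the *filter table, above its COMMIT, and must not be duplicated on repeated runs). The script below is an added example, not part of the original answer: it inserts the TCPMSS rule into an after.rules file exactly once, directly before the last COMMIT line, and verifies the placement. It assumes POSIX sh with grep and awk; the demo section works on a constructed skeleton file, not on the real /etc/ufw/after.rules.

```shell
# Added example (not the original answer's code): idempotently insert the
# TCPMSS clamping rule into a ufw after.rules file and verify where it landed.
TCPMSS_RULE='-A ufw-after-forward -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'

# add_tcpmss_rule FILE: idempotent; returns non-zero if FILE lacks the
# ufw-after-forward chain declaration or a COMMIT line, leaving it untouched.
add_tcpmss_rule() {
    file="$1"
    # Rule already present as a whole line: nothing to do ("--" stops grep
    # from reading the rule's leading "-A" as an option).
    grep -qxF -- "$TCPMSS_RULE" "$file" && return 0
    grep -q -- '^:ufw-after-forward ' "$file" || return 1
    grep -q -- '^COMMIT$' "$file" || return 1
    tmp="$file.tmp.$$"
    # Buffer the file, then replay it with the rule placed before the last COMMIT.
    awk -v rule="$TCPMSS_RULE" '
        { line[NR] = $0; if ($0 == "COMMIT") last = NR }
        END {
            for (i = 1; i <= NR; i++) {
                if (i == last) { print "# TCPMSS rule"; print rule }
                print line[i]
            }
        }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# check_tcpmss_rule FILE: returns 0 only if the rule occurs exactly once and
# sits above the last COMMIT, which is what closes the *filter table.
check_tcpmss_rule() {
    file="$1"
    count=$(grep -cxF -- "$TCPMSS_RULE" "$file" || true)
    [ "$count" -eq 1 ] || return 1
    rule_line=$(grep -nxF -- "$TCPMSS_RULE" "$file" | cut -d: -f1)
    commit_line=$(grep -n -- '^COMMIT$' "$file" | tail -n 1 | cut -d: -f1)
    [ "$rule_line" -lt "$commit_line" ]
}

# Stand-alone demo on a constructed after.rules skeleton (not a real system file).
if [ "$#" -eq 0 ]; then
    demo=$(mktemp)
    printf '%s\n' '*filter' ':ufw-after-input - [0:0]' ':ufw-after-output - [0:0]' \
        ':ufw-after-forward - [0:0]' \
        '-A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input' \
        'COMMIT' > "$demo"
    add_tcpmss_rule "$demo" && check_tcpmss_rule "$demo" && echo "rule placed correctly"
    rm -f "$demo"
fi
```

After applying it to the real file, `ufw reload` and `iptables -S ufw-after-forward` confirm the rule is actually loaded in the running ruleset.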