How to configure UFW to allow IP Forwarding?

I figured it out.

Edit /etc/default/ufw and set DEFAULT_FORWARD_POLICY to ACCEPT:

DEFAULT_FORWARD_POLICY="ACCEPT"

It's now possible; from the ufw man page:

Rules for traffic not destined for the host itself but instead for traffic that should be routed/forwarded through the firewall should specify the route keyword before the rule (routing rules differ significantly from PF syntax and instead take into account netfilter FORWARD chain conventions). For example:

     ufw route allow in on eth1 out on eth2

This will allow all traffic routed to eth2 and coming in on eth1 to traverse the firewall.

     ufw route allow in on eth0 out on eth1 to 12.34.45.67 port 80 proto tcp

This rule allows any packets coming in on eth0 to traverse the firewall out on eth1 to tcp port 80 on 12.34.45.67.

In addition to routing rules and policy, you must also setup IP forwarding. This may be done by setting the following in /etc/ufw/sysctl.conf:

     net/ipv4/ip_forward=1
     net/ipv6/conf/default/forwarding=1
     net/ipv6/conf/all/forwarding=1

then restarting the firewall:

     ufw disable
     ufw enable

Be aware that setting kernel tunables is operating system specific and ufw sysctl settings may be overridden. See the sysctl manual page for details.


If you set the DEFAULT_FORWARD_POLICY to ACCEPT in /etc/default/ufw, the firewall will forward all packets regardless of the settings of the user interface.

I think the user interface is only meant for simple in/out filtering. For forwarding you need to add iptables rules in /etc/ufw/before.rules like here:

-A ufw-before-forward -i eth1 -p tcp -d 192.168.1.11 --dport 22 -j ACCEPT

You probably already have a rule that lets connections from inside out and another that lets packets from related and established tcp sessions back in.

I'm no iptables specialist; it took me a very long time to figure this out (with ip6tables, but it should be similar). Maybe this is not all it takes in your case.

Best greetings
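The pieces named in both answers above (DEFAULT_FORWARD_POLICY in /etc/default/ufw, the ufw sysctl keys, and explicit FORWARD accept rules in user.rules or before.rules) can be audited together. This is an added example, not code from either answer; it assumes that `ufw route allow` compiles to `-A ufw-user-forward ... -j ACCEPT` lines in /etc/ufw/user.rules, and it runs on constructed sample files rather than the live host.

```shell
#!/bin/sh
# Added example, not part of either answer. Audits the three pieces of a ufw
# forwarding setup: DEFAULT_FORWARD_POLICY, the ufw sysctl keys, and explicit
# FORWARD accept rules. Each function takes a file path, so the same functions
# can be pointed at /etc/default/ufw, /etc/ufw/sysctl.conf and /etc/ufw/user.rules.

# Print DEFAULT_FORWARD_POLICY from a /etc/default/ufw-style file (ufw's default is DROP).
forward_policy() {
    v=$(sed -n 's/^DEFAULT_FORWARD_POLICY="\([A-Za-z]*\)".*/\1/p' "$1")
    printf '%s\n' "${v:-DROP}"
}

# Succeed when a /etc/ufw/sysctl.conf-style file turns IPv4 forwarding on.
ipv4_forward_on() {
    grep -q '^net/ipv4/ip_forward=1' "$1"
}

# Succeed when the rules file holds at least one explicit FORWARD accept rule.
# Assumption: "ufw route allow" compiles to -A ufw-user-forward ... -j ACCEPT in
# user.rules; hand-written rules use ufw-before-forward in before.rules.
has_route_allow() {
    grep -Eq '^-A ufw-(user|before)-forward .*-j ACCEPT' "$1"
}

# Classify the posture: off (kernel not forwarding), open (ACCEPT policy forwards
# everything, so route rules are irrelevant), scoped (DROP policy plus explicit
# allows), blocked (forwarding on but no rule lets anything through).
forward_posture() {
    if ! ipv4_forward_on "$2"; then echo off; return; fi
    if [ "$(forward_policy "$1")" = ACCEPT ]; then echo open; return; fi
    if has_route_allow "$3"; then echo scoped; else echo blocked; fi
}

# Constructed sample files so the script runs offline
tmp=$(mktemp -d)
printf 'DEFAULT_INPUT_POLICY="DROP"\nDEFAULT_FORWARD_POLICY="ACCEPT"\n' > "$tmp/default-open"
printf 'DEFAULT_FORWARD_POLICY="DROP"\n' > "$tmp/default-drop"
printf '# ufw sysctl\nnet/ipv4/ip_forward=1\nnet/ipv6/conf/all/forwarding=1\n' > "$tmp/sysctl-on"
printf '#net/ipv4/ip_forward=1\n' > "$tmp/sysctl-off"
printf '%s\n' '-A ufw-user-forward -i eth0 -o eth1 -p tcp -d 12.34.45.67 --dport 80 -j ACCEPT' > "$tmp/rules-route"
: > "$tmp/rules-empty"

forward_posture "$tmp/default-open" "$tmp/sysctl-on" "$tmp/rules-empty"   # open
forward_posture "$tmp/default-drop" "$tmp/sysctl-on" "$tmp/rules-route"   # scoped
```

On a real host, "open" is the state the second answer warns about: every packet the kernel can route is forwarded, and the route rules never get a say.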