New Member
Posts: 1
Registered: 08-08-2018

persistent iptables rules on USG pro 4

Hi!

I need to redirect an external site (ip: xxx.xxx.xxx.xxx) to an internal ip (ip: yyy.yyy.yyy.yyy).

I'm using these iptables rules on the USG and they work fine, but when I restart the USG these rules are lost.

"

sudo iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 80  -j DNAT --to-destination yyy.yyy.yyy.yyy

sudo iptables -t nat -A POSTROUTING -j MASQUERADE

"

I have tried this on the controller (cloud Key) :

/srv/unifi/data/sites/default/config.properties

config.system_cfg.MAC_ADRESS_USG.1=iptables.status=enabled
config.system_cfg.MAC_ADRESS_USG.2=iptables.1.cmd=-t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to-destination yyy.yyy.yyy.yyy
config.system_cfg.MAC_ADRESS_USG.3=iptables.2.cmd=-t nat -A POSTROUTING -j MASQUERADE

But it does not work

Help, please

J.F.

Ubiquiti Employee
Posts: 1,211
Registered: 02-28-2017
Kudos: 357
Solutions: 119

Re: persistent iptables rules on USG pro 4

Configuring iptables manually on the USG won't stick post reprovision or reboot; you'll have to use configuration mode in EdgeOS and pair that with a config.gateway.json file.

If you SSH to the USG and type:

configure
set service nat rule 4000 type destination
set service nat rule 4000 protocol tcp
set service nat rule 4000 destination port 80
set service nat rule 4000 destination address x.x.x.x
set service nat rule 4000 inside-address address y.y.y.y
set service nat rule 4000 inbound-interface <interface>

and for the masquerade rule

set service nat rule 5500 type masquerade
set service nat rule 5500 outbound-interface <interface>
set service nat rule 5500 source address x.x.x.x/x
commit;save;exit

I wouldn't worry about reading the config.gateway.json article until you have a working solution in EdgeOS. You can check to see if your rule is getting hit with:

show nat statistics
Brandon Jaffe | UniFi Routing & Switching | Austin, TX
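For reference, here is what the two EdgeOS rules from the reply above look like once they are carried over into a config.gateway.json file so the controller re-applies them on every provision. This is an added example, not a file from the original thread or from Ubiquiti; it assumes the controller site directory used in the question (/srv/unifi/data/sites/default/), that eth0 is the LAN interface the redirected clients sit on, and that 192.168.1.0/24 is that LAN's subnet. The xxx/yyy addresses are the placeholders from the question.

```json
{
  "service": {
    "nat": {
      "rule": {
        "4000": {
          "description": "Added example: DNAT clients reaching xxx.xxx.xxx.xxx:80 to the internal host (inbound interface eth0 is an assumption)",
          "type": "destination",
          "protocol": "tcp",
          "inbound-interface": "eth0",
          "destination": {
            "address": "xxx.xxx.xxx.xxx",
            "port": "80"
          },
          "inside-address": {
            "address": "yyy.yyy.yyy.yyy"
          }
        },
        "5500": {
          "description": "Added example: masquerade only the LAN subnet (192.168.1.0/24 is an assumption) so replies from the internal host return via the USG",
          "type": "masquerade",
          "outbound-interface": "eth0",
          "source": {
            "address": "192.168.1.0/24"
          }
        }
      }
    }
  }
}
```

Place the file at /srv/unifi/data/sites/default/config.gateway.json on the Cloud Key, check that it is valid JSON before provisioning (for example with `python -m json.tool config.gateway.json`, since a syntax error will put the USG into a provisioning loop), then force a provision from the controller. Afterwards `show configuration commands | match 'nat rule'` on the USG should list both rules and `show nat statistics` should show the counters increasing as clients hit the redirect. Note that the masquerade rule is scoped to a source subnet and an interface, unlike the blanket `-A POSTROUTING -j MASQUERADE` in the original question; the narrower rule avoids rewriting traffic you did not intend to, and because masquerading replaces the client's address, the internal host's logs will show the USG's address rather than the real client, so keep client-side visibility on the USG itself.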