UFW is blocking all even when I set rules to allow
up vote
12
down vote

favorite
3
I am using an Ubuntu server. Now I am trying to enable the firewall using these commands:



ufw default deny incoming
ufw default allow outgoing

ufw allow ssh
ufw allow www
ufw allow https

ufw enable


I've also tried making the ufw default deny incoming the last one, but still no luck. When I enable the firewall it blocks everything when I set the default to deny, but when I set it to allow, it works well, as if the rules are ignored.
What could be causing this?



EDIT



This is my output of iptables -L -v -n.
I also tried the proposed solution, but still no luck; it works fine only when I make it default allow incoming.



Chain INPUT (policy DROP 30 packets, 1764 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 2 packets, 104 bytes)
pkts bytes target prot opt in out source destination

Chain ufw-after-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-after-input (0 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-after-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-input (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
0 0 ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-logging-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-logging-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-logging-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-reject-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-reject-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-reject-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-track-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-track-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-track-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW

Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443

Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
  • 1
    Can you do me a favor? Do ufw enable, then paste the output of sudo iptables -L -v -n to your question. I'm curious what the underlying netfilter/iptables stuff is actually doing with the ufw rules. :)
    – Thomas Ward
    Oct 26 '14 at 1:49
  • The first two commands are unnecessary. All you need to do is enable UFW and the default deny in allow out will apply.
    – mchid
    Oct 26 '14 at 2:15
  • Oooh, mchid is right, those're the defaults, you don't need those. Having said that, I still want to see the iptables data if, with those first two lines excluded, you are still having this issue.
    – Thomas Ward
    Oct 26 '14 at 2:16
  • I added the output of my iptables file
    – engma
    Oct 26 '14 at 9:22
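As an added diagnostic (not from the question or the commenters), the following Python script parses output in the shape of the `iptables -L -v -n` dump above and reports why `ufw allow` rules have no effect. In the posted dump every ufw-* chain shows 0 references and the INPUT chain contains no rules at all, so its DROP policy is applied before any user rule is consulted; the script detects exactly that. The chain names are the ones listed in the dump; both sample inputs are constructed excerpts, and the `diagnose`/`parse_iptables` function names are my own.

```python
import re

# Constructed excerpt of the `iptables -L -v -n` dump posted in the question
# (only the chains the diagnosis needs; the full dump has the same shape).
SAMPLE_DUMP = """\
Chain INPUT (policy DROP 30 packets, 1764 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2 packets, 104 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-input (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
"""

# Constructed dump of a working INPUT chain, where ufw has installed its jumps.
HEALTHY_INPUT = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Chains ufw hooks into each built-in chain. The question's dump lists all of
# them, each with "(0 references)", which is the symptom being diagnosed.
UFW_HOOKS = {
    "INPUT": ["ufw-before-logging-input", "ufw-before-input", "ufw-after-input",
              "ufw-after-logging-input", "ufw-reject-input", "ufw-track-input"],
    "FORWARD": ["ufw-before-logging-forward", "ufw-before-forward", "ufw-after-forward",
                "ufw-after-logging-forward", "ufw-reject-forward", "ufw-track-forward"],
    "OUTPUT": ["ufw-before-logging-output", "ufw-before-output", "ufw-after-output",
               "ufw-after-logging-output", "ufw-reject-output", "ufw-track-output"],
}

# "Chain INPUT (policy DROP ...)" for built-ins, "Chain x (N references)" for user chains.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|(\d+) references)")


def parse_iptables(text):
    """Parse `iptables -L -v -n` output into {chain: {policy, references, targets}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            name, policy, refs = m.groups()
            current = {"policy": policy, "references": int(refs) if refs else None,
                       "targets": []}
            chains[name] = current
            continue
        fields = line.split()
        # Skip blank lines and the "pkts bytes target ..." column header.
        if current is None or len(fields) < 3 or fields[0] == "pkts":
            continue
        current["targets"].append(fields[2])  # third column of -v output is the target
    return chains


def diagnose(text):
    """Return (chain, problem) tuples explaining why `ufw allow` rules have no effect."""
    chains = parse_iptables(text)
    findings = []
    for builtin, hooks in UFW_HOOKS.items():
        chain = chains.get(builtin)
        if chain is None:
            continue
        if not any(target in hooks for target in chain["targets"]):
            findings.append((builtin, "no jump into any ufw-* chain, so policy "
                             f"{chain['policy']} is applied to all traffic"))
    # User rules that were loaded but can never be reached from a built-in chain.
    for user_chain, before_chain in (("ufw-user-input", "ufw-before-input"),
                                     ("ufw-user-forward", "ufw-before-forward"),
                                     ("ufw-user-output", "ufw-before-output")):
        user, before = chains.get(user_chain), chains.get(before_chain)
        if user and user["targets"] and before and before["references"] == 0:
            findings.append((user_chain, f"{len(user['targets'])} rule(s) loaded, but "
                             f"{before_chain} has 0 references, so they are unreachable"))
    return findings


if __name__ == "__main__":
    for chain, problem in diagnose(SAMPLE_DUMP):
        print(f"{chain}: {problem}")
```

Feed it the real dump with `sudo iptables -L -v -n | python3 thisscript.py` after swapping `SAMPLE_DUMP` for `sys.stdin.read()`; an empty findings list means the built-in chains do jump into the ufw chains.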
firewall ufw

edited Sep 19 '17 at 14:01 by muru
asked Oct 26 '14 at 1:39 by engma








  • 1




    Can you do me a favor? Do ufw enable, then paste the output of sudo iptables -L -v -n to your question. I'm curious what the underlying netfilter/iptables stuff is actually doing with the ufw rules. :)
    – Thomas Ward
    Oct 26 '14 at 1:49










  • The first two commands are unnecessary. All you need to do is enable UFW and the default deny in allow out will apply.
    – mchid
    Oct 26 '14 at 2:15










  • Oooh, mchid is right, those're the defaults, you don't need those. Having said that, I still want to see the iptables data if, with those first two lines excluded, you are still having this issue.
    – Thomas Ward
    Oct 26 '14 at 2:16










  • I added the output of my iptables file
    – engma
    Oct 26 '14 at 9:22














3 Answers

Answer (12 votes, accepted)
Open a terminal and type the following commands.

Start off by doing a reset, which will remove all the existing rules:

sudo ufw reset

Next,

sudo ufw app list

This will list the available application profiles, such as OpenSSH and others. To get info on an app, type the following command, like in this example:

sudo ufw app info OpenSSH

Here's the output:

Profile: OpenSSH
Title: Secure shell server, an rshd replacement
Description: OpenSSH is a free implementation of the Secure Shell protocol.

Port:
22/tcp

To allow OpenSSH access, you can use the following rule:

sudo ufw allow 22/tcp

Unlike Debian, www and https are not usually included as app profiles; however, we know these operate on ports 80 and 443, so use the following commands:

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

If you want to add UDP, just do this as well:

sudo ufw allow 80/udp
sudo ufw allow 443/udp

Disable and enable ufw to apply the changes:

sudo ufw disable
sudo ufw enable

To show your rules:

sudo ufw status

Finally, one of the less friendly aspects of ufw is how the deny rules usually trump allow rules. For example, you cannot set everything to deny and then set ports to allow. All ports will still be blocked. See here for more info.

You can add these rules to globally block all ports except 22, 53, 80, and 443. I've added port 53 to allow DNS requests. If you don't need to make DNS queries, just modify the rules accordingly.

To set these block rules for incoming only, you would use sudo ufw deny in 1:22/tcp, for example. Alternatively, set for outgoing: sudo ufw deny out 1:22/tcp, and so on.

sudo ufw deny 1:21/tcp
sudo ufw deny 1:21/udp
sudo ufw deny 23:52/tcp
sudo ufw deny 23:52/udp
sudo ufw deny 54:79/tcp
sudo ufw deny 54:79/udp
sudo ufw deny 81:442/tcp
sudo ufw deny 81:442/udp
sudo ufw deny 444:65535/tcp
sudo ufw deny 444:65535/udp





answered Oct 26 '14 at 2:36 by mchid (edited Sep 19 '17 at 14:01 by Community)
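The answer above writes out the deny ranges by hand for the four allowed ports. The script below is an added example (editor's code, not mchid's or ufw's) that computes those ranges for any allow-list and emits the matching `sudo ufw deny` commands, optionally with an `in` or `out` direction. The function names `deny_ranges`, `fmt_range` and `ufw_deny_commands` are my own; the only ufw facts it relies on are that a ranged rule needs a protocol and that a rule without a direction applies to incoming traffic.

```python
"""Generate ufw port-range deny rules for an arbitrary allow-list.

Added example, not part of the answer: it reproduces the hand-written
1:21, 23:52, 54:79, 81:442, 444:65535 ranges for allowed ports 22, 53, 80
and 443, and generalises them to any allow-list, protocol set and direction.
"""
from typing import Iterable, List, Optional, Sequence, Tuple

MAX_PORT = 65535


def deny_ranges(allowed: Iterable[int]) -> List[Tuple[int, int]]:
    """Return (lo, hi) ranges that together cover 1..65535 minus `allowed`.

    Ports outside 1..65535 are ignored and duplicates are collapsed.
    """
    ports = sorted({p for p in allowed if 1 <= p <= MAX_PORT})
    ranges: List[Tuple[int, int]] = []
    prev = 0  # last port that is allowed or already covered by a range
    for p in ports:
        if p - 1 >= prev + 1:          # a gap exists before this allowed port
            ranges.append((prev + 1, p - 1))
        prev = p
    if prev < MAX_PORT:                # tail above the highest allowed port
        ranges.append((prev + 1, MAX_PORT))
    return ranges


def fmt_range(lo: int, hi: int) -> str:
    """ufw syntax: a single port as '22', a span as '23:52'."""
    return str(lo) if lo == hi else f"{lo}:{hi}"


def ufw_deny_commands(
    allowed: Iterable[int],
    protocols: Sequence[str] = ("tcp", "udp"),
    direction: Optional[str] = None,
) -> List[str]:
    """Build `sudo ufw deny [in|out] LO:HI/PROTO` commands for the deny ranges.

    ufw requires a protocol on ranged rules, so each range is emitted once
    per protocol. With direction=None the rule applies to incoming traffic
    (ufw's default direction); pass "out" to target outgoing traffic.
    """
    if direction not in (None, "in", "out"):
        raise ValueError("direction must be None, 'in' or 'out'")
    dir_part = f"{direction} " if direction else ""
    return [
        f"sudo ufw deny {dir_part}{fmt_range(lo, hi)}/{proto}"
        for lo, hi in deny_ranges(allowed)
        for proto in protocols
    ]


if __name__ == "__main__":
    # Allow-list from the answer: SSH, DNS, HTTP, HTTPS. Prints the ten rules.
    for cmd in ufw_deny_commands([22, 53, 80, 443]):
        print(cmd)
```

Because the generated ranges never overlap the allowed ports, the order in which they are added relative to the allow rules does not matter. Note what the rules actually change: ufw's defaults are deny incoming and allow outgoing, so the incoming variant only restates the default policy, while `direction="out"` is the one that alters behaviour, which is consistent with engma's later comment that only `deny out` had a visible effect.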























  • Thanks a lot for your answer, but I want to block all the ports except for those ones; should I use ufw default block incoming after setting those rules?
    – engma
    Oct 26 '14 at 9:08










  • @Developer106 No, when you enable ufw, block incoming is already set to default. You can verify this by executing the following command in an open terminal sudo ufw status verbose. If I'm not mistaken, explicitly setting that rule will not permit your allowed ports. If you want to block all ports except those, I really suggest you check out this thread as that's exactly what they do. It is very thorough, blocking all except those and you'll have the open ports you want. ubuntuforums.org/showthread.php?t=1893751
    – mchid
    Oct 26 '14 at 12:45










  • @Developer106 I added some rules to globally block all except 22, 53, 80, and 443 and deny or block every other port.
    – mchid
    Oct 26 '14 at 13:03










  • OK, it only works when I specify deny out; if I say deny without saying that it is for out specifically, it still doesn't work. What could be the cause of that?
    – engma
    Oct 26 '14 at 13:22










  • @Developer106 what doesn't work, is it not blocking or not allowing?
    – mchid
    Oct 30 '14 at 22:48


















Answer (2 votes)
FYI: in case others have this problem.

In the detailed iptables output I noticed the ufw rules are missing in the INPUT, OUTPUT, and FORWARD chains. My system ended up like this when I ran iptables -F to remove my custom FW rules after enabling ufw at some point. It appears that ufw does not add the top-level rules back in if some of its own chains already exist in iptables.

I ended up uninstalling ufw, rebooting, running 'iptables -F' (to remove previous iptables rules that were still active), then reinstalling and configuring ufw. The top-level ufw rules are now back. The uninstall/reinstall may not have been necessary. Just removing all ufw rules from iptables by disabling ufw and rebooting may have done the trick.

Here's what the top-level chains should look like (on Debian 9.4):

Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-forward all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0
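
The diagnosis in this answer (and the symptom in the question: INPUT has policy DROP, holds no rules at all, and yet ufw-user-input contains the expected ACCEPT rules) comes down to one check: do the built-in INPUT, FORWARD and OUTPUT chains jump to the six ufw-* chains? The script below is an added example, not code from this answer or from the ufw project, that parses `iptables -L -n` or `iptables -L -v -n` output and reports which hooks are absent. The names `parse_listing`, `missing_ufw_hooks` and `UFW_HOOKS` are mine; the two sample listings are constructed from the question's and this answer's output and embedded so it runs offline (on a live box, feed it `sudo iptables -L -v -n`).

```python
"""Check that ufw's hook chains are wired into the built-in iptables chains.

Added diagnostic, not part of either post: parses `iptables -L -n` or
`iptables -L -v -n` output and reports which ufw-* jump targets are missing
from INPUT, FORWARD and OUTPUT. Sample listings are constructed from the page.
"""
import re
from typing import Dict, List

# The six chains ufw jumps to from each built-in chain, in the order ufw installs them.
UFW_HOOKS: Dict[str, List[str]] = {
    chain: [f"ufw-{stage}-{suffix}" for stage in
            ("before-logging", "before", "after", "after-logging", "reject", "track")]
    for chain, suffix in (("INPUT", "input"), ("FORWARD", "forward"), ("OUTPUT", "output"))
}

_CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)")


def parse_listing(text: str) -> Dict[str, dict]:
    """Map chain name -> {'policy': str or None, 'targets': [rule targets in order]}.

    Works with and without -v: the index of the 'target' column is read from
    the header row iptables prints under every chain name.
    """
    chains: Dict[str, dict] = {}
    current = None
    target_col = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "targets": []}
            target_col = None
            continue
        cols = line.split()
        if cols[0] in ("target", "pkts") and "target" in cols:
            target_col = cols.index("target")  # header row
            continue
        if current is not None and target_col is not None and len(cols) > target_col:
            chains[current]["targets"].append(cols[target_col])
    return chains


def missing_ufw_hooks(chains: Dict[str, dict]) -> Dict[str, List[str]]:
    """Return {built-in chain: [ufw hooks it never jumps to]}; an empty dict is healthy."""
    missing: Dict[str, List[str]] = {}
    for chain, hooks in UFW_HOOKS.items():
        present = set(chains.get(chain, {}).get("targets", []))
        gone = [h for h in hooks if h not in present]
        if gone:
            missing[chain] = gone
    return missing


# Constructed from the question's `iptables -L -v -n`: policies are DROP, but the
# built-in chains hold no jump rules, so ufw-user-input's ACCEPTs are never reached.
BROKEN_LISTING = """\
Chain INPUT (policy DROP 30 packets, 1764 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2 packets, 104 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
"""

# Constructed from the healthy Debian 9.4 `iptables -L -n` listing in this answer.
HEALTHY_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-logging-input  all  --  0.0.0.0/0  0.0.0.0/0
ufw-before-input  all  --  0.0.0.0/0  0.0.0.0/0
ufw-after-input  all  --  0.0.0.0/0  0.0.0.0/0
ufw-after-logging-input  all  --  0.0.0.0/0  0.0.0.0/0
ufw-reject-input  all  --  0.0.0.0/0  0.0.0.0/0
ufw-track-input  all  --  0.0.0.0/0  0.0.0.0/0
Chain FORWARD (policy DROP)
target     prot opt source               destination
ufw-before-logging-forward  all  --  0.0.0.0/0  0.0.0.0/0
ufw-before-forward  all  --  0.0.0.0/0  0.0.0.0/0
ufw-after-forward  all  --  0.0.0.0/0  0.0.0.0/0
ufw-after-logging-forward  all  --  0.0.0.0/0  0.0.0.0/0
ufw-reject-forward  all  --  0.0.0.0/0  0.0.0.0/0
ufw-track-forward  all  --  0.0.0.0/0  0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output  all  --  0.0.0.0/0  0.0.0.0/0
ufw-before-output  all  --  0.0.0.0/0  0.0.0.0/0
ufw-after-output  all  --  0.0.0.0/0  0.0.0.0/0
ufw-after-logging-output  all  --  0.0.0.0/0  0.0.0.0/0
ufw-reject-output  all  --  0.0.0.0/0  0.0.0.0/0
ufw-track-output  all  --  0.0.0.0/0  0.0.0.0/0
"""
```

An empty result from `missing_ufw_hooks` means the ufw chains are hooked in as this answer shows; a non-empty result on a host where `ufw status` says active is the state described here, where `ufw default deny incoming` has set the DROP policy but no packet is ever routed through the ufw chains that hold the allow rules. Rules listed without a jump target would shift the columns, so treat the parser as a check on ufw-managed chains rather than a general iptables parser.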





  • This fixed the problem for me also.
    – Technophobe01
    Aug 1 at 16:33


















Answer (0 votes)

I got the same problem: some kind of screwed-up config with ufw and fail2ban fu**ed up the iptables chain. Everything was blocked as soon as I started ufw, even with no rules in the ufw chain itself. ufw reset did not help. I completely reinstalled it; this worked out.



sudo apt-get purge ufw
sudo apt-get install ufw





  • Hi Maso. Did you have to do any additional configuration after reinstalling?
    – Hee Jin
    Dec 12 at 18:43











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f541675%2fufw-is-blocking-all-even-when-i-set-rules-to-allow%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























3 Answers
3






active

oldest

votes








3 Answers
3






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
12
down vote



accepted










Open a terminal and type the following commands:



Start off by doing a reset, which will remove all the existing rules:



sudo ufw reset


Next,



sudo ufw app list


This will list the available application profiles, such as, OpenSSH and others. To get info on an app, type the following command like in this example:



sudo ufw app info OpenSSH


Here's the output:



Profile: OpenSSH
Title: Secure shell server, an rshd replacement
Description: OpenSSH is a free implementation of the Secure Shell protocol.

Port:
22/tcp


To allow OpenSSH access, you can use the following rule:



sudo ufw allow 22/tcp


Unlike Debian, www and https are not usually included as app profiles, however, we know these operate on ports 80 and 443 so use the following commands:



sudo ufw allow 80/tcp
sudo ufw allow 443/tcp


If you want to add UDP just do this as well.



sudo ufw allow 80/udp
sudo ufw allow 443/udp


Disable and enable ufw to apply the changes:



sudo ufw disable
sudo ufw enable


To show your rules:



sudo ufw status


Finally, one of the less friendly aspects of ufw is how the deny rules usually trump allow rules. For example, you cannot set everything to deny and then set ports to allow. All ports will still be blocked. See here for more info.





You can add these rules to globally block all ports except 22, 53, 80, and 443. I've added port 53 to allow DNS requests. If you don't need to make DNS queries, just modify the rules accordingly.



To set these block rules for incoming only, you would use sudo ufw deny in 1:22/tcp for example. Alternatively, set for outgoing sudo ufw deny out 1:22/tcp and so on.



sudo ufw deny 1:21/tcp
sudo ufw deny 1:21/udp
sudo ufw deny 23:52/tcp
sudo ufw deny 23:52/udp
sudo ufw deny 54:79/tcp
sudo ufw deny 54:79/udp
sudo ufw deny 81:442/tcp
sudo ufw deny 81:442/udp
sudo ufw deny 444:65535/tcp
sudo ufw deny 444:65535/udp





share|improve this answer























  • Thanks alot for your answer, but I want to block all the ports except for those ones, should I use ufw default block incoming after setting those rules ?
    – engma
    Oct 26 '14 at 9:08










  • @Developer106 No, when you enable ufw, block incoming is already set to default. You can verify this by executing the following command in an open terminal sudo ufw status verbose. If I'm not mistaken, explicitly setting that rule will not permit your allowed ports. If you want to block all ports except those, I really suggest you check out this thread as that's exactly what they do. It is very thorough, blocking all except those and you'll have the open ports you want. ubuntuforums.org/showthread.php?t=1893751
    – mchid
    Oct 26 '14 at 12:45










  • @Developer106 I added some rules to globally block all except 22, 53, 80, and 443 and deny or block every other port.
    – mchid
    Oct 26 '14 at 13:03










  • ok it only works when specify to deny out if I say deny without saying that it is for out specifically, it still doesn't work. what could be the cause of that ?
    – engma
    Oct 26 '14 at 13:22










  • @Developer106 what doesn't work, is it not blocking or not allowing?
    – mchid
    Oct 30 '14 at 22:48















up vote
12
down vote



accepted










Open a terminal and type the following commands:



Start off by doing a reset, which will remove all the existing rules:



sudo ufw reset


Next,



sudo ufw app list


This will list the available application profiles, such as, OpenSSH and others. To get info on an app, type the following command like in this example:



sudo ufw app info OpenSSH


Here's the output:



Profile: OpenSSH
Title: Secure shell server, an rshd replacement
Description: OpenSSH is a free implementation of the Secure Shell protocol.

Port:
22/tcp


To allow OpenSSH access, you can use the following rule:



sudo ufw allow 22/tcp


Unlike Debian, www and https are not usually included as app profiles, however, we know these operate on ports 80 and 443 so use the following commands:



sudo ufw allow 80/tcp
sudo ufw allow 443/tcp


If you want to add UDP just do this as well.



sudo ufw allow 80/udp
sudo ufw allow 443/udp


Disable and enable ufw to apply the changes:



sudo ufw disable
sudo ufw enable


To show your rules:



sudo ufw status


Finally, one of the less friendly aspects of ufw is how the deny rules usually trump allow rules. For example, you cannot set everything to deny and then set ports to allow. All ports will still be blocked. See here for more info.





You can add these rules to globally block all ports except 22, 53, 80, and 443. I've added port 53 to allow DNS requests. If you don't need to make DNS queries, just modify the rules accordingly.



To set these block rules for incoming only, you would use sudo ufw deny in 1:22/tcp for example. Alternatively, set for outgoing sudo ufw deny out 1:22/tcp and so on.



sudo ufw deny 1:21/tcp
sudo ufw deny 1:21/udp
sudo ufw deny 23:52/tcp
sudo ufw deny 23:52/udp
sudo ufw deny 54:79/tcp
sudo ufw deny 54:79/udp
sudo ufw deny 81:442/tcp
sudo ufw deny 81:442/udp
sudo ufw deny 444:65535/tcp
sudo ufw deny 444:65535/udp





share|improve this answer























  • Thanks alot for your answer, but I want to block all the ports except for those ones, should I use ufw default block incoming after setting those rules ?
    – engma
    Oct 26 '14 at 9:08










  • @Developer106 No, when you enable ufw, block incoming is already set to default. You can verify this by executing the following command in an open terminal sudo ufw status verbose. If I'm not mistaken, explicitly setting that rule will not permit your allowed ports. If you want to block all ports except those, I really suggest you check out this thread as that's exactly what they do. It is very thorough, blocking all except those and you'll have the open ports you want. ubuntuforums.org/showthread.php?t=1893751
    – mchid
    Oct 26 '14 at 12:45










  • @Developer106 I added some rules to globally block all except 22, 53, 80, and 443 and deny or block every other port.
    – mchid
    Oct 26 '14 at 13:03










  • ok it only works when specify to deny out if I say deny without saying that it is for out specifically, it still doesn't work. what could be the cause of that ?
    – engma
    Oct 26 '14 at 13:22










  • @Developer106 what doesn't work, is it not blocking or not allowing?
    – mchid
    Oct 30 '14 at 22:48













up vote
12
down vote



accepted







up vote
12
down vote



accepted






Open a terminal and type the following commands:



Start off by doing a reset, which will remove all the existing rules:



sudo ufw reset


Next,



sudo ufw app list


This will list the available application profiles, such as, OpenSSH and others. To get info on an app, type the following command like in this example:



sudo ufw app info OpenSSH


Here's the output:



Profile: OpenSSH
Title: Secure shell server, an rshd replacement
Description: OpenSSH is a free implementation of the Secure Shell protocol.

Port:
22/tcp


To allow OpenSSH access, you can use the following rule:



sudo ufw allow 22/tcp


Unlike Debian, www and https are not usually included as app profiles, however, we know these operate on ports 80 and 443 so use the following commands:



sudo ufw allow 80/tcp
sudo ufw allow 443/tcp


If you want to add UDP just do this as well.



sudo ufw allow 80/udp
sudo ufw allow 443/udp


Disable and enable ufw to apply the changes:



sudo ufw disable
sudo ufw enable


To show your rules:



sudo ufw status


Finally, one of the less friendly aspects of ufw is how the deny rules usually trump allow rules. For example, you cannot set everything to deny and then set ports to allow. All ports will still be blocked. See here for more info.





You can add these rules to globally block all ports except 22, 53, 80, and 443. I've added port 53 to allow DNS requests. If you don't need to make DNS queries, just modify the rules accordingly.



To set these block rules for incoming only, you would use sudo ufw deny in 1:22/tcp for example. Alternatively, set for outgoing sudo ufw deny out 1:22/tcp and so on.



sudo ufw deny 1:21/tcp
sudo ufw deny 1:21/udp
sudo ufw deny 23:52/tcp
sudo ufw deny 23:52/udp
sudo ufw deny 54:79/tcp
sudo ufw deny 54:79/udp
sudo ufw deny 81:442/tcp
sudo ufw deny 81:442/udp
sudo ufw deny 444:65535/tcp
sudo ufw deny 444:65535/udp





share|improve this answer














Open a terminal and type the following commands:



Start off by doing a reset, which will remove all the existing rules:



sudo ufw reset


Next,



sudo ufw app list


This will list the available application profiles, such as, OpenSSH and others. To get info on an app, type the following command like in this example:



sudo ufw app info OpenSSH


Here's the output:



Profile: OpenSSH
Title: Secure shell server, an rshd replacement
Description: OpenSSH is a free implementation of the Secure Shell protocol.

Port:
22/tcp


To allow OpenSSH access, you can use the following rule:



sudo ufw allow 22/tcp


Unlike Debian, www and https are not usually included as app profiles, however, we know these operate on ports 80 and 443 so use the following commands:



sudo ufw allow 80/tcp
sudo ufw allow 443/tcp


If you want to add UDP just do this as well.



sudo ufw allow 80/udp
sudo ufw allow 443/udp


Disable and enable ufw to apply the changes:



sudo ufw disable
sudo ufw enable


To show your rules:



sudo ufw status


Finally, one of the less friendly aspects of ufw is how the deny rules usually trump allow rules. For example, you cannot set everything to deny and then set ports to allow. All ports will still be blocked. See here for more info.





You can add these rules to globally block all ports except 22, 53, 80, and 443. I've added port 53 to allow DNS requests. If you don't need to make DNS queries, just modify the rules accordingly.



To set these block rules for incoming only, you would use sudo ufw deny in 1:22/tcp for example. Alternatively, set for outgoing sudo ufw deny out 1:22/tcp and so on.



sudo ufw deny 1:21/tcp
sudo ufw deny 1:21/udp
sudo ufw deny 23:52/tcp
sudo ufw deny 23:52/udp
sudo ufw deny 54:79/tcp
sudo ufw deny 54:79/udp
sudo ufw deny 81:442/tcp
sudo ufw deny 81:442/udp
sudo ufw deny 444:65535/tcp
sudo ufw deny 444:65535/udp






share|improve this answer














share|improve this answer



share|improve this answer








edited Sep 19 '17 at 14:01









Community

1




1










answered Oct 26 '14 at 2:36









mchid

22.5k25082




22.5k25082












  • Thanks alot for your answer, but I want to block all the ports except for those ones, should I use ufw default block incoming after setting those rules ?
    – engma
    Oct 26 '14 at 9:08










  • @Developer106 No, when you enable ufw, block incoming is already set to default. You can verify this by executing the following command in an open terminal sudo ufw status verbose. If I'm not mistaken, explicitly setting that rule will not permit your allowed ports. If you want to block all ports except those, I really suggest you check out this thread as that's exactly what they do. It is very thorough, blocking all except those and you'll have the open ports you want. ubuntuforums.org/showthread.php?t=1893751
    – mchid
    Oct 26 '14 at 12:45










  • @Developer106 I added some rules to globally block all except 22, 53, 80, and 443 and deny or block every other port.
    – mchid
    Oct 26 '14 at 13:03










  • ok it only works when specify to deny out if I say deny without saying that it is for out specifically, it still doesn't work. what could be the cause of that ?
    – engma
    Oct 26 '14 at 13:22










  • @Developer106 what doesn't work, is it not blocking or not allowing?
    – mchid
    Oct 30 '14 at 22:48


















  • Thanks alot for your answer, but I want to block all the ports except for those ones, should I use ufw default block incoming after setting those rules ?
    – engma
    Oct 26 '14 at 9:08










  • @Developer106 No, when you enable ufw, block incoming is already set to default. You can verify this by executing the following command in an open terminal sudo ufw status verbose. If I'm not mistaken, explicitly setting that rule will not permit your allowed ports. If you want to block all ports except those, I really suggest you check out this thread as that's exactly what they do. It is very thorough, blocking all except those and you'll have the open ports you want. ubuntuforums.org/showthread.php?t=1893751
    – mchid
    Oct 26 '14 at 12:45










  • @Developer106 I added some rules to globally block all except 22, 53, 80, and 443 and deny or block every other port.
    – mchid
    Oct 26 '14 at 13:03










  • ok it only works when specify to deny out if I say deny without saying that it is for out specifically, it still doesn't work. what could be the cause of that ?
    – engma
    Oct 26 '14 at 13:22










  • @Developer106 what doesn't work, is it not blocking or not allowing?
    – mchid
    Oct 30 '14 at 22:48
















Thanks alot for your answer, but I want to block all the ports except for those ones, should I use ufw default block incoming after setting those rules ?
– engma
Oct 26 '14 at 9:08




Thanks alot for your answer, but I want to block all the ports except for those ones, should I use ufw default block incoming after setting those rules ?
– engma
Oct 26 '14 at 9:08












@Developer106 No, when you enable ufw, block incoming is already set to default. You can verify this by executing the following command in an open terminal sudo ufw status verbose. If I'm not mistaken, explicitly setting that rule will not permit your allowed ports. If you want to block all ports except those, I really suggest you check out this thread as that's exactly what they do. It is very thorough, blocking all except those and you'll have the open ports you want. ubuntuforums.org/showthread.php?t=1893751
– mchid
Oct 26 '14 at 12:45




@Developer106 No, when you enable ufw, block incoming is already set to default. You can verify this by executing the following command in an open terminal sudo ufw status verbose. If I'm not mistaken, explicitly setting that rule will not permit your allowed ports. If you want to block all ports except those, I really suggest you check out this thread as that's exactly what they do. It is very thorough, blocking all except those and you'll have the open ports you want. ubuntuforums.org/showthread.php?t=1893751
– mchid
Oct 26 '14 at 12:45












@Developer106 I added some rules to globally block all except 22, 53, 80, and 443 and deny or block every other port.
– mchid
Oct 26 '14 at 13:03




@Developer106 I added some rules to globally block all except 22, 53, 80, and 443 and deny or block every other port.
– mchid
Oct 26 '14 at 13:03












ok it only works when specify to deny out if I say deny without saying that it is for out specifically, it still doesn't work. what could be the cause of that ?
– engma
Oct 26 '14 at 13:22




ok it only works when specify to deny out if I say deny without saying that it is for out specifically, it still doesn't work. what could be the cause of that ?
– engma
Oct 26 '14 at 13:22












@Developer106 what doesn't work, is it not blocking or not allowing?
– mchid
Oct 30 '14 at 22:48




@Developer106 what doesn't work, is it not blocking or not allowing?
– mchid
Oct 30 '14 at 22:48












up vote
2
down vote













FYI: in case others have this problem.



In the detailed iptables output I noticed the ufw rules are missing in the INPUT, OUTPUT, and FORWARD chains. My system ended up like this when I ran iptables -F to remove my custom FW rules after enabling ufw at some point. It appears that ufw does not add the top level rules back in if some of its own chains already exist in iptables.



I ended up un-installing ufw, rebooting, ran 'iptables -F' (to remove previous iptables rules that were still active), then reinstalling and configuring ufw. The top level ufw rules are now back. The uninstall /reinstall may not have been necessary. Just removing all ufw rules from iptables by disabling ufw and rebooting may have done the trick.



Here's what the top level chains should look like (on Debian 9.4).



Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-forward all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0





share|improve this answer





















  • This fixed the problem for me also.
    – Technophobe01
    Aug 1 at 16:33















up vote
2
down vote













FYI: in case others have this problem.



In the detailed iptables output I noticed the ufw rules are missing in the INPUT, OUTPUT, and FORWARD chains. My system ended up like this when I ran iptables -F to remove my custom FW rules after enabling ufw at some point. It appears that ufw does not add the top level rules back in if some of its own chains already exist in iptables.



I ended up un-installing ufw, rebooting, ran 'iptables -F' (to remove previous iptables rules that were still active), then reinstalling and configuring ufw. The top level ufw rules are now back. The uninstall /reinstall may not have been necessary. Just removing all ufw rules from iptables by disabling ufw and rebooting may have done the trick.



Here's what the top level chains should look like (on Debian 9.4).



Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-forward all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0





share|improve this answer





















  • This fixed the problem for me also.
    – Technophobe01
    Aug 1 at 16:33













up vote
2
down vote










up vote
2
down vote









FYI: in case others have this problem.



In the detailed iptables output I noticed the ufw rules are missing in the INPUT, OUTPUT, and FORWARD chains. My system ended up like this when I ran iptables -F to remove my custom FW rules after enabling ufw at some point. It appears that ufw does not add the top level rules back in if some of its own chains already exist in iptables.



I ended up un-installing ufw, rebooting, ran 'iptables -F' (to remove previous iptables rules that were still active), then reinstalling and configuring ufw. The top level ufw rules are now back. The uninstall /reinstall may not have been necessary. Just removing all ufw rules from iptables by disabling ufw and rebooting may have done the trick.



Here's what the top level chains should look like (on Debian 9.4).



Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-forward all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0
answered Jul 15 at 0:46
FixItDad

212
  • This fixed the problem for me also.
    – Technophobe01
    Aug 1 at 16:33
up vote
0
down vote
I got the same problem, some kind of screwed config with ufw and fail2ban fu**ed up the iptables chain. Everything was blocked as soon as I started ufw - even with no rules in the ufw chain itself. ufw reset did not help. I completely reinstalled it, this worked out.



sudo apt-get purge ufw
sudo apt-get install ufw
edited Dec 12 at 19:02
mature

1,447422
answered Dec 12 at 16:55
Maso Mato

1
  • Hi Maso. Did you have to do any additional configuration after reinstalling?
    – Hee Jin
    Dec 12 at 18:43
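Both answers above come down to the same diagnosis: ufw's own chains exist, but the six jumps from each built-in chain (INPUT, FORWARD, OUTPUT) into them are gone, so with a DROP policy nothing is ever evaluated against the allow rules. The following is an added example, not code from either answer or from the ufw project: a small POSIX shell check that reads a saved `iptables -S` dump and reports which jumps are missing, so you can confirm the problem before and after a disable/reboot or purge/reinstall. The function names are hypothetical, and both dumps are constructed inline: a healthy one matching the Debian 9.4 listing, and a broken one matching the question's listing (policy DROP, ufw chains present with 0 references).

```shell
#!/bin/sh
# Added example (not from either answer or from ufw): verify that iptables'
# built-in chains still jump into ufw's chains. Works on a saved `iptables -S`
# dump so it runs offline; on a live host you would first run
# `sudo iptables -S > dump.txt`. Function names are hypothetical.

# The six jump targets ufw installs in each built-in chain, in the order shown
# in the Debian 9.4 listing above. $1 is the lowercase chain name.
expected_targets() {
    printf '%s\n' "ufw-before-logging-$1" "ufw-before-$1" "ufw-after-$1" \
        "ufw-after-logging-$1" "ufw-reject-$1" "ufw-track-$1"
}

# check_ufw_chains DUMP_FILE
# Prints one line per missing jump ("INPUT: missing -j ufw-before-input").
# Returns 0 when all 18 jumps are present, 1 otherwise.
check_ufw_chains() {
    dump="$1"
    missing=0
    for chain in INPUT FORWARD OUTPUT; do
        suffix=$(printf '%s' "$chain" | tr '[:upper:]' '[:lower:]')
        for target in $(expected_targets "$suffix"); do
            if ! grep -q -e "^-A $chain -j $target\$" "$dump"; then
                echo "$chain: missing -j $target"
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# Constructed dump of a healthy ufw install: every ufw chain is created (-N)
# and jumped to (-A) from its built-in chain.
healthy_dump() {
    printf '%s\n' '-P INPUT DROP' '-P FORWARD DROP' '-P OUTPUT ACCEPT'
    for chain in INPUT FORWARD OUTPUT; do
        suffix=$(printf '%s' "$chain" | tr '[:upper:]' '[:lower:]')
        for target in $(expected_targets "$suffix"); do
            echo "-N $target"
            echo "-A $chain -j $target"
        done
    done
}

# Constructed dump of the broken state in the question: policies are DROP and
# the ufw chains exist (so ufw does not re-create them), but no built-in chain
# jumps into them, so every inbound packet falls through to the DROP policy.
broken_dump() {
    printf '%s\n' '-P INPUT DROP' '-P FORWARD DROP' '-P OUTPUT ACCEPT'
    for chain in INPUT FORWARD OUTPUT; do
        suffix=$(printf '%s' "$chain" | tr '[:upper:]' '[:lower:]')
        for target in $(expected_targets "$suffix"); do
            echo "-N $target"
        done
    done
    # ufw repopulates its own chains on enable, which is why the question's
    # listing shows rules inside ufw-after-input but "(0 references)" to it.
    echo '-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input'
}

healthy_file=$(mktemp)
broken_file=$(mktemp)
healthy_dump > "$healthy_file"
broken_dump > "$broken_file"

echo "healthy dump:"
check_ufw_chains "$healthy_file" && echo "  all ufw jumps present"
echo "broken dump:"
check_ufw_chains "$broken_file" || echo "  -> top-level ufw jumps missing; recover as described in the answers above"

rm -f "$healthy_file" "$broken_file"
```

Run it as-is to see both outcomes, or pass your own dump to `check_ufw_chains`. A clean result on the healthy dump and 18 reported lines on the broken one is the signature of this problem; an `iptables -L -v -n` listing whose INPUT chain is empty while `ufw status` reports active rules tells the same story.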