UFW blocking certain incoming requests and not sure why
Hi,
I'm a firewall beginner, so please be kind.
I'm running UFW (Uncomplicated/Ubuntu FireWall) on a computer acting as a Privoxy server for my LAN and have set it up as follows (only the relevant info is given):
Code:
ufw allow from <my network range>/28 to any app Privoxy
"Privoxy" is defined as follows:
Code:
[Privoxy]
title=Privoxy, a filtering proxy server
description=Privoxy is a free and open-source ad- and cookie-blocking proxy.
ports=8118
I'm noticing a large number of [UFW BLOCK] entries of the following type:
The Source Port varies, but only between 598xx - 60xxx.
I've determined that the Source IP address is one of my devices, and that I was probably using it to listen to a BBC iPlayer radio show at the time. The Source IP address lies within the range permitted by the Firewall rule. The Destination IP address and port is Privoxy, so nothing untoward there.
So, why is UFW blocking these incoming requests? If the Source IP Address, Destination Port and Destination IP Address are all valid, shouldn't UFW let these requests through?
(..) why is UFW blocking these incoming requests? If the Source IP Address, Destination Port and Destination IP Address are all valid, shouldn't UFW let these requests through?
May have something to do with flags but until we see your 'iptables-save' output we won't know.
should show you and if it resides in for example /sbin you could run
Code:
sudo /sbin/iptables-save > /tmp/iptables.txt 2>&1
which would redirect the output to the file "/tmp/iptables.txt" which you can then attach to your reply. Do check for and if necessary obfuscate any external (not LAN range) IP addresses before posting.
*The only thing this does is change the logging rule tags so it becomes easier to see which block rule actually logs this. All other rules remain the same.
Code:
# Generated by iptables-save v1.4.8 on Wed Mar 27 02:11:06 2013
*nat
:PREROUTING ACCEPT [21914:1984541]
:POSTROUTING ACCEPT [97272:27241495]
:OUTPUT ACCEPT [161685:35387937]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Mar 27 02:11:06 2013
# Generated by iptables-save v1.4.8 on Wed Mar 27 02:11:06 2013
*filter
:INPUT DROP [5:2585]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [11:536]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UALF BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UALI BLOCK] "
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -d 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[ULD BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m state --state NEW -j ACCEPT
-A ufw-track-output -p udp -m state --state NEW -j ACCEPT
-A ufw-user-input -s 172.x.x.x/28 -p tcp -m tcp --dport 8118 -m comment --comment "\'dapp_Privoxy\'" -j ACCEPT
-A ufw-user-input -s 172.x.x.x/28 -p udp -m udp --dport 8118 -m comment --comment "\'dapp_Privoxy\'" -j ACCEPT
-A ufw-user-input -s 172.x.x.x/28 -p udp -m udp --dport 123 -m comment --comment "\'dapp_NTPD\'" -j ACCEPT
-A ufw-user-input -s 172.x.x.x/28 -p tcp -m tcp --dport 22 -m comment --comment "\'dapp_OpenSSH\'" -j ACCEPT
-A ufw-user-input -s 172.x.x.x/28 -p tcp -m tcp --dport 32400 -m comment --comment "\'dapp_plexmediaserver\'" -j ACCEPT
-A ufw-user-input -s 172.x.x.x/28 -p udp -m udp --dport 32400 -m comment --comment "\'dapp_plexmediaserver\'" -j ACCEPT
-A ufw-user-input -s 172.x.x.x/28 -p tcp -m tcp --dport 2049 -m comment --comment "\'dapp_NFSv4\'" -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UUL BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Wed Mar 27 02:11:06
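The retagged rule set above gives each logging rule its own prefix so a block line names the chain that fired. As an added example (not code from the thread or from UFW), the script below parses UFW block lines in the kernel LOG format, maps the prefix back to the chain, and checks the packet against the ufw-user-input allow rules from the dump, so a line whose source, protocol and port all match an ACCEPT rule is explained by the one logging drop that runs ahead of ufw-user-input in this rule set: the INVALID-state rule in ufw-before-input. The LAN 172.16.0.0/28 stands in for the obfuscated 172.x.x.x/28, and the log lines are constructed.

```python
import ipaddress
import re

# Placeholder for the thread's obfuscated 172.x.x.x/28 LAN (assumption).
LAN = ipaddress.ip_network("172.16.0.0/28")

# (PROTO, DPT) -> app profile, mirroring the 'dapp_*' comments in the dump.
ALLOW = {
    ("TCP", 8118): "Privoxy", ("UDP", 8118): "Privoxy",
    ("UDP", 123): "NTPD", ("TCP", 22): "OpenSSH",
    ("TCP", 32400): "plexmediaserver", ("UDP", 32400): "plexmediaserver",
    ("TCP", 2049): "NFSv4",
}

# Which chain each prefix comes from in the retagged rule set. The stock
# "[UFW BLOCK]" tag is shared by every logging rule and says nothing by itself.
CHAIN_FOR_PREFIX = {
    "[ULD BLOCK]": "ufw-logging-deny (INVALID-state rule in ufw-before-input, or ufw-not-local)",
    "[UALI BLOCK]": "ufw-after-logging-input (no rule accepted it; INPUT policy DROP follows)",
    "[UUL BLOCK]": "ufw-user-limit (rate limit hit; REJECT follows)",
    "[UFW BLOCK]": "stock tag, chain unknown",
}

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_ufw_line(line):
    """Split a kernel LOG line into its prefix, KEY=value fields and TCP flag set."""
    m = re.search(r"(\[U[A-Z]* BLOCK\])\s+(.*)$", line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group(2).split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val          # e.g. SRC=172.16.0.5, DPT=8118
        elif tok in TCP_FLAGS:
            flags.add(tok)             # bare tokens such as "ACK FIN"
    return {"prefix": m.group(1), "fields": fields, "flags": flags}


def classify_block(line):
    """Return (category, explanation) saying why this rule set dropped the packet."""
    rec = parse_ufw_line(line)
    if rec is None:
        return ("not-ufw", "not a UFW block entry")
    f, flags = rec["fields"], rec["flags"]
    proto, dport = f.get("PROTO", ""), int(f.get("DPT") or 0)
    src = ipaddress.ip_address(f["SRC"])
    where = CHAIN_FOR_PREFIX.get(rec["prefix"], "unknown chain")

    if rec["prefix"] == "[ULD BLOCK]":
        return ("logging-deny", f"logged by {where}: dropped in ufw-before-input, before ufw-user-input was consulted")
    if rec["prefix"] == "[UUL BLOCK]":
        return ("rate-limited", f"logged by {where}")
    if src not in LAN:
        return ("subnet-mismatch", f"{src} is outside {LAN}, so no ufw-user-input rule matches and INPUT policy DROP applies")
    app = ALLOW.get((proto, dport))
    if app is None:
        return ("no-allow-rule", f"no allow rule for {proto}/{dport}; INPUT policy DROP applies ({where})")
    # Source, protocol and port all match an ACCEPT rule, yet the packet was
    # logged and dropped. In this rule set the only logging drop that runs
    # before ufw-user-input is the INVALID-state rule (ufw-not-local only fires
    # for non-local destinations), so conntrack did not recognise the flow.
    hint = ""
    if proto == "TCP" and "SYN" not in flags and flags & {"FIN", "RST"}:
        hint = f"; flags {' '.join(sorted(flags))}: a FIN or RST with no tracked connection is INVALID"
    return ("invalid-state", f"matches the {app} allow rule but never reached it{hint}")


# Constructed sample lines in the kernel LOG format UFW produces (not real logs).
SAMPLE_LOG = [
    "Mar 27 02:15:01 proxy kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=172.16.0.5 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=59874 DPT=8118 "
    "WINDOW=0 RES=0x00 ACK FIN URGP=0",
    "Mar 27 02:15:09 proxy kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=172.16.0.20 DST=172.16.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=60011 DPT=8118 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    "Mar 27 02:15:12 proxy kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=172.16.0.7 DST=172.16.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=77 DF PROTO=TCP SPT=59901 DPT=8080 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    "Mar 27 02:16:40 proxy kernel: [ULD BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=172.16.0.5 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=59902 DPT=8118 "
    "WINDOW=0 RES=0x00 ACK RST URGP=0",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        category, why = classify_block(line)
        print(f"{category:16} {why}")
```

Run it against real lines with `grep 'BLOCK' /var/log/kern.log`, adjusting LAN and ALLOW to the rules actually loaded. With the stock "[UFW BLOCK]" tag the chain cannot be read off the line, which is why the retagged rule set is useful: once the prefix is "[ULD BLOCK]" you know the drop happened in ufw-before-input and no allow rule could have helped.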
What then? I'm not clear on what running this shell script will do, or what I should do with any result.
From what you say, once I've done that I should then return my settings to their original settings by repeating step 1 above, only replacing the text file with one that contains the code I myself posted in post 5 above.
Are you certain your subnet is a /28? I'm guessing (since your IPs start with 172) you're probably in the RFC 1918 space, where subnetting to /24 is far more common. If the SRC host is not within the /28 (i.e., wrong subnetting) you might have some not allowed in to Privoxy.
which loads the rule set into memory (activates it). The only change in the rule set is the logging text. That's done so you can see which rule actually blocks traffic.
Quote:
Originally Posted by smells_of_elderberries
From what you say, once I've done that I should then return my settings to their original settings by repeating step 1 above, only replacing the text file with one that contains the code I myself posted in post 5 above. Is that right?
No, once you restore settings (say by running the backup rule set with
Code:
sudo /sbin/iptables-restore < /tmp/iptables.txt
) you'll void the changes. For more see your newest thread.
I didn't think there was any overlap in the threads, but I suppose it makes sense to start using iptables directly and see whether, once the rules I need are in place, the same problems occur.
I'll consider this thread closed unless I decide that iptables really isn't for me.