LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-25-2013, 07:56 PM   #1
smells_of_elderberries
LQ Newbie
 
Registered: Dec 2006
Posts: 25

Rep: Reputation: 0
UFW blocking certain incoming requests and not sure why


Hi,

I'm a firewall beginner, so please be kind.

I'm running UFW (Uncomplicated/Ubuntu FireWall) on a computer acting as a Privoxy server for my LAN and have set it up as follows (only the relevant info is given):
Code:
ufw allow from <my network range>/28 to any app Privoxy
"Privoxy" is defined as follows:
Code:
[Privoxy]
title=Privoxy, a filtering proxy server
description=Privoxy is a free and open-source ad- and cookie-blocking proxy.
ports=8118
I'm noticing a large number of [UFW BLOCK] entries of the following type:
Code:
[UFW BLOCK] IN=eth0 OUT= MAC=<REDACTED> SRC=<REDACTED> DST=<REDACTED> LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=37797 DF PROTO=TCP SPT=60505 DPT=8118 WINDOW=8192 RES=0x00 ACK FIN URGP=0
The Source Port varies, but only between 598xx - 60xxx.

I've determined that the Source IP address is one of my devices, and that I was probably using it to listen to a BBC iPlayer radio show at the time. The Source IP address lies within the range permitted by the firewall rule. The Destination IP address and port are Privoxy's, so nothing untoward there.

So, why is UFW blocking these incoming requests? If the Source IP Address, Destination Port and Destination IP Address are all valid, shouldn't UFW let these requests through?
 
Old 03-26-2013, 02:16 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by smells_of_elderberries
I'm a firewall beginner, so please be kind.
You're at LQ. We're always kind.


Quote:
Originally Posted by smells_of_elderberries
(..) why is UFW blocking these incoming requests? If the Source IP Address, Destination Port and Destination IP Address are all valid, shouldn't UFW let these requests through?
May have something to do with flags but until we see your 'iptables-save' output we won't know.
 
Old 03-26-2013, 05:20 PM   #3
smells_of_elderberries
LQ Newbie
 
Registered: Dec 2006
Posts: 25

Original Poster
Rep: Reputation: 0
Quote:
May have something to do with flags but until we see your 'iptables-save' output we won't know.
Aha. Ok. Just tell me how to access the information you require, and I'll post it.
 
Old 03-26-2013, 05:37 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Running
Code:
sudo which iptables-save
should show you where it lives, and if it resides in, for example, /sbin you could run
Code:
sudo /sbin/iptables-save > /tmp/iptables.txt 2>&1
which would redirect the output to the file "/tmp/iptables.txt" which you can then attach to your reply. Do check for and if necessary obfuscate any external (not LAN range) IP addresses before posting.
 
Old 03-26-2013, 09:15 PM   #5
smells_of_elderberries
LQ Newbie
 
Registered: Dec 2006
Posts: 25

Original Poster
Rep: Reputation: 0
Thanks for the quick replies. Here's the content you asked for:

Code:
# Generated by iptables-save v1.4.8 on Wed Mar 27 02:11:06 2013
*nat
:PREROUTING ACCEPT [21914:1984541]
:POSTROUTING ACCEPT [97272:27241495]
:OUTPUT ACCEPT [161685:35387937]
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT
# Completed on Wed Mar 27 02:11:06 2013
# Generated by iptables-save v1.4.8 on Wed Mar 27 02:11:06 2013
*filter
:INPUT DROP [5:2585]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [11:536]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input 
-A INPUT -j ufw-before-input 
-A INPUT -j ufw-after-input 
-A INPUT -j ufw-after-logging-input 
-A INPUT -j ufw-reject-input 
-A INPUT -j ufw-track-input 
-A FORWARD -j ufw-before-logging-forward 
-A FORWARD -j ufw-before-forward 
-A FORWARD -j ufw-after-forward 
-A FORWARD -j ufw-after-logging-forward 
-A FORWARD -j ufw-reject-forward 
-A OUTPUT -j ufw-before-logging-output 
-A OUTPUT -j ufw-before-output 
-A OUTPUT -j ufw-after-output 
-A OUTPUT -j ufw-after-logging-output 
-A OUTPUT -j ufw-reject-output 
-A OUTPUT -j ufw-track-output 
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input 
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input 
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input 
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input 
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input 
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input 
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input 
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " 
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " 
-A ufw-before-forward -j ufw-user-forward 
-A ufw-before-input -i lo -j ACCEPT 
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny 
-A ufw-before-input -m state --state INVALID -j DROP 
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT 
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT 
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT 
-A ufw-before-input -j ufw-not-local 
-A ufw-before-input -s 224.0.0.0/4 -j ACCEPT 
-A ufw-before-input -d 224.0.0.0/4 -j ACCEPT 
-A ufw-before-input -j ufw-user-input 
-A ufw-before-output -o lo -j ACCEPT 
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A ufw-before-output -j ufw-user-output 
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " 
-A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN 
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " 
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN 
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN 
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN 
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny 
-A ufw-not-local -j DROP 
-A ufw-skip-to-policy-forward -j DROP 
-A ufw-skip-to-policy-input -j DROP 
-A ufw-skip-to-policy-output -j ACCEPT 
-A ufw-track-output -p tcp -m state --state NEW -j ACCEPT 
-A ufw-track-output -p udp -m state --state NEW -j ACCEPT 
-A ufw-user-input -s 172.x.x.x/28 -p tcp -m tcp --dport 8118 -m comment --comment "\'dapp_Privoxy\'" -j ACCEPT 
-A ufw-user-input -s 172.x.x.x/28 -p udp -m udp --dport 8118 -m comment --comment "\'dapp_Privoxy\'" -j ACCEPT 
-A ufw-user-input -s 172.x.x.x/28 -p udp -m udp --dport 123 -m comment --comment "\'dapp_NTPD\'" -j ACCEPT 
-A ufw-user-input -s 172.x.x.x/28 -p tcp -m tcp --dport 22 -m comment --comment "\'dapp_OpenSSH\'" -j ACCEPT 
-A ufw-user-input -s 172.x.x.x/28 -p tcp -m tcp --dport 32400 -m comment --comment "\'dapp_plexmediaserver\'" -j ACCEPT 
-A ufw-user-input -s 172.x.x.x/28 -p udp -m udp --dport 32400 -m comment --comment "\'dapp_plexmediaserver\'" -j ACCEPT 
-A ufw-user-input -s 172.x.x.x/28 -p tcp -m tcp --dport 2049 -m comment --comment "\'dapp_NFSv4\'" -j ACCEPT 
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] " 
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable 
-A ufw-user-limit-accept -j ACCEPT 
COMMIT
# Completed on Wed Mar 27 02:11:06 2013
 
Old 03-27-2013, 02:12 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Make sure you still have the previous rule set file (if anything fails you can load it the same way) and load the rule set below like this:
Code:
# write a one-line script that feeds the rule file to iptables-restore on stdin
echo '/sbin/iptables-restore < smells_of_elderberries.ufw1.txt' > /tmp/iptables.sh
# run it as root (sh is used so the file does not need the execute bit)
sudo sh /tmp/iptables.sh
*The only thing this does is change the logging rule tags so it becomes easier to see which block rule actually logs this. All other rules remain the same.

Code:
# Generated by iptables-save v1.4.8 on Wed Mar 27 02:11:06 2013
*nat
:PREROUTING ACCEPT [21914:1984541]
:POSTROUTING ACCEPT [97272:27241495]
:OUTPUT ACCEPT [161685:35387937]
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT
# Completed on Wed Mar 27 02:11:06 2013
# Generated by iptables-save v1.4.8 on Wed Mar 27 02:11:06 2013
*filter
:INPUT DROP [5:2585]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [11:536]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input 
-A INPUT -j ufw-before-input 
-A INPUT -j ufw-after-input 
-A INPUT -j ufw-after-logging-input 
-A INPUT -j ufw-reject-input 
-A INPUT -j ufw-track-input 
-A FORWARD -j ufw-before-logging-forward 
-A FORWARD -j ufw-before-forward 
-A FORWARD -j ufw-after-forward 
-A FORWARD -j ufw-after-logging-forward 
-A FORWARD -j ufw-reject-forward 
-A OUTPUT -j ufw-before-logging-output 
-A OUTPUT -j ufw-before-output 
-A OUTPUT -j ufw-after-output 
-A OUTPUT -j ufw-after-logging-output 
-A OUTPUT -j ufw-reject-output 
-A OUTPUT -j ufw-track-output 
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input 
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input 
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input 
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input 
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input 
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input 
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input 
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UALF BLOCK] " 
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UALI BLOCK] " 
-A ufw-before-forward -j ufw-user-forward 
-A ufw-before-input -i lo -j ACCEPT 
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny 
-A ufw-before-input -m state --state INVALID -j DROP 
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT 
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT 
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT 
-A ufw-before-input -j ufw-not-local 
-A ufw-before-input -s 224.0.0.0/4 -j ACCEPT 
-A ufw-before-input -d 224.0.0.0/4 -j ACCEPT 
-A ufw-before-input -j ufw-user-input 
-A ufw-before-output -o lo -j ACCEPT 
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A ufw-before-output -j ufw-user-output 
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " 
-A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN 
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[ULD BLOCK] " 
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN 
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN 
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN 
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny 
-A ufw-not-local -j DROP 
-A ufw-skip-to-policy-forward -j DROP 
-A ufw-skip-to-policy-input -j DROP 
-A ufw-skip-to-policy-output -j ACCEPT 
-A ufw-track-output -p tcp -m state --state NEW -j ACCEPT 
-A ufw-track-output -p udp -m state --state NEW -j ACCEPT 
-A ufw-user-input -s 172.x.x.x/28 -p tcp -m tcp --dport 8118 -m comment --comment "\'dapp_Privoxy\'" -j ACCEPT 
-A ufw-user-input -s 172.x.x.x/28 -p udp -m udp --dport 8118 -m comment --comment "\'dapp_Privoxy\'" -j ACCEPT 
-A ufw-user-input -s 172.x.x.x/28 -p udp -m udp --dport 123 -m comment --comment "\'dapp_NTPD\'" -j ACCEPT 
-A ufw-user-input -s 172.x.x.x/28 -p tcp -m tcp --dport 22 -m comment --comment "\'dapp_OpenSSH\'" -j ACCEPT 
-A ufw-user-input -s 172.x.x.x/28 -p tcp -m tcp --dport 32400 -m comment --comment "\'dapp_plexmediaserver\'" -j ACCEPT 
-A ufw-user-input -s 172.x.x.x/28 -p udp -m udp --dport 32400 -m comment --comment "\'dapp_plexmediaserver\'" -j ACCEPT 
-A ufw-user-input -s 172.x.x.x/28 -p tcp -m tcp --dport 2049 -m comment --comment "\'dapp_NFSv4\'" -j ACCEPT 
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UUL BLOCK] " 
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable 
-A ufw-user-limit-accept -j ACCEPT 
COMMIT
# Completed on Wed Mar 27 02:11:06
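As an added example (not code from the thread), here is a small Python triage script to run over the kernel log once the relabelled rule set above is loaded. It parses each log line, maps the prefix back to the chain that writes it (the mapping is read off the dump above), and picks out the TCP flag tokens, so an entry like the one in post #1 can be told apart from a SYN that simply matched no allow rule. The host name, addresses and MAC in SAMPLE_LOG are constructed. The remark that a FIN/ACK which conntrack can no longer match is classed INVALID and dropped by the two INVALID rules in ufw-before-input, before ufw-user-input is ever consulted, is what the dump supports; the thread itself never confirmed which chain was logging.

```python
"""Triage ufw block log lines by log prefix and TCP flags.

Added example; assumes the relabelled rule set from this post is loaded so
that each blocking chain writes its own log prefix.
"""
import re
from collections import Counter

# Log prefix -> chain that writes it, per the relabelled iptables-save dump.
# "UFW BLOCK" is the stock prefix, which several chains share.
PREFIX_CHAIN = {
    "UFW BLOCK": "ambiguous: ufw-logging-deny, ufw-after-logging-input and "
                 "ufw-after-logging-forward all use this prefix in the stock rule set",
    "UALI BLOCK": "ufw-after-logging-input: no allow rule matched, INPUT policy DROP",
    "UALF BLOCK": "ufw-after-logging-forward: no allow rule matched, FORWARD policy DROP",
    "ULD BLOCK": "ufw-logging-deny: conntrack state INVALID, or destination not local",
    "UUL BLOCK": "ufw-user-limit: rate limit exceeded, REJECT",
}

# Bare tokens the kernel LOG target prints between RES= and URGP= for TCP
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
PREFIX_RE = re.compile(r"\[(?P<prefix>[A-Z ]+?BLOCK)\]\s*(?P<rest>.*)")


def parse_ufw_line(line):
    """Return prefix, key=value fields and the set of TCP flag tokens, or None."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
        # other bare tokens (DF, MF) are IP-level and ignored here
    return {"prefix": m.group("prefix"), "fields": fields, "flags": flags}


def describe_tcp_flags(flags):
    """Say which stage of a TCP connection the segment belongs to."""
    if "SYN" in flags and "ACK" not in flags:
        return "SYN: connection opener, evaluated by the allow rules in ufw-user-input"
    if "RST" in flags:
        return "RST: reset"
    if "FIN" in flags:
        return ("FIN/ACK: teardown segment; if conntrack no longer tracks the "
                "connection it is INVALID and dropped in ufw-before-input, "
                "before ufw-user-input is consulted")
    return "ACK/data: mid-stream segment of an existing connection"


def explain(line):
    """One-line human explanation of a block entry, or None for other lines."""
    rec = parse_ufw_line(line)
    if rec is None:
        return None
    f = rec["fields"]
    parts = [
        f"{f.get('SRC')}:{f.get('SPT')} -> {f.get('DST')}:{f.get('DPT')} {f.get('PROTO')}",
        PREFIX_CHAIN.get(rec["prefix"], "unknown prefix " + rec["prefix"]),
    ]
    if f.get("PROTO") == "TCP":
        parts.append(describe_tcp_flags(rec["flags"]))
    return "; ".join(parts)


def summarize(lines):
    """Count blocked packets per (prefix, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_ufw_line(line)
        if rec:
            counts[(rec["prefix"], rec["fields"].get("DPT"))] += 1
    return counts


# Constructed sample syslog lines (host, addresses, MAC and IDs are made up);
# the first two mirror the entry from post #1 with the ULD prefix.
SAMPLE_LOG = [
    "Mar 27 02:12:01 proxy kernel: [ULD BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=172.16.0.20 DST=172.16.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=37797 DF PROTO=TCP SPT=60505 DPT=8118 WINDOW=8192 RES=0x00 ACK FIN URGP=0",
    "Mar 27 02:12:03 proxy kernel: [ULD BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=172.16.0.20 DST=172.16.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=37801 DF PROTO=TCP SPT=60511 DPT=8118 WINDOW=8192 RES=0x00 ACK FIN URGP=0",
    "Mar 27 02:12:09 proxy kernel: [UALI BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=172.16.0.200 DST=172.16.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=50000 DPT=8118 WINDOW=14600 RES=0x00 SYN URGP=0",
    "Mar 27 02:12:10 proxy sshd[1234]: Accepted publickey for user from 172.16.0.5 port 40000 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        if explain(line):
            print(explain(line))
    print(summarize(SAMPLE_LOG))
```

Feed it the lines from /var/log/syslog (the file the OP tails in post #9) or journalctl -k; the summary is the quickest way to see whether the 8118 entries are all ULD (conntrack INVALID, typically late FIN/ACKs of connections that were already torn down) or UALI (a source outside the allowed range, which is the case Matir raises).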
 
Old 03-31-2013, 05:53 PM   #7
smells_of_elderberries
LQ Newbie
 
Registered: Dec 2006
Posts: 25

Original Poster
Rep: Reputation: 0
Sorry for not responding sooner. Truth is I didn't fully understand your last response. So to clarify:

1) I copy the code at the end of your post into a file called "smells_of_elderberries.ufw1.txt" (or whatever)

2) On the server, do:
Quote:
echo '/sbin/iptables-restore < smells_of_elderberries.ufw1.txt' > /tmp/iptables.sh
3) Then do:
Quote:
sudo sh /tmp/iptables.sh
What then? I'm not clear on what running this shell script will do, or what I should do with any result.

From what you say, once I've done that I should then return my settings to their original settings by repeating step 1 above, only replacing the text file with one that contains the code I myself posted in post 5 above.

Is that right?
 
Old 03-31-2013, 07:17 PM   #8
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Are you certain your subnet is a /28? I'm guessing (since your IPs start with 172) you're probably in the RFC 1918 space, where subnetting to /24 is far more common. If the SRC host is not within the /28 (i.e., wrong subnetting) you might have some not allowed in to Privoxy.
 
Old 04-01-2013, 11:53 AM   #9
smells_of_elderberries
LQ Newbie
 
Registered: Dec 2006
Posts: 25

Original Poster
Rep: Reputation: 0
I just tried increasing the subnet range to /24, but tail -f /var/log/syslog still shows UFW blocking requests to port 8118.

Thanks though.
 
Old 04-01-2013, 04:41 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by smells_of_elderberries
What then? I'm not clear on what running this shell script will do, or what I should do with any result.
The script will run the command
Code:
/sbin/iptables-restore < smells_of_elderberries.ufw1.txt
which loads the rule set into memory (activates it). The only change in the rule set is the logging text. That's done so you can see which rule actually blocks traffic.


Quote:
Originally Posted by smells_of_elderberries
From what you say, once I've done that I should then return my settings to their original settings by repeating step 1 above, only replacing the text file with one that contains the code I myself posted in post 5 above. Is that right?
No, once you restore settings (say by running the backup rule set with
Code:
/sbin/iptables-restore < /tmp/iptables.txt
) you'll void the changes. For more see your newest thread.
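The save, load and restore steps from posts #4, #6 and this post, wrapped into one script as an added example (not unSpawn's, ufw's or the thread's own code): it saves the live rules with iptables-save, checks the new dump structurally, parses it with iptables-restore --test (parse only, no commit), applies it, and falls back to the saved dump if applying fails or an optional probe reports that the host no longer behaves as expected. The backup path and SAMPLE_DUMP are assumptions made for the example; only the validation runs without root.

```python
"""Swap an iptables rule set safely, with automatic rollback.

Added example. Assumes the iptables-save/iptables-restore binaries are on
PATH and that the caller runs it as root for anything beyond validation.
"""
import subprocess
import sys


def validate_dump(text):
    """Structural check of an iptables-save dump before it reaches iptables-restore:
    every *table block must end with COMMIT, and every -A/-I rule must name a
    chain declared with a ':' line in that table. Returns a list of problems."""
    problems = []
    table, chains, open_block = None, set(), False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            if open_block:
                problems.append(f"line {n}: table {table} missing COMMIT")
            table, chains, open_block = line[1:], set(), True
        elif line.startswith(":"):
            chains.add(line[1:].split()[0])
        elif line == "COMMIT":
            if not open_block:
                problems.append(f"line {n}: COMMIT without a table")
            open_block = False
        elif line.startswith(("-A ", "-I ")):
            chain = line.split()[1]
            if chain not in chains:
                problems.append(f"line {n}: rule for undeclared chain {chain}")
        elif not open_block:
            problems.append(f"line {n}: rule outside a table block")
    if open_block:
        problems.append(f"end of file: table {table} missing COMMIT")
    return problems


def run(cmd, stdin_text=None):
    """Run a command, feeding stdin_text on standard input."""
    return subprocess.run(cmd, input=stdin_text, text=True, capture_output=True)


def swap_rules(new_dump, backup_path="/tmp/iptables.backup.txt", probe=None):
    """Save live rules to backup_path, apply new_dump, roll back on failure.
    probe: optional callable returning True while the host still works."""
    problems = validate_dump(new_dump)
    if problems:
        return False, problems
    saved = run(["iptables-save"])
    if saved.returncode != 0:
        return False, ["iptables-save failed: " + saved.stderr]
    with open(backup_path, "w") as fh:
        fh.write(saved.stdout)
    test = run(["iptables-restore", "--test"], new_dump)  # parse only
    if test.returncode != 0:
        return False, ["iptables-restore --test rejected the dump: " + test.stderr]
    applied = run(["iptables-restore"], new_dump)
    if applied.returncode != 0 or (probe is not None and not probe()):
        run(["iptables-restore"], saved.stdout)  # roll back to the saved rules
        return False, ["new rule set rejected or probe failed; previous rules restored"]
    return True, []


# Constructed minimal dump, shaped like the filter table in the thread
SAMPLE_DUMP = """\
# constructed sample for the example
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ufw-user-input - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ufw-user-input
-A ufw-user-input -s 172.16.0.0/28 -p tcp -m tcp --dport 8118 -j ACCEPT
COMMIT
"""
BROKEN_DUMP = SAMPLE_DUMP.replace("COMMIT\n", "")  # COMMIT dropped

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: swap_rules.py new-rules.txt (as root)
        with open(sys.argv[1]) as fh:
            ok, msgs = swap_rules(fh.read())
        print("applied" if ok else "not applied", msgs)
    else:
        print("sample dump:", validate_dump(SAMPLE_DUMP) or "ok")
        print("broken dump:", validate_dump(BROKEN_DUMP))
```

Rules loaded this way bypass ufw's own bookkeeping: the next ufw reload or enable regenerates the chains from /etc/ufw/*.rules and /etc/ufw/user.rules and discards the relabelled prefixes, which is fine for a diagnostic session but is why the thread treats the swap as temporary.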
 
Old 04-02-2013, 06:19 PM   #11
smells_of_elderberries
LQ Newbie
 
Registered: Dec 2006
Posts: 25

Original Poster
Rep: Reputation: 0
Quote:
For more see your newest thread.
I didn't think there was any overlap in the threads, but I suppose it makes sense to start using iptables directly and see whether, once the rules I need are in place, the same problems occur.

I'll consider this thread closed unless I decide that iptables really isn't for me.

Thanks for the assist.
 
  

