LinuxQuestions.org
Old 03-07-2018, 05:05 AM   #1
postcd
[not solved] UFW IP leak and allowing LAN connections IN/OUT


Hello, on Ubuntu 16.04.4 my default iptables 1.6 policy for the INPUT & OUTPUT chains is DROP and I would like to add an ACCEPT/ALLOW rule for local LAN IPs (so I can connect to the LAN and other LAN devices can connect to me). I read some articles and they suggest this example:

iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT

Linux said:
ping: sendmsg: Operation not permitted

The reason was probably that the UFW firewall did not know about those rules.

So I want to ask how to allow it in UFW?

I tried: ufw allow out from 192.168.0.0/16 to 192.168.0.0/16

and it works to ping LAN IPs. Is it the correct rule?

The next issue I see is that if I stop ufw, then the computer somehow bypasses the VPN and connects directly, even though the VPN is enabled (via the OS built-in connectivity manager, not using any VPN client).
When ufw is started, then per the ufw rules only VPN connectivity is allowed and the rest is blocked, so when I disable the VPN, the computer loses connectivity to the internet.

How can I prevent this IP leak while ufw is terminated/stopped/dead?

The aim is not to allow bypassing the VPN except for LAN connections. Thank You

Last edited by postcd; 03-08-2018 at 01:07 AM.
 
Old 03-07-2018, 07:42 AM   #2
TB0ne
Quote (originally posted by postcd):
Hello, on Ubuntu 16.04.4 my default iptables 1.6 policy for the INPUT & OUTPUT chains is DROP and I would like to add an ACCEPT/ALLOW rule for local LAN IPs (so I can connect to the LAN and other LAN devices can connect to me). I read some articles and they suggest this example:

iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT

Linux said:
ping: sendmsg: Operation not permitted

The reason was probably that the UFW firewall did not know about those rules. So I want to ask how to allow it in UFW?
The same way you do in iptables (which you've been asking about for YEARS at this point). UFW is a FRONT END to iptables, and it even says so in the Ubuntu documentation. If you need to know how to allow something, you can use your YEARS of iptables experience and do so, or read the UFW documentation:
https://help.ubuntu.com/community/UFW
Quote:
I tried: ufw allow out from 192.168.0.0/16 to 192.168.0.0/16

and it works to ping LAN IPs. Is it the correct rule?
You tell us... it's your network; is that what you want it to do?? If not, then no, it isn't. If so.... YES.
Quote:
The next issue I see is that if I stop ufw, then the computer somehow bypasses the VPN and connects directly, even though the VPN is enabled (via the OS built-in connectivity manager, not using any VPN client). When ufw is started, then per the ufw rules only VPN connectivity is allowed and the rest is blocked, so when I disable the VPN, the computer loses connectivity to the internet.
How can I prevent this IP leak while ufw is terminated/stopped/dead? The aim is not to allow bypassing the VPN except for LAN connections. Thank You
"Somehow"?? You're disabling all the rules, and (probably) have IP forwarding enabled. What do you think is going to happen?

If you don't want it to happen, then write a script or put some logic in the init scripts to shut networking off when the firewall goes down.
 
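A fail-closed guard of the kind TB0ne suggests (a script that acts when the firewall goes down), as an added example that is not from the thread: it inspects the text of `ufw status` and, when ufw is not active, reinstates a minimal iptables policy that only permits the LAN and the VPN tunnel, which works because ufw is only a front end to iptables. The tunnel interface `tun0`, the VPN server address `203.0.113.10` and the `192.168.0.0/16` LAN range are assumed placeholders; the check and rule-building functions are kept pure so they can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the thread: fail-closed guard run from cron or a systemd
# unit when ufw stops. Placeholders: tunnel tun0, VPN server 203.0.113.10, LAN below.
LAN_NET="${LAN_NET:-192.168.0.0/16}"
VPN_IF="${VPN_IF:-tun0}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
# firewall_is_active STATUS_TEXT: succeed only if `ufw status` output says active.
firewall_is_active() {
    case "$1" in
        *"Status: active"*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# fallback_rules: print iptables commands for a minimal policy that lets only
# LAN traffic and the VPN tunnel (plus the tunnel's own handshake) through.
fallback_rules() {
    cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s $LAN_NET -j ACCEPT
iptables -A OUTPUT -d $LAN_NET -j ACCEPT
iptables -A OUTPUT -d $VPN_SERVER -j ACCEPT
iptables -A INPUT -s $VPN_SERVER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $VPN_IF -j ACCEPT
iptables -A OUTPUT -o $VPN_IF -j ACCEPT
EOF
}

# guard STATUS_TEXT: nothing to do while ufw is active; otherwise print the
# fallback rules, or apply them (as root) when APPLY=1 is set in the environment.
guard() {
    if firewall_is_active "$1"; then
        return 0
    fi
    if [ "${APPLY:-0}" = 1 ]; then
        fallback_rules | sh -e
    else
        fallback_rules
    fi
}
# Stand-alone use: `sh guard.sh run` (add APPLY=1 to enforce instead of print).
if [ "${1:-}" = run ]; then
    guard "$(ufw status 2>/dev/null)"
fi
```

Without APPLY=1 the script only prints the rules it would install, so it can be dry-run before being wired into the unit or cron job that watches ufw.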
Old 03-08-2018, 06:53 AM   #3
TB0ne
Updating your thread title to get it to show back up isn't a good thing. Things aren't solved because you've shown zero effort of your own, and haven't answered any questions you were asked.

If you don't do those things, your thread will REMAIN unsolved until you do.
 