[not solved] UFW IP leak and allowing LAN connections IN/OUT
Hello, on Ubuntu 16.04.4 my default iptables 1.6 policy for the INPUT & OUTPUT chains is DROP, and I would like to add an ACCEPT/ALLOW rule for local LAN IPs (so I can connect to the LAN and other LAN devices can connect to me). I read some articles and they suggest, for example:
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT    # accept packets arriving from the LAN
iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT   # accept packets leaving for the LAN
Linux said:
ping: sendmsg: Operation not permitted
The reason was probably that the UFW firewall did not know about those rules.
So I want to ask: how do I allow it in UFW?
I tried: ufw allow out from 192.168.0.0/16 to 192.168.0.0/16
and it works to ping LAN IPs. Is it the correct rule?
The next issue I see is that if I stop ufw, the computer somehow bypasses the VPN and connects directly, even while the VPN is enabled (via the OS built-in connectivity manager, not using any VPN client).
When ufw is started, then per the ufw rules only VPN connectivity is allowed and the rest is blocked, so when I disable the VPN the computer loses connectivity to the internet.
How can I prevent this IP leak while ufw is terminated/stopped/dead?
The aim is not to allow bypassing the VPN except for LAN connections. Thank you.
Quote:
Hello, on Ubuntu 16.04.4 my default iptables 1.6 policy for the INPUT & OUTPUT chains is DROP, and I would like to add an ACCEPT/ALLOW rule for local LAN IPs (so I can connect to the LAN and other LAN devices can connect to me). I read some articles and they suggest, for example:
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT    # accept packets arriving from the LAN
iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT   # accept packets leaving for the LAN
Linux said:
ping: sendmsg: Operation not permitted
The reason was probably that the UFW firewall did not know about those rules. So I want to ask: how do I allow it in UFW?
The same way you do in iptables (which you've been asking about for YEARS at this point). UFW is a FRONT END to iptables, and it even says so in the Ubuntu documentation. If you need to know how to allow something, you can use your YEARS of iptables experience and do so, or read the UFW documentation https://help.ubuntu.com/community/UFW
Quote:
I tried: ufw allow out from 192.168.0.0/16 to 192.168.0.0/16
and it works to ping LAN IPs. Is it the correct rule?
You tell us... it's your network; is that what you want it to do? If not, then no, it isn't. If so... YES.
Quote:
The next issue I see is that if I stop ufw, the computer somehow bypasses the VPN and connects directly, even while the VPN is enabled (via the OS built-in connectivity manager, not using any VPN client). When ufw is started, then per the ufw rules only VPN connectivity is allowed and the rest is blocked, so when I disable the VPN the computer loses connectivity to the internet.
How can I prevent this IP leak while ufw is terminated/stopped/dead? The aim is not to allow bypassing the VPN except for LAN connections. Thank you.
"Somehow"?? You're disabling all the rules, and (probably) have IP forwarding enabled. What do you think is going to happen?
If you don't want it to happen, then write a script or put some logic in the init scripts to shut networking off when the firewall goes down.
Updating your thread title to get it to show back up isn't a good thing. Things aren't solved, because you've shown zero effort of your own, and haven't answered any questions you were asked.
If you don't do those things, your thread will REMAIN unsolved until you do.
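Added example, not posted by anyone in this thread: a script that puts the two requests from the original post (LAN allowed in and out, everything else only through the VPN) into one UFW rule set, and implements the "shut networking off when the firewall goes down" suggestion from the reply as a systemd drop-in for ufw.service. The LAN range, VPN server address, port, protocol and interface names are constructed placeholders (the 203.0.113.10 endpoint is a TEST-NET-3 address), as is the assumption that ip(8) lives at /sbin/ip and that the unit is called ufw.service; override them through the environment before running it.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster: a UFW rule set that
# lets the host talk only to its LAN and to one VPN endpoint, plus a systemd
# drop-in that fails closed when ufw.service stops. All addresses, ports and
# interface names below are constructed placeholders; override them via the
# environment, e.g.  LAN_CIDR=10.0.0.0/8 TUN_IF=wg0 sh ufw-vpn-only.sh print
#
# Modes:  print   show the ufw commands       dropin  show the systemd drop-in
#         apply   run both (root, ufw and systemd required)
LAN_CIDR="${LAN_CIDR:-192.168.0.0/16}"    # your LAN; the OP used 192.168.0.0/16
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"  # VPN endpoint (TEST-NET-3 placeholder)
VPN_PORT="${VPN_PORT:-1194}"              # assumed OpenVPN default
VPN_PROTO="${VPN_PROTO:-udp}"
TUN_IF="${TUN_IF:-tun0}"                  # tunnel interface the VPN brings up
UPLINK_IF="${UPLINK_IF:-eth0}"            # physical interface to the LAN/router

# Reject anything that is not dotted-quad/prefix, so a typo such as a missing
# prefix length cannot silently turn into "allow out to anything".
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}
    plen=${1#*/}
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Emit the ufw commands in a safe order: wipe, deny-by-default, the narrow
# exceptions, then enable. "reset" removes every existing rule, so run this
# from the console, not over SSH. The port 68 -> 67 rule keeps DHCP renewals
# working with a deny-outgoing default. There is deliberately no
# "allow in on $TUN_IF": ufw's before.rules already accept ESTABLISHED,RELATED
# replies, so tunnel traffic gets its answers without exposing the host to
# other VPN peers.
gen_rules() {
    valid_cidr "$LAN_CIDR" || { echo "bad LAN_CIDR: $LAN_CIDR" >&2; return 1; }
    valid_cidr "$VPN_SERVER/32" || { echo "bad VPN_SERVER: $VPN_SERVER" >&2; return 1; }
    cat <<EOF
ufw --force reset
ufw default deny incoming
ufw default deny outgoing
ufw allow in on $UPLINK_IF from $LAN_CIDR to $LAN_CIDR
ufw allow out on $UPLINK_IF from $LAN_CIDR to $LAN_CIDR
ufw allow out on $UPLINK_IF proto udp from any port 68 to any port 67
ufw allow out on $UPLINK_IF to $VPN_SERVER port $VPN_PORT proto $VPN_PROTO
ufw allow out on $TUN_IF
ufw --force enable
EOF
}

# Fail closed: when ufw.service stops (systemctl stop, or ufw-init failing at
# boot; ExecStopPost also runs after a failed ExecStart), take the uplink down
# so nothing can leave the box without rules. Assumes systemd with a unit named
# ufw.service and ip(8) at /sbin/ip, as on Ubuntu 16.04. Caveat: check whether
# "ufw disable" stops the unit on your system; if it only flushes the rules,
# this drop-in does not fire for that path.
gen_stop_dropin() {
    cat <<EOF
[Service]
ExecStopPost=/sbin/ip link set dev $UPLINK_IF down
EOF
}

case "${1:-}" in
    print)  gen_rules ;;
    dropin) gen_stop_dropin ;;
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
        rules=$(gen_rules) || exit 1
        printf '%s\n' "$rules" | sh -e
        mkdir -p /etc/systemd/system/ufw.service.d
        gen_stop_dropin > /etc/systemd/system/ufw.service.d/fail-closed.conf
        systemctl daemon-reload
        ;;
    *) ;;   # no mode: only define the functions (e.g. when sourced)
esac
```

Run "sh ufw-vpn-only.sh print" first and read the rules before "apply". The LAN rules are bound to the uplink interface on purpose: a plain "allow from 192.168.0.0/16" would also match a VPN peer that happens to use a 192.168.x address on the tunnel side. The drop-in is the blunt version of the reply's advice; a softer alternative is to keep the uplink up and only remove the default route, but then a stopped firewall still leaves the LAN reachable in both directions, which is exactly what the OP wanted.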