UFW denying all incoming access even where rules allow

crypted · 05-15-2018, 06:56 AM

18.04 upgrade made me learn a lot namely now having to convert all of my old PGL based rules into UFW and my own iptables. Neat!

I have a script setting up the firewall. Everything is correctly allowed. However, it ufw disables everything no matter what the rules say...

I attempted to skate any problems by moving the SSH allow line to be after the deny incoming line just to test. This did not help.

If anyone can help me get ufw to follow the rules provided it would be most appreciated.

Quote:

Status: active

To Action From
-- ------ ----
Anywhere ALLOW 192.168.1.0/24
Anywhere ALLOW 10.0.0.0/24
Anywhere ALLOW 192.168.1.224

443/tcp ALLOW Anywhere
123 ALLOW Anywhere
22/tcp ALLOW Anywhere
53 ALLOW Anywhere
80 ALLOW Anywhere
443 ALLOW Anywhere
500 ALLOW Anywhere
900 ALLOW Anywhere
922 ALLOW Anywhere
1194 ALLOW Anywhere
1680 ALLOW Anywhere
1723 ALLOW Anywhere
2710 ALLOW Anywhere
3000 ALLOW Anywhere
3333 ALLOW Anywhere
3900:65534/tcp ALLOW Anywhere
3900:65534/udp ALLOW Anywhere
5900/tcp ALLOW Anywhere
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
123 (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
53 (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
500 (v6) ALLOW Anywhere (v6)
900 (v6) ALLOW Anywhere (v6)
922 (v6) ALLOW Anywhere (v6)
1194 (v6) ALLOW Anywhere (v6)
1680 (v6) ALLOW Anywhere (v6)
1723 (v6) ALLOW Anywhere (v6)
2710 (v6) ALLOW Anywhere (v6)
3000 (v6) ALLOW Anywhere (v6)
3333 (v6) ALLOW Anywhere (v6)
3900:65534/tcp (v6) ALLOW Anywhere (v6)
3900:65534/udp (v6) ALLOW Anywhere (v6)
5900/tcp (v6) ALLOW Anywhere (v6) ywhere (v6) 1»

Quote:

sudo ufw allow from 192.168.1.0/24
sudo ufw allow from 10.0.0.0/24
sudo ufw allow from 192.168.1.224
sudo ufw allow http
sudo ufw allow https
sudo ufw allow 123
sudo ufw allow ufw-fileserver
sudo ufw allow openssh-server
sudo ufw allow ufw-directoryserver
sudo ufw allow ufw-webserver
sudo ufw allow 22/tcp
sudo ufw allow 53
sudo ufw allow 80
sudo ufw allow 443
sudo ufw allow 500
sudo ufw allow 900
sudo ufw allow 922
sudo ufw allow 1194
sudo ufw allow 1680
sudo ufw allow 1723
sudo ufw allow 2710
sudo ufw allow 3000
sudo ufw allow 3333
sudo ufw allow 3900:65534/tcp
sudo ufw allow 3900:65534/udp

sudo ufw default reject incoming
sudo ufw default allow outgoing

# added below to try and not lose system access if reject running last was causig issue
# but fails still when enabled so not an issue i guess
sudo ufw allow 22/tcp
sudo ufw allow 5900/tcp

sudo ufw enable

frankbell · 05-15-2018, 08:13 PM

Since UFW is a front-end for iptables, please post the output of

Code:

iptables -L

Be sure to surround it with "code" tags, which become available when you click the "Go Advanced" button below the "compose post" window.

crypted · 05-19-2018, 07:59 AM

Well, I kept UFW disabled and at some point after a number of reboots and continued system tweaks to get the new install where I need it PGL started loading fine and so all my rules and filters seem to be operational. At this point I'm thinking it's wise not to break what seems no longer broken for the sake of getting on a UFW bandwagon.

Thanks for the input. I'll come back to this should the PGL old iptable method break down.