ufw forward rules after the filter is applied?

[darkod]

I spoke too fast.

The ufw-before-forward rules are tried to be applied, but I think I am getting the syntax wrong. On boot it reports a problem with before.rules.

I thought something like:
-A ufw-before-forward -s IP1 --dport <port> -j ACCEPT

should work. Any thoughts?

EDIT: OK, got it. The --dport and --sport don't work unless you use -p tcp. Only then the modules get loaded. So it should be something like:
-A ufw-before-forward -p tcp -s IP1 --dport <port> -j ACCEPT
-A ufw-before-forward -p tcp --dport <port> -j DROP

[collisionystm]

Be sure to include UDP in there as well

-A ufw-before-forward -p tcp -s IP1 --dport <port> -j ACCEPT
-A ufw-before-forward -p tcp --dport <port> -j DROP
-A ufw-before-forward -p udp -s IP1 --dport <port> -j ACCEPT
-A ufw-before-forward -p udp --dport <port> -j DROP

[Doug S]

Be sure to include UDP in there as well

-A ufw-before-forward -p tcp -s IP1 --dport <port> -j ACCEPT
-A ufw-before-forward -p tcp --dport <port> -j DROP
-A ufw-before-forward -p udp -s IP1 --dport <port> -j ACCEPT
-A ufw-before-forward -p udp --dport <port> -j DROP

Only if required. Not needed for web stuff on port 80.

[kevdog]

Not knocking ufw, but I guess I'll just take a cheap shot -- this would have been a lot more straight forward to do directly with just iptables, however I'm very glad you got it working. There are always multiple ways to skin a cat!

[JKyleOKC]

I absolutely have to agree with you, kevdog. The "uncomplicated" ufw creates 31 user-defined chains in the filter table, most of which actually do nothing at all (they're apparently there to provide for almost any advanced operations a user might want to add). Contrast this with just three that are there in raw iptables.

I've been attempting to draw up a flow chart of what ufw actually does, in order to better assist folk who want to use it -- but the deeper I dig into it, the less impressed I am with its approach...

[darkod]

While you are both right, I have to say iptables looks scary to a beginner. And I am a total beginner at this, as you can tell.

It might be doing things the complicated way, but in a way the rules look straightforward and understandable in before.rules. Hell, I managed to get it going with almost no clue what I am doing, just logic, and help from the forum.

On the other hand, as opposed to before.rules, when I did iptables -L during one of my tries, I couldn't figure out anything (almost). Which doesn't mean you don't know what is going on with just one look.

[Ms. Daisy]

JKyleOKC, I'd be very interested in seeing that flow chart if you get it done.

[collisionystm]

It seems to make a mess of iptables also.

See here it lists my port redirect several times when performing an iptables-save

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

[JKyleOKC]

JKyleOKC, I'd be very interested in seeing that flow chart if you get it done.

I'll definitely pass it along if I ever get it finished. Right now it's only a text file, edited from iptables-restore output to determine the flow route, and already I've found duplication similar to that reported by collisionystm above although not nearly so much.

darkod: Use whatever works for you! I'm glad you did get it figured out, and once you have a configuration that works it ought to stay that way without any need for additional tweaking no matter how you got there.

The documentation in the "man" pages for both iptables and ufw makes them look far more complicated than they really are in practice, mostly because of the huge number of options available. Most of those for iptables are never used in the majority of installations, but front ends such as ufw still have to allow for them. Just keep in mind Einstein's dictum: "Everything should be as simple as possible, but no simpler." Far too many software simplifiers forget that rule and go too far...

[darkod]

While we are on the subject, would something like this work:
http://www.linode.com/wiki/index.php..._ubuntu_server

Mainly the part about adding iptables-restore to /etc/network/interfaces. This is another thing confusing about iptables, how come the rules don't load automatically at boot unless you take action yourself?

Also, please look at the sample configuration file in the link in the middle of the article. Does it look OK from syntax point of view? I am not talking about what the actual rules block or accept, only about the syntax.

If you would like to do something like this, can you follow this tutorial?