
Going down the Ubuntu 20.04 server route and using UFW. Steps so far (from a clean install). Network layout attached.

Networking configured with netplan (YAML file below). Question here: do I need the default g/w for the 192.168.1.0/24 network, which in this case is 192.168.1.1?

network:
  ethernets:
    enp2s0:
      addresses:
      - 192.168.1.230/24
      gateway4: 192.168.1.1
      nameservers:
        addresses:
        - 192.168.1.1
        search: []
    enx000acd394549:
      addresses:
      - 192.168.10.230/24
      nameservers:
        addresses: []
        search: []
  version: 2

/etc/ufw/sysctl.conf - uncomment net_ipv4_ip_forward=1

ufw allow 22 (for ssh access)
ufw disable && ufw enable

From a machine connected to the 192.168.10.x/24 network as the test machine, I can ping both sides of the router and ssh into it, but cannot ping beyond that.

Checking the output of ufw status verbose:

root@router:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)

Routing is disabled.

Change the DEFAULT_FORWARD_POLICY in /etc/default/ufw from "DROP" to "ACCEPT":

ufw default allow forward

Ping still does not work from the 192.168.10.x/24 network to the 192.168.1.x/24 network.

Need to update the rules to allow the network in question through the firewall. A bit over the top here, but let's get it to work first....

ufw allow from 192.168.10.0/24 to any
ufw allow from 192.168.1.0/24 to any

Re-run status:

root@router:~# ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
Anywhere                   ALLOW IN    192.168.10.0/24
Anywhere                   ALLOW IN    192.168.1.0/24
22 (v6)                    ALLOW IN    Anywhere (v6)

Still no change...

I've checked before.rules in ufw and there is an allowance for ICMP packets as below:

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

I've had a tail -f on /var/log/ufw.log running in the background and no UFW BLOCKs are showing - just a lot of audits. Appreciate any thoughts you may have.

Many thanks,

  • It's not clear, what is the question? You are unable to connect? ufw is pretty straightforward, you don't need any of these really.
    Commented Oct 31, 2023 at 9:54
  • Morning, thanks for replying. I attached a network diagram; the question is why can't I ping from the 192.168.10.0/24 network to the 192.168.1.0/24 network?
    – philn
    Commented Oct 31, 2023 at 10:10
  • Fixed it - I had missed something in /etc/ufw/before.rules to allow the ping to cross the router. Added before *filter:

    *nat
    :POSTROUTING ACCEPT [0:0]
    # Forward traffic through enp2s0 - which in this case is the outbound interface from internal network
    -A POSTROUTING -s 192.168.10.0/24 -o enp2s0 -j MASQUERADE
    -A POSTROUTING -s 192.168.1.0/24 -o enx000acd394549 -j MASQUERADE
    # don't delete the 'COMMIT' line or these nat table rules won't
    # be processed
    COMMIT
    – philn
    Commented Oct 31, 2023 at 16:37

1 Answer


Need to add the following to /etc/ufw/before.rules:

*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through enp2s0 - which in this case is the outbound interface from internal network
-A POSTROUTING -s 192.168.10.0/24 -o enp2s0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT

The source network is 192.168.10.0 and the outbound network interface is enp2s0 in this case - copied from /etc/netplan/00xyxhx.yaml.
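As an added example (not code from the question or the answer): an offline shell script that checks the three settings this thread ended up needing before ufw would route between the subnets (ip forwarding in /etc/ufw/sysctl.conf, DEFAULT_FORWARD_POLICY in /etc/default/ufw, and a complete *nat MASQUERADE block in before.rules), run here against constructed copies of those files. The helper names and the way the MASQUERADE line is matched are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the question or answer): offline checks for the
# three settings needed before ufw routes between the two subnets. Paths are
# parameters, so constructed sample files stand in for the real ones below.

# 1. Kernel forwarding: the key must be uncommented in the ufw sysctl file
#    (the real file spells it with slashes: net/ipv4/ip_forward=1).
ip_forward_enabled() {
    grep -Eq '^[[:space:]]*net/ipv4/ip_forward[[:space:]]*=[[:space:]]*1' "$1"
}

# 2. Routed policy: print the DEFAULT_FORWARD_POLICY value (DROP or ACCEPT).
forward_policy() {
    sed -n 's/^DEFAULT_FORWARD_POLICY="\([A-Z]*\)".*/\1/p' "$1"
}

# 3. NAT table: the *nat block must hold a POSTROUTING MASQUERADE rule for the
#    source net on the outbound interface and be closed by COMMIT before the
#    next "*table" header (iptables-restore rejects an uncommitted table).
nat_block_ok() {
    awk -v net="$2" -v oif="$3" '
        /^\*nat/            { in_nat = 1; next }
        /^\*/               { in_nat = 0 }
        in_nat && /^COMMIT/ { committed = 1 }
        in_nat && /^-A POSTROUTING/ && /-j MASQUERADE/ &&
            index($0, "-s " net) && index($0, "-o " oif) { masq = 1 }
        END { exit !(masq && committed) }
    ' "$1"
}

# Constructed sample files mirroring the configuration the thread ends with.
tmp=$(mktemp -d)
printf '%s\n' '#net/ipv4/ip_forward=1' 'net/ipv4/ip_forward=1' >"$tmp/sysctl.conf"
printf '%s\n' 'DEFAULT_FORWARD_POLICY="ACCEPT"' >"$tmp/default-ufw"
printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
    '-A POSTROUTING -s 192.168.10.0/24 -o enp2s0 -j MASQUERADE' 'COMMIT' \
    '*filter' ':ufw-before-input - [0:0]' 'COMMIT' >"$tmp/before.rules"
sed '4d' "$tmp/before.rules" >"$tmp/before-nocommit.rules"  # *nat left unclosed

# Run all three checks; prints the first failing prerequisite, exit 0 if all pass.
check_all() {
    ip_forward_enabled "$1" || { echo "ip_forward is not enabled"; return 1; }
    [ "$(forward_policy "$2")" = ACCEPT ] || { echo "DEFAULT_FORWARD_POLICY is not ACCEPT"; return 1; }
    nat_block_ok "$3" "$4" "$5" || { echo "no complete *nat MASQUERADE block for $4 via $5"; return 1; }
    echo "routing prerequisites present for $4 via $5"
}

check_all "$tmp/sysctl.conf" "$tmp/default-ufw" "$tmp/before.rules" 192.168.10.0/24 enp2s0
```

Point the three path arguments at the live /etc/ufw/sysctl.conf, /etc/default/ufw and /etc/ufw/before.rules to audit a real router; the script only reads them.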
