UFW doesn't seem to manage iptables


Here's what I first started with in ufw:

sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
6xxx/tcp                   ALLOW IN    Anywhere

(6xxx is my ssh port, obviously not posted here.)  But I find that I can browse the default Apache page at 54plymouth.net; that is, access to 80 is permitted.  I then explicitly added a deny to ufw (which didn’t work):

sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
6xxx/tcp                   ALLOW IN    Anywhere
80/tcp (Apache)            DENY IN     Anywhere

Each time I disabled/enabled ufw to reset the rules.  I'm not sure what things mean in iptables, but here’s what's in it:

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http /* User defined open TCP port */ ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https /* User defined open TCP port */ ctstate NEW
DROP       tcp  --  anywhere             anywhere             tcp dpt:http /* 'dapp_Apache' */

I'm guessing the two ACCEPTs are taking precedence over the DROP, which suggests it's the one I added, given the common Apache reference.

So, what do I have to do to make iptables track exclusively what's declared in ufw as allowed/denied?

-Dan

Ronnie H.

Hi, Dan. Sorry that you're having trouble sorting out the UFW. The order of the rules does matter, as you suspected, so you'd need to move that DROP up for it to happen before the accepts. Beyond that, make sure you aren't seeing a cached page (with the usual browser clearing), and consider running a port scan as well. Hope that helps!
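As an added illustration of the first-match behaviour Ronnie describes (this is not code from the thread or from ufw), the script below walks the three rule lines Dan posted, in their listed order, and reports the target of the first rule whose destination port matches. The rule text is embedded as a constructed sample; the `first_match` and `posted_chain`/`reordered_chain` function names are this example's own.

```shell
#!/bin/sh
# iptables evaluates a chain top to bottom and stops at the first rule that
# matches, so the position of a DROP relative to an ACCEPT decides the outcome.

# Constructed sample: the chain exactly as posted in the question.
posted_chain() {
cat <<'EOF'
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http /* User defined open TCP port */ ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https /* User defined open TCP port */ ctstate NEW
DROP       tcp  --  anywhere             anywhere             tcp dpt:http /* 'dapp_Apache' */
EOF
}

# Constructed sample: the same rules with the DROP moved to the top, which is
# what `sudo ufw insert 1 deny 80/tcp` aims for when all three are ufw rules.
reordered_chain() {
cat <<'EOF'
DROP       tcp  --  anywhere             anywhere             tcp dpt:http /* 'dapp_Apache' */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http /* User defined open TCP port */ ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https /* User defined open TCP port */ ctstate NEW
EOF
}

# first_match CHAIN_TEXT PORT
# Prints the target (first column) of the first rule in CHAIN_TEXT whose
# "dpt:" field equals PORT, or NONE when no rule names that port.
first_match() {
    printf '%s\n' "$1" | awk -v port="$2" '
        !found {
            for (i = 1; i <= NF; i++)
                if ($i == "dpt:" port) { found = 1; print $1 }
        }
        END { if (!found) print "NONE" }'
}

# Usage: compare the two orderings for port 80 (http).
echo "as posted,  http -> $(first_match "$(posted_chain)" http)"
echo "DROP first, http -> $(first_match "$(reordered_chain)" http)"
```

On a live host the ordering is visible with `sudo iptables -L ufw-user-input -n --line-numbers`, and `sudo ufw insert 1 deny 80/tcp` places the deny at position 1 of ufw's user rules. One check worth doing first: ufw tags the rules it writes with comments in the `'dapp_Apache'` style, and the two ACCEPT lines carry a different comment, so `sudo iptables -S` will show whether they sit inside a `ufw-*` chain at all. ufw only orders rules in its own chains; an ACCEPT that another tool inserted directly into INPUT will keep winning no matter how ufw's own rules are arranged, and has to be removed where it was added.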
