Iptables Rule – Adding an Iptables Rule That UFW Can’t Create in Ubuntu

iptablesUbuntuufw

UFW is working really well for me except in the cases where it doesn't…

I want to be able to add another rule manually that will be applied on boot?

where should i put this rule?
how should I make it start at boot?
how do I make it play nicely with UFW?

Best Answer

According to this Ubuntu wiki page (scroll down to "Advanced Functionality"), you can achieve what you want by putting your own iptables rules into the following files:

/etc/ufw/before.rules
/etc/ufw/after.rules

The before file is evaluated before any ufw rules are applied; the after file is evaluated after. (There are also corresponding before6 and after6 rules files, for your ip6tables rules.)

These rules files are expected to be in iptables-restore-compatible syntax, presumably because ufw simply loads them using iptables-restore. Finally, note that you need to stop and restart ufw after you make any changes to the rules files.

Related Solutions

UFW/IPTables – How to Securely Allow Authenticated Git Access with GitHub

You're trying to connect with SSH, and that (appears to be) allowed, so it's time to diagnose the problem. I like to add a LOG rule just before I drop any packets, so I know exactly what's being dropped. Otherwise, a bit of tcpdump action should identify the traffic that's not going anywhere. Once you know what's being dropped, it's a trivial matter to add the necessary rules to allow it.

Ubuntu – UFW Firewall Rules ordering

If you're interested in reordering your UFW rules, this is one way to do it.

$ sudo ufw status numbered

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 5] 80 (v6)                    ALLOW IN    Anywhere (v6)
[ 6] 443 (v6)                   ALLOW IN    Anywhere (v6)
[ 7] Anywhere                   DENY IN     [ip-to-block]

Say you accidentally added a rule to the end, but you wanted up top.

First you will have remove it from the bottom (7) and add it back.

$ sudo ufw delete 7

Note, be careful of removing multiple rules one after another, their position can change!

Add back your rule to the very top (1):

$ sudo ufw insert 1 deny from [ip-to-block] to any

Best Answer

Related Solutions

UFW/IPTables – How to Securely Allow Authenticated Git Access with GitHub

Ubuntu – UFW Firewall Rules ordering

Related Topic