I have previously added some netfilter rules via iptables. I'd now like to manage these rules through ufw and to simplify things I wanted to get rid of the current rules and start afresh as if I was using ufw from the start.
I ran `sudo iptables --flush` to remove all the current rules, then `sudo ufw allow 22` to allow ssh and `sudo ufw enable`. I was then booted out of my ssh session so the rule clearly hadn't worked.
I connected back with a console session and compared `sudo iptables -L -v` to a different server that was working with ufw and I noticed that the top INPUT chain on this server was empty, whereas the working server had:
```
Chain INPUT (policy DROP 77 packets, 3613 bytes)
 pkts bytes target                    prot opt in  out source      destination
 3842  682K ufw-before-logging-input  all  --  any any anywhere    anywhere
 3842  682K ufw-before-input          all  --  any any anywhere    anywhere
  422 32270 ufw-after-input           all  --  any any anywhere    anywhere
  422 32270 ufw-after-logging-input   all  --  any any anywhere    anywhere
  422 32270 ufw-reject-input          all  --  any any anywhere    anywhere
  422 32270 ufw-track-input           all  --  any any anywhere    anywhere
```
It looks as though the flush had cleared out some default rules that ufw had applied to the INPUT chain, is this a correct assumption? If so, a) how do I repair the situation and b) how do I do this process correctly?
Best Answer
It turned out that my suspicion was correct and `sudo iptables --flush` had wiped out ufw's INPUT chain rules which called its own custom chains. For whatever reason (still unknown to me), ufw wasn't putting these back in when it was enabled. To get ufw to put these rules back in, I had to remove all the ufw chains from iptables, and then enable ufw. I did that like this:
When I enabled ufw after that, it set up the iptables correctly.
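As an added check (not part of the question or the answer, and not a ufw tool), the following POSIX shell function detects the broken state described above: given the text of `iptables -S INPUT`, it reports which of ufw's hook rules are absent from the INPUT chain. The two rule listings in the block are constructed samples of a working host and of a host after `iptables --flush`.

```shell
#!/bin/sh
# Added example, not from the original post: detect an INPUT chain that has
# lost ufw's hook rules (the state left behind by `iptables --flush`).

# Jump targets ufw installs in INPUT on a working host (from the listing above).
UFW_INPUT_HOOKS="ufw-before-logging-input ufw-before-input ufw-after-input ufw-after-logging-input ufw-reject-input ufw-track-input"

# $1: text of `iptables -S INPUT`. Prints each absent hook, one per line.
# Returns 0 when every hook is present, 1 when at least one is missing.
check_ufw_input_hooks() {
    rules=$1
    missing=0
    for hook in $UFW_INPUT_HOOKS; do
        if ! printf '%s\n' "$rules" | grep -q -- "^-A INPUT -j $hook\$"; then
            echo "missing: $hook"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: what a working ufw host prints for `iptables -S INPUT`.
WORKING_INPUT='-P INPUT DROP
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input'

# Constructed sample: the same chain after `iptables --flush` (policy only).
FLUSHED_INPUT='-P INPUT DROP'

# On a live host, pass "$(sudo iptables -S INPUT)" instead of a sample.
if check_ufw_input_hooks "$WORKING_INPUT"; then
    echo "working sample: all ufw hooks present"
fi
check_ufw_input_hooks "$FLUSHED_INPUT" || echo "flushed sample: ufw hooks missing"
```

A listing that fails this check matches the empty INPUT chain seen in the question, where ufw's own chains still exist but nothing in INPUT jumps to them.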