Locked out after ufw enabled

Question

Locked out after ufw enabled

networking

forum:mrichman 8 years, 4 months ago

I've enabled both SSH and HTTP in ufw.

After doing sudo ufw enable, I'm effectively locked out except for Lish.

Here's my listening daemons:

sudo netstat -lvpnut

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 4387/mysqld

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4385/sshd

tcp6 0 0 :::80 :::* LISTEN 11543/apache2

tcp6 0 0 :::22 :::* LISTEN 4385/sshd

Once I disable ufw, I can ssh back in.

Here's sudo ufw status verbose with ufw enabled:

Status: active

Logging: on (low)

Default: deny (incoming), allow (outgoing), disabled (routed)

New profiles: skip

To Action From

– ------ ----

22 ALLOW IN Anywhere

80 ALLOW IN Anywhere

22 (v6) ALLOW IN Anywhere (v6)

80 (v6) ALLOW IN Anywhere (v6)

What am I doing wrong? Is it "Default: deny (incoming)" ?

Thanks,

Mark

10 Replies

forum:EmmaT · Answer 1 · July 29, 2016, 7:31 a.m.

forum:EmmaT 8 years, 3 months ago

Your ufw rules should be located in /lib/ufw/user.rules config file. Modify that file so that somewhere between ### RULES ### and ### END RULES ### section there are the following entries:

### tuple ### allow any 21966 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 21966 -j ACCEPT

Additionally make sure that your /etc/ssh/sshd_config file has Port 21966 entry(instead of port 22).

forum:mrichman · Answer 2 · July 29, 2016, 8:05 a.m.

forum:mrichman 8 years, 3 months ago

This doesn't explain anything. What is port 21966 for? Why am I being locked out?

Reposting answers from serverfault.com is not helpful.

forum:Vance · Answer 3 · July 31, 2016, 1:27 a.m.

forum:Vance 8 years, 3 months ago

You are correct; port 22 is the one you should be concerned about. The "default deny" shouldn't be a problem, since there is a specific ufw rule permitting incoming traffic to port 22.

Is it possible you're running something else that is creating firewall rules? Running the command iptables -nvL as root will show you the current complete set of firewall rules.

forum:mrichman · Answer 4 · July 31, 2016, 8:03 a.m.

forum:mrichman 8 years, 3 months ago

Here's my output of iptables -nvL:

Chain INPUT (policy ACCEPT 170K packets, 18M bytes)

pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 222K packets, 386M bytes)

pkts bytes target prot opt in out source destination

Chain DOCKER (0 references)

pkts bytes target prot opt in out source destination

Chain DOCKER-ISOLATION (0 references)

pkts bytes target prot opt in out source destination

2360 18M RETURN all – * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-after-forward (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-after-input (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-after-logging-forward (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-after-logging-input (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-after-logging-output (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-after-output (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-before-forward (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-before-input (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-before-logging-forward (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-before-logging-input (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-before-logging-output (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-before-output (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-reject-forward (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-reject-input (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-reject-output (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-track-forward (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-track-input (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-track-output (0 references)

pkts bytes target prot opt in out source destination

forum:Vance · Answer 5 · July 31, 2016, 7:51 p.m.

forum:Vance 8 years, 3 months ago

Hmm, according to that your firewall is allowing everything. It appears that you may be running things under Docker; my suspicion is that it is somehow interfering, but I am not very familiar with it.

forum:mrichman · Answer 6 · Aug. 1, 2016, 9:34 a.m.

forum:mrichman 8 years, 3 months ago

Sorry, I grabbed the output with ufw disabled. Here it is with ufw enabled:

Chain INPUT (policy DROP 1 packets, 60 bytes)

pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)

pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target prot opt in out source destination

Chain DOCKER (0 references)

pkts bytes target prot opt in out source destination

Chain DOCKER-ISOLATION (0 references)

pkts bytes target prot opt in out source destination

2360 18M RETURN all – * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-after-forward (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-after-input (0 references)

pkts bytes target prot opt in out source destination

0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137

0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138

0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139

0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445

0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67

0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68

0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (0 references)

pkts bytes target prot opt in out source destination

0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (0 references)

pkts bytes target prot opt in out source destination

0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (0 references)

pkts bytes target prot opt in out source destination

0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-after-output (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-before-forward (0 references)

pkts bytes target prot opt in out source destination

0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED

0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3

0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4

0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11

0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12

0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8

0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-input (0 references)

pkts bytes target prot opt in out source destination

0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED

0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID

0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID

0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3

0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4

0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11

0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12

0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8

0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68

0 0 ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0

0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353

0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900

0 0 ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-logging-forward (0 references)

pkts bytes target prot opt in out source destination

0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT] "

Chain ufw-before-logging-input (0 references)

pkts bytes target prot opt in out source destination

0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT] "

Chain ufw-before-logging-output (0 references)

pkts bytes target prot opt in out source destination

0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT] "

Chain ufw-before-output (0 references)

pkts bytes target prot opt in out source destination

0 0 ACCEPT all – * lo 0.0.0.0/0 0.0.0.0/0

0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED

0 0 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-logging-allow (0 references)

pkts bytes target prot opt in out source destination

0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)

pkts bytes target prot opt in out source destination

0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4 prefix "[UFW AUDIT INVALID] "

0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)

pkts bytes target prot opt in out source destination

0 0 RETURN all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL

0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST

0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST

0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10

0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-reject-forward (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-reject-input (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-reject-output (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-skip-to-policy-forward (0 references)

pkts bytes target prot opt in out source destination

0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)

pkts bytes target prot opt in out source destination

0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)

pkts bytes target prot opt in out source destination

0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-track-forward (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-track-input (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-track-output (0 references)

pkts bytes target prot opt in out source destination

0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW

0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW

Chain ufw-user-forward (1 references)

pkts bytes target prot opt in out source destination

Chain ufw-user-input (1 references)

pkts bytes target prot opt in out source destination

0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22

0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:22

0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80

Chain ufw-user-limit (0 references)

pkts bytes target prot opt in out source destination

0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "

0 0 REJECT all – * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)

pkts bytes target prot opt in out source destination

0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-user-logging-forward (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-user-logging-input (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-user-logging-output (0 references)

pkts bytes target prot opt in out source destination

Chain ufw-user-output (1 references)

pkts bytes target prot opt in out source destination

forum:EmmaT · Answer 7 · Aug. 3, 2016, 7:07 a.m.

forum:EmmaT 8 years, 3 months ago

Your ufw rules should be located in /lib/ufw/user.rules config file. Modify that file so that somewhere between ### RULES ### and ### END RULES ### section there are the following entries:

### tuple ### allow any 21966 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 21966 -j ACCEPT

Additionally make sure that your /etc/ssh/sshd_config file has Port 21966 entry(instead of port 22).

forum:mrichman · Answer 8 · Aug. 3, 2016, 7:22 a.m.

forum:mrichman 8 years, 3 months ago

Can we ban "EmmaT"? It's clearly a spammer, bot, or just an idiot.

forum:mkorsak · Answer 9 · Aug. 4, 2016, 11:19 a.m.

forum:mkorsak 8 years, 3 months ago

You're right, outta' here

forum:Vance · Answer 10 · Aug. 6, 2016, 4:35 p.m.

forum:Vance 8 years, 3 months ago

~~@mrichman:~~

Chain ufw-before-input (0 references)

The "0 references" is a problem; there should be a rule referencing this and the other ufw chains. Since there is none, the default drop policy is dropping all traffic.

This is what the built-in chains INPUT, FORWARD, and OUTPUT look like on a Ubuntu 14.04 server for me:

Chain INPUT (policy DROP 788 packets, 48720 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  27M 1771M ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  27M 1771M ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
32204 2458K ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
32012 2448K ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
32012 2448K ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
32012 2448K ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 7 packets, 280 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  20M   99G ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  20M   99G ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
84174 6217K ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
84174 6217K ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
84174 6217K ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
84174 6217K ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

I'm not sure why you would have this problem; ufw automatically set up the correct rules for me. Maybe running dpkg-reconfigure ufw or purging and re-installing ufw would work? Or maybe you've installed another piece of software that is modifying the iptables rules? Sorry, that's about the best I can offer.

Compute

Storage

Networking

Databases

Services

Developer Tools

Industries

Pricing

Community

Engage With Us

Locked out after ufw enabled

10 Replies

Reply

Tips: