[not solved yet, please help] UFW IP leak and allowing LAN connections IN/OUT

Discussion in 'Linux Networking' started by postcd, Mar 7, 2018.

  1. postcd

    postcd New Member

    Joined:
    Jul 8, 2017
    Messages:
    17
    Likes Received:
    1
    Hello, on Ubuntu 16.04.4 my default iptables 1.6 policy for the INPUT & OUTPUT chains is DROP and I would like to add an ACCEPT/ALLOW rule for local LAN IPs (so I can connect to the LAN and other LAN devices can connect to me). I read some articles and they suggest this example:

    iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
    iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT

    ping: sendmsg: Operation not permitted

    The reason was probably that the UFW firewall did not know about those rules.

    So I want to ask how to allow it in UFW?

    I tried: ufw allow out from 192.168.0.0/16 to 192.168.0.0/16

    and it works to ping LAN IPs. Is it the correct rule?

    The next issue I see is that if I stop ufw, the computer somehow bypasses the VPN and connects directly, even though the VPN is enabled (via the OS built-in connectivity manager, not using any VPN client).
    When ufw is started, then per the ufw rules only VPN connectivity is allowed and the rest is blocked, so when I disable the VPN the computer loses connectivity to the internet.

    How can I prevent this IP leak while ufw is terminated/stopped/dead?

    The aim is to not allow bypassing the VPN except for LAN connections. Thank you


     
  2. jake19

    jake19 New Member

    Joined:
    Jul 10, 2017
    Messages:
    3
    Likes Received:
    1
    Postcd:

    You've posted this exact same thing on four other forums, where you have been asking about iptables for at least 5 yrs. UFW is the front end to iptables, and there's documentation on it on the Ubuntu website.

    As far as what is the 'correct' rule, how would we know? You've not said anything about your network configuration, your VPN setup (even what KIND of VPN), or what your real goal is, since you've stated at least three different questions. So:

    1. "So I want to ask how to allow it in UFW?" - Same way you do in iptables, since that's all UFW is. Read their docs, or use what you know of iptables to do it.
    2. "and it works to ping LAN IPs. Is it correct rule?" - Is it? Do you want to be able to ping them or not? Seems like you can answer this one yourself.
    3. "How can i prevent this IP leak during ufw being terminated/stopped/dead?" - Lots of ways. Putting code into an init script comes to mind, since if the process is stopped via a service stop command, it'll then also bring down VPN. Put a script to check connectivity to somewhere, and if it's not found, drop VPN/networking. Lots of ways.
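    An added example (written for this page, not code from either poster) of what the two things asked about above could look like in UFW terms: a rule set that lets LAN traffic in and out while everything else may only leave through the VPN tunnel, and the "check connectivity and react" script jake19 mentions. One point worth knowing first: ufw is not a daemon, `ufw enable` loads iptables rules into the kernel and `ufw disable` flushes them, so "stopping ufw" removes the rules and the direct connection the poster saw is the expected result. The check below therefore re-enables ufw if it finds it inactive and then reports whether a public address would still be routed through the tunnel. The interface names `tun0` and `eth0`, the endpoint `203.0.113.10` (a TEST-NET-3 placeholder) and UDP port 1194 are assumptions, not the poster's real values; `DRY_RUN=1` (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread. A UFW rule set in which only LAN
# traffic and the VPN tunnel are allowed, plus a check that re-enables UFW if
# it was disabled and reports whether the default route still uses the tunnel.
# Interface names, VPN endpoint and port below are assumptions, not the
# poster's real values; override them via environment variables.
LAN_CIDR="${LAN_CIDR:-192.168.0.0/24}"   # LAN range from the poster's iptables example
VPN_IF="${VPN_IF:-tun0}"                  # assumed tunnel interface name
PHYS_IF="${PHYS_IF:-eth0}"                # assumed physical interface
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"  # placeholder endpoint (TEST-NET-3), not a real server
VPN_PORT="${VPN_PORT:-1194}"              # assumed UDP port of the tunnel
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print the commands instead of running them

# run_cmd: print the command in dry-run mode, otherwise execute it.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ufw_rules: the ordered rule set. UFW writes iptables rules, so the
# from/to parts here are the -s/-d of the iptables lines in the question.
ufw_rules() {
    run_cmd ufw default deny incoming
    run_cmd ufw default deny outgoing
    # LAN in both directions, the part the poster got working with "ufw allow out".
    run_cmd ufw allow in from "$LAN_CIDR" to any
    run_cmd ufw allow out from any to "$LAN_CIDR"
    # On the physical NIC only the tunnel handshake may leave...
    run_cmd ufw allow out on "$PHYS_IF" to "$VPN_SERVER" port "$VPN_PORT" proto udp
    # ...everything else has to leave through the tunnel interface.
    run_cmd ufw allow out on "$VPN_IF" from any to any
}

# ufw_is_active: true when the first line of "ufw status" reports active.
# Takes the text as an argument so it can be tested without ufw installed.
ufw_is_active() {
    case "$1" in
        "Status: active"*) return 0 ;;
        *) return 1 ;;
    esac
}

# route_via_vpn: true when one line of "ip route get <addr>" output says the
# packet would leave via VPN_IF. Pure string test on the supplied text.
route_via_vpn() {
    case " $1 " in
        *" dev $VPN_IF "*) return 0 ;;
        *) return 1 ;;
    esac
}

# enforce_killswitch: the "script that checks connectivity" idea, suitable
# for cron or a systemd timer. "ufw disable" flushes the rules from the
# kernel, which is the leak in the question, so re-enable first; then the
# exit status says whether a public address would still use the tunnel.
enforce_killswitch() {
    status=$(ufw status 2>/dev/null | head -n 1)
    if ! ufw_is_active "$status"; then
        run_cmd ufw --force enable
    fi
    route_line=$(ip route get 1.1.1.1 2>/dev/null | head -n 1)
    route_via_vpn "$route_line"
}

# Run with APPLY_RULES=1 to print (DRY_RUN=1) or apply (DRY_RUN=0) the rule set.
if [ "${APPLY_RULES:-0}" = "1" ]; then
    ufw_rules
    enforce_killswitch
fi
```

    `DRY_RUN=1 APPLY_RULES=1 sh killswitch.sh` prints the six `ufw` commands so they can be reviewed before running them as root with `DRY_RUN=0`; ufw's own `--dry-run` flag can also be used to see the iptables rules it would generate. With `default deny outgoing` in place, traffic cannot bypass the tunnel while ufw stays enabled, which is why the check concentrates on ufw having been disabled rather than on the VPN process itself.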
     
  3. jake19

    jake19 New Member

    Joined:
    Jul 10, 2017
    Messages:
    3
    Likes Received:
    1
    Changing the title to say "not solved yet" doesn't provide any additional information. And it makes folks a lot less likely to try to help you.

    Again, this is 5 yrs you're working with iptables. UFW is a front end. So:

    • Want to know how UFW works? Read the docs, because no one else is going to read them for you
    • "Is it correct rule?" Good question...IS IT?
    • You can prevent access by writing a script. Go do so.
    Not a lot we can help you with if you won't even try to help yourself.
     
