[not solved yet, please help] UFW IP leak and allowing LAN connections IN/OUT

postcd

Hello, on Ubuntu 16.04.4 my default iptables 1.6 policy for the INPUT & OUTPUT chains is DROP and I would like to add an ACCEPT/ALLOW rule for local LAN IPs (so I can connect to the LAN and other LAN devices can connect to me). I read some articles and they suggest, for example:

iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT

linux said:
ping: sendmsg: Operation not permitted

The reason was probably that the UFW firewall did not know about those rules.

So I want to ask how to allow it in UFW?

I tried: ufw allow out from 192.168.0.0/16 to 192.168.0.0/16

and it works to ping LAN IPs. Is it correct rule?

The next issue I see is that if I stop ufw, the computer somehow bypasses the VPN and connects directly, even though the VPN is enabled (via the OS built-in connectivity manager, not using any VPN client).
When ufw is started, then per the ufw rules, only VPN connectivity is allowed and the rest is blocked, so when I disable the VPN, the computer loses connectivity to the internet.

How can i prevent this IP leak during ufw being terminated/stopped/dead ?

Aim is not to allow bypassing VPN except LAN connections. Thank You
 


jake19

Postcd:

You've posted this exact same thing on four other forums, where you have been asking about iptables for at least 5 yrs. UFW is the front end to iptables, and there's documentation on it on the Ubuntu website.

As far as what is the 'correct' rule, how would we know? You've not said anything about your network configuration, your VPN setup (even what KIND of VPN), or what your real goal is, since you've stated at least three different questions. So:

1. "So I want to ask how to allow it in UFW?" - Same way you do in iptables, since that's all UFW is. Read their docs, or use what you know of iptables to do it.
2. "and it works to ping LAN IPs. Is it correct rule?" - Is it? Do you want to be able to ping them or not? Seems like you can answer this one yourself.
3. "How can i prevent this IP leak during ufw being terminated/stopped/dead?" - Lots of ways. Putting code into an init script comes to mind, since if the process is stopped via a service stop command, it'll then also bring down VPN. Put a script to check connectivity to somewhere, and if it's not found, drop VPN/networking. Lots of ways.
 

jake19

Changing the title to say "not solved yet" doesn't provide any additional information. And it makes folks a lot less likely to try to help you.

Again, this is 5 yrs you're working with iptables. UFW is a front end. So:

  • Want to know how UFW works? Read the docs, because no one else is going to read them for you
  • "Is it correct rule?" Good question...IS IT?
  • You can prevent access by writing a script. Go do so.

Not a lot we can help you with if you won't even try to help yourself.
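
The script idea from the replies, sketched as an added example that is not part of the thread: a POSIX shell check that reads `iptables -S` output and reports whether the ruleset still fails closed. The LAN range comes from the first post; `tun0`, `203.0.113.10/32` and both sample rulesets are constructed placeholders.

```shell
#!/bin/sh
# Reads `iptables -S` text on stdin; prints findings, returns 0 only if the
# ruleset fails closed. Args: LAN CIDR, VPN interface, VPN server address.
# tun0 and 203.0.113.10/32 are assumed placeholders, not values from the thread.
# Limitation: jumps into user chains (such as UFW's ufw-* chains) are not followed.
vpn_leak_check() {
    lan=${1:-192.168.0.0/24}; vpn_if=${2:-tun0}; vpn_srv=${3:-203.0.113.10/32}
    in_pol=; out_pol=; findings=
    while IFS= read -r rule; do
        case $rule in
            "-P INPUT "*)  in_pol=${rule#"-P INPUT "} ;;
            "-P OUTPUT "*) out_pol=${rule#"-P OUTPUT "} ;;
            "-A OUTPUT "*"-j ACCEPT"*)
                # An ACCEPT is fine only if pinned to loopback, the tunnel,
                # the LAN, or the VPN server itself.
                case " $rule " in
                    *" -o lo "*|*" -o $vpn_if "*|*" -d $lan "*|*" -d $vpn_srv "*) ;;
                    *) findings="${findings}unscoped ACCEPT: $rule
" ;;
                esac ;;
        esac
    done
    [ "$in_pol" = DROP ] || findings="${findings}INPUT policy is '${in_pol:-unset}', expected DROP
"
    [ "$out_pol" = DROP ] || findings="${findings}OUTPUT policy is '${out_pol:-unset}', expected DROP
"
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed sample: DROP policies with LAN, VPN server and tunnel exceptions.
SAMPLE_CLOSED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT'
# Constructed sample: permissive state (ACCEPT policies, no rules).
SAMPLE_OPEN='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

printf '%s\n' "$SAMPLE_CLOSED" | vpn_leak_check && echo "fail-closed"
printf '%s\n' "$SAMPLE_OPEN" | vpn_leak_check || echo "fail-open: drop VPN/networking here"
```

On a live host the input would come from `iptables -S` run as root, for example from a timer or a NetworkManager dispatcher hook, with the non-zero return used to take the connection down.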
 