Ubuntu: UFW not blocking although DROP policy



Question:

On Ubuntu 16.04, I installed ufw and configured it so it has the following status (sudo ufw status verbose):

    Status: active
    Logging: on (full)
    Default: deny (incoming), allow (outgoing), deny (routed)
    New profiles: skip

    To                         Action      From
    --                         ------      ----
    80,443/tcp (Nginx Full)    ALLOW IN    Anywhere
    995/tcp (Dovecot Secure POP3) ALLOW IN    Anywhere
    993/tcp (Dovecot Secure IMAP) ALLOW IN    Anywhere
    22/tcp (OpenSSH)           ALLOW IN    Anywhere
    25/tcp (Postfix)           ALLOW IN    Anywhere
    465/tcp (Postfix SMTPS)    ALLOW IN    Anywhere
    9522/tcp (hinext)          ALLOW IN    Anywhere
    9522,9523/tcp (hinext)     ALLOW IN    Anywhere
    9524/tcp (test)            ALLOW IN    Anywhere
    9522/tcp (hinext (v6))     ALLOW IN    Anywhere (v6)
    9522,9523/tcp (hinext (v6)) ALLOW IN    Anywhere (v6)
    9524/tcp (test (v6))       ALLOW IN    Anywhere (v6)

As can be seen, the port 8822 is NOT in the list and therefore should be blocked by the default policy (which is deny for the incoming chain).

BUT: I can open an SSH connection to port 8822 from the outside world to my SSH server listening on ports 22 and 8822.

Why can traffic to port 8822 traverse the ufw firewall without being dropped?

For further diagnostic info, iptables-save -c says this:

    # Generated by iptables-save v1.6.0 on Tue Apr 24 23:55:19 2018
    *raw
    :PREROUTING ACCEPT [622500:111511726]
    :OUTPUT ACCEPT [631989:135819596]
    COMMIT
    # Completed on Tue Apr 24 23:55:19 2018
    # Generated by iptables-save v1.6.0 on Tue Apr 24 23:55:19 2018
    *mangle
    :PREROUTING ACCEPT [622500:111511726]
    :INPUT ACCEPT [622500:111511726]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [631989:135819596]
    :POSTROUTING ACCEPT [631989:135819596]
    COMMIT
    # Completed on Tue Apr 24 23:55:19 2018
    # Generated by iptables-save v1.6.0 on Tue Apr 24 23:55:19 2018
    *nat
    :PREROUTING ACCEPT [46994:2923568]
    :POSTROUTING ACCEPT [7607:511281]
    :OUTPUT ACCEPT [7607:511281]
    COMMIT
    # Completed on Tue Apr 24 23:55:19 2018
    # Generated by iptables-save v1.6.0 on Tue Apr 24 23:55:19 2018
    *filter
    :INPUT ACCEPT [63:5355]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :VZ_FORWARD - [0:0]
    :VZ_INPUT - [0:0]
    :VZ_OUTPUT - [0:0]
    :ufw-after-forward - [0:0]
    :ufw-after-input - [0:0]
    :ufw-after-logging-forward - [0:0]
    :ufw-after-logging-input - [0:0]
    :ufw-after-logging-output - [0:0]
    :ufw-after-output - [0:0]
    :ufw-before-forward - [0:0]
    :ufw-before-input - [0:0]
    :ufw-before-logging-forward - [0:0]
    :ufw-before-logging-input - [0:0]
    :ufw-before-logging-output - [0:0]
    :ufw-before-output - [0:0]
    :ufw-logging-allow - [0:0]
    :ufw-logging-deny - [0:0]
    :ufw-not-local - [0:0]
    :ufw-reject-forward - [0:0]
    :ufw-reject-input - [0:0]
    :ufw-reject-output - [0:0]
    :ufw-skip-to-policy-forward - [0:0]
    :ufw-skip-to-policy-input - [0:0]
    :ufw-skip-to-policy-output - [0:0]
    :ufw-track-forward - [0:0]
    :ufw-track-input - [0:0]
    :ufw-track-output - [0:0]
    :ufw-user-forward - [0:0]
    :ufw-user-input - [0:0]
    :ufw-user-limit - [0:0]
    :ufw-user-limit-accept - [0:0]
    :ufw-user-logging-forward - [0:0]
    :ufw-user-logging-input - [0:0]
    :ufw-user-logging-output - [0:0]
    :ufw-user-output - [0:0]
    [622500:111511726] -A INPUT -j VZ_INPUT
    [491972:96179570] -A INPUT -j ufw-before-logging-input
    [491972:96179570] -A INPUT -j ufw-before-input
    [21445:1425920] -A INPUT -j ufw-after-input
    [17022:1199401] -A INPUT -j ufw-after-logging-input
    [17022:1199401] -A INPUT -j ufw-reject-input
    [17022:1199401] -A INPUT -j ufw-track-input
    [0:0] -A FORWARD -j VZ_FORWARD
    [0:0] -A FORWARD -j ufw-before-logging-forward
    [0:0] -A FORWARD -j ufw-before-forward
    [0:0] -A FORWARD -j ufw-after-forward
    [0:0] -A FORWARD -j ufw-after-logging-forward
    [0:0] -A FORWARD -j ufw-reject-forward
    [0:0] -A FORWARD -j ufw-track-forward
    [631989:135819596] -A OUTPUT -j VZ_OUTPUT
    [478124:111192792] -A OUTPUT -j ufw-before-logging-output
    [478124:111192792] -A OUTPUT -j ufw-before-output
    [4466:322671] -A OUTPUT -j ufw-after-output
    [4466:322671] -A OUTPUT -j ufw-after-logging-output
    [4466:322671] -A OUTPUT -j ufw-reject-output
    [4466:322671] -A OUTPUT -j ufw-track-output
    [23:1823] -A VZ_INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    [5136:565736] -A VZ_INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    [4:172] -A VZ_INPUT -p tcp -m tcp --dport 25 -j ACCEPT
    [4:172] -A VZ_INPUT -p tcp -m tcp --dport 110 -j ACCEPT
    [6:304] -A VZ_INPUT -p tcp -m tcp --dport 53 -j ACCEPT
    [2:115] -A VZ_INPUT -p udp -m udp --dport 53 -j ACCEPT
    [410:19580] -A VZ_INPUT -p tcp -m tcp --dport 32768:65535 -j ACCEPT
    [39:3651] -A VZ_INPUT -p udp -m udp --dport 32768:65535 -j ACCEPT
    [1:44] -A VZ_INPUT -p tcp -m tcp --dport 8880 -j ACCEPT
    [3:152] -A VZ_INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
    [8:470] -A VZ_INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -j ACCEPT
    [0:0] -A VZ_INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p udp -j ACCEPT
    [17:2105] -A VZ_OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
    [4940:995587] -A VZ_OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
    [4:214] -A VZ_OUTPUT -p tcp -m tcp --sport 25 -j ACCEPT
    [4:192] -A VZ_OUTPUT -p tcp -m tcp --sport 110 -j ACCEPT
    [6:240] -A VZ_OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
    [0:0] -A VZ_OUTPUT -p udp -m udp --sport 53 -j ACCEPT
    [3888:279384] -A VZ_OUTPUT -p tcp -j ACCEPT
    [39:2831] -A VZ_OUTPUT -p udp -j ACCEPT
    [0:0] -A VZ_OUTPUT -p tcp -m tcp --sport 8880 -j ACCEPT
    [0:0] -A VZ_OUTPUT -p tcp -m tcp --sport 8443 -j ACCEPT
    [0:0] -A VZ_OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -j ACCEPT
    [0:0] -A VZ_OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p udp -j ACCEPT
    [5:391] -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
    [0:0] -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
    [16:700] -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
    [1936:99244] -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
    [0:0] -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
    [0:0] -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
    [0:0] -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
    [0:0] -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] "
    [63:5355] -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] "
    [0:0] -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] "
    [0:0] -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    [0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
    [0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
    [0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
    [0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
    [0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
    [0:0] -A ufw-before-forward -j ufw-user-forward
    [10789:9641505] -A ufw-before-input -i lo -j ACCEPT
    [252164:53646696] -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    [3048:131944] -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
    [3048:131944] -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
    [0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
    [0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
    [0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
    [0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
    [21:952] -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
    [0:0] -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    [22062:1348553] -A ufw-before-input -j ufw-not-local
    [0:0] -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
    [0:0] -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
    [22062:1348553] -A ufw-before-input -j ufw-user-input
    [0:0] -A ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] "
    [327:39433] -A ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] "
    [10:3444] -A ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] "
    [10789:9641505] -A ufw-before-output -o lo -j ACCEPT
    [277561:60253281] -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    [1888:133952] -A ufw-before-output -j ufw-user-output
    [0:0] -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] "
    [29:1244] -A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] "
    [29:1244] -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] "
    [22062:1348553] -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
    [0:0] -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
    [0:0] -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
    [0:0] -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
    [0:0] -A ufw-not-local -j DROP
    [0:0] -A ufw-skip-to-policy-forward -j DROP
    [1957:100335] -A ufw-skip-to-policy-input -j DROP
    [0:0] -A ufw-skip-to-policy-output -j ACCEPT
    [1:60] -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
    [1746:126492] -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
    [526:29104] -A ufw-user-input -p tcp -m multiport --dports 80,443 -m comment --comment "\'dapp_Nginx%20Full\'" -j ACCEPT
    [76:3832] -A ufw-user-input -p tcp -m tcp --dport 995 -m comment --comment "\'dapp_Dovecot%20Secure%20POP3\'" -j ACCEPT
    [8:372] -A ufw-user-input -p tcp -m tcp --dport 993 -m comment --comment "\'dapp_Dovecot%20Secure%20IMAP\'" -j ACCEPT
    [9724:581800] -A ufw-user-input -p tcp -m tcp --dport 22 -m comment --comment "\'dapp_OpenSSH\'" -j ACCEPT
    [61:3500] -A ufw-user-input -p tcp -m tcp --dport 25 -m comment --comment "\'dapp_Postfix\'" -j ACCEPT
    [10:456] -A ufw-user-input -p tcp -m tcp --dport 465 -m comment --comment "\'dapp_Postfix%20SMTPS\'" -j ACCEPT
    [0:0] -A ufw-user-input -p tcp -m tcp --dport 9522 -m comment --comment "\'dapp_hinext\'" -j ACCEPT
    [1:52] -A ufw-user-input -p tcp -m multiport --dports 9522,9523 -m comment --comment "\'dapp_hinext\'" -j ACCEPT
    [5:256] -A ufw-user-input -p tcp -m tcp --dport 9524 -m comment --comment "\'dapp_test\'" -j ACCEPT
    [0:0] -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
    [0:0] -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
    [0:0] -A ufw-user-limit-accept -j ACCEPT
    COMMIT
    # Completed on Tue Apr 24 23:55:19 2018


Solution 1:

I restarted the firewall with sudo service ufw restart. After that, port 8822 was blocked by ufw - as it should be.

Furthermore, the iptables-save also tells me the desired story: see this excerpt:

    *filter
    :INPUT DROP [6:320]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]

Notice the "DROP" default policy, whereas in my initial post I noticed an "ACCEPT" default policy which I didn't understand.

So, restarting ufw apparently did the trick.
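A drift check added here for this page (it is not part of the question or the answer): it reads iptables-save output and reports any built-in filter chain whose live policy differs from what ufw's defaults imply, since ufw's "deny" corresponds to an iptables policy of DROP and "allow" to ACCEPT. The two samples are constructed from the excerpts above, and the function name policy_drift is my own.

```bash
# Constructed sample: the *filter table header from the question, where
# INPUT and FORWARD sit at ACCEPT although ufw reports "Status: active".
SAMPLE_BEFORE='*filter
:INPUT ACCEPT [63:5355]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VZ_INPUT - [0:0]
:ufw-user-input - [0:0]
COMMIT'

# Constructed sample: the same header after "sudo service ufw restart".
SAMPLE_AFTER='*filter
:INPUT DROP [6:320]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# policy_drift EXPECTED_INPUT EXPECTED_FORWARD EXPECTED_OUTPUT  < iptables-save output
# The question's defaults (deny incoming, allow outgoing, deny routed) map to
# DROP DROP ACCEPT. Prints one line per built-in chain whose live policy
# differs from the expected one; exit status 1 when any drift was found.
policy_drift() {
  awk -v want_in="$1" -v want_fw="$2" -v want_out="$3" '
    /^\*/ { table = substr($0, 2) }          # current table: raw, mangle, nat, filter
    table == "filter" && /^:/ {
      chain = substr($1, 2); policy = $2
      if (chain == "INPUT")        want = want_in
      else if (chain == "FORWARD") want = want_fw
      else if (chain == "OUTPUT")  want = want_out
      else next                               # user-defined chains carry "-", no policy
      if (policy != want) {
        printf "%s live=%s expected=%s\n", chain, policy, want
        drift = 1
      }
    }
    END { exit drift ? 1 : 0 }'
}

# Demo on the constructed samples. On a real host run:
#   sudo iptables-save | policy_drift DROP DROP ACCEPT
printf '%s\n' "$SAMPLE_BEFORE" | policy_drift DROP DROP ACCEPT \
  || echo "drift detected: ufw's default policies are not applied; restart ufw as in the answer"
printf '%s\n' "$SAMPLE_AFTER" | policy_drift DROP DROP ACCEPT && echo "policies match ufw defaults"
```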

