ufw route allow in on wg0 out on wg0 to 10.0.0.6/32

Solution 1:

It's expected behavior. Try using something other than ping to test. For example, if you have a webserver running on port 80 of 10.0.0.13, try running curl 10.0.0.13 on your home server (10.0.0.6).

Your UFW command, ufw route allow in on wg0 out on wg0 to 10.0.0.6/32, is correct. It will allow all incoming packets sent to the host's wg0 interface that are destined for 10.0.0.6 to be forwarded out the wg0 interface to 10.0.0.6. UFW also automatically sets up a firewall rule that allows the reverse for already-established connections (i.e. forward packets back from 10.0.0.6 to the original source of the established connection).

UFW also always allows certain ICMP packet types (such as type 8, "echo request", used by ping requests) to be forwarded through all of the host's interfaces. So, regardless of any UFW rules you set, your entry node will forward packets from ping to any other hosts to which it can connect.

To stop UFW from forwarding (IPv4) ping packets by default, edit the /etc/ufw/before.rules file, and comment out (i.e. add a # to the start of) this line:

#-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

For ping over IPv6, edit the /etc/ufw/before6.rules file, and comment out these lines:

#-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
#-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-reply -j ACCEPT

Then restart UFW (e.g. sudo systemctl restart ufw).

Use sudo iptables-save | grep -i forward to check the iptables (IPv4) rules that now apply to your FORWARD chain. Before commenting out the above line, the output will look like this:

:FORWARD DROP [0:0]
:ufw-after-forward - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-reject-forward - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-track-forward - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-logging-forward - [0:0]
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-skip-to-policy-forward -j DROP
-A ufw-user-forward -d 10.0.0.6/32 -i wg0 -o wg0 -j ACCEPT

After commenting out the line and restarting UFW, the output should no longer list the -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT rule.
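As an added example that is not part of the original answer, the shell helpers below script the procedure it describes: one comments out the echo forward rules in a before.rules/before6.rules file, the others check iptables-save output for the type 8 rule and for the user forward rule. The sample inputs are constructed (taken from the listing above) so it runs offline.

```shell
# Added example, not the answer's own code. comment_out_echo_forward edits a
# before.rules/before6.rules file (pass the real path or a copy); the other
# two inspect `iptables-save` text. Sample inputs are constructed.

# Prefix '#' to the ICMP echo forward rules the answer names. Only lines that
# are still uncommented match, so re-running the function is harmless.
comment_out_echo_forward() {
    tmp=$(mktemp) || return 1
    sed -e 's/^-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT$/#&/' \
        -e 's/^-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-re[a-z]* -j ACCEPT$/#&/' \
        "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps the file's owner/mode
    rm -f "$tmp"
}

# Print "forwarded" if the iptables-save text still holds the type 8 accept
# rule in ufw-before-forward, otherwise "blocked".
echo_request_state() {
    if printf '%s\n' "$1" | grep -q -- '^-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT$'; then
        echo forwarded
    else
        echo blocked
    fi
}

# Print each ufw-user-forward rule as "in-iface out-iface destination", so
# the effect of `ufw route allow` can be confirmed at a glance.
user_forward_rules() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "ufw-user-forward" {
            in_if = out_if = dst = "-"
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                if ($i == "-o") out_if = $(i + 1)
                if ($i == "-d") dst = $(i + 1)
            }
            print in_if, out_if, dst
        }'
}

# Constructed sample: the relevant lines of the iptables-save listing above.
SAMPLE_SAVE='-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-user-forward -d 10.0.0.6/32 -i wg0 -o wg0 -j ACCEPT'

# Constructed stand-in for /etc/ufw/before.rules (try the helper on a copy).
SAMPLE_BEFORE_RULES='# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT'
```

On a live host, run `echo_request_state "$(sudo iptables-save)"` before and after the restart to confirm the type 8 rule is gone.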