ufw route allow in on wg0 out on wg0 to 10.0.0.6/32
Solution 1:
It's expected behavior. Try using something other than ping to test. For example, if you have a webserver running on port 80 of 10.0.0.13, try running curl 10.0.0.13 on your home server (10.0.0.6).
Your UFW command, ufw route allow in on wg0 out on wg0 to 10.0.0.6/32, is correct. It will allow all incoming packets sent to the host's wg0 interface that are destined for 10.0.0.6 to be forwarded out the wg0 interface to 10.0.0.6. UFW also automatically sets up a firewall rule that allows the reverse for already-established connections (i.e. forward packets back from 10.0.0.6 to the original source of the established connection).
UFW also always allows certain ICMP packet types (such as type 8, "echo request", used by ping requests) to be forwarded through all of the host's interfaces. So, regardless of any UFW rules you set, your entry node will forward packets from ping to any other hosts to which it can connect.
To stop UFW from forwarding (IPv4) ping packets by default, edit the /etc/ufw/before.rules file, and comment out (i.e. add a # to the start of) this line:
#-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
For ping over IPv6, edit the /etc/ufw/before6.rules file, and comment out these lines:
#-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
#-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
Then restart UFW (e.g. sudo systemctl restart ufw).
Use sudo iptables-save | grep -i forward to check the iptables (IPv4) rules that now apply to your FORWARD chain. Before commenting out the above line, the output will look like this:
:FORWARD DROP [0:0]
:ufw-after-forward - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-reject-forward - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-track-forward - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-logging-forward - [0:0]
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-skip-to-policy-forward -j DROP
-A ufw-user-forward -d 10.0.0.6/32 -i wg0 -o wg0 -j ACCEPT
After commenting out the line and restarting UFW, the output should no longer list the -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT rule.
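As an added illustration of the edit and the check described in this answer (example code, not from the original post or from UFW itself), the script below comments out the echo-request FORWARD rule in a before.rules file without touching an already-commented line, and checks iptables-save output for the type 8 ACCEPT rule. The rules excerpt and the two iptables-save excerpts are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example: disable ICMP echo-request forwarding in a ufw before.rules
# file and verify the running FORWARD chain from iptables-save output.

# Prepend '#' to the echo-request forward rule. The pattern is anchored at
# '^-A', so a line that is already commented is left alone (safe to rerun).
# Writes via a temp file instead of 'sed -i' so GNU and BSD sed both work.
disable_icmp_echo_forward() {
  rules="$1"
  sed 's/^\(-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT\)$/#\1/' \
    "$rules" > "$rules.tmp" && mv "$rules.tmp" "$rules"
}

# Read iptables-save output on stdin; exit 0 if ufw-before-forward still
# accepts ICMP type 8 (echo-request). Real usage after restarting UFW:
#   sudo iptables-save | forward_accepts_ping && echo "ping is still forwarded"
forward_accepts_ping() {
  grep -q -- '^-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT$'
}

# Constructed sample of the relevant section of /etc/ufw/before.rules,
# written to a temp file so the real file is never modified here.
SAMPLE_RULES="$(mktemp)"
cat > "$SAMPLE_RULES" <<'EOF'
# ok icmp codes for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
EOF

# Constructed iptables-save excerpts: before and after the edit plus restart.
SAVE_BEFORE='-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-user-forward -d 10.0.0.6/32 -i wg0 -o wg0 -j ACCEPT'
SAVE_AFTER='-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-user-forward -d 10.0.0.6/32 -i wg0 -o wg0 -j ACCEPT'

# Apply the edit to the sample and show the line that is now commented out.
disable_icmp_echo_forward "$SAMPLE_RULES"
grep '^#-A ufw-before-forward' "$SAMPLE_RULES"
```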