How to configure UFW to allow IP Forwarding?

firewall iptables ufw ip-forward

I have UFW, OpenVPN and Virtualbox installed on my home server. I have a host-only network for my virtual machine guests (vboxnet0) set up with the IP range 10.0.1.0, and another IP range of 10.0.0.0 configured on the other end of the OpenVPN connection.

IP Forwarding is configured on the host, so when UFW is disabled they can talk to each other without any issues. However, I'd like to run UFW as this host will be web-accessible and I'd like some access control.

How can I configure UFW to allow this sort of traffic?

I've tried various combinations of: ufw allow allow in|out on vboxnet0|tun0 with no success.

My UFW rules are:

root@gimli:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
Anywhere                   ALLOW       10.0.0.0/16
Anywhere on vboxnet0       ALLOW       Anywhere
Anywhere on tun0           ALLOW       Anywhere

Anywhere                   ALLOW OUT   Anywhere on vboxnet0
Anywhere                   ALLOW OUT   Anywhere on tun0

Any help would be greatly appreciated.


It's now possible - from ufw man page:

Rules for traffic not destined for the host itself but instead for traffic that should be routed/forwarded through the firewall should specify the route keyword before the rule (routing rules differ signifi‐ cantly from PF syntax and instead take into account netfilter FORWARD chain conventions). For example:

     ufw route allow in on eth1 out on eth2

This will allow all traffic routed to eth2 and coming in on eth1 to traverse the firewall.

     ufw route allow in on eth0 out on eth1 to 12.34.45.67 port 80 proto tcp

This rule allows any packets coming in on eth0 to traverse the firewall out on eth1 to tcp port 80 on 12.34.45.67.

In addition to routing rules and policy, you must also setup IP forwarding. This may be done by setting the following in /etc/ufw/sysctl.conf:

     net/ipv4/ip_forward=1
     net/ipv6/conf/default/forwarding=1
     net/ipv6/conf/all/forwarding=1

then restarting the firewall:

     ufw disable
     ufw enable

Be aware that setting kernel tunables is operating system specific and ufw sysctl settings may be overridden. See the sysctl manual page for details.


I figured it out.

Edit /etc/default/ufw and set DEFAULT_FORWARD_POLICY to ACCEPT:

DEFAULT_FORWARD_POLICY="ACCEPT"

if you set the DEFAULT_FORWARD_POLICY to ACCEPT in /etc/default/ufw the firewall will forward all packets regardless of the settings of the user interface.

I think the user interface is only meant for simple in/out filtering. For forwarding you need to add iptables rules in /etc/ufw/before.rules like here:

-A ufw-before-forward -i eth1 -p tcp -d 192.168.1.11 --dport 22 -j ACCEPT

You probably already have a rule that lets connections from inside out and another that lets packets from related and established tcp sessions back in.

I'm no iptables specialist, it took me a very long time to figure this out (with ip6tables, but it should be similar). Maybe this is not all it takes in your case.

Best greetings


This ufw command worked for me nicely: sudo ufw default allow FORWARD

To be sure the change is applied: sudo service ufw restart

Related

How do I open Ubuntu Software Center via Terminal?
Hide text on system load indicator
Tips for getting to grips with the command line [closed]
How to check "apt-get upgrade" status after losing ssh connection?
Increase verbosity of running rsync process?
How can I tell if my hourly cron job has run?
How do I split a "/proc/*/environ" file in separate lines?
Error message "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" - keep user jailed
Permission denied when downloading with transmission daemon
How to add bookmark to Nautilus 3.6?
systemd-resolve high cpu usage after update to 17.04
How can I direct a pipe input to ls command?