6

I want to configure ufw to deny everything except the related and established connections. On iptables I usually did:

  -P INPUT DROP
  -P FORWARD DROP
  -P OUTPUT ACCEPT
  -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

I read that the following ufw commands are closely related:

 ufw default deny incoming
 ufw default deny forwarding
 ufw default allow outgoing
 ufw allow 443/tcp
 ufw allow 53/tcp
 ................

The problem is, with that ufw configuration I'm allowing ALL the incoming traffic on those ports. With iptables, only the established connections were allowed. How could I configure the same rules on ufw?

marttt
  • 61

3 Answers

6

Looks like you don't need to do anything to allow RELATED/ESTABLISHED connections.

In ver. 0.36 of UFW I'm looking at on Ubuntu Core 16.04, the rules to allow RELATED/ESTABLISHED connections are there by default.

Crack open the before.rules file and you'll see the job has been done for you:

  # quickly process packets for which we already have a connection
  -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
F1Linux
  • 1,256
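A small audit script, added here as an example and not taken from this answer or from ufw itself, that parses a before.rules-style file and reports, for each ufw-before-* chain, whether (and at what position) a RELATED,ESTABLISHED accept rule is present; the sample rules embedded in it are constructed for the example, not a copy of the real file.

```python
import shlex
# Constructed sample in the format of /etc/ufw/before.rules (not the real file).
SAMPLE_BEFORE_RULES = """\
*filter
:ufw-before-input - [0:0]
-A ufw-before-input -i lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
CHAINS = ("ufw-before-input", "ufw-before-output", "ufw-before-forward")

def parse_rules(text):
    """Yield (chain, tokens) for each -A line inside the *filter table."""
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "filter" and line.startswith("-A "):
            tokens = shlex.split(line)
            yield tokens[1], tokens

def accepts_established(tokens):
    """True for '-m conntrack --ctstate' or the older '-m state --state' form
    if it covers both RELATED and ESTABLISHED and jumps to ACCEPT."""
    if "-j" not in tokens or tokens[tokens.index("-j") + 1] != "ACCEPT":
        return False
    for flag in ("--ctstate", "--state"):
        if flag in tokens:
            states = set(tokens[tokens.index(flag) + 1].split(","))
            return {"RELATED", "ESTABLISHED"} <= states
    return False

def audit(text):
    """Map each ufw-before chain to the 1-based position of its first
    RELATED,ESTABLISHED accept rule, or None when the chain has none."""
    found = {c: None for c in CHAINS}
    seen = {c: 0 for c in CHAINS}
    for chain, tokens in parse_rules(text):
        if chain in CHAINS:
            seen[chain] += 1
            if found[chain] is None and accepts_established(tokens):
                found[chain] = seen[chain]
    return found
```

Run `audit(open("/etc/ufw/before.rules").read())` on a live system to check that none of the three chains reports None; a high position number means other rules are evaluated before the conntrack shortcut.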
1

ufw is considered a simple frontend for iptables. It does not support all the functionality provided by iptables, and filtering based on matching the state of a connection is not supported yet.

ufw was basically initiated so that any user can understand or edit the basic firewall rules without having to go through the complexities of iptables. You can check this Ubuntu wiki to get a better idea of which features are supported yet. Note that if you know iptables then there is no need for ufw.

heemayl
  • 93,925
1

Try adding to /etc/ufw/before.rules:

  *filter
  :INPUT ACCEPT [0:0]
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  COMMIT
rumanzo
  • 11