29

I am using an Ubuntu server. Now I am trying to enable the firewall using these commands:

ufw default deny incoming
ufw default allow outgoing

ufw allow ssh
ufw allow www
ufw allow https

ufw enable

I've also tried making ufw default deny incoming the last one, but still no luck. When I enable the firewall it blocks everything when I set the default to deny, but when I set it to allow, it works well, like the rules are ignored. What could be causing this?

EDIT

This is my output of iptables -L -v -n. I also tried the proposed solution but still no luck; it works fine only when I make it default allow incoming.

Chain INPUT (policy DROP 30 packets, 1764 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2 packets, 104 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-input (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
    0     0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
    0     0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-output (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
    0     0 ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-output (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-reject-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-input (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-output (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-track-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-input (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-output (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:443

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

engma

5 Answers

24

Open a terminal and type the following commands:

Start off by doing a reset, which will remove all the existing rules:

sudo ufw reset

Next,

sudo ufw app list

This will list the available application profiles, such as OpenSSH and others. To get info on an app, type the following command, as in this example:

sudo ufw app info OpenSSH

Here's the output:

Profile: OpenSSH
Title: Secure shell server, an rshd replacement
Description: OpenSSH is a free implementation of the Secure Shell protocol.

Port:
  22/tcp

To allow OpenSSH access, you can use the following rule:

sudo ufw allow 22/tcp

Unlike Debian, www and https are not usually included as app profiles; however, we know these operate on ports 80 and 443, so use the following commands:

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

If you want to add UDP, just do this as well.

sudo ufw allow 80/udp
sudo ufw allow 443/udp

Disable and enable ufw to apply the changes:

sudo ufw disable
sudo ufw enable

To show your rules:

sudo ufw status

Finally, one of the less friendly aspects of ufw is how the deny rules usually trump allow rules. For example, you cannot set everything to deny and then set ports to allow. All ports will still be blocked. See here for more info.

You can add these rules to globally block all ports except 22, 53, 80, and 443. I've added port 53 to allow DNS requests. If you don't need to make DNS queries, just modify the rules accordingly.

To set these block rules for incoming only, you would use sudo ufw deny in 1:22/tcp for example. Alternatively, set for outgoing sudo ufw deny out 1:22/tcp and so on.

sudo ufw deny 1:21/tcp
sudo ufw deny 1:21/udp
sudo ufw deny 23:52/tcp
sudo ufw deny 23:52/udp
sudo ufw deny 54:79/tcp
sudo ufw deny 54:79/udp
sudo ufw deny 81:442/tcp
sudo ufw deny 81:442/udp
sudo ufw deny 444:65535/tcp
sudo ufw deny 444:65535/udp
mchid
13

FYI: in case others have this problem.

In the detailed iptables output I noticed the ufw rules are missing in the INPUT, OUTPUT, and FORWARD chains. My system ended up like this when I ran iptables -F to remove my custom FW rules after enabling ufw at some point. It appears that ufw does not add the top level rules back in if some of its own chains already exist in iptables.

I ended up uninstalling ufw, rebooting, running 'iptables -F' (to remove previous iptables rules that were still active), then reinstalling and configuring ufw. The top-level ufw rules are now back. The uninstall/reinstall may not have been necessary. Just removing all ufw rules from iptables by disabling ufw and rebooting may have done the trick.

Here's what the top level chains should look like (on Debian 9.4).

Chain INPUT (policy DROP)
target     prot opt source               destination         
ufw-before-logging-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-input  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-forward  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-output  all  --  0.0.0.0/0            0.0.0.0/0           
FixItDad
3

I got the same problem: some kind of screwed-up config with ufw and fail2ban messed up the iptables chain. Everything was blocked as soon as I started ufw, even with no rules in the ufw chain itself. ufw reset did not help. I completely reinstalled it, and this worked out.

sudo apt-get purge ufw
sudo apt-get install ufw
pbhj
2

The reason in my case

After digging in for a while, I found out the direct reason why ufw allow was not taking effect.

The issue is in the iptables.


  • The rule REJECT all in INPUT is above the chain reference ufw-before-input.
  • And the exact rule created by ufw allow is located in chain ufw-user-input.
  • The chain reference hierarchy is INPUT <-- ufw-before-input <-- ufw-user-input.

Solution

The solution is to move the ufw-before-input link above REJECT all.

  1. Write the output of iptables-save to a file: iptables-save > /tmp/iptables.txt
  2. Edit this file with a text editor, move the line you want.
  3. Reload the file: iptables-restore < /tmp/iptables.txt

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http       
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-before-input  all  --  anywhere             anywhere 
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere 
...

Chain ufw-before-input (1 references)
target     prot opt source               destination
...
ufw-user-input  all  --  anywhere             anywhere
...

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8080

Jack
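The two answers above (FixItDad's and Jack's) describe the same underlying symptom in two forms: either the builtin INPUT/FORWARD/OUTPUT chains no longer jump into the ufw-* chains at all, so a DROP policy swallows everything (the situation in the question's listing), or a catch-all REJECT sits above the ufw jumps so ufw's allow rules are never reached. The following script is an added example, not code from the question, any answer, or the ufw project. It parses the plain `iptables -L -n` (optionally `-v`) listing format shown in this thread and reports both conditions; the three sample listings are constructed for the example and the "healthy" expectation is simply the six ufw hook chains FixItDad's answer shows.

```python
"""Audit whether ufw's hook chains are wired into the builtin iptables chains.

Added example for this thread, not code from the question or any answer. It parses
the iptables -L -n (optionally -v) listing format shown above and reports the two
failure modes the answers describe: no jumps from INPUT/FORWARD/OUTPUT to the ufw-*
chains (a DROP policy then blocks everything), and a catch-all REJECT/DROP placed
above those jumps (ufw's allow rules are never reached). Samples are constructed.
"""
import re
from collections import OrderedDict

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)")
ANYWHERE = {"anywhere", "0.0.0.0/0", "::/0"}


def ufw_hook_names(builtin):
    """The six chains ufw jumps to from a builtin chain, in ufw's order."""
    return [f"ufw-{stage}-{builtin.lower()}" for stage in
            ("before-logging", "before", "after", "after-logging", "reject", "track")]


def parse_iptables_listing(text):
    """Map chain name -> {"policy", "rules"}; each rule keeps target/prot/src/dst/extra."""
    chains, current, verbose = OrderedDict(), None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if line.startswith(("target", "pkts")):
            verbose = line.startswith("pkts")  # -v adds pkts/bytes/in/out columns
            continue
        parts = line.split(None, 9 if verbose else 5)
        if current is None or len(parts) < (9 if verbose else 5):
            continue
        if verbose:
            target, prot, src, dst = parts[2], parts[3], parts[7], parts[8]
            extra = parts[9] if len(parts) > 9 else ""
        else:
            target, prot, src, dst = parts[0], parts[1], parts[3], parts[4]
            extra = parts[5] if len(parts) > 5 else ""
        chains[current]["rules"].append(
            {"target": target, "prot": prot, "source": src, "destination": dst, "extra": extra})
    return chains


def is_unconditional(rule):
    """True when the rule matches every packet; reject-with is a target option, not a match."""
    matches = re.sub(r"\breject-with \S+", "", rule["extra"]).strip()
    return (rule["prot"] in ("all", "0") and rule["source"] in ANYWHERE
            and rule["destination"] in ANYWHERE and matches == "")


def audit_ufw_hooks(chains):
    """Return human-readable findings; an empty list means the ufw wiring looks sane."""
    findings = []
    for builtin in ("INPUT", "FORWARD", "OUTPUT"):
        chain = chains.get(builtin)
        if chain is None:
            findings.append(f"{builtin}: chain not present in listing")
            continue
        targets = [r["target"] for r in chain["rules"]]
        expected = ufw_hook_names(builtin)
        missing = [h for h in expected if h not in targets]
        if missing:
            findings.append(f"{builtin}: ufw hook chains not referenced: {', '.join(missing)}")
        if len(missing) == len(expected) and chain["policy"] == "DROP":
            findings.append(f"{builtin}: policy DROP with no ufw hooks, so the policy decides every packet")
        hook_idx = [i for i, t in enumerate(targets) if t in expected]
        # Anything terminal and unconditional before the first ufw jump shadows all ufw rules.
        for i, rule in enumerate(chain["rules"][:hook_idx[0]] if hook_idx else []):
            if rule["target"] in ("DROP", "REJECT") and is_unconditional(rule):
                findings.append(f"{builtin}: unconditional {rule['target']} at rule {i + 1} precedes "
                                f"{targets[hook_idx[0]]}; ufw rules are never evaluated")
                break
    return findings


def _chain(name, policy, body=""):
    return f"Chain {name} (policy {policy})\ntarget prot opt source destination\n{body}\n"

def _hooks(builtin):
    return "".join(f"{h}  all  --  0.0.0.0/0  0.0.0.0/0\n" for h in ufw_hook_names(builtin))

# Constructed sample 1 (-v format, INPUT only): ufw chains exist but nothing jumps to them.
SAMPLE_NO_HOOKS = """\
Chain INPUT (policy DROP 30 packets, 1764 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
"""
# Constructed sample 2: a catch-all REJECT sits above the ufw jumps in INPUT.
SAMPLE_SHADOWED = _chain("INPUT", "DROP", "ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED\n"
                         "REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited\n"
                         + _hooks("INPUT")) + _chain("FORWARD", "DROP", _hooks("FORWARD")) + _chain("OUTPUT", "ACCEPT", _hooks("OUTPUT"))
# Constructed sample 3: the healthy layout shown in FixItDad's answer.
SAMPLE_HEALTHY = "".join(_chain(c, p, _hooks(c)) for c, p in (("INPUT", "DROP"), ("FORWARD", "DROP"), ("OUTPUT", "ACCEPT")))

if __name__ == "__main__":
    for name, sample in (("no hooks", SAMPLE_NO_HOOKS), ("shadowed", SAMPLE_SHADOWED), ("healthy", SAMPLE_HEALTHY)):
        print(name, audit_ufw_hooks(parse_iptables_listing(sample)) or ["ok"])
```

On a live host you would feed it the real listing (`sudo iptables -L -n | python3 audit.py` with a small stdin wrapper, or paste the output into a string). The catch-all check deliberately treats `reject-with ...` as a target option rather than a match, because that is exactly what Jack's REJECT rule carried; a REJECT with a real match such as `tcp dpt:23` is not flagged, since it only shadows that one port.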
1

For me this issue was solved by changing the default rule from

sudo ufw default deny outgoing

to

sudo ufw default allow outgoing

That is the only thing that worked, not allowing port 53, allowing dns, etc.

james-see