Struggling a bit with this. Tired already, so mostly documenting what I'm seeing in case it is obvious to anyone.
I had firewalld (with iptables) but never used it on a host (it was installed as a dependency of iproute2). Removed it and installed my usual iptables-nft package.
Just because, I ran `iptables-legacy -F` and `iptables-legacy -X`... and proceeded to a reboot, installing `ufw`, adding a few rules and `ufw enable` (and making sure it is enabled --now in systemd; it is).
Well, port 22 is weird now. If I have it open, it works fine if sshd is listening; otherwise I get "Connection refused".
If I have it closed (`ufw deny 22/tcp`), it times out.
All the other ports are useless.
# ufw allow 222
# nc -l 222
... clients say "Host is unreachable"
# edit /etc/ssh/sshd_options, Port 222, systemctl restart sshd
... on the other end all I get is "Host is unreachable"
# ufw status
Status: active
To Action From
-- ------ ----
6881/tcp ALLOW Anywhere
6880/tcp ALLOW Anywhere
222/tcp ALLOW Anywhere
22/tcp DENY Anywhere
6881/tcp (v6) ALLOW Anywhere (v6)
6880/tcp (v6) ALLOW Anywhere (v6)
222/tcp (v6) ALLOW Anywhere (v6)
22/tcp (v6) DENY Anywhere (v6)
(started to close 22 to test)
# nft list tables
table ip filter
table ip6 filter
table inet filter
I think it was this 'inet' table that is causing me trouble. What is the correct way to flush everything and start over? Or is this part of the ufw magic? Not really familiar with it.
# nft list table inet filter
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
ct state invalid drop comment "early drop of invalid connections"
ct state { established, related } accept comment "allow tracked connections"
iifname "lo" accept comment "allow from loopback"
ip protocol icmp accept comment "allow icmp"
meta l4proto ipv6-icmp accept comment "allow icmp v6"
tcp dport 22 accept comment "allow sshd"
meta pkttype host limit rate 5/second burst 5 packets counter packets 144 bytes 6432 reject with icmpx admin-prohibited
counter packets 3870 bytes 171830
}
chain forward {
type filter hook forward priority filter; policy drop;
}
}
# nft list table ip filter
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
chain ufw-before-logging-input {
}
chain ufw-before-logging-output {
}
chain ufw-before-logging-forward {
}
chain ufw-before-input {
iifname "lo" counter packets 88 bytes 6880 accept
xt match "conntrack" counter packets 12864 bytes 18585080 accept
xt match "conntrack" counter packets 0 bytes 0 jump ufw-logging-deny
xt match "conntrack" counter packets 0 bytes 0 drop
ip protocol icmp xt match "icmp" counter packets 0 bytes 0 accept
ip protocol icmp xt match "icmp" counter packets 0 bytes 0 accept
ip protocol icmp xt match "icmp" counter packets 0 bytes 0 accept
ip protocol icmp xt match "icmp" counter packets 0 bytes 0 accept
udp sport 67 udp dport 68 counter packets 0 bytes 0 accept
counter packets 30 bytes 1704 jump ufw-not-local
ip daddr 224.0.0.251 udp dport 5353 counter packets 0 bytes 0 accept
ip daddr 239.255.255.250 udp dport 1900 counter packets 0 bytes 0 accept
counter packets 30 bytes 1704 jump ufw-user-input
}
chain ufw-before-output {
oifname "lo" counter packets 88 bytes 6880 accept
xt match "conntrack" counter packets 9182 bytes 1071819 accept
counter packets 230 bytes 30425 jump ufw-user-output
}
chain ufw-before-forward {
xt match "conntrack" counter packets 0 bytes 0 accept
ip protocol icmp xt match "icmp" counter packets 0 bytes 0 accept
ip protocol icmp xt match "icmp" counter packets 0 bytes 0 accept
ip protocol icmp xt match "icmp" counter packets 0 bytes 0 accept
ip protocol icmp xt match "icmp" counter packets 0 bytes 0 accept
counter packets 0 bytes 0 jump ufw-user-forward
}
chain ufw-after-input {
udp dport 137 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
udp dport 138 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
tcp dport 139 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
tcp dport 445 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
udp dport 67 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
udp dport 68 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
xt match "addrtype" counter packets 0 bytes 0 jump ufw-skip-to-policy-input
}
chain ufw-after-output {
}
chain ufw-after-forward {
}
chain ufw-after-logging-input {
limit rate 3/minute burst 10 packets counter packets 0 bytes 0 xt target "LOG"
}
chain ufw-after-logging-output {
}
chain ufw-after-logging-forward {
limit rate 3/minute burst 10 packets counter packets 0 bytes 0 xt target "LOG"
}
chain ufw-reject-input {
}
chain ufw-reject-output {
}
chain ufw-reject-forward {
}
chain ufw-track-input {
}
chain ufw-track-output {
ip protocol tcp xt match "conntrack" counter packets 157 bytes 9420 accept
ip protocol udp xt match "conntrack" counter packets 68 bytes 20765 accept
}
chain ufw-track-forward {
}
chain INPUT {
type filter hook input priority filter; policy drop;
counter packets 12982 bytes 18593664 jump ufw-before-logging-input
counter packets 12982 bytes 18593664 jump ufw-before-input
counter packets 0 bytes 0 jump ufw-after-input
counter packets 0 bytes 0 jump ufw-after-logging-input
counter packets 0 bytes 0 jump ufw-reject-input
counter packets 0 bytes 0 jump ufw-track-input
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
counter packets 9500 bytes 1109124 jump ufw-before-logging-output
counter packets 9500 bytes 1109124 jump ufw-before-output
counter packets 230 bytes 30425 jump ufw-after-output
counter packets 230 bytes 30425 jump ufw-after-logging-output
counter packets 230 bytes 30425 jump ufw-reject-output
counter packets 230 bytes 30425 jump ufw-track-output
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
counter packets 0 bytes 0 jump ufw-before-logging-forward
counter packets 0 bytes 0 jump ufw-before-forward
counter packets 0 bytes 0 jump ufw-after-forward
counter packets 0 bytes 0 jump ufw-after-logging-forward
counter packets 0 bytes 0 jump ufw-reject-forward
counter packets 0 bytes 0 jump ufw-track-forward
}
chain ufw-logging-deny {
xt match "conntrack" limit rate 3/minute burst 10 packets counter packets 0 bytes 0 return
limit rate 3/minute burst 10 packets counter packets 0 bytes 0 xt target "LOG"
}
chain ufw-logging-allow {
limit rate 3/minute burst 10 packets counter packets 0 bytes 0 xt target "LOG"
}
chain ufw-skip-to-policy-input {
counter packets 0 bytes 0 drop
}
chain ufw-skip-to-policy-output {
counter packets 0 bytes 0 accept
}
chain ufw-skip-to-policy-forward {
counter packets 0 bytes 0 drop
}
chain ufw-not-local {
xt match "addrtype" counter packets 30 bytes 1704 return
xt match "addrtype" counter packets 0 bytes 0 return
xt match "addrtype" counter packets 0 bytes 0 return
limit rate 3/minute burst 10 packets counter packets 0 bytes 0 jump ufw-logging-deny
counter packets 0 bytes 0 drop
}
chain ufw-user-input {
tcp dport 6881 counter packets 0 bytes 0 accept
tcp dport 6880 counter packets 0 bytes 0 accept
tcp dport 222 counter packets 0 bytes 0 accept
tcp dport 22 counter packets 20 bytes 1200 drop
}
chain ufw-user-output {
}
chain ufw-user-forward {
}
chain ufw-user-logging-input {
}
chain ufw-user-logging-output {
}
chain ufw-user-logging-forward {
}
chain ufw-user-limit {
limit rate 3/minute burst 5 packets counter packets 0 bytes 0 xt target "LOG"
counter packets 0 bytes 0 xt target "REJECT"
}
chain ufw-user-limit-accept {
counter packets 0 bytes 0 accept
}
}
That table doesn't seem to be from ufw, but from nft itself.
And indeed it seems to be the problem. If I add the new ports there, it works fine. I mean, it works at all, differently from ufw's pie in the sky.
$ pacman -Ql nftables | grep etc
nftables /etc/nftables.conf
Just dropping all tables and restarting ufw got things back to normal...
# ufw disable
# <comment that nftables.conf file>
# nft delete table inet filter
# nft delete table ip filter
# nft delete table ip6 filter
# ufw enable
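A small diagnostic for the situation above (an added example, not from the thread and not part of ufw or nftables): it parses `nft list ruleset` output and lists every hook claimed by more than one table. Two base chains on the `input` hook means a packet must be accepted by both, so ufw's allow for 222 cannot override the inet table's `policy drop` and its `reject with icmpx admin-prohibited` (which is what the client reports as host unreachable). The ruleset text is a constructed sample trimmed from the thread; on a live host feed the function the output of `nft list ruleset` instead.

```python
"""Find every nftables base chain in `nft list ruleset` output and report hooks
claimed by more than one table: a packet must be accepted by all of them."""
import re
from collections import defaultdict

# Constructed sample trimmed from the thread: Arch's default /etc/nftables.conf
# table plus ufw's iptables-nft table, both hooked on input with policy drop.
SAMPLE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        tcp dport 22 accept comment "allow sshd"
        meta pkttype host reject with icmpx admin-prohibited
    }
}
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        tcp dport 222 accept
    }
    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }
}
"""
TABLE_RE = re.compile(r"^table (\S+) (\S+) \{")
CHAIN_RE = re.compile(r"^\s*chain (\S+) \{")
HOOK_RE = re.compile(r"type \S+ hook (\S+) priority (\S+); policy (\S+);")

def base_chains(ruleset):
    """One dict per base chain, i.e. a chain carrying a `type ... hook ...` line."""
    chains, table, chain = [], None, None
    for line in ruleset.splitlines():
        if m := TABLE_RE.match(line):
            table = f"{m.group(1)} {m.group(2)}"
        elif m := CHAIN_RE.match(line):
            chain = m.group(1)
        elif m := HOOK_RE.search(line):
            chains.append({"table": table, "chain": chain, "hook": m.group(1),
                           "priority": m.group(2), "policy": m.group(3)})
    return chains

def hook_conflicts(chains):
    """Hooks claimed by more than one table: (table, chain, policy) per claimant."""
    by_hook = defaultdict(list)
    for c in chains:
        by_hook[c["hook"]].append((c["table"], c["chain"], c["policy"]))
    return {hook: owners for hook, owners in by_hook.items() if len(owners) > 1}
```

Any hook it reports needs one owner: either drop the distro's table (as done above) or move the ufw rules into it.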
So, keeping this open to understand how I am supposed to use a sane firewall on Arch. It seems that every package tries to install a default set of rules and one is a dependency of another... it doesn't seem right. The confusion wasn't even that I had old iptables; it was just that I installed the recommended nftables package for ufw.