touch-packages team mailing list archive
Message #53414
[Bug 881137] Re: UFW does not clean iptables setting from /etc/ufw/before.rules
Just had the same bug after executing sudo ufw reload 4 times; this is
what my iptables -t nat looks like:
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
RETURN all -- 192.168.122.0/24 224.0.0.0/24
RETURN all -- 192.168.122.0/24 255.255.255.255
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
MASQUERADE all -- 10.0.20.0/24 0.0.0.0/0
MASQUERADE all -- 10.0.20.0/24 0.0.0.0/0
MASQUERADE all -- 10.0.20.0/24 0.0.0.0/0
MASQUERADE all -- 10.0.20.0/24 0.0.0.0/0
I've added the following line to /etc/ufw/before.rules:
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic through eth0 - Change to match your out-interface
-A POSTROUTING -s 10.0.20.0/24 -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT
Version: ufw --version
ufw 0.34~rc-0ubuntu2
Copyright 2008-2012 Canonical Ltd.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/881137
Title:
UFW does not clean iptables setting from /etc/ufw/before.rules
Status in ufw package in Ubuntu:
Won't Fix
Bug description:
Additional settings added to /etc/ufw/before.rules are not
deleted when ufw is stopped.
I added these lines at top of file /etc/ufw/before.rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
Then I reloaded the ufw firewall with the command: ufw reload. Output from
iptables-save:
$ iptables-save -t nat
*nat
:PREROUTING ACCEPT [4:478]
:INPUT ACCEPT [4:478]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
Then I reloaded ufw firewall again:
$ iptables-save -t nat
*nat
:PREROUTING ACCEPT [4:478]
:INPUT ACCEPT [4:478]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
And ufw reload again
$ iptables-save -t nat
*nat
:PREROUTING ACCEPT [4:478]
:INPUT ACCEPT [4:478]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
And again, and the POSTROUTING rule is never deleted when ufw is stopped and
is added again when started. The same happens if I stop the ufw firewall with: $
stop ufw. The nat lines are not cleaned.
UFW should remove all iptables settings specified in config files
after ufw is stopped! This can be dangerous if apt-get is updating
some ufw files and scripts need to reload ufw (some lines will
appear more than once).
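Both the reply above and the original bug description show the same symptom: after each ufw reload, the nat rules from before.rules are appended once more, so iptables-save -t nat ends up with the same -A line repeated. The following script is an added example, not code from the bug report or from the ufw project. It checks an iptables-save dump for repeated rule lines and can emit a deduplicated copy for review; the dump it runs on is a constructed sample mirroring the description's third reload, so it needs no root and no iptables. To check a live host, pipe the output of iptables-save -t nat into the same functions.

```shell
# Added example (not from the bug report or from ufw): detect rule lines that
# occur more than once in iptables-save output, which is the symptom reported
# after repeated "ufw reload" with *nat rules in /etc/ufw/before.rules.

# Constructed sample: the nat table after three reloads with the reporter's
# before.rules fragment, as shown in the bug description.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [4:478]
:INPUT ACCEPT [4:478]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Read iptables-save format on stdin and print every rule (-A line) that
# appears more than once, prefixed by its count, e.g.
# "3 -A POSTROUTING -o eth0 -j MASQUERADE". Chain headers, their counters
# and COMMIT are skipped, so only genuine rule duplicates are reported.
duplicate_rules() {
    grep '^-A ' | sort | uniq -c | awk '$1 > 1' | sed 's/^ *//'
}

# Exit status 0 when the dump on stdin has no duplicated rule, 1 otherwise.
# Suitable for a post-reload sanity check in a maintenance script.
ruleset_is_clean() {
    [ -z "$(duplicate_rules)" ]
}

# Emit the dump from stdin with repeated -A lines dropped: the first
# occurrence is kept and the original order is preserved, so the result is
# still valid iptables-restore input that an administrator can review and
# restore to get back to one copy of each rule.
dedupe_ruleset() {
    awk '!/^-A / || !seen[$0]++'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_NAT" | duplicate_rules
printf '%s\n' "$SAMPLE_NAT" | dedupe_ruleset
```

The check deliberately compares whole -A lines, so two rules that differ only in a comment or counter are still treated as distinct; that is the right granularity for the duplication shown on this page, where the repeated lines are byte-for-byte identical.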