ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    UFW or IPTABLES

    Scheduled Pinned Locked Moved Solved IT Discussion
    ubuntuufwiptables
    8 Posts 2 Posters 1.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JaredBuschJ
      JaredBusch
      last edited by JaredBusch

      I setup an Ant Media server for someone last week. All working except for the iptables redirect rule not surviving a reboot.

      The native tomcat (i think) server uses port 5443 for https by default. The guide says if you want to use port 443, you should not fuck with the web server settings and instead use this iptables rule.

      sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5443

      The rule works perfectly. The problem is it does not survive a reboot. I used ufw to configure the firewall as this is Ubuntu 20 (Yes the appliance install uses the LTS, just went with recommended appliance in Vultr).

      I assume the problem is that the manual command is not saved. I can deal with that, sudo iptables-save is built for that. But I first checked with sudo iptables -L (or -S) and I do not see the manual rule. Port 5443 is only referenced once. In the main allow.

      jbusch@RTSP:~$ sudo iptables -L | grep 5443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5443
jbusch@RTSP:~$ sudo iptables -S | grep 5443
-A ufw-user-input -p tcp -m tcp --dport 5443 -j ACCEPT

      So, I did not issue the save command. Any recommendations?

      1 1 Reply Last reply Reply Quote 0
      • JaredBuschJ
        JaredBusch
        last edited by JaredBusch

        Ah my lack of raw iptables skill shows.. I thought -L showed everything, but is does not.
        Specifying the nat table shows it.

        jbusch@BowWowRTSP:~$ sudo iptables -t nat -L 
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 5443

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

        So now, that I see where it is, I used sudo iptables-save rebooted, and all good.

        1 Reply Last reply Reply Quote 4
        • JaredBuschJ JaredBusch has marked this topic as solved on
        • 1
          1337 @JaredBusch
          last edited by 1337

          @JaredBusch
          I think ufw can collide with manual rule entering because ufw handles persistantency on it's own.

          A few years back debian & ubuntu also switched to nftables. So rules written in iptables format works but are obsolete.

          So I think the current recommendation is to either stick to ufw or firewall-cmd or just use nft directly.

          1 JaredBuschJ 3 Replies Last reply Reply Quote 0
          • 1
            1337 @1337
            last edited by

            @Pete-S said in UFW or IPTABLES:

            @JaredBusch
            I think ufw can collide with manual rule entering because ufw handles persistantency on it's own.

            A few years back debian & ubuntu also switched to nftables. So rules written in iptables format works but are obsolete.

            So I think the current recommendation is to either stick to ufw or firewall-cmd or just use nft directly.

            Just checked and according to linode the following or newer uses nftables:

            • Debian 10 (Buster)
            • Ubuntu 20.10 (Groovy Gorilla)
            • CentOS 8
            • Fedora 32
            1 Reply Last reply Reply Quote 0
            • JaredBuschJ
              JaredBusch @1337
              last edited by

              @Pete-S said in UFW or IPTABLES:

              @JaredBusch
              I think ufw can collide with manual rule entering because ufw handles persistantency on it's own.

              UFW does add it's own chains. But, I could find no examples of how to do that same command with UFW.

              1 Reply Last reply Reply Quote 0
              • JaredBuschJ
                JaredBusch @1337
                last edited by

                @Pete-S said in UFW or IPTABLES:

                So I think the current recommendation is to either stick to ufw or firewall-cmd or just use nft directly.

                I try to. This was the first time I've had a need to go outside the box of ufw or firewall-cmd to use direct iptables in years.

                1 2 Replies Last reply Reply Quote 1
                • 1
                  1337 @JaredBusch
                  last edited by 1337

                  @JaredBusch said in UFW or IPTABLES:

                  @Pete-S said in UFW or IPTABLES:

                  So I think the current recommendation is to either stick to ufw or firewall-cmd or just use nft directly.

                  I try to. This was the first time I've had a need to go outside the box of ufw or firewall-cmd to use direct iptables in years.

                  Looks like you have to add it in ufw config file etc/ufw/before.rules since there is no command for it.

                  *nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5443
COMMIT

                  https://www.arubacloud.com/tutorial/how-to-manage-and-forward-ports-with-ufw-on-ubuntu-18-04.aspx

                  With firewalld you can do:

                  firewall-cmd --zone=public --add-masquerade
firewall-cmd --zone=public--add-forward-port=port=443:proto=tcp:toport=5443

                  https://linoxide.com/how-to-configure-firewall-with-firewalld/

                  1 Reply Last reply Reply Quote 1
                  • 1
                    1337 @JaredBusch
                    last edited by

                    @JaredBusch said in UFW or IPTABLES:

                    @Pete-S said in UFW or IPTABLES:

                    So I think the current recommendation is to either stick to ufw or firewall-cmd or just use nft directly.

                    I try to. This was the first time I've had a need to go outside the box of ufw or firewall-cmd to use direct iptables in years.

                    Yes, it's only when you need more control.

                    I've looked into this before and it wasn't not super obvious how all these tools interact. But nowadays ufw and firewalld are services to manage nftables. nftables itself manages the netfilter packet filtering mechanism in the kernel.

                    The ability to use iptables are just for legacy reasons and they're converted to nftables rules behind the scenes.

                    Since ufw (canonical project) and firewalld (redhat project) where initiated when iptables was used, I'm not sure their existence is warranted in the same way. At least not by sysadmins.

                    I'm looking at setting firewall rules automatically in a project and it seems like using nftables directly makes the most sense. That said I have to learn nftables first 🙂

                    1 Reply Last reply Reply Quote 0
                    • 1 / 1
                    • First post
                      Last post