Configure UFW to allow only established and related connections (on IPv4)


Solution 1

Looks like you don't need to do anything to allow RELATED/ESTABLISHED connections.

In ver. 0.36 of UFW I'm looking at on Ubuntu Core 16.04, the rules to allow RELATED/ESTABLISHED connections are there by default.

Crack open before.rules and you'll see the job has been done for you:

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Solution 2

ufw is considered a simple front end for iptables. It does not support all the functionality provided by iptables, and filtering based on the matching state of a connection is not supported yet.

ufw was basically initiated so that any user can understand or edit the basic firewall rules without having to go through the complexities of iptables. You can check this Ubuntu wiki to get a better idea of which features are supported yet. Note that if you know iptables then there is no need for ufw.

Solution 3

Try adding to /etc/ufw/before.rules:

*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
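Solution 1 says the RELATED,ESTABLISHED accept rules are already present in the ufw-before-* chains, and Solution 3 proposes adding one with the older `-m state --state` syntax. The check below is an added example, not code from the original answers or from the ufw project: it greps a before.rules file for an ACCEPT rule on RELATED,ESTABLISHED in each of the three ufw-before-* chains, accepting either the `-m conntrack --ctstate` or the `-m state --state` match form. The two sample files it builds are constructed for the example; point `report_established_rules` at /etc/ufw/before.rules to check a real system.

```shell
#!/bin/sh
# Added example (not from the original answers): does a ufw before.rules
# file already accept RELATED,ESTABLISHED traffic in the ufw-before-input,
# ufw-before-output and ufw-before-forward chains?

# Return 0 if file $1 has an ACCEPT rule for RELATED,ESTABLISHED in chain $2.
# Both the conntrack match (what ufw ships) and the legacy state match
# (what Solution 3 uses) are recognised, in either operand order.
has_established_rule() {
    file="$1"; chain="$2"
    grep -E -q \
        "^-A ${chain} .*-m (conntrack --ctstate|state --state) (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT" \
        "$file"
}

# Print one line per chain; the return value is the number of chains
# that lack the rule (0 means the file matches what Solution 1 describes).
report_established_rules() {
    file="$1"; missing=0
    for chain in ufw-before-input ufw-before-output ufw-before-forward; do
        if has_established_rule "$file" "$chain"; then
            echo "ok      $chain accepts RELATED,ESTABLISHED"
        else
            echo "MISSING $chain has no RELATED,ESTABLISHED accept rule"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample 1: the default rules as quoted in Solution 1.
SAMPLE_DEFAULT=$(mktemp)
cat > "$SAMPLE_DEFAULT" <<'EOF'
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF

# Constructed sample 2: only the input chain covered, using the legacy syntax.
SAMPLE_PARTIAL=$(mktemp)
cat > "$SAMPLE_PARTIAL" <<'EOF'
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
trap 'rm -f "$SAMPLE_DEFAULT" "$SAMPLE_PARTIAL"' EXIT

echo "== default before.rules excerpt =="
report_established_rules "$SAMPLE_DEFAULT"
echo "== partial before.rules excerpt =="
report_established_rules "$SAMPLE_PARTIAL" || echo "$? chain(s) missing the rule"
```

Run it as is to see both samples reported, or call `report_established_rules /etc/ufw/before.rules` to confirm on your own host that nothing needs adding before editing the file; the exit status makes it usable from a configuration check script.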

Author: marttt

Updated on September 18, 2022

Comments

  • marttt
    marttt over 1 year

    I want to configure ufw to deny everything except the related and established connections. On iptables I usually did :

      -P INPUT DROP
      -P FORWARD DROP
      -P OUTPUT ACCEPT
      -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    

    I read that the next code on ufw is closely related:

     ufw default deny incoming
     ufw default deny forwarding
     ufw default allow outgoing
     ufw allow 443/tcp
     ufw allow 53/tcp
     ................
    

    The problem is, with that ufw code I'm allowing ALL the incoming traffic on those ports. With iptables, only the established connections were allowed. How could I configure the same rules on ufw?

  • marttt
    marttt about 9 years
    I know iptables; the problem is that NetworkManager conflicts with iptables. I tried every solution listed at: help.ubuntu.com/community/… But the issue persists.... :(
  • heemayl
    heemayl about 9 years
    @marttt: your problem with iptables is that you can't save-restore the rules?
  • moi
    moi almost 6 years
    My /etc/ufw/before.rules contains the following lines:

      # quickly process packets for which we already have a connection
      -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    Shouldn't this have the desired effect?