How to configure UFW to allow IP Forwarding?


Solution 1

I figured it out.

Edit /etc/default/ufw and set DEFAULT_FORWARD_POLICY to ACCEPT:

DEFAULT_FORWARD_POLICY="ACCEPT"

Solution 2

It's now possible. From the ufw man page:

Rules for traffic not destined for the host itself but instead for traffic that should be routed/forwarded through the firewall should specify the route keyword before the rule (routing rules differ significantly from PF syntax and instead take into account netfilter FORWARD chain conventions). For example:

     ufw route allow in on eth1 out on eth2

This will allow all traffic routed to eth2 and coming in on eth1 to traverse the firewall.

     ufw route allow in on eth0 out on eth1 to 12.34.45.67 port 80 proto tcp

This rule allows any packets coming in on eth0 to traverse the firewall out on eth1 to tcp port 80 on 12.34.45.67.

In addition to routing rules and policy, you must also setup IP forwarding. This may be done by setting the following in /etc/ufw/sysctl.conf:

     net/ipv4/ip_forward=1
     net/ipv6/conf/default/forwarding=1
     net/ipv6/conf/all/forwarding=1

then restarting the firewall:

     ufw disable
     ufw enable

Be aware that setting kernel tunables is operating system specific and ufw sysctl settings may be overridden. See the sysctl manual page for details.

Solution 3

If you set the DEFAULT_FORWARD_POLICY to ACCEPT in /etc/default/ufw, the firewall will forward all packets regardless of the settings of the user interface.

I think the user interface is only meant for simple in/out filtering. For forwarding you need to add iptables rules in /etc/ufw/before.rules like here:

-A ufw-before-forward -i eth1 -p tcp -d 192.168.1.11 --dport 22 -j ACCEPT

You probably already have a rule that lets connections from inside out and another that lets packets from related and established tcp sessions back in.

I'm no iptables specialist; it took me a very long time to figure this out (with ip6tables, but it should be similar). Maybe this is not all it takes in your case.

Best greetings

Solution 4

This ufw command worked for me nicely: sudo ufw default allow FORWARD

To be sure the change is applied: sudo service ufw restart


Author: Stephen RC

Senior developer at Defiant / Wordfence, security analyst, Tolkien fan, and general geek.

Updated on September 18, 2022

Comments

  • Stephen RC (3 months)

    I have UFW, OpenVPN and Virtualbox installed on my home server. I have a host-only network for my virtual machine guests (vboxnet0) set up with the IP range 10.0.1.0, and another IP range of 10.0.0.0 configured on the other end of the OpenVPN connection.

    IP Forwarding is configured on the host, so when UFW is disabled they can talk to each other without any issues. However, I'd like to run UFW as this host will be web-accessible and I'd like some access control.

    How can I configure UFW to allow this sort of traffic?

    I've tried various combinations of: ufw allow in|out on vboxnet0|tun0 with no success.

    My UFW rules are:

    # ufw status
    Status: active
    To                         Action      From
    --                         ------      ----
    22                         ALLOW       Anywhere
    Anywhere                   ALLOW       10.0.0.0/16
    Anywhere on vboxnet0       ALLOW       Anywhere
    Anywhere on tun0           ALLOW       Anywhere
    Anywhere                   ALLOW OUT   Anywhere on vboxnet0
    Anywhere                   ALLOW OUT   Anywhere on tun0
    

    Any help would be greatly appreciated.

  • Marcus Downing (over 9 years)
    Is there any way of allowing only it to forward specific ports, not setting it to ACCEPT everything?
  • Minh Danh (over 5 years)
    I guess you need to restart ufw after editing the file: service ufw restart
  • ColinM (over 4 years)
    This gives an "Invalid syntax" error. Docs say "DIRECTION is one of incoming, outgoing or routed".
  • baptx (over 4 years)
    @ColinM this worked for me on Xubuntu 16.04.5 LTS
  • patricktokeeffe (almost 4 years)
    FORWARD works like an alias for routed on Ubuntu.
  • logion (over 3 years)
    For those of us wanting to allow tcp traffic between OpenVPN clients on an OpenVPN server, this works. For example: ufw route allow in on tun0 out on tun0
  • Joril (about 3 years)
    For the record ufw route is present since version 0.34
  • creekorful (over 2 years)
    This should be the newly accepted answer
  • Johnny Utahh (over 2 years)
    Does this enable all IP forwarding (and thus bypassing all these steps: ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux), or does it simply enable ufw to be IP-forwarding friendly... or something else?
  • RomanK (about 2 years)
    Changing default policy can be done from CLI with sudo ufw default allow routed