ubuntuusers.de

ufw blocks despite an allow rule

Status: Unsolved | Ubuntu version: Ubuntu 20.04 (Focal Fossa)

lexnared

Registration date:
11 March 2022

Posts: 1

Hello!

I have already been able to solve numerous problems with the help of this forum. Thanks for that.

But now I have reached the point where, unfortunately, my know-how does not get me any further.

Despite what I believe are correct UFW settings, I keep reading in ufw.log that the port. The IPs for source and destination were deliberately left open, because I want to tighten the firewall step by step.

Here is an excerpt from the log

Mar 11 20:25:57 nextcloudpi kernel: [53732.710046] [UFW BLOCK] IN=eth0 OUT= MAC=XXXXX SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar 11 20:32:37 nextcloudpi kernel: [  155.274066] [UFW BLOCK] IN=eth0 OUT= MAC=XXXXX SRC=192.168.1.4 DST=192.168.1.30 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=25256 DF PROTO=TCP SPT=53601 DPT=2010 WINDOW=591 RES=0x00 ACK FIN URGP=0

With sudo ufw allow in on eth0 from 192.168.1.4 I opened traffic for that IP, yet port 2010 is still blocked. Afterwards I also opened port 2010 individually. Unfortunately the error persists.

I would appreciate help in finding where the error lies.

The output of sudo ufw status numbered

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere on eth0           ALLOW FWD   10.6.0.0/24 on wg0
[ 2] 2127/udp                   ALLOW IN    Anywhere                   # allow-wireguard
[ 3] 3353                       ALLOW IN    Anywhere
[ 4] 80/tcp                     ALLOW IN    Anywhere
[ 5] 443/tcp                    ALLOW IN    Anywhere
[ 6] 4443/tcp                   ALLOW IN    Anywhere
[ 7] DNS                        ALLOW IN    Anywhere
[ 8] Samba                      ALLOW IN    Anywhere
[ 9] 2049                       ALLOW IN    Anywhere
[10] 8087                       ALLOW IN    Anywhere
[11] 8081                       ALLOW IN    Anywhere
[12] Anywhere on eth0           ALLOW IN    192.168.1.4
[13] 1882                       ALLOW IN    Anywhere
[14] 2010                       ALLOW IN    Anywhere
[15] 61991                      ALLOW IN    Anywhere
[16] 3353 (v6)                  ALLOW IN    Anywhere (v6)
[17] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[18] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
[19] 4443/tcp (v6)              ALLOW IN    Anywhere (v6)
[20] DNS (v6)                   ALLOW IN    Anywhere (v6)
[21] Samba (v6)                 ALLOW IN    Anywhere (v6)
[22] 2049 (v6)                  ALLOW IN    Anywhere (v6)
[23] 8087 (v6)                  ALLOW IN    Anywhere (v6)
[24] 2127/udp (v6)              ALLOW IN    Anywhere (v6)              # allow-wireguard
[25] 8081 (v6) on lo            ALLOW IN    Anywhere (v6)
[26] 1882 (v6)                  ALLOW IN    Anywhere (v6)
[27] 2010 (v6)                  ALLOW IN    Anywhere (v6)
[28] 61991 (v6)                 ALLOW IN    Anywhere (v6)

The user.rules file

*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###

### tuple ### route:allow any any 0.0.0.0/0 any 10.6.0.0/24 in_wg0!out_eth0
-A ufw-user-forward -i wg0 -o eth0 -s 10.6.0.0/24 -j ACCEPT

### tuple ### allow udp 2127 0.0.0.0/0 any 0.0.0.0/0 in comment=616c6c6f772d776972656775617264
-A ufw-user-input -p udp --dport 2127 -j ACCEPT

### tuple ### allow any 3353 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 3353 -j ACCEPT
-A ufw-user-input -p udp --dport 3353 -j ACCEPT

### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in

Output of sudo iptables -nvx -L

Chain INPUT (policy ACCEPT 8 packets, 288 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  225093 114338682 ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  225093 114338682 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
     104     7050 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       8      288 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       8      288 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       8      288 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 42 packets, 3088 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  227407 108057964 ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  227407 108057964 ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2032   110802 ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2032   110802 ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2032   110802 ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2032   110802 ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-logging-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-before-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
  209619 105404222 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   14950  8855434 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
      44     1760 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
      44     1760 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
     480    77266 ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0
     116    54866 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
     364    22400 ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination
  209619 105404222 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
   15756  2542940 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    2032   110802 ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
       0        0 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-after-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
       0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
       0        0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
       0        0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
       0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
       0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
      96     6762 ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-after-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-after-logging-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-after-logging-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-after-logging-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-reject-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-reject-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-reject-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-track-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-track-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1783    92716 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
     207    14998 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-track-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-logging-deny (2 references)
    pkts      bytes target     prot opt in     out     source               destination
      24      960 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-logging-allow (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-skip-to-policy-input (7 references)
    pkts      bytes target     prot opt in     out     source               destination
      96     6762 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-not-local (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     254    13888 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
     124    55154 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
     102     8224 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
       0        0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2127
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3353
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3353
       1       60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       1       44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4443
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* 'dapp_DNS' */
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* 'dapp_DNS' */
       6     1462 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 137,138 /* 'dapp_Samba' */
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 139,445 /* 'dapp_Samba' */
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2049
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2049
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8087
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8087
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8081
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8081
      41     2132 ACCEPT     all  --  eth0   *       192.168.1.4          0.0.0.0/0
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1882
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1882
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2010
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2010
      87     5220 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:61991
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:61991

Chain ufw-user-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-user-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  wg0    eth0    10.6.0.0/24          0.0.0.0/0

Chain ufw-user-logging-input (0 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-user-limit (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

-------- UPDATE --------

I took a look at the fail2ban log. Indeed, the IP address 192.168.1.4 was listed there in ufwban as banned. I have now removed it and will wait a day to see whether further entries appear in the log.
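Added example (not from the post): a small Python triage script for [UFW BLOCK] lines like the two quoted above. It parses the kernel fields and classifies each entry from the packet itself: a multicast destination that no port rule can match, or a TCP segment without SYN, which is not a new connection and is therefore judged by conntrack state rather than by ufw-user-input (a FIN/ACK with no tracked connection is ctstate INVALID, which ufw-before-input logs and drops before any ALLOW rule is consulted; compare the 44-packet INVALID counters in the listing above). The category names are my own.

```python
import re

# Constructed sample: the two [UFW BLOCK] lines quoted in the post above
# (MAC addresses were already masked there).
SAMPLE_LOG = """\
Mar 11 20:25:57 nextcloudpi kernel: [53732.710046] [UFW BLOCK] IN=eth0 OUT= MAC=XXXXX SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar 11 20:32:37 nextcloudpi kernel: [  155.274066] [UFW BLOCK] IN=eth0 OUT= MAC=XXXXX SRC=192.168.1.4 DST=192.168.1.30 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=25256 DF PROTO=TCP SPT=53601 DPT=2010 WINDOW=591 RES=0x00 ACK FIN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_ufw_line(line):
    """Split a kernel '[UFW <ACTION>] k=v ...' line into a dict; None if not one."""
    m = re.search(r"\[UFW (\w+)\] (.*)$", line)
    if not m:
        return None
    rec = {"action": m.group(1), "flags": set()}
    for tok in m.group(2).split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)   # bare tokens such as 'ACK FIN'
    return rec

def classify(rec):
    """Explain from the packet's own fields why no port rule could have matched."""
    first_octet = rec.get("DST", "").split(".")[0]
    if first_octet.isdigit() and 224 <= int(first_octet) <= 239:
        return ("multicast",
                "multicast destination (PROTO=2 is IGMP); port rules never match it")
    if rec.get("PROTO") == "TCP":
        if "SYN" not in rec["flags"]:
            return ("stale-tcp",
                    "no SYN: not a new connection, so conntrack state decides "
                    "(FIN/ACK after the connection closed -> ctstate INVALID, "
                    "dropped in ufw-before-input before any ALLOW rule is seen)")
        return ("new-tcp",
                "SYN to port %s: check the ALLOW rules for this port" % rec.get("DPT"))
    return ("other", "protocol %s" % rec.get("PROTO"))

def triage(log_text):
    """Return one (src, dst, proto, dport, category) tuple per UFW log line."""
    out = []
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if rec is None:
            continue
        category, _ = classify(rec)
        out.append((rec["SRC"], rec["DST"], rec["PROTO"], rec.get("DPT"), category))
    return out

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_ufw_line(line)
        category, why = classify(rec)
        print("%s -> %s %s: [%s] %s" % (rec["SRC"], rec["DST"], rec["PROTO"], category, why))
```

Run it against /var/log/ufw.log (or journalctl -k output) to separate entries that a new ALLOW rule can fix from those that no port rule will ever match.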
