Jump to content
Strawberry Orange Banana Lime Leaf Slate Sky Blueberry Grape Watermelon Chocolate Marble
Strawberry Orange Banana Lime Leaf Slate Sky Blueberry Grape Watermelon Chocolate Marble

MSFN is made available via donations, subscriptions and advertising revenue. The use of ad-blocking software hurts the site. Please disable ad-blocking software or set an exception for MSFN. Alternatively, register and become a site sponsor/subscriber and ads will be disabled automatically. 


Sign in to follow this  
FranceBB

UFW rules don't affect Wi-Fi hotspot (Fedora 29)

Recommended Posts

Hi,
I have Fedora 29 and a few connections listed below:
NAME UUID TYPE DEVICE >
Hotspot ad2a19b6-6347-4e48-a6f7-1446d4a96d0d wifi wlp2s0 >
pan1 0611ae9d-dd40-49b6-91bb-16d95ff21624 bridge pan1 >
tun0 447c77d6-005a-422f-b93a-ac4e40474460 tun tun0 >
uk656.nordvpn.com.udp f68bfe83-7c23-4bff-9bd8-996510849ea4 vpn enp0s20f>
virbr0 6db6a458-7832-414c-9e6f-917a3e7e494b bridge virbr0 >
Wired connection 1 9a79441a-2644-3cc9-9cb0-0376935fc0e7 ethernet enp0s20f

As you can see, "enp0s20f" is the ethernet, then there's my VPN and finally there's "wlp2s0" which is my Wi-Fi hotspot.
The idea is to basically get internet from my router, route the traffic throught the VPN and then send out a Wi-Fi hostpot signal to allow devices to connect using my VPN.
So far so good.
The problem is that I had to implement a kill switch.
To do so, I used UFW, by blocking all the incoming and outgoing connections except the ones from/to the VPN servers (I specified their ip).

To Action From
-- ------ ----
SSH ALLOW Anywhere 
224.0.0.251 mDNS ALLOW Anywhere 
Anywhere on wlp2s0 DENY Anywhere 
SSH (v6) ALLOW Anywhere (v6) 
ff02::fb mDNS ALLOW Anywhere (v6) 
Anywhere (v6) on wlp2s0 DENY Anywhere (v6) 

89.238.183.8 ALLOW OUT Anywhere 
81.92.202.17 ALLOW OUT Anywhere 
89.238.142.133 ALLOW OUT Anywhere 
Anywhere ALLOW OUT Anywhere on tun0 
81.92.203.47 ALLOW OUT Anywhere 
185.169.255.20 ALLOW OUT Anywhere 
185.195.202.28 ALLOW OUT Anywhere 
195.12.49.141 ALLOW OUT Anywhere 
185.195.202.20 ALLOW OUT Anywhere 
185.195.202.22 ALLOW OUT Anywhere 
23.226.129.171 ALLOW OUT Anywhere 
104.222.153.56 ALLOW OUT Anywhere 
185.217.69.182 ALLOW OUT Anywhere 
194.242.11.142 ALLOW OUT Anywhere 
82.102.22.91 ALLOW OUT Anywhere 
Anywhere DENY OUT Anywhere on wlp2s0 
195.12.49.141 ALLOW OUT Anywhere on wlp2s0 
Anywhere (v6) ALLOW OUT Anywhere (v6) on tun0 
Anywhere (v6) DENY OUT Anywhere (v6) on wlp2s0 



It works like a charm on my computer, but devices on my Wi-Fi Hotspot are not affected by any rule set on UFW.

I found another person with the same issue (but with Ubuntu instead of Fedora): https://askubuntu.com/questions/1032183/ufw-doesnt-work-with-hotspot

Why is that?

Thank you in advance,
Frank.

Share this post


Link to post
Share on other sites

This is the nmap output from the Fedora host:


Starting Nmap 6.47 ( http://nmap.org ) at 2018-12-18 02:28 Coordinated Universal Time
Nmap scan report for |||||||||||||||
Host is up (0.028s latency).
Not shown: 96 filtered ports
PORT STATE SERVICE
80/tcp open http
88/tcp open kerberos-sec
443/tcp open https
8080/tcp closed http-proxy
 
Nmap done: 1 IP address (1 host up) scanned in 6.12 seconds

This is the route on the host:


Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    50     0        0 tun0
default         _gateway        0.0.0.0         UG    20100  0        0 enp0s20f0u5
10.8.8.0        0.0.0.0         255.255.255.0   U     50     0        0 tun0
10.42.0.0       0.0.0.0         255.255.255.0   U     600    0        0 wlp2s0
10.59.70.0      0.0.0.0         255.255.255.0   U     0      0        0 pan1
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s20f0u5
_gateway        0.0.0.0         255.255.255.255 UH    100    0        0 enp0s20f0u5
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
195.12.49.141   _gateway        255.255.255.255 UGH   100    0        0 enp0s20f0u5

I also tried with 


sudo iptables -A INPUT --src 195.12.49.141 -j ACCEPT -i wlp2s0
sudo iptables -A OUTPUT -d 195.12.49.141 -j ACCEPT -o wlp2s0

but nothing changed.

I'm now trying a different approach, which is routing all the traffic from wlp2s0 to tun0, but unfortunately, I don't know how to do that.

I tried with:

 

 sudo ip route add 10.42.0.0/24 via 0.0.0.0 dev tun0


 

but nothing happened.

 

sudo iptables -t nat -A POSTROUTING -s 10.42.0.29 -o tun0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 10.42.0.0 -o tun0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 10.42.0.1 -o tun0 -j MASQUERADE

didn't work either.

Routing wlp2s0 to the ip address of tun0 prevents devices connecting to the wifi to access internet:

 

sudo iptables -t nat -A PREROUTING -i wlp2s0 -p tcp -j DNAT --to-destination 10.8.8.0
sudo iptables -t nat -A PREROUTING -i wlp2s0 -p udp -j DNAT --to-destination 10.8.8.0

Routing wlp2s0 to the ip address of my ethernet prevents devices connecting to the wifi to access internet:

sudo iptables -t nat -A PREROUTING -i wlp2s0 -p tcp -j DNAT --to-destination 10.8.8.0
sudo iptables -t nat -A PREROUTING -i wlp2s0 -p udp -j DNAT --to-destination 10.8.8.0

Routing wlp2s0 to the external ip address of my VPN prevents devices connecting to the wifi to access internet:

 

sudo iptables -t nat -A PREROUTING -i wlp2s0 -p udp -j DNAT --to-destination 192.168.0.0
sudo iptables -t nat -A PREROUTING -i wlp2s0 -p tcp -j DNAT --to-destination 192.168.0.0


 

In other words, it's a mess.

Edited by FranceBB

Share this post


Link to post
Share on other sites

I just switched my Slackware Linux to Wifi Hotspot and it respects the iptables rules. Here are my rules, might help you if nothing else.

iptables -P OUTPUT  DROP
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -N drop_invalid
iptables -A OUTPUT -m state --state INVALID -j drop_invalid
iptables -A INPUT -m state --state INVALID -j drop_invalid
iptables -A INPUT -p tcp -m tcp --sport 1:65535 --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j drop_invalid
iptables -A drop_invalid -j LOG --log-level debug --log-prefix "INVALID state -- DENY"
iptables -A drop_invalid -j DROP
iptables -N In_RULE_0
iptables -A INPUT -i wlan0 -s darkstar -j In_RULE_0
iptables -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY"
iptables -A In_RULE_0 -j DROP
iptables -N In_RULE_1
iptables -A INPUT -p icmp -m icmp --icmp-type any -j In_RULE_1
iptables -A In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY"
iptables -A In_RULE_1 -j DROP
iptables -N In_RULE_2
iptables -A INPUT -p tcp -m tcp --dport 43 -j In_RULE_2
iptables -A In_RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY"
iptables -A In_RULE_2 -j DROP
iptables -N In_RULE_3
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL URG,PSH,FIN -j In_RULE_3
iptables -A In_RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- DENY"
iptables -A In_RULE_3 -j DROP
iptables -N In_RULE_4
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j In_RULE_4
iptables -A In_RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- DENY"
iptables -A In_RULE_4 -j DROP
iptables -N In_RULE_5
iptables -A INPUT -p all -f -j In_RULE_5
iptables -A In_RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- DENY"
iptables -A In_RULE_5 -j DROP
iptables -N In_RULE_6
iptables -A INPUT -p udp -m udp --dport 513 -j In_RULE_6
iptables -A In_RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY"
iptables -A In_RULE_6 -j DROP
iptables -N In_RULE_7
iptables -A INPUT -p udp -m udp --dport 33434:33524 -j In_RULE_7
iptables -A In_RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- DENY"
iptables -A In_RULE_7 -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -m udp --sport 67 --dport 68 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -m udp --sport 123 --dport 123 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 6667 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 6697 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 6881 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 6881 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 8881 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 7881 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 8881 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 25,110,143,465,587,993,995 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dports 500,1701,4500 -m state --state NEW -j ACCEPT
iptables -N RULE_17
iptables -A OUTPUT -p tcp -m tcp --dport 20:21 -j RULE_17
iptables -A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: -j RULE_17
iptables -A RULE_17 -j LOG --log-level info --log-prefix "RULE 17 -- ACCEPT"
iptables -A RULE_17 -j ACCEPT
iptables -N RULE_18
iptables -A OUTPUT -p 47 -j RULE_18
iptables -A INPUT -p 47 -j RULE_18
iptables -A OUTPUT -p tcp -m tcp --dport 1723 -j RULE_18
iptables -A RULE_18 -j LOG --log-level info --log-prefix "RULE 18 -- ACCEPT"
iptables -A RULE_18 -j ACCEPT
iptables -N RULE_19
iptables -A OUTPUT -p tcp -m tcp --dport 3389 -j RULE_19
iptables -A OUTPUT -p udp -m udp --dport 3389 -j RULE_19
iptables -A RULE_19 -j LOG --log-level info --log-prefix "RULE 19 -- ACCEPT"
iptables -A RULE_19 -j ACCEPT
iptables -N RULE_20
iptables -A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j RULE_20
iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j RULE_20
iptables -A RULE_20 -j LOG --log-level info --log-prefix "RULE 20 -- ACCEPT"
iptables -A RULE_20 -j ACCEPT
iptables -N RULE_21
iptables -A OUTPUT -p udp -m udp -j RULE_21
iptables -A INPUT -p udp -m udp -j RULE_21
iptables -A RULE_21 -j LOG --log-level info --log-prefix "RULE 21 -- DENY"
iptables -A RULE_21 -j DROP
iptables -N RULE_22
iptables -A OUTPUT -p tcp -m tcp -j RULE_22
iptables -A INPUT -p tcp -m tcp -j RULE_22
iptables -A RULE_22 -j LOG --log-level info --log-prefix "RULE 22 -- DENY"
iptables -A RULE_22 -j DROP
iptables -N RULE_23
iptables -A OUTPUT -d darkstar -j RULE_23
iptables -A INPUT -j RULE_23
iptables -A RULE_23 -j LOG --log-level info --log-prefix "RULE 23 -- DENY"
iptables -A RULE_23 -j DROP

 

Edited by PROBLEMCHYLD
  • Like 1

Share this post


Link to post
Share on other sites

My rules come from here in case you're wondering.

https://www.wilderssecurity.com/threads/tutorial-expert-linux-firewalling.376935/

Share this post


Link to post
Share on other sites

I don't get it.

What I did was:

1) Removing all the former rules

sudo iptables -F

2) Denying everything

sudo iptables -P INPUT DROP

sudo iptables -P OUTPUT DROP

sudo iptables -P FORWARD DROP

3) Accepting the loopback

sudo iptables -A INPUT -i lo -j ACCEPT

sudo iptables -A OUTPUT -o lo -j ACCEPT

4) Allowing internal networking (i.e connecting to my router)

sudo iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT

5) Enabling openvpn port

udo iptables -A OUTPUT -p udp --dport 1194 -j ACCEPT
sudo iptables -A INPUT -p udp --sport 1194 -j ACCEPT

6) Enabling the VPN Server ip address

sudo iptables -A INPUT -s xxx.xx.xx.xxx -j ACCEPT
sudo iptables -A OUTPUT -d xxx.xx.xx.xxx -j ACCEPT

7) Enabling tun0, which is the internal connection to the VPN

sudo iptables -A OUTPUT -o tun+ -j ACCEPT
sudo iptables -A INPUT -i tun+ -j ACCEPT

 

It actually works for my computer and as soon as the VPN connection drops, all the traffic is blocked, which is fine, but when I share my connection using Linux as Wi-Fi hotspot, the devices connected to it can connect without VPN if tun0 goes offline, which is exactly the same situation I had before with UFW...

I need all wlp2s0 to use tun0 only as its source of traffic.

I tried with

sudo iptables -A FORWARD -i tun0 -o wlp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT

but it's the same...

 

sudo ifconfig -a
enp0s20f0u5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.114  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::81d2:ca64:9358:261d  prefixlen 64  scopeid 0x20<link>
        ether 06:e1:fe:ad:3b:8a  txqueuelen 1000  (Ethernet)
        RX packets 51969  bytes 34961450 (33.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 54430  bytes 29211706 (27.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp3s0f1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 70:4d:7b:46:72:a7  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 238  bytes 20064 (19.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 238  bytes 20064 (19.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

pan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.59.70.11  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::34b6:bcff:fe0a:3f4b  prefixlen 64  scopeid 0x20<link>
        ether 36:b6:bc:0a:3f:4b  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 245  bytes 10834 (10.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.8.201  netmask 255.255.255.0  destination 10.8.8.201
        inet6 fe80::65bd:f28a:9ac:3e3a  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 1099  bytes 531983 (519.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1114  bytes 149277 (145.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:c9:d0:a4  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0-nic: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 52:54:00:c9:d0:a4  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.42.0.1  netmask 255.255.255.0  broadcast 10.42.0.255
        inet6 fe80::bca5:7f7b:cbec:5bd3  prefixlen 64  scopeid 0x20<link>
        ether e2:74:fa:a9:36:4b  txqueuelen 1000  (Ethernet)
        RX packets 25386  bytes 22922627 (21.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 20010  bytes 7900762 (7.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

 

Edited by FranceBB

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.

×