UFW doesn't seem to manage iptables
Here's what I first started with in ufw:
    $ sudo ufw status verbose
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), deny (routed)
    New profiles: skip

    To                         Action      From
    --                         ------      ----
    6xxx/tcp                   ALLOW IN    Anywhere
(6xxx is my ssh port, obviously not posted here.) But I find that I can browse the default Apache page at 54plymouth.net; that is, access to 80 is permitted. I then explicitly added a deny to ufw (which didn’t work):
    $ sudo ufw status verbose
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), deny (routed)
    New profiles: skip

    To                         Action      From
    --                         ------      ----
    6xxx/tcp                   ALLOW IN    Anywhere
    80/tcp (Apache)            DENY IN     Anywhere
Each time I disabled/enabled ufw to reset the rules. I'm not sure what things mean in iptables, but here’s what's in it:
    ACCEPT     tcp  --  anywhere   anywhere   tcp dpt:http  /* User defined open TCP port */ ctstate NEW
    ACCEPT     tcp  --  anywhere   anywhere   tcp dpt:https /* User defined open TCP port */ ctstate NEW
    DROP       tcp  --  anywhere   anywhere   tcp dpt:http  /* 'dapp_Apache' */
I'm guessing the two ACCEPTs are taking precedence over the DROP, which suggests it's the one I added, given the common Apache reference.
So, what do I have to do to make iptables track exclusively what's declared in ufw as allowed/denied?
-Dan
Hi, Dan. Sorry that you're having trouble sorting out the UFW. The order of the rules does matter, as you suspected, so you'd need to move that DROP up for it to happen before the accepts. Beyond that, make sure you aren't seeing a cached page (with the usual browser clearing), and consider running a port scan as well. Hope that helps!