
UFW not.... working?

Linux Kernel, Network, and Services configuration.
doonze
Posts: 10
Joined: 2016-12-31 09:21

UFW not.... working?

#1 Post by doonze »

Ok, got Debian 9.1 running on my PI 2. I run this machine through a VPN, and wanted to ensure that traffic can only flow through tun0 and over my local LAN. (It's headless, so losing SSH is not ok.) But the thing is, it's doing NOTHING. Here's the script I used to set it up:

Code:

sudo ufw reset
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out on tun0 from any to any
sudo ufw allow in on tun0 from any to any
sudo ufw allow out 1197/udp
sudo ufw allow ssh
sudo ufw allow in from 192.168.0.1/24
sudo ufw allow out from 192.168.0.1/24
sudo ufw enable
Here's my output of:

Code:

sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere on tun0           ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
Anywhere                   ALLOW IN    192.168.0.0/24
Anywhere (v6) on tun0      ALLOW IN    Anywhere (v6)
22/tcp (v6)                ALLOW IN    Anywhere (v6)

Anywhere                   ALLOW OUT   Anywhere on tun0
1197/udp                   ALLOW OUT   Anywhere
Anywhere                   ALLOW OUT   192.168.0.0/24
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on tun0
1197/udp (v6)              ALLOW OUT   Anywhere (v6)

iptables shows lots of ufw stuff after I did this. However, when I turn tun0 off, everything works just like normal. I can get my IP and apt-get fine even with tun0 no longer active. I've googled around and got nada.... Anyone got any ideas???

steve_v
df -h | grep > 20TiB
Posts: 1418
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 79 times
Been thanked: 189 times

Re: UFW not.... working?

#2 Post by steve_v »

What are you trying to achieve here?
Post the actual iptables rules, I don't speak this newfangled "UFW" stuff.
Presumably, it's just falling back on the route through 192.168.0.x (this is your LAN?). If the PI is on that subnet too, then that traffic is allowed.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

doonze
Posts: 10
Joined: 2016-12-31 09:21

Re: UFW not.... working?

#3 Post by doonze »

Yeah, I was following a guide. And they were not showing the right stuff. I finally figured it out, by removing all rules and adding them back one by one then testing. My main problem was this:

Code:

sudo ufw allow out from 192.168.0.1/24
If I had thought it through real good, I would have realized I was telling it to let all traffic OUT from my pi on 192.168.0.XXX. DUH!!!!! So yeah, it wasn't blocking anything. So what I did instead was create these rules:

Code:

# LAN is 192.168.0.0/24; both source and destination are now pinned to it
sudo ufw allow out from 192.168.0.0/24 to 192.168.0.0/24
sudo ufw allow in from 192.168.0.0/24 to 192.168.0.0/24
So in effect I'm telling it to allow any traffic in and out from any address on my LAN. (192.168.0.xxx)

I at first was having issues with my nfs mounts, and fixed them by doing a to and from using the exact IPs of my pi and nfs server. I tried opening just the correct ports (according to google searches) but got nowhere. I think my fix above would have taken care of it, but I'll play with it another day. I have it working now, and don't feel like chancing breaking it. I added the to and from all LAN addresses last. So I already had nfs working by having the ip directly. I'll remove the direct ips and test it, but not today.

So now I have internet only through tun0, my vpn. If that drops for any reason, I have no internet at all. I do however have full connection on my LAN no matter what. That's what I wanted. Mission accomplished.

Thanks for the help however!
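To make the mistake from post #3 concrete, here is a small simulation of ufw's first-match rule evaluation for the outgoing rules in this thread (an added example; it is neither the poster's script nor ufw's code). The Pi's addresses 192.168.0.50 on eth0 and 10.8.0.2 on tun0, the NFS server 192.168.0.20, the internet host 203.0.113.10 and the packets are constructed; protocol and connection tracking are ignored.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
LAN = ip_network("192.168.0.0/24")   # ufw normalises "192.168.0.1/24" to this

@dataclass(frozen=True)
class Rule:
    direction: str                     # "in" or "out"
    iface: Optional[str] = None        # "on tun0"; None matches any interface
    src: IPv4Network = ANY             # "from ..."
    dst: IPv4Network = ANY             # "to ..."
    port: Optional[int] = None         # destination port; None matches any

@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    src: str
    dst: str
    port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and ip_address(pkt.src) in rule.src
            and ip_address(pkt.dst) in rule.dst
            and rule.port in (None, pkt.port))

def verdict(rules, pkt: Packet, default: str = "deny") -> str:
    """First matching allow rule wins; otherwise the default policy applies."""
    return "allow" if any(matches(r, pkt) for r in rules) else default

# Outgoing rules from post #1; the last one is "allow out from 192.168.0.1/24".
ORIGINAL = [Rule("out", iface="tun0"), Rule("out", port=1197), Rule("out", src=LAN)]
# Corrected rule from post #3: source AND destination must both be on the LAN.
FIXED = [Rule("out", iface="tun0"), Rule("out", port=1197), Rule("out", src=LAN, dst=LAN)]

# Constructed packets (hypothetical addresses): the Pi is 192.168.0.50 on eth0
# and 10.8.0.2 on tun0; 203.0.113.10 stands in for an internet host.
WEB_VIA_ETH0 = Packet("out", "eth0", "192.168.0.50", "203.0.113.10", 443)  # VPN down
WEB_VIA_TUN0 = Packet("out", "tun0", "10.8.0.2", "203.0.113.10", 443)      # VPN up
NFS_ON_LAN = Packet("out", "eth0", "192.168.0.50", "192.168.0.20", 2049)
VPN_HANDSHAKE = Packet("out", "eth0", "192.168.0.50", "203.0.113.10", 1197)

if __name__ == "__main__":
    for name, rules in ("original", ORIGINAL), ("fixed", FIXED):
        print(name, [verdict(rules, p) for p in (WEB_VIA_ETH0, WEB_VIA_TUN0, NFS_ON_LAN, VPN_HANDSHAKE)])
```

With the original rules the Pi's own LAN address is inside the "from" range, so every outgoing packet leaves on eth0 when the VPN is down; with the fix only LAN-to-LAN, tun0 and the OpenVPN port 1197 are allowed out.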
