Solved UFW or IPTABLES
-
I set up an Ant Media server for someone last week. All working except for the `iptables` redirect rule not surviving a reboot. The native `tomcat` (I think) server uses port 5443 for `https` by default. The guide says if you want to use port 443, you should not fuck with the web server settings and instead use this `iptables` rule:

```
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5443
```

The rule works perfectly. The problem is it does not survive a reboot. I used `ufw` to configure the firewall as this is Ubuntu 20 (Yes the appliance install uses the LTS, just went with recommended appliance in Vultr). I assume the problem is that the manual command is not saved. I can deal with that, `sudo iptables-save` is built for that. But I first checked with `sudo iptables -L` (or `-S`) and I do not see the manual rule. Port 5443 is only referenced once. In the main allow.

```
jbusch@RTSP:~$ sudo iptables -L | grep 5443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5443
jbusch@RTSP:~$ sudo iptables -S | grep 5443
-A ufw-user-input -p tcp -m tcp --dport 5443 -j ACCEPT
```

So, I did not issue the save command. Any recommendations?
-
Ah my lack of raw `iptables` skill shows.. I thought `-L` showed everything, but it does not.
Specifying the `nat` table shows it.

```
jbusch@BowWowRTSP:~$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 5443

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
```

So now that I see where it is, I used `sudo iptables-save`, rebooted, and all good.
-
@JaredBusch
I think ufw can collide with manual rule entering because ufw handles persistence on its own. A few years back Debian & Ubuntu also switched to nftables. So rules written in iptables format work but are obsolete.
So I think the current recommendation is to either stick to `ufw` or `firewall-cmd` or just use `nft` directly.
-
@Pete-S said in UFW or IPTABLES:

> @JaredBusch
> I think ufw can collide with manual rule entering because ufw handles persistence on its own. A few years back Debian & Ubuntu also switched to nftables. So rules written in iptables format work but are obsolete.
> So I think the current recommendation is to either stick to `ufw` or `firewall-cmd` or just use `nft` directly.

Just checked and according to Linode the following or newer uses nftables:
- Debian 10 (Buster)
- Ubuntu 20.10 (Groovy Gorilla)
- CentOS 8
- Fedora 32
-
@Pete-S said in UFW or IPTABLES:

> @JaredBusch
> I think ufw can collide with manual rule entering because ufw handles persistence on its own.

UFW does add its own chains. But, I could find no examples of how to do that same command with UFW.
-
@Pete-S said in UFW or IPTABLES:

> So I think the current recommendation is to either stick to `ufw` or `firewall-cmd` or just use `nft` directly.

I try to. This was the first time I've had a need to go outside the box of `ufw` or `firewall-cmd` to use direct `iptables` in years.
-
@JaredBusch said in UFW or IPTABLES:

> @Pete-S said in UFW or IPTABLES:
>
> > So I think the current recommendation is to either stick to `ufw` or `firewall-cmd` or just use `nft` directly.
>
> I try to. This was the first time I've had a need to go outside the box of `ufw` or `firewall-cmd` to use direct `iptables` in years.

Looks like you have to add it in the ufw config file `/etc/ufw/before.rules` since there is no command for it.

```
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5443
COMMIT
```

https://www.arubacloud.com/tutorial/how-to-manage-and-forward-ports-with-ufw-on-ubuntu-18-04.aspx

With firewalld you can do:

```
firewall-cmd --zone=public --add-masquerade
firewall-cmd --zone=public --add-forward-port=port=443:proto=tcp:toport=5443
```

https://linoxide.com/how-to-configure-firewall-with-firewalld/
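The before.rules approach above, as an added example that is not from the thread or from ufw itself: a small POSIX shell helper that inserts that exact `*nat` section at the top of a before.rules-style file only if it is not already there, so re-running a provisioning script does not duplicate the block, plus a check you can run on the file afterwards. It assumes the file starts with ufw's `*filter` section and is passed in by path, so it can be tried on a copy before touching `/etc/ufw/before.rules`.

```sh
#!/bin/sh
# Added example (not the thread's or ufw's own code): idempotently add the
# 443 -> 5443 REDIRECT as a *nat section at the top of a ufw before.rules-style
# file. Assumes the file already begins with ufw's "*filter" section and that
# the caller passes the path (try it on a copy first).

RULE='-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5443'

# Returns 0 if the redirect rule is already present as a whole line.
has_redirect() {
    grep -Fqx -- "$RULE" "$1"
}

# Prepends the nat section unless it is already there; prints what it did.
add_redirect() {
    file="$1"
    if has_redirect "$file"; then
        echo "present"
        return 0
    fi
    tmp="$file.tmp.$$"
    {
        printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' "$RULE" 'COMMIT' ''
        cat "$file"
    } > "$tmp" && mv "$tmp" "$file"
    echo "added"
}

# Number of *nat sections in the file; anything other than 1 after add_redirect
# means the block was duplicated by hand and should be cleaned up.
nat_sections() {
    grep -c '^\*nat$' "$1"
}
```

After editing the real file and running `sudo ufw reload`, confirm the rule is live with `sudo iptables -t nat -S PREROUTING`, since as noted above plain `iptables -L` does not show the nat table.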
-
@JaredBusch said in UFW or IPTABLES:

> @Pete-S said in UFW or IPTABLES:
>
> > So I think the current recommendation is to either stick to `ufw` or `firewall-cmd` or just use `nft` directly.
>
> I try to. This was the first time I've had a need to go outside the box of `ufw` or `firewall-cmd` to use direct `iptables` in years.

Yes, it's only when you need more control.
I've looked into this before and it wasn't super obvious how all these tools interact. But nowadays `ufw` and `firewalld` are services to manage nftables. nftables itself manages the netfilter packet filtering mechanism in the kernel. The ability to use iptables is just for legacy reasons and they're converted to nftables rules behind the scenes.
Since ufw (Canonical project) and firewalld (Red Hat project) were initiated when iptables was used, I'm not sure their existence is warranted in the same way. At least not by sysadmins.
I'm looking at setting firewall rules automatically in a project and it seems like using nftables directly makes the most sense. That said I have to learn nftables first.