6

I installed ufw on my Debian system like the following:

# aptitude install ufw
# ufw limit 22
# ufw allow 80
# ufw allow 443
# ufw enable
# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
20                         LIMIT       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere

A simple ping google.com fails, and so does any aptitude install. I searched serverfault for answers. One solution was to allow port 53 for DNS - didn't help. Or ufw allow out 1024:65535/udp together with port 53 - didn't help.

What worked was to allow my DNS server with ufw allow from [DNS IP], but that's no solution if you ask me.

apt-get and aptitude are both blocked by ufw. Couldn't find anything on how to allow installing new things. A ufw log entry example:

Aug 12 17:31:08 host kernel: [535454.665168] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=0.0.0.0 DST=0.0.0.0 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=41343 WINDOW=14480 RES=0x00 ACK SYN URGP=0

Any ideas?

quanta
Fleshgrinder

4 Answers

5

You need to add the following into iptables, as ufw just interfaces with it.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

tacotuesday
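An added example, not from the answer above and not part of ufw itself, that shows what the blocked log line in the question tells you: a TCP SYN+ACK arriving from source port 80 to a high destination port is the reply to a connection the host opened, so dropping it points at the missing ESTABLISHED,RELATED accept. It assumes the kernel log format shown in the question; the sample lines and the iptables dumps in the usage are constructed.

```shell
#!/bin/sh
# Print the value of the KEY=VALUE field named $2 in log line $1 (empty if absent).
field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Classify one "[UFW BLOCK]" line:
#   blocked-reply      TCP SYN+ACK from a low source port to a high destination port:
#                      the answer to a connection this host opened (apt, curl, ...).
#                      Dropping it means the stateful accept rule is missing or mis-ordered.
#   blocked-dns-reply  UDP from source port 53: a DNS answer being dropped.
#   inbound-new        TCP SYN without ACK: a fresh inbound connection, which is what
#                      "default deny incoming" is expected to block.
#   other              anything else, including lines that are not UFW blocks.
classify_ufw_block() {
    line=$1
    case "$line" in *"[UFW BLOCK]"*) ;; *) echo other; return 0 ;; esac
    proto=$(field "$line" PROTO)
    spt=$(field "$line" SPT); spt=${spt:-0}
    dpt=$(field "$line" DPT); dpt=${dpt:-0}
    has_syn=0; has_ack=0
    case " $line " in *" SYN "*) has_syn=1 ;; esac
    case " $line " in *" ACK "*) has_ack=1 ;; esac
    if [ "$proto" = TCP ] && [ "$has_syn" -eq 1 ] && [ "$has_ack" -eq 1 ] \
       && [ "$spt" -lt 1024 ] && [ "$dpt" -ge 1024 ]; then
        echo blocked-reply
    elif [ "$proto" = UDP ] && [ "$spt" -eq 53 ]; then
        echo blocked-dns-reply
    elif [ "$proto" = TCP ] && [ "$has_syn" -eq 1 ] && [ "$has_ack" -eq 0 ]; then
        echo inbound-new
    else
        echo other
    fi
}

# Read an "iptables -S <chain>" dump on stdin; succeed if it accepts return traffic
# via either the older "-m state --state" or the newer "-m conntrack --ctstate" match.
# On a live host: iptables -S ufw-before-input | has_established_rule && echo present
has_established_rule() {
    grep -Eq -- '-A [^ ]+ .*--(state|ctstate) [^ ]*ESTABLISHED[^ ]* .*-j ACCEPT'
}

# Constructed sample: the line from the question, with the classification it yields.
SAMPLE='Aug 12 17:31:08 host kernel: [535454.665168] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=0.0.0.0 DST=0.0.0.0 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=41343 WINDOW=14480 RES=0x00 ACK SYN URGP=0'
classify_ufw_block "$SAMPLE"
```

Feed your own /var/log/ufw.log lines through classify_ufw_block; a stream of blocked-reply results alongside a failing has_established_rule check is the signature of the problem in the question.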
0

What worked for me, using Ubuntu here (14.04 and 14.10 at the time of this writing), comes from the following article: http://rene.bz/securing-your-web-server-blocking-outbound-connections/

iptables -A ufw-before-output -m owner --uid-owner root -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A ufw-before-output -m owner --uid-owner root -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

It might not be an ideal solution. But it does enable me to authorize apt commands on a per-user basis.

0

I had an issue with pptpd + ufw - requests to DNS were blocked even if I allowed port 53. Have you tried to open /etc/default/ufw and change the option "DEFAULT_FORWARD_POLICY" from "DROP" to "ACCEPT"? It did the trick for me.

Ivan Linko
0

These rules helped me to successfully get rate limiting on SSH, allow in/out http and https, enable git, and have apt and aptitude working no problem:

ufw default deny incoming
ufw default deny outgoing
ufw limit ssh
ufw allow svn
ufw allow git
ufw allow out http
ufw allow in http
ufw allow out https
ufw allow in https
ufw allow out 53
ufw logging on
ufw enable

Note: I did initiate these rules with a ufw reset FIRST in order to start fresh.

TWright