
I've got Ubuntu 16.04 and OpenVPN installed, and it seems to be working fine. But when I check the firewall rules using "sudo ufw status", I see this:

  Status: active

  To                         Action      From
  --                         ------      ----
  80                         ALLOW       Anywhere
  443                        ALLOW       Anywhere
  53                         ALLOW       Anywhere
  465                        ALLOW       Anywhere
  25                         ALLOW       Anywhere
  110                        ALLOW       Anywhere
  995                        ALLOW       Anywhere
  143                        ALLOW       Anywhere
  993                        ALLOW       Anywhere
  10025                      ALLOW       Anywhere
  10024                      ALLOW       Anywhere
  80 (v6)                    ALLOW       Anywhere (v6)
  443 (v6)                   ALLOW       Anywhere (v6)
  53 (v6)                    ALLOW       Anywhere (v6)
  465 (v6)                   ALLOW       Anywhere (v6)
  25 (v6)                    ALLOW       Anywhere (v6)
  110 (v6)                   ALLOW       Anywhere (v6)
  995 (v6)                   ALLOW       Anywhere (v6)
  143 (v6)                   ALLOW       Anywhere (v6)
  993 (v6)                   ALLOW       Anywhere (v6)
  10025 (v6)                 ALLOW       Anywhere (v6)
  10024 (v6)                 ALLOW       Anywhere (v6)

Port 1194 isn't mentioned at all! But when I use the netstat command "root@mail:~# netstat -anlp |grep 1194", I get this:

  udp        0      0 0.0.0.0:1194            0.0.0.0:*                           1142/openvpn

Also I have this file, created by the OpenVPN script, at /etc/systemd/system/openvpn-iptables.service, and I see this in it:

  [Unit]
  Before=network.target
  [Service]
  Type=oneshot
  ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to xx.249.16.253
  ExecStart=/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
  ExecStart=/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
  ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to xx.249.16.253
  ExecStop=/sbin/iptables -D INPUT -p udp --dport 1194 -j ACCEPT
  ExecStop=/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
  ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  RemainAfterExit=yes
  [Install]
  WantedBy=multi-user.target

So my question is... if port 1194 is open (is it?) with these iptables rules, then why don't I see it in ufw status?

papakota
  • `ufw` shows only the ufw configuration and any rules inserted directly in your firewall configuration (with `iptables` directly or another tool such as docker) without going through ufw are NOT displayed. - also see https://serverfault.com/q/696182/37681 – HBruijn Sep 19 '19 at 07:54

1 Answer

I expect that the confusion is coming because you are using both UFW and iptables. UFW is a front-end for iptables, but if you add rules outside it I expect that it can't recognise those rules.

Thus you are not seeing the iptables rules injected to handle your OpenVPN connection.

I expect that if you list the iptables rules you will see them. Try

  /sbin/iptables -vnL

This shows both the iptables and UFW rules (but in iptables form).

davidgo
  • And what exactly should I type in the terminal? sudo iptables -vnL? And how do I incorporate /sbin/ into the command? – papakota Sep 19 '19 at 05:03
  • "sudo /sbin/iptables -vnL" should do if you are not already root – davidgo Sep 19 '19 at 10:07
  • Probably this line in a very long output of that command is what you were asking for? ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1194 So does it mean that port 1194 udp is open for OpenVPN outside of UFW control? – papakota Sep 19 '19 at 11:14
  • Yes, that command will allow UDP traffic on port 1194 in and out of your device. I fully expect that is outside UFW control, but I can't advise with total certainty without knowing what chain it is in. – davidgo Sep 19 '19 at 22:24
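As an added example (this is not code from the question, the answer, or the OpenVPN script), the following Python script does the check the last comment points at: it parses `iptables -S` output, which lists the same rules `iptables -vnL` shows but in rule-spec form, and reports every rule in the built-in INPUT/FORWARD/OUTPUT chains that does not jump into a ufw-* chain. Those are exactly the rules `ufw status` never displays. It also checks whether an ACCEPT for a given port sits ahead of the ufw jumps in a chain, because a rule added with `-I` is evaluated before ufw's chains ever see the packet. The dump embedded below is constructed to resemble an Ubuntu 16.04 host with ufw plus the unit file above; it is not captured from a real machine, and the function names are chosen here.

```python
"""Audit which filter rules live outside ufw's own chains.

Added example, not part of the original question or answer. Parses the
output of `iptables -S` (rule-spec form of what `iptables -vnL` lists) and
reports rules in the built-in chains that do not hand off to a ufw-* chain.
"""
import shlex
import subprocess

BUILTIN_CHAINS = {"INPUT", "FORWARD", "OUTPUT"}

# Constructed sample of `iptables -S` output (not captured from a real host).
# The `-I INPUT ... --dport 1194` and `-I FORWARD ...` rules from the unit
# file land at the top of their chains, ahead of the jumps into ufw's chains.
SAMPLE_DUMP = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-before-input
-N ufw-before-forward
-N ufw-user-input
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -j ufw-before-input
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j ufw-before-forward
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 53 -j ACCEPT
"""


def parse_rules(dump):
    """Return a list of (chain, tokens) for every -A line, in listing order."""
    rules = []
    for line in dump.splitlines():
        tokens = shlex.split(line)
        if len(tokens) >= 2 and tokens[0] == "-A":
            rules.append((tokens[1], tokens[2:]))
    return rules


def target_of(tokens):
    """Return the -j target of a rule, or None if the rule has no target."""
    for i, tok in enumerate(tokens):
        if tok == "-j" and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def rules_outside_ufw(dump):
    """Rules in built-in chains that do not jump into a ufw-* chain.

    These are the rules `ufw status` will not show, because ufw only reports
    what it manages inside its own ufw-* chains.
    """
    found = []
    for chain, tokens in parse_rules(dump):
        if chain not in BUILTIN_CHAINS:
            continue
        target = target_of(tokens)
        if target is not None and target.startswith("ufw-"):
            continue
        found.append((chain, " ".join(tokens)))
    return found


def _matches_port(tokens, proto, port):
    """True if the rule selects protocol `proto` and destination port `port`."""
    try:
        return (tokens[tokens.index("-p") + 1] == proto
                and tokens[tokens.index("--dport") + 1] == str(port))
    except (ValueError, IndexError):
        return False


def accepted_before_ufw(dump, chain, proto, port):
    """True if an ACCEPT for proto/port sits in `chain` ahead of the ufw jumps.

    iptables walks a chain top-down, so a rule inserted with -I above the
    ufw-* jumps decides the packet's fate before ufw is consulted at all.
    """
    for rule_chain, tokens in parse_rules(dump):
        if rule_chain != chain:
            continue
        target = target_of(tokens)
        if target is not None and target.startswith("ufw-"):
            return False
        if target == "ACCEPT" and _matches_port(tokens, proto, port):
            return True
    return False


def live_dump():
    """Fetch the real rule set; needs root. Only used when run as a script."""
    return subprocess.run(["iptables", "-S"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    dump = SAMPLE_DUMP  # swap for live_dump() on a host where you are root
    for chain, rule in rules_outside_ufw(dump):
        print(f"outside ufw: {chain}: {rule}")
    print("udp/1194 accepted before ufw:",
          accepted_before_ufw(dump, "INPUT", "udp", 1194))
```

On the sample this lists the 1194 rule and the two FORWARD rules from the unit file as outside ufw, and reports that udp/1194 is accepted before ufw's chains run; port 53, which lives in ufw-user-input, is not matched in INPUT before the jump. On a real host run it with `sudo` and replace SAMPLE_DUMP with live_dump().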