ufw fails to add MASQUERADE rule

Bug #550976 reported by Theodotos Andreou on 2010-03-29
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ufw (Ubuntu)
Undecided
Jamie Strandboge

Bug Description

Binary package hint: ufw

I want to enable NAT (more precisely Masquerading) and I followed the example at "man ufw-framework"

root@server:~# tail /etc/ufw/before.rules

*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through eth0 - Change to match you out-interface
-A POSTROUTING -s 10.10.0.0/16 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

But when I run "ufw enable" I get:

root@wg:~# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init # <-- ** This is the error! **

And when I check the nat table there is nothing:

root@server:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination ion.

I am using Lucid beta server edit

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: ufw 0.30pre1-0ubuntu2
ProcVersionSignature: Ubuntu 2.6.32-17.26-generic-pae 2.6.32.10+drm33.1
Uname: Linux 2.6.32-17-generic-pae i686
Architecture: i386
Date: Mon Mar 29 18:43:07 2010
InstallationMedia: Ubuntu-Server 10.04 "Lucid Lynx" - Beta i386 (20100317)
PackageArchitecture: all
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: ufw

Theodotos Andreou (theodotos) wrote :
Theodotos Andreou (theodotos) wrote :

As a temporary workaround I added the following line:

iptables -t nat -A POSTROUTING -s 10.10.0.0/16 -o eth0 -j MASQUERADE

...in /etc/rc.local

Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better.

Can you please attach your /etc/ufw/before.rules file?

Changed in ufw (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
Theodotos Andreou (theodotos) wrote :

Thanks for replying. My /etc/ufw/before.rules:

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST, be sure the MULTICAST line above is uncommented
-A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -d 224.0.0.0/4 -j ACCEPT

#NAT rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through eth0 - Change to match you out-interface
-A POSTROUTING -s 10.10.0.0/16 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

Jamie Strandboge (jdstrand) wrote :

Theodotos,

You are missing a COMMIT line for the *filter table. Each table must have a COMMIT. Simply put on a line all by itself the word 'COMMIT' right before your '#NAT rules' comment, then it should work for you. Eg:

COMMIT
#NAT rules

Theodotos Andreou (theodotos) wrote :

You are right Jamie. Sorry for the false alarm!

Changed in ufw (Ubuntu):
status: Incomplete → Invalid
mk (miro-mkolar) wrote :

I have two COMMITs, and masquarading still does not work; for ufw version 0.30pre1-0ubuntu2 (lucid).

Also, my /etc/ufw/sysctl.conf file had slashes instead of dots in all option names:
After ufw installation I found in it:
   net/ipv4/ip_forward=1
   net/ipv6/conf.default/forwarding=1
   etc.
instead of the correct:
   net.ipv4.ip_forward=1
   net.ipv6.conf.default.forwarding=1
   etc.

mk (miro-mkolar) wrote :

After setting DEFAULT_INPUT_POLICY="ACCEPT" (default was DROP)
in /etc/default/ufw, everything finally works.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers