ufw fails to add MASQUERADE rule

Bug #550976 reported by Theodotos Andreou
Affects: ufw (Ubuntu)   Status: Invalid   Importance: Undecided   Assigned to: Jamie Strandboge   Milestone: (none)

Bug Description

Binary package hint: ufw

I want to enable NAT (more precisely, masquerading), and I followed the example in "man ufw-framework":

root@server:~# tail /etc/ufw/before.rules

*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through eth0 - Change to match your out-interface
-A POSTROUTING -s 10.10.0.0/16 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

But when I run "ufw enable" I get:

root@wg:~# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init # <-- ** This is the error! **

And when I check the nat table there is nothing:

root@server:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I am using the Lucid beta server edition.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: ufw 0.30pre1-0ubuntu2
ProcVersionSignature: Ubuntu 2.6.32-17.26-generic-pae 2.6.32.10+drm33.1
Uname: Linux 2.6.32-17-generic-pae i686
Architecture: i386
Date: Mon Mar 29 18:43:07 2010
InstallationMedia: Ubuntu-Server 10.04 "Lucid Lynx" - Beta i386 (20100317)
PackageArchitecture: all
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: ufw

Revision history for this message
Theodotos Andreou (theodotos) wrote :

As a temporary workaround I added the following line:

iptables -t nat -A POSTROUTING -s 10.10.0.0/16 -o eth0 -j MASQUERADE

...in /etc/rc.local

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better.

Can you please attach your /etc/ufw/before.rules file?

Changed in ufw (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
Revision history for this message
Theodotos Andreou (theodotos) wrote :

Thanks for replying. My /etc/ufw/before.rules:

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST, be sure the MULTICAST line above is uncommented
-A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -d 224.0.0.0/4 -j ACCEPT

#NAT rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through eth0 - Change to match your out-interface
-A POSTROUTING -s 10.10.0.0/16 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Theodotos,

You are missing a COMMIT line for the *filter table. Each table must have a COMMIT. Simply put the word 'COMMIT' on a line all by itself right before your '#NAT rules' comment, then it should work for you. E.g.:

COMMIT
#NAT rules
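
The rule Jamie states (every `*table` section in an iptables-restore-format file must be closed by its own `COMMIT`) is easy to check mechanically before running `ufw enable`. The following is an added example written for this page, not code from the bug report or from ufw itself. The `check_commits` function and the two sample rule files are assumptions constructed here: `broken_rules` reproduces the shape of the reporter's before.rules with the `*filter` section never committed, and `fixed_rules` is the same file with the missing `COMMIT` inserted.

```bash
#!/bin/sh
# Added example, not part of the bug report or of ufw. Checks that every
# iptables-restore table section (*filter, *nat, ...) in a rules file is
# terminated by its own COMMIT line. Reads the file(s) given as arguments,
# or stdin if none. Prints one line per table and exits non-zero if any
# table is left open or a COMMIT appears with no table before it.
check_commits() {
    awk '
        BEGIN { bad = 0; open = "" }
        # A new table header: the previous one must already be committed.
        /^\*/ {
            if (open != "") { printf "%s: missing COMMIT\n", open; bad = 1 }
            open = $1
            next
        }
        # COMMIT closes the table that is currently open.
        /^COMMIT[[:space:]]*$/ {
            if (open == "") { print "COMMIT without a preceding table"; bad = 1 }
            else           { printf "%s: ok\n", open }
            open = ""
            next
        }
        END {
            if (open != "") { printf "%s: missing COMMIT\n", open; bad = 1 }
            exit bad
        }
    ' "$@"
}

# Constructed sample (assumption): the reporter's layout, *filter never committed.
broken_rules() {
    cat <<'EOF'
*filter
:ufw-before-input - [0:0]
:ufw-before-forward - [0:0]
-A ufw-before-input -i lo -j ACCEPT

#NAT rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.0.0/16 -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Constructed sample (assumption): the same file with the COMMIT Jamie asked for.
fixed_rules() {
    cat <<'EOF'
*filter
:ufw-before-input - [0:0]
:ufw-before-forward - [0:0]
-A ufw-before-input -i lo -j ACCEPT
COMMIT

#NAT rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.0.0/16 -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Stand-alone run: the broken file is rejected, the fixed one accepted.
# Usage against a real file: check_commits /etc/ufw/before.rules
broken_rules | check_commits || echo "broken sample rejected (exit $?)"
fixed_rules  | check_commits && echo "fixed sample accepted"
```

Run it as `check_commits /etc/ufw/before.rules` before `ufw enable`; a `missing COMMIT` line explains the otherwise opaque `ERROR: problem running ufw-init`. The check is purely structural: it does not validate rule syntax, so on newer iptables `iptables-restore --test` (which parses without committing, but needs root and the relevant kernel modules) remains the authoritative test.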

Revision history for this message
Theodotos Andreou (theodotos) wrote :

You are right Jamie. Sorry for the false alarm!

Changed in ufw (Ubuntu):
status: Incomplete → Invalid
Revision history for this message
mk (miro-mkolar) wrote :

I have two COMMITs, and masquerading still does not work; for ufw version 0.30pre1-0ubuntu2 (lucid).

Also, my /etc/ufw/sysctl.conf file had slashes instead of dots in all option names:
After ufw installation I found in it:
   net/ipv4/ip_forward=1
   net/ipv6/conf.default/forwarding=1
   etc.
instead of the correct:
   net.ipv4.ip_forward=1
   net.ipv6.conf.default.forwarding=1
   etc.

Revision history for this message
mk (miro-mkolar) wrote :

After setting DEFAULT_INPUT_POLICY="ACCEPT" (default was DROP)
in /etc/default/ufw, everything finally works.
