
I have an Ubuntu 22.04 server with OpenVPN running and I want to filter access between clients on the tun0 interface with UFW.

As far as I know this all has to do with the FORWARD chain within UFW.

Managing rules like allowing SSH on the INPUT chain works properly.

/etc/default/ufw

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=no

# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="DROP"

# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"

# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="DROP"

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=yes

#
# IPT backend
#
# only enable if using iptables backend
#IPT_SYSCTL=/etc/ufw/sysctl.conf

# Extra connection tracking modules to load. IPT_MODULES should typically be
# empty for new installations and modules added only as needed. See
# 'CONNECTION HELPERS' from 'man ufw-framework' for details. Complete list can
# be found in net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
# nf_conntrack_sane: sane support
IPT_MODULES=""

sysctl -p

net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0

ufw status

Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
1394/udp                   ALLOW       Anywhere

10.24.0.101                DENY FWD    10.24.0.100 on tun0
10.24.0.100                DENY FWD    10.24.0.101 on tun0

iptables -L ufw-user-forward

Chain ufw-user-forward (1 references)
target     prot opt source               destination
DROP       all  --  10.24.0.100          10.24.0.101
DROP       all  --  10.24.0.101          10.24.0.100

ping 10.24.0.101 from 10.24.0.100

PING 10.24.0.101 (10.24.0.101) 56(84) bytes of data.
64 bytes from 10.24.0.101: icmp_seq=1 ttl=127 time=9.04 ms
64 bytes from 10.24.0.101: icmp_seq=2 ttl=127 time=11.1 ms

dmesg | grep tun0

[  614.626053] [UFW AUDIT] IN=tun0 OUT=tun0 MAC= SRC=10.24.0.100 DST=10.24.0.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=6816 DF PROTO=ICMP TYPE=8 CODE=0 ID=39 SEQ=1

No matter what I do or try, there is no filtering at all on the tun0 interface.

EDIT:

Just found out that it is UFW-related: when using iptables and iptables only, filtering works on the FORWARD chain.

I want to use UFW, though.
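A worked check, added here and not part of the original question: the `iptables -L ufw-user-forward` listing above hides the interface columns and packet counters, while `iptables -L -v -n` shows both, and the Python below parses that output and traces a packet through ufw's FORWARD chain tree in the order the kernel evaluates it. The listing it runs on is a constructed sample in ufw's layout (the trailing after/reject/track chains are left out and the counters are invented), not output from the server in the question. It reproduces one fact about ufw that matters for the ping test above: /etc/ufw/before.rules accepts ICMP echo-request in ufw-before-forward before the jump to ufw-user-forward, so a `route deny` rule is never consulted for a ping. The tracer shows that packet accepted there while a TCP packet between the same two clients reaches the DROP. The two packets traced are assumptions made for the example.

```python
# Added example: trace a packet through ufw's FORWARD chain tree as printed by
# `iptables -L -v -n`.  Only the matches ufw's default rules use are understood.
import ipaddress
import re
from collections import namedtuple

# Constructed sample in ufw's layout (not captured from the poster's server):
# two `ufw route deny in on tun0` rules plus the ICMP accepts (types 3 and 8
# shown) that /etc/ufw/before.rules installs in ufw-before-forward ahead of the
# jump to ufw-user-forward.  Counters are invented; after/reject/track omitted.
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  1008 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   12  1008 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12  1008 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "[UFW AUDIT] "

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
   12  1008 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  tun0   *       10.24.0.100          10.24.0.101
    0     0 DROP       all  --  tun0   *       10.24.0.101          10.24.0.100
"""

Rule = namedtuple("Rule", "target prot iface_in iface_out src dst extras")
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+))?")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_listing(text):
    """Parse `iptables -L -v -n` output into {name: {"policy": str, "rules": [Rule]}}."""
    chains, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = CHAIN_RE.match(line)
        if m:
            current = chains[m.group(1)] = {"policy": m.group(2) or "", "rules": []}
        elif line and not line.startswith("pkts"):
            # columns: pkts bytes target prot opt in out source destination [matches]
            f = line.split(None, 9)
            current["rules"].append(Rule(f[2], f[3], f[5], f[6], f[7], f[8], f[9] if len(f) > 9 else ""))
    return chains

def _in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def rule_matches(rule, pkt):
    """True if every selector on the rule matches the packet ('all' and '*' are wildcards)."""
    if rule.prot not in ("all", pkt["proto"]):
        return False
    if rule.iface_in not in ("*", pkt["in"]) or rule.iface_out not in ("*", pkt["out"]):
        return False
    if not (_in_net(pkt["src"], rule.src) and _in_net(pkt["dst"], rule.dst)):
        return False
    toks = rule.extras.split()
    for i, tok in enumerate(toks):
        if tok == "icmptype" and str(pkt.get("icmptype")) != toks[i + 1]:
            return False
        if tok == "ctstate" and pkt.get("ctstate", "NEW") not in toks[i + 1].split(","):
            return False
    return True

def _walk(chains, name, pkt, path):
    for rule in chains[name]["rules"]:
        if not rule_matches(rule, pkt):
            continue
        if rule.target in TERMINAL:
            path.append(f"{name}: {rule.target}")
            return rule.target
        if rule.target in chains:          # jump; None means the sub-chain returned
            verdict = _walk(chains, rule.target, pkt, path)
            if verdict:
                return verdict
        else:                              # LOG and other non-terminating targets
            path.append(f"{name}: {rule.target}")
    return None

def trace(chains, pkt, chain="FORWARD"):
    """Return (verdict, path): the first terminating target hit, else the chain policy."""
    path = []
    return (_walk(chains, chain, pkt, path) or chains[chain]["policy"]), path

# Packets assumed for the example: the ping from the question, and a TCP packet
# between the same two VPN clients (no port match is needed to reach the DROP).
PING = {"proto": "icmp", "icmptype": 8, "in": "tun0", "out": "tun0", "src": "10.24.0.100", "dst": "10.24.0.101"}
TCP = {"proto": "tcp", "in": "tun0", "out": "tun0", "src": "10.24.0.100", "dst": "10.24.0.101"}

if __name__ == "__main__":
    chains = parse_listing(SAMPLE)
    for label, pkt in (("icmp echo-request", PING), ("tcp", TCP)):
        verdict, path = trace(chains, pkt)
        print(f"{label}: {verdict}  ({' -> '.join(path)})")
```

To use it on a live box, save the output of `sudo iptables -L -v -n` to a file and pass its contents to parse_listing in place of SAMPLE. Two caveats when reading the result: a DROP rule in ufw-user-forward whose counter stays at zero while [UFW AUDIT] lines show the packet means something earlier in the tree accepted it; and if OpenVPN's client-to-client option is set, traffic between clients is switched inside the OpenVPN process and never enters the kernel's FORWARD chain at all, so no iptables or ufw rule can see it.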
