TLDR: I'm trying to block SSH connections to a server; the server itself is connected to an Ubuntu router with UFW on it, but external SSH connections to the server aren't getting denied. UFW doesn't work.
Some context: I've been trying to set up a Linux network with QEMU/KVM in virt-manager. There is a router with UFW on it, which connects via interfaces to a guest network (192.168.150.0/24), an isolated network (192.168.100.0/24), and the Internet (192.168.144.0/24). The UFW rules on the router are:
~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
192.168.100.102 22         DENY IN     Anywhere
192.168.144.0/24 22        ALLOW IN    Anywhere
192.168.150.0/24           ALLOW IN    Anywhere
Anywhere                   ALLOW IN    192.168.150.0/24
192.168.150.0/24           ALLOW IN    192.168.100.0/24
192.168.100.0/24           ALLOW IN    192.168.150.0/24
In the isolated network, there is a server with an IP address of 192.168.100.102. I've scanned it with nmap from the guest network (which is 192.168.150.0/24) to find any open ports, and found out that SSH was open:
~$ nmap -p 0-65535 192.168.100.102
Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-22 13:35
Nmap scan report for 192.168.100.102
Host is up (0.00015s latency).
Not shown: 65535 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 1 IP address (1 host up) scanned in 1.37 seconds
I restarted UFW and iptables; it didn't work.

sudo ufw reload
sudo service iptables restart
I added some NAT rules to the beginning of the /etc/ufw/before.rules file when I set up the network; maybe they are the issue?
# NAT table rules
*nat
:PREROUTING ACCEPT [150:14925]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [131:11640]
-A POSTROUTING -s 192.168.150.0/24 -j MASQUERADE
COMMIT
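The following is an added example, not part of the original post, that models why the rules shown above never touch the SSH traffic. Every rule in that `ufw status` output is an `IN` rule, which ufw places in its `ufw-user-input` chain, i.e. the INPUT path for packets addressed to the router itself. An SSH connection from 192.168.150.0/24 to 192.168.100.102 is not addressed to the router; it is forwarded through it, so it is decided by the FORWARD path: the `allow (routed)` default plus any `ufw route ...` rules (chain `ufw-user-forward`). The script below reproduces that chain selection and first-match evaluation in plain Python and then shows the effect of adding a routed deny rule, which on the router would be `sudo ufw route deny proto tcp from 192.168.150.0/24 to 192.168.100.102 port 22`, or alternatively `sudo ufw default deny routed` followed by explicit `ufw route allow` rules. The router's interface addresses (the `.1` hosts) and the guest client address are assumptions; the post does not give them. The model ignores the RELATED/ESTABLISHED accept rules in `before.rules`, which do not match a new SSH SYN anyway.

```python
"""
Model of Netfilter chain selection (INPUT vs FORWARD) and ufw rule placement.
Added example, not code from the original post or from the ufw project.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed router addresses on its three interfaces (not given in the post).
ROUTER_ADDRS = {ip_address(a) for a in ("192.168.150.1", "192.168.100.1", "192.168.144.1")}

# Mirrors "Default: deny (incoming), allow (outgoing), allow (routed)".
DEFAULTS = {"input": "deny", "forward": "allow"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    chain: str                 # "input" for `ufw allow/deny in`, "forward" for `ufw route ...`
    action: str                # "allow" or "deny"
    src: str = "0.0.0.0/0"     # "Anywhere"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def chain_for(pkt: Packet) -> str:
    """Packets addressed to the router hit INPUT; everything else (with
    ip_forward=1, which ufw's sysctl.conf sets) is forwarded."""
    return "input" if ip_address(pkt.dst) in ROUTER_ADDRS else "forward"


def verdict(pkt: Packet, rules: list[Rule], defaults: dict[str, str] = DEFAULTS) -> tuple[str, str]:
    """First matching rule in the packet's chain wins; otherwise the chain's default policy."""
    chain = chain_for(pkt)
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt):
            return chain, rule.action
    return chain, defaults[chain]


# The six rules from the post, in the order `ufw status` lists them.
# All are `IN` rules, so all live in the input chain.
POST_RULES = [
    Rule("input", "deny",  dst="192.168.100.102", dport=22),
    Rule("input", "allow", dst="192.168.144.0/24", dport=22),
    Rule("input", "allow", dst="192.168.150.0/24"),
    Rule("input", "allow", src="192.168.150.0/24"),
    Rule("input", "allow", src="192.168.100.0/24", dst="192.168.150.0/24"),
    Rule("input", "allow", src="192.168.150.0/24", dst="192.168.100.0/24"),
]

# Fix: a routed rule, as created by
#   sudo ufw route deny proto tcp from 192.168.150.0/24 to 192.168.100.102 port 22
FIXED_RULES = [Rule("forward", "deny", src="192.168.150.0/24", dst="192.168.100.102", dport=22)] + POST_RULES

# Alternative fix: `sudo ufw default deny routed` (then allow what you need with `ufw route allow`).
DENY_ROUTED = {"input": "deny", "forward": "deny"}

# Constructed sample traffic: SSH from an assumed guest-network client to the server.
SSH_FROM_GUEST = Packet("192.168.150.50", "192.168.100.102", 22)

if __name__ == "__main__":
    print("post rules  :", verdict(SSH_FROM_GUEST, POST_RULES))              # ('forward', 'allow')
    print("route deny  :", verdict(SSH_FROM_GUEST, FIXED_RULES))             # ('forward', 'deny')
    print("deny routed :", verdict(SSH_FROM_GUEST, POST_RULES, DENY_ROUTED))  # ('forward', 'deny')
```

To confirm which chain a rule actually landed in on the router, `sudo iptables -L ufw-user-input -n -v` versus `sudo iptables -L ufw-user-forward -n -v` shows the placement and the packet counters; a rule whose counter never moves while the nmap scan runs is in the wrong chain. Reloading UFW or "restarting iptables" does not change where a rule is placed.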