
wireguard + ufw = unable to limit access to specific port


So I'm trying to limit access to port 5432 (postgres) using ufw and am unable to do so. The connection is still allowed:

sudo ufw deny 5432/tcp
sudo ufw route deny in on wg0 from 10.0.10.2
root@vpn-prod:/home/ubuntu# ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                  
51820/udp                  ALLOW IN    Anywhere                  
22/tcp (v6)                ALLOW IN    Anywhere (v6)             
51820/udp (v6)             ALLOW IN    Anywhere (v6)             

5432/tcp                   DENY OUT    Anywhere                  
5432/tcp (v6)              DENY OUT    Anywhere (v6)             

Anywhere                   DENY FWD    10.0.10.2 on wg0 

So I connect from the WireGuard client to the server. From there, there is an internal IP, 10.120.0.149, that runs postgres.

Below is tcpdump on the server:

root@vpn-prod:/var/log# sudo tcpdump -envi wg0: net 10.120.0.0/16
tcpdump: listening on wg0:, link-type RAW (Raw IP), capture size 262144 bytes
21:36:18.948194 ip: (tos 0x0, ttl 64, id 23874, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.10.2.37056 > 10.120.0.149.5432: Flags [S], cksum 0xd974 (correct), seq 3860575203, win 64860, options [mss 1380,sackOK,TS val 2547481248 ecr 0,nop,wscale 7], length 0
21:36:18.948370 ip: (tos 0x0, ttl 254, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    10.120.0.149.5432 > 10.0.10.2.37056: Flags [S.], cksum 0x7eb2 (correct), seq 888276479, ack 3860575204, win 28960, options [mss 1460,sackOK,TS val 2284266370 ecr 2547481248,nop,wscale 10], length 0
21:36:18.979477 ip: (tos 0x0, ttl 64, id 23875, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.10.2.37056 > 10.120.0.149.5432: Flags [.], cksum 0x1c88 (correct), ack 1, win 507, options [nop,nop,TS val 2547481279 ecr 2284266370], length 0
21:36:18.986946 ip: (tos 0x0, ttl 64, id 23876, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.10.2.37056 > 10.120.0.149.5432: Flags [P.], cksum 0x0167 (correct), seq 1:9, ack 1, win 507, options [nop,nop,TS val 2547481287 ecr 2284266370], length 8
21:36:18.987075 ip: (tos 0x0, ttl 254, id 35821, offset 0, flags [DF], proto TCP (6), length 52)
    10.120.0.149.5432 > 10.0.10.2.37056: Flags [.], cksum 0x1e30 (correct), ack 9, win 29, options [nop,nop,TS val 2284266408 ecr 2547481287], length 0


I see nothing in ufw.log for the IPs 10.0.10.2 (WireGuard peer) or 10.120.0.149 (postgres). It looks like ufw is doing nothing for traffic on the wg0 interface.

root@vpn-prod:/var/log# ip -brief a s
lo               UNKNOWN        127.0.0.1/8 ::1/128 
ens5             UP             10.120.101.242/22 fe80::30:deff:feb2:dc11/64 
wg0              UNKNOWN        10.0.10.1/32

root@vpn-prod:/var/log# wg show
interface: wg0
  public key: HIDDEN
  private key: (hidden)
  listening port: 51820

peer: HIDDEN....=
  preshared key: (hidden)
  endpoint: 71.200.111.100:51820
  allowed ips: 10.0.10.2/32
  latest handshake: 55 seconds ago
  transfer: 56.29 KiB received, 143.69 KiB sent
  persistent keepalive: every 25 seconds

My iptables:

root@vpn-prod:/var/log# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 6139  581K ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 6139  581K ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  373 39936 ACCEPT     all  --  wg0    *       0.0.0.0/0            0.0.0.0/0           
  271  125K ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  271  125K ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 4792  999K ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 4792  999K ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  188 13856 ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  188 13856 ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  188 13856 ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  188 13856 ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
    0     0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
    0     0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   26  2241 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  271  125K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  262 22619 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 5819  555K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    9   252 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    9   252 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
   36  2310 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
   13  1012 ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
   13  1012 ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT] "

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   37  2751 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT] "

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   40  3296 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT] "

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  262 22619 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
 4342  962K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  188 13856 ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    2    56 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT INVALID] "
    2    56 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   13  1012 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  106  6360 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
   81  7412 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  wg0    *       10.0.10.2            0.0.0.0/0           

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5432
root@vpn-prod:/var/log#

wg0.conf on the server:

root@vpn-prod:/var/log# cat /etc/wireguard/wg0.conf 
[Interface]
Address = 10.0.10.1/32
PrivateKey = HIDDEN

ListenPort = 51820
PostUp = sysctl -w -q net.ipv4.ip_forward=1
PostUp = sysctl -w -q net.ipv6.conf.all.forwarding=1
PostUp = iptables -P FORWARD DROP
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
PostUp = ip6tables -P FORWARD DROP
PostUp = ip6tables -A FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
PostDown = sysctl -w -q net.ipv4.ip_forward=0
PostDown = sysctl -w -q net.ipv6.conf.all.forwarding=0
PostDown = iptables -P FORWARD ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE
PostDown = ip6tables -P FORWARD ACCEPT
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o ens5 -j MASQUERADE

[Peer]
# friendly_name = my-desktop
PublicKey = HIDDEN
PresharedKey = HIDDEN
AllowedIPs = 10.0.10.2/32
PersistentKeepalive = 25

root@vpn-prod:/var/log#

I also tried the following, but it didn't work either:

ufw route deny in on wg0 to 10.120.0.0/16 from any
ufw route deny to 10.120.0.0/16 from any
ufw route deny in on ens5 to 10.120.0.0/16 from any
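A diagnostic for the output above, added here as an example; it is not part of the original post. iptables walks a chain top to bottom and the first terminating match wins. The first rule in the FORWARD chain in the question is `ACCEPT all -- wg0 *` (the `iptables -A FORWARD -i wg0 -j ACCEPT` PostUp line in wg0.conf), and its counter already shows 373 packets, while the `DROP ... wg0 10.0.10.2` rule in `ufw-user-forward` shows 0. Every packet arriving on wg0 is accepted before any ufw chain runs, so the `ufw route deny` rules never see it, and neither does the `[UFW BLOCK]` logging in `ufw-after-logging-forward`, which is why ufw.log stays empty for these addresses. The `5432/tcp DENY OUT` rule lives in `ufw-user-output`, which only locally generated packets traverse, so it cannot affect forwarded traffic either. The script below parses the text of the FORWARD chain (the sample is copied from the post) to flag such a bypass, and `apply_fix` shows the assumed remediation: remove the PostUp ACCEPT and express the same policy as ordered `ufw route` rules, with the specific deny added before the general allow. The `ens5` out interface, the 10.120.0.149 database address and the port are taken from the post; that `ufw route allow in on wg0 out on ens5` is the intended forwarding policy is an assumption.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post. Feed it the FORWARD chain
# from `iptables -L FORWARD -n -v` and it reports the input interface of the
# first blanket ACCEPT that sits ahead of ufw-before-forward. The first
# terminating match in a chain wins, so such a rule means no `ufw route`
# rule is ever consulted for traffic arriving on that interface.

# Constructed sample: the FORWARD chain copied from the post above.
FORWARD_CHAIN='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  373 39936 ACCEPT     all  --  wg0    *       0.0.0.0/0            0.0.0.0/0
  271  125K ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  271  125K ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# bypass_iface CHAIN_TEXT
# Prints the "in" column of the first unconditional ACCEPT (any protocol,
# any source, any destination) that precedes ufw-before-forward, or "none"
# when ufw's chain is reached first.
bypass_iface() {
    printf '%s\n' "$1" | awk '
        NR <= 2 { next }                      # "Chain ..." and column header
        $3 == "ufw-before-forward" { print "none"; hit = 1; exit }
        $3 == "ACCEPT" && $4 == "all" && $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" {
            print $6; hit = 1; exit           # $6 is the "in" column
        }
        END { if (!hit) print "none" }'
}

# bypass_pkts CHAIN_TEXT
# Packet counter of that same rule: non-zero shows traffic is actually
# taking the bypass, not merely that the rule would permit it.
bypass_pkts() {
    printf '%s\n' "$1" | awk '
        NR <= 2 { next }
        $3 == "ufw-before-forward" { print 0; hit = 1; exit }
        $3 == "ACCEPT" && $4 == "all" && $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" {
            print $1; hit = 1; exit           # $1 is the pkts column
        }
        END { if (!hit) print 0 }'
}

# apply_fix DB_IP
# Assumed remediation, to be run as root on the VPN server after deleting the
# "iptables -A FORWARD -i wg0 -j ACCEPT" PostUp/PostDown lines from wg0.conf
# (ufw's "deny (routed)" default already sets the FORWARD policy to DROP).
# ufw keeps route rules in the order they were added, so the specific deny
# goes in before the general allow. DB_IP is the postgres host.
apply_fix() {
    db_ip="$1"
    iptables -D FORWARD -i wg0 -j ACCEPT 2>/dev/null || true   # remove the bypass if still loaded
    ufw route deny in on wg0 proto tcp from any to "$db_ip" port 5432
    ufw route allow in on wg0 out on ens5
}

iface=$(bypass_iface "$FORWARD_CHAIN")
if [ "$iface" != "none" ]; then
    echo "FORWARD: blanket ACCEPT on '$iface' ($(bypass_pkts "$FORWARD_CHAIN") pkts) precedes ufw-before-forward; ufw route rules never run"
else
    echo "FORWARD: ufw-before-forward is reached first; ufw route rules are in effect"
fi
```

On the server itself, run `bypass_iface "$(iptables -L FORWARD -n -v)"`. After `apply_fix 10.120.0.149`, `ufw status verbose` should show the 5432 deny listed above the wg0 allow in the routed section, the `DENY FWD` counter in `iptables -L ufw-user-forward -n -v` should start climbing when the client retries, and the SYN to 10.120.0.149.5432 in the tcpdump above should no longer be answered with a SYN/ACK.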