networking - Block All Traffic on Specific Interface - Ask Ubuntu
I am trying to block traffic on a specific interface (which is an external wireless adapter) except browsing, using ufw:
sudo ufw enable
sudo ufw deny out on wlx00252245ed96
sudo ufw allow out on wlx00252245ed96 from any port 80 proto tcp
sudo ufw allow out on wlx00252245ed96 from any port 80 proto udp
sudo ufw allow out on wlx00252245ed96 from any port 443 proto tcp
sudo ufw allow out on wlx00252245ed96 from any port 443 proto udp
However, I still can not browse! Am I missing something?
Here is the ufw status:
~$ sudo ufw status
status: active

to               action      from
--               ------      ----
anywhere         deny out    anywhere on wlx00252245ed96
anywhere         allow out   80/tcp on wlx00252245ed96
anywhere         allow out   80/udp on wlx00252245ed96
anywhere         allow out   443/tcp on wlx00252245ed96
anywhere         allow out   443/udp on wlx00252245ed96
anywhere (v6)    deny out    anywhere (v6) on wlx00252245ed96
anywhere (v6)    allow out   80/tcp (v6) on wlx00252245ed96
anywhere (v6)    allow out   80/udp (v6) on wlx00252245ed96
anywhere (v6)    allow out   443/tcp (v6) on wlx00252245ed96
anywhere (v6)    allow out   443/udp (v6) on wlx00252245ed96
And here is iptables -L -v:
chain input (policy drop 1 packets, 32 bytes)
 pkts bytes target prot opt in out source destination
 2329 780k accept udp -- ens33 anywhere anywhere udp dpt:bootps
 0 0 accept tcp -- ens33 anywhere anywhere tcp dpt:bootps
 232 14695 accept udp -- ens33 anywhere anywhere udp dpt:domain
 0 0 accept tcp -- ens33 anywhere anywhere tcp dpt:domain
 13379 3073k ufw-before-logging-input -- anywhere anywhere
 13379 3073k ufw-before-input -- anywhere anywhere
 787 782k ufw-after-input -- anywhere anywhere
 761 779k ufw-after-logging-input -- anywhere anywhere
 761 779k ufw-reject-input -- anywhere anywhere
 761 779k ufw-track-input -- anywhere anywhere

chain forward (policy drop 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 10621 1128k accept -- ens33 anywhere 10.42.0.0/24 state related,established
 845 89027 accept -- ens33 10.42.0.0/24 anywhere
 0 0 accept -- ens33 ens33 anywhere anywhere
 0 0 reject -- ens33 anywhere anywhere reject-with icmp-port-unreachable
 0 0 reject -- ens33 anywhere anywhere reject-with icmp-port-unreachable
 8 528 ufw-before-logging-forward -- anywhere anywhere
 8 528 ufw-before-forward -- anywhere anywhere
 8 528 ufw-after-forward -- anywhere anywhere
 8 528 ufw-after-logging-forward -- anywhere anywhere
 8 528 ufw-reject-forward -- anywhere anywhere
 8 528 ufw-track-forward -- anywhere anywhere

chain output (policy accept 1 packets, 48 bytes)
 pkts bytes target prot opt in out source destination
 22932 2072k ufw-before-logging-output -- anywhere anywhere
 22932 2072k ufw-before-output -- anywhere anywhere
 920 162k ufw-after-output -- anywhere anywhere
 920 162k ufw-after-logging-output -- anywhere anywhere
 920 162k ufw-reject-output -- anywhere anywhere
 920 162k ufw-track-output -- anywhere anywhere

chain ufw-after-forward (1 references)
 pkts bytes target prot opt in out source destination

chain ufw-after-input (1 references)
 pkts bytes target prot opt in out source destination
 6 468 ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
 1 229 ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
 0 0 ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
 0 0 ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
 0 0 ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
 0 0 ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
 0 0 ufw-skip-to-policy-input -- anywhere anywhere addrtype match dst-type broadcast

chain ufw-after-logging-forward (1 references)
 pkts bytes target prot opt in out source destination
 0 0 log -- anywhere anywhere limit: avg 3/min burst 10 log level warning prefix "[ufw block] "

chain ufw-after-logging-input (1 references)
 pkts bytes target prot opt in out source destination
 1 32 log -- anywhere anywhere limit: avg 3/min burst 10 log level warning prefix "[ufw block] "

chain ufw-after-logging-output (1 references)
 pkts bytes target prot opt in out source destination

chain ufw-after-output (1 references)
 pkts bytes target prot opt in out source destination

chain ufw-before-forward (1 references)
 pkts bytes target prot opt in out source destination
 0 0 accept -- anywhere anywhere ctstate related,established
 0 0 accept icmp -- anywhere anywhere icmp destination-unreachable
 0 0 accept icmp -- anywhere anywhere icmp source-quench
 0 0 accept icmp -- anywhere anywhere icmp time-exceeded
 0 0 accept icmp -- anywhere anywhere icmp parameter-problem
 0 0 accept icmp -- anywhere anywhere icmp echo-request
 0 0 ufw-user-forward -- anywhere anywhere

chain ufw-before-input (1 references)
 pkts bytes target prot opt in out source destination
 49 3100 accept -- lo anywhere anywhere
 5 803 accept -- anywhere anywhere ctstate related,established
 0 0 ufw-logging-deny -- anywhere anywhere ctstate invalid
 0 0 drop -- anywhere anywhere ctstate invalid
 0 0 accept icmp -- anywhere anywhere icmp destination-unreachable
 0 0 accept icmp -- anywhere anywhere icmp source-quench
 0 0 accept icmp -- anywhere anywhere icmp time-exceeded
 0 0 accept icmp -- anywhere anywhere icmp parameter-problem
 0 0 accept icmp -- anywhere anywhere icmp echo-request
 1 360 accept udp -- anywhere anywhere udp spt:bootps dpt:bootpc
 8 729 ufw-not-local -- anywhere anywhere
 0 0 accept udp -- anywhere 224.0.0.251 udp dpt:mdns
 0 0 accept udp -- anywhere 239.255.255.250 udp dpt:1900
 8 729 ufw-user-input -- anywhere anywhere

chain ufw-before-logging-forward (1 references)
 pkts bytes target prot opt in out source destination

chain ufw-before-logging-input (1 references)
 pkts bytes target prot opt in out source destination

chain ufw-before-logging-output (1 references)
 pkts bytes target prot opt in out source destination

chain ufw-before-output (1 references)
 pkts bytes target prot opt in out source destination
 49 3100 accept -- lo anywhere anywhere
 13 2099 accept -- anywhere anywhere ctstate related,established
 67 8696 ufw-user-output -- anywhere anywhere

chain ufw-logging-allow (0 references)
 pkts bytes target prot opt in out source destination
 0 0 log -- anywhere anywhere limit: avg 3/min burst 10 log level warning prefix "[ufw allow] "

chain ufw-logging-deny (2 references)
 pkts bytes target prot opt in out source destination
 0 0 return -- anywhere anywhere ctstate invalid limit: avg 3/min burst 10
 0 0 log -- anywhere anywhere limit: avg 3/min burst 10 log level warning prefix "[ufw block] "

chain ufw-not-local (1 references)
 pkts bytes target prot opt in out source destination
 0 0 return -- anywhere anywhere addrtype match dst-type local
 1 32 return -- anywhere anywhere addrtype match dst-type multicast
 7 697 return -- anywhere anywhere addrtype match dst-type broadcast
 0 0 ufw-logging-deny -- anywhere anywhere limit: avg 3/min burst 10
 0 0 drop -- anywhere anywhere

chain ufw-reject-forward (1 references)
 pkts bytes target prot opt in out source destination

chain ufw-reject-input (1 references)
 pkts bytes target prot opt in out source destination

chain ufw-reject-output (1 references)
 pkts bytes target prot opt in out source destination

chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target prot opt in out source destination
 0 0 drop -- anywhere anywhere

chain ufw-skip-to-policy-input (7 references)
 pkts bytes target prot opt in out source destination
 7 697 drop -- anywhere anywhere

chain ufw-skip-to-policy-output (0 references)
 pkts bytes target prot opt in out source destination
 0 0 accept -- anywhere anywhere

chain ufw-track-forward (1 references)
 pkts bytes target prot opt in out source destination

chain ufw-track-input (1 references)
 pkts bytes target prot opt in out source destination

chain ufw-track-output (1 references)
 pkts bytes target prot opt in out source destination
 0 0 accept tcp -- anywhere anywhere ctstate new
 6 1968 accept udp -- anywhere anywhere ctstate new

chain ufw-user-forward (1 references)
 pkts bytes target prot opt in out source destination

chain ufw-user-input (1 references)
 pkts bytes target prot opt in out source destination

chain ufw-user-limit (0 references)
 pkts bytes target prot opt in out source destination
 0 0 log -- anywhere anywhere limit: avg 3/min burst 5 log level warning prefix "[ufw limit block] "
 0 0 reject -- anywhere anywhere reject-with icmp-port-unreachable

chain ufw-user-limit-accept (0 references)
 pkts bytes target prot opt in out source destination
 0 0 accept -- anywhere anywhere

chain ufw-user-logging-forward (0 references)
 pkts bytes target prot opt in out source destination

chain ufw-user-logging-input (0 references)
 pkts bytes target prot opt in out source destination

chain ufw-user-logging-output (0 references)
 pkts bytes target prot opt in out source destination

chain ufw-user-output (1 references)
 pkts bytes target prot opt in out source destination
 59 6632 drop -- wlx00252245ed96 anywhere anywhere
 0 0 accept tcp -- wlx00252245ed96 anywhere anywhere tcp spt:http
 0 0 accept udp -- wlx00252245ed96 anywhere anywhere udp spt:http
 0 0 accept tcp -- wlx00252245ed96 anywhere anywhere tcp spt:https
 0 0 accept udp -- wlx00252245ed96 anywhere anywhere udp spt:https
There are at least 2 problems. First, the overall deny rule precedes the specific allow rules, and therefore the allow rules are never hit. Second, the allow rules are based on the source port; they need to be based on the destination port.
As a side note, for what you want you do not need UDP.
For proper operation, there are potentially other issues. For example, you need to allow port 53 for DNS services (both TCP and UDP).
So (and as a disclaimer, I do not use ufw, I use iptables, so I am guessing at the syntax):
# specific allow rules first, the catch-all deny last
sudo ufw allow out on wlx00252245ed96 to any port 80 proto tcp
sudo ufw allow out on wlx00252245ed96 to any port 443 proto tcp
sudo ufw deny out on wlx00252245ed96
In iptables you want allow rules like these (taken from my test computer; I can not add the drop rule to the example because it would break my test computer):
chain output (policy accept 55 packets, 3244 bytes)
 pkts bytes target prot opt in out source destination
 0 0 accept tcp -- * enp9s0 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
 0 0 accept tcp -- * enp9s0 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
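As an added check (example code, not from the question or the answer), a small POSIX shell and awk lint that applies the answer's three points to an `iptables -L -v` listing of the ufw-user-output chain: a catch-all deny ahead of the allows, allows matched on spt: instead of dpt:, and no allow for DNS on port 53. Both sample chains are constructed, the bad one mirroring the asker's chain and the good one the corrected order.

```shell
# Added example, not code from the question or the answer: lint the
# ufw-user-output chain of an `iptables -L -v` listing for the three points the
# answer raises: a catch-all deny ahead of the allows, allows matched on spt:
# instead of dpt:, and no allow for DNS on port 53.

# Constructed sample: the asker's chain, shortened to the two TCP allows.
SAMPLE_BAD='Chain ufw-user-output (1 references)
 pkts bytes target prot opt in out source destination
 59 6632 DROP all -- * wlx00252245ed96 anywhere anywhere
 0 0 ACCEPT tcp -- * wlx00252245ed96 anywhere anywhere tcp spt:http
 0 0 ACCEPT tcp -- * wlx00252245ed96 anywhere anywhere tcp spt:https'

# Constructed sample: the same chain after the answer's corrections.
SAMPLE_GOOD='Chain ufw-user-output (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT udp -- * wlx00252245ed96 anywhere anywhere udp dpt:domain
 0 0 ACCEPT tcp -- * wlx00252245ed96 anywhere anywhere tcp dpt:domain
 0 0 ACCEPT tcp -- * wlx00252245ed96 anywhere anywhere tcp dpt:http
 0 0 ACCEPT tcp -- * wlx00252245ed96 anywhere anywhere tcp dpt:https
 0 0 DROP all -- * wlx00252245ed96 anywhere anywhere'

# lint_output_chain CHAIN_TEXT: prints one finding per line and returns 1 when
# anything was found, 0 when the chain looks right.
lint_output_chain() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "chain" || $1 == "pkts" || NF == 0 { next }
        {
            n++                            # rule position within the chain
            target = tolower($3)           # in -L -v output $3 is the target
            catchall = ($0 !~ /[sd]pt:/)   # the rule matches no port at all
            if ((target == "drop" || target == "reject") && catchall && !deny_at) { deny_at = n; deny_name = $3 }
            if (target != "accept") next
            if (deny_at) { found++; print "rule " n ": ACCEPT is never reached, catch-all " deny_name " at rule " deny_at " precedes it" }
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^spt:/) { found++; print "rule " n ": matches source port " $i ", browsing needs the dpt: form" }
                if ($i == "dpt:domain" || $i == "dpt:53") dns_ok = 1
            }
        }
        END {
            if (!dns_ok) { found++; print "no ACCEPT for port 53 (DNS), name lookups will fail" }
            exit (found > 0)
        }'
}

lint_output_chain "$SAMPLE_BAD" || echo "asker chain: problems found"
lint_output_chain "$SAMPLE_GOOD" && echo "corrected chain: OK"
```

On a live system, feed it `sudo iptables -L ufw-user-output -v -n` output instead of the constructed samples.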