You should reset ufw to defaults and start over:
sudo ufw reset
This will disable ufw and reset ufw to its installation defaults, which means:
- deny all incoming and
- allow all outgoing connections.
Then just add some rules to allow incoming connections for the applications you want to use:
sudo ufw allow ssh
sudo ufw allow http
Now you can enable ufw:
sudo ufw enable
Now ufw is running and configured to deny all incoming connections except connections to the ports needed for ssh and http. Outgoing connections are always allowed, and this is normally desired.
You don't need to add a deny rule for incoming connections like in your configuration:
deny in on enp6s0 from any port 30:65535 proto tcp
This rule is unnecessary; incoming connections are denied by default.
If you want to configure the outgoing connections more restrictively, you can add deny rules rather than defaulting outgoing connections to deny; it keeps the rules simpler, since mostly you want outgoing connections to be allowed. Deny rules for outgoing connections would have to be designed carefully.
sudo ufw deny out 6773
for example would deny all outgoing connections on port 6773; any application that would need to use this port wouldn't be able to work properly anymore.
Interfaces
Using more than one interface makes things a bit more complicated. The defaults (deny in, allow out) apply to all interfaces; also, rules which don't specify an interface will apply to all interfaces. You want your interfaces to behave differently, so you have to add rules for each interface.
The rules in the section above need to be adapted to match your external interface (the rules in your question look like that).
Outgoing connections are allowed by default on all interfaces, but not incoming connections, so you only need to add an allow in rule for each internal interface:
sudo ufw allow in on "interface" from any
Rules Order
Another important thing is the rule order. When a packet arrives at the interface, ufw will check the rules one by one. Whenever a rule matches, the rule will be applied and the packet denied, rejected or allowed. The rest of the rules, which have not been checked at this moment, are not used then. In your case I don't see much relevance of the rule order, but we always have to remember that rule order may matter.
Best Answer
I had the same problem and resolved it by using IPTABLES instead.
Example to only allow 3306 from source ip xxx.xxx.xxx.xxx:
Adds an accept for source matching our ip to line 1 of the FORWARD chain
iptables -I FORWARD 1 -p tcp -i eth0 -s xxx.xxx.xxx.xxx --dport 3306 -j ACCEPT
Drops all other connections on the FORWARD chain for that port
iptables -I FORWARD 2 -p tcp -i eth0 --dport 3306 -j DROP
Using the line numbers (1 & 2) forces the rules to be added above the ones created by docker such as:
-A FORWARD -d 0.0.0.0/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3306 -j ACCEPT
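Why the explicit positions in `-I FORWARD 1` and `-I FORWARD 2` matter can be shown by modelling the chain as a numbered list. The script below is an added example (not part of the answer above and not iptables' own code): it reproduces the insert-at-position and append semantics of `iptables -I` and `iptables -A` in shell over a constructed chain that already holds Docker's published-port rule, and reports where each rule lands. It never talks to the kernel; the rule texts are taken from the answer, with the source address left as the placeholder `xxx.xxx.xxx.xxx`.

```shell
#!/bin/sh
# Added example (not from the original answer): a model of the FORWARD chain
# as a numbered list with the "-I CHAIN N" (insert at position N) and
# "-A CHAIN" (append) semantics of iptables reproduced in shell, to show why
# the two rules are inserted at positions 1 and 2 rather than appended.
# The chain content is constructed; Docker's rule is assumed to be present
# already, as it would be once the container has started.

DOCKER_RULE='-A FORWARD -d 0.0.0.0/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3306 -j ACCEPT'
ALLOW_RULE='-A FORWARD -s xxx.xxx.xxx.xxx/32 -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT'
DROP_RULE='-A FORWARD -i eth0 -p tcp -m tcp --dport 3306 -j DROP'

# chain_reset: start from a chain that holds only Docker's rule.
chain_reset() {
    CHAIN=$DOCKER_RULE
}

# chain_append "<rule>": iptables -A FORWARD <rule>
chain_append() {
    CHAIN="${CHAIN}
$1"
}

# chain_insert <pos> "<rule>": iptables -I FORWARD <pos> <rule>
# Rules at <pos> and below shift down by one; a position one past the end
# appends; anything larger is rejected, as iptables does.
chain_insert() {
    pos=$1; rule=$2; n=0; out=''; inserted=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        n=$((n + 1))
        if [ "$n" -eq "$pos" ]; then
            out="${out}${rule}
"
            inserted=1
        fi
        out="${out}${line}
"
    done <<EOF
$CHAIN
EOF
    if [ "$inserted" -eq 0 ]; then
        if [ "$pos" -ne $((n + 1)) ]; then
            echo "iptables: Index of insertion too big." >&2
            return 1
        fi
        out="${out}${rule}
"
    fi
    CHAIN=$(printf '%s' "$out")   # command substitution drops the trailing newline
}

# chain_position "<fixed string>": 1-based number of the first rule containing
# it, 0 if absent (what "iptables -L FORWARD --line-numbers" would show).
chain_position() {
    p=$(printf '%s\n' "$CHAIN" | grep -nF -e "$1" | head -n 1 | cut -d: -f1)
    echo "${p:-0}"
}

# chain_list: print the chain numbered, one rule per line.
chain_list() {
    n=0
    printf '%s\n' "$CHAIN" | while IFS= read -r line; do
        n=$((n + 1))
        printf '%2d  %s\n' "$n" "$line"
    done
}

# Demo 1: -I with explicit positions puts both rules above Docker's rule, so
# for port 3306 the first matching rule is ours (ACCEPT for the one source,
# DROP for everything else) and Docker's ACCEPT is never reached.
chain_reset
chain_insert 1 "$ALLOW_RULE"
chain_insert 2 "$DROP_RULE"
echo "With -I FORWARD 1 / -I FORWARD 2:"
chain_list

# Demo 2: -A appends, so Docker's ACCEPT stays first and the DROP never fires.
chain_reset
chain_append "$ALLOW_RULE"
chain_append "$DROP_RULE"
echo "With -A FORWARD:"
chain_list
```

Run it as `sh forward-order.sh`; the second listing is the chain you get if you append instead of insert, with the Docker ACCEPT still evaluated first. On a real host, `iptables -L FORWARD --line-numbers -n` confirms the positions, and since Docker rewrites its own rules when the daemon restarts, rules placed directly in FORWARD should be re-checked after a restart; Docker's DOCKER-USER chain exists for user rules that are meant to be evaluated before Docker's own.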