How to allow traffic from a specific IP for a specific port in UFW?





I use private networking on Digital Ocean between a load balancer and a webserver (nginx/node). I want the webserver to block all incoming traffic on all ports, except two things:

  1. Allow SSH from anywhere
  2. Allow HTTP on port 80 only from the load balancer IP

I have tried to achieve this with the following ufw commands:

ufw enable
ufw default deny
ufw deny http
ufw deny https
ufw allow ssh
ufw allow from loadbalancer.private.ip to any port 80
ufw allow from loadbalancer.public.ip to any port 80

The result of ufw status verbose shows this:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
80 DENY IN Anywhere
443 DENY IN Anywhere
22 ALLOW IN Anywhere
80 ALLOW IN loadbalancer.private.ip
80 ALLOW IN loadbalancer.public.ip
80 (v6) DENY IN Anywhere (v6)
443 (v6) DENY IN Anywhere (v6)
22 (v6) ALLOW IN Anywhere (v6)

The website is not responding and only showing nginx 504 gateway time-out. If I type ufw allow http the site is available. So my above setup must be blocking out the load balancer. What is wrong?

migrated from stackoverflow.com Jan 21 '17 at 18:42
This question came from our site for professional and enthusiast programmers.

  • @ThomasWard changing the order and putting the ALLOW rules on top solved my issue. Thank you!
    – nidaros
    Jan 22 '17 at 12:35

  • You are welcome. I converted my comment to an answer so you can mark it as accepted and mark the question as solved.
    – Thomas Ward
    Jan 22 '17 at 12:41

Tags: firewall, ufw

edited Jan 21 '17 at 18:43
Thomas Ward

asked Jan 21 '17 at 11:16
nidaros

2 Answers

Firewall rules are first-matched in terms of processing. If the DENY comes before the ALLOW, it won't work right.

Your ALLOW rules need to come before the DENY rules. Otherwise the first matched rules are the DENY rules and you can't connect as you want.

answered Jan 22 '17 at 12:41
Thomas Ward

Old question, but you don't have to specifically deny things in UFW, it's default deny.

In this case, you would only have to add the specific allow rule, for the said IP. And that's it. Nothing else.

answered 4 mins ago
Shiki
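Both answers turn on the same point: ufw evaluates its user rules top to bottom and the first match wins, so a DENY on port 80 entered before the per-IP ALLOW shadows it, and with the default policy already set to deny incoming the explicit DENY rules add nothing. The script below is an added example, not code from the question, from either answer or from ufw itself: a small first-match evaluator that replays the asker's original order, the reordered table from the accepted answer, and the minimal table from the second answer against a constructed load balancer address and a constructed unrelated client. The rule grammar (`<allow|deny> <source|any> <port|any>`), the IPs and the `ufw_plan` helper are all assumptions made for the example; nothing here executes ufw.

```shell
#!/bin/sh
# Added example, not code from the question or from either answer, and not
# ufw's own logic: a first-match evaluator that replays the three rule
# orderings discussed on this page. Addresses are constructed placeholders.
LB_IP="10.132.0.5"       # stands in for loadbalancer.private.ip (constructed)
OTHER_IP="203.0.113.9"   # an unrelated client on the internet (constructed)

# Rule tables: one rule per line, in the order ufw would evaluate them.
# Columns: <allow|deny> <source ip|any> <destination port|any>
# ufw walks its user rules top to bottom, the first rule that matches wins,
# and traffic that matches nothing falls through to the default policy.

# The asker's rules in the order they were entered (DENY above ALLOW).
RULES_ORIGINAL="deny any 80
deny any 443
allow any 22
allow $LB_IP 80"

# Same rules with the ALLOW entries moved above the DENY entries
# (the ordering fix from the accepted answer).
RULES_REORDERED="allow any 22
allow $LB_IP 80
deny any 80
deny any 443"

# The minimal table from the second answer: no explicit deny rules at all;
# the default policy (deny incoming) covers everything not listed.
RULES_MINIMAL="allow any 22
allow $LB_IP 80"

# first_match RULES SRC_IP DST_PORT  -> prints "allow" or "deny"
# The fall-through verdict is "deny", matching "Default: deny (incoming)".
first_match() {
  printf '%s\n' "$1" | awk -v src="$2" -v port="$3" '
    NF == 3 && ($2 == "any" || $2 == src) && ($3 == "any" || $3 == port) {
      print $1; matched = 1; exit        # first match wins, stop scanning
    }
    END { if (!matched) print "deny" }   # fell through to the default policy
  '
}

# ufw_plan RULES  -> prints the ufw commands that would build a table, in
# order, so the rule order can be reviewed before anything is applied.
# Nothing here runs ufw; the output is meant to be read, not piped to sh.
ufw_plan() {
  echo "ufw default deny incoming"
  printf '%s\n' "$1" | while read -r action from dport; do
    [ -z "$action" ] && continue
    if [ "$from" = any ]; then
      echo "ufw $action $dport/tcp"
    else
      # "proto tcp" is a tightening not in the original post: the page's
      # rule matches both TCP and UDP on port 80, this one only TCP.
      echo "ufw $action from $from to any port $dport proto tcp"
    fi
  done
}

# Walk the scenarios from the thread and print a one-line verdict for each.
demo() {
  for table in ORIGINAL REORDERED MINIMAL; do
    eval "rules=\$RULES_$table"
    echo "$table: LB->80 $(first_match "$rules" "$LB_IP" 80)," \
         "other->80 $(first_match "$rules" "$OTHER_IP" 80)," \
         "other->22 $(first_match "$rules" "$OTHER_IP" 22)"
  done
}
demo
```

Running it shows the asker's symptom directly: with the ORIGINAL table the load balancer gets `deny` on port 80 because `deny any 80` is reached first, while REORDERED and MINIMAL both give it `allow` and still deny the unrelated client on 80. On a real host the equivalent checks are `ufw status numbered` to see the order and `ufw insert 1 allow from <lb ip> to any port 80` to place a rule at the top, or, as the second answer says, simply not adding the DENY rules and letting the default policy do the blocking.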