How to allow traffic from a specific IP for a specific port in UFW?
I use private networking on Digital Ocean between a load balancer and a webserver (nginx/node). I want the webserver to block all incoming traffic on all ports, except two things:
- Allow SSH from anywhere
- Allow HTTP on port 80 only from the loadbalancer IP
I have tried to achieve this with the following ufw commands:
ufw enable
ufw default deny
ufw deny http
ufw deny https
ufw allow ssh
ufw allow from loadbalancer.private.ip to any port 80
ufw allow from loadbalancer.public.ip to any port 80
The result of ufw status verbose shows this:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
80 DENY IN Anywhere
443 DENY IN Anywhere
22 ALLOW IN Anywhere
80 ALLOW IN loadbalancer.private.ip
80 ALLOW IN loadbalancer.public.ip
80 (v6) DENY IN Anywhere (v6)
443 (v6) DENY IN Anywhere (v6)
22 (v6) ALLOW IN Anywhere (v6)
The website is not responding and only showing nginx 504 gateway time-out. If I type ufw allow http the site is available. So my above setup must be blocking out the loadbalancer. What is wrong?
firewall ufw
migrated from stackoverflow.com Jan 21 '17 at 18:42
This question came from our site for professional and enthusiast programmers.
asked Jan 21 '17 at 11:16 by nidaros
edited Jan 21 '17 at 18:43 by Thomas Ward♦
@ThomasWard changing the order and putting the ALLOW rules on top solved my issue. Thank you!
– nidaros
Jan 22 '17 at 12:35
You are welcome. I converted my comment to an answer so you can mark it as accepted and mark the question as solved.
– Thomas Ward♦
Jan 22 '17 at 12:41
2 Answers
Firewall rules are first-matched in terms of processing. If the DENY comes before the ALLOW, it won't work right.
Your ALLOW rules need to come before the DENY rules. Otherwise the first matched rules are the DENY rules and you can't connect as you want.
answered Jan 22 '17 at 12:41 by Thomas Ward♦
Old question, but you don't have to specifically deny things in UFW, it's default deny.
In this case, you would only have to add the specific allow rule, for the said IP. And that's it. Nothing else.
answered 4 mins ago by Shiki
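Both answers come down to how ufw walks its rule list: top to bottom, first matching rule wins, and the default policy decides anything that matches nothing. The script below is an added example (not code from the question, from either answer, or from ufw itself) that models that first-match walk in plain shell, runs the asker's ordering, the reordered list from the accepted answer, and the allow-only list from the second answer against the same load balancer packet, and prints the ufw commands that would move the per-IP allows ahead of the broad denies. The addresses 10.0.0.5, 203.0.113.10 and 198.51.100.7 are constructed stand-ins for loadbalancer.private.ip, loadbalancer.public.ip and an unrelated client; the rule text format and the function names are this example's own, not ufw's.

```shell
#!/bin/sh
# Added example, not from the original post or from ufw itself.
# Models the first-match evaluation ufw applies to its rule list
# (top to bottom, first matching rule wins, default policy otherwise)
# and emits the reordered ufw commands.
# 10.0.0.5 (private LB), 203.0.113.10 (public LB) and 198.51.100.7
# (an unrelated client) are constructed placeholder addresses.
# Rule lines are "<action> <port|any> <source-ip|any>".

# The order the asker's commands produced (mirrors the "ufw status" listing).
ASKER_RULES='deny 80 any
deny 443 any
allow 22 any
allow 80 10.0.0.5
allow 80 203.0.113.10'

# The same rules with the ALLOW entries first, as the accepted answer recommends.
FIXED_RULES='allow 22 any
allow 80 10.0.0.5
allow 80 203.0.113.10
deny 80 any
deny 443 any'

# The minimal form from the second answer: only allows, default deny does the rest.
MINIMAL_RULES='allow 22 any
allow 80 10.0.0.5'

# first_match RULES PORT SRC [DEFAULT]
# Prints the action of the first rule whose port and source match, or DEFAULT
# (deny, like "ufw default deny") when no rule matches.
# Only exact-IP sources are modelled; CIDR ranges are out of scope here.
first_match() {
    rules=$1; port=$2; src=$3; default=${4:-deny}
    decision=$(printf '%s\n' "$rules" | while read -r action rport rsrc; do
        [ -z "$action" ] && continue
        if { [ "$rport" = any ] || [ "$rport" = "$port" ]; } \
           && { [ "$rsrc" = any ] || [ "$rsrc" = "$src" ]; }; then
            printf '%s' "$action"
            break
        fi
    done)
    printf '%s\n' "${decision:-$default}"
}

# reorder_commands LB_IP...
# Emits ufw commands that place the per-IP allows at position 1, ahead of the
# existing "deny 80" rule ("ufw insert 1 RULE" inserts at that position).
# Both inserted rules are allows, so their relative order does not matter.
reorder_commands() {
    for ip in "$@"; do
        printf 'ufw insert 1 allow from %s to any port 80\n' "$ip"
    done
}

# minimal_commands LB_IP...
# Emits the ruleset the second answer describes: no explicit denies at all,
# the default incoming policy drops everything that is not allowed.
minimal_commands() {
    printf 'ufw default deny incoming\n'
    printf 'ufw allow ssh\n'
    for ip in "$@"; do
        printf 'ufw allow from %s to any port 80\n' "$ip"
    done
}

# Demonstration: the same load balancer packet under each ordering.
printf 'asker order,   LB -> 80:       %s\n' "$(first_match "$ASKER_RULES" 80 10.0.0.5)"
printf 'fixed order,   LB -> 80:       %s\n' "$(first_match "$FIXED_RULES" 80 10.0.0.5)"
printf 'minimal rules, LB -> 80:       %s\n' "$(first_match "$MINIMAL_RULES" 80 10.0.0.5)"
printf 'minimal rules, stranger -> 80: %s\n' "$(first_match "$MINIMAL_RULES" 80 198.51.100.7)"
printf 'minimal rules, stranger -> 22: %s\n' "$(first_match "$MINIMAL_RULES" 22 198.51.100.7)"
echo '--- commands to fix the existing list:'
reorder_commands 10.0.0.5 203.0.113.10
echo '--- commands for the allow-only variant:'
minimal_commands 10.0.0.5 203.0.113.10
```

Under the asker's order the packet from 10.0.0.5 to port 80 hits "deny 80 any" first and never reaches the per-IP allow, which is exactly the 504 the load balancer reported; moving the allows above the deny, or dropping the explicit deny altogether and relying on the default policy, both yield "allow" for the load balancer and "deny" for everyone else. After changing a live ruleset, "ufw status numbered" is the quickest way to confirm the order actually in effect.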