[15:05] <Skyrider> Greetings all
[15:05] <Skyrider> I am in need of some help.. think my firewall, is... kinda? busted. It appears all allow rules in ufw works perfectly fine.. though, the deny/reject doesn't work at all.
[15:06] <Skyrider> I used a simple rule to deny my mobile IP to connect to the server, yet I can still load sites just fine.
[15:07] <teward> we'd need to see your rules you're trying to set up
[15:07] <teward> also UFW is specifically based on first-match so if your ALLOW rules are before your DROP/REJECT rules it will still allow
[15:08] <Skyrider> Anywhere                   DENY        143.179.70.207 - is above the allow rules
[15:09] <teward> and you're *sure* your phone is using that IP actively?  (send your phone to https://ifconfig.co to find out)
[15:09] <teward> if it's NOT when it goes out to the 'net then that's why your rule doesn't work
[15:10] <Skyrider> According to that site, my mobile is using 143.179.70.207
[15:10] <Skyrider> Which matches with the deny rule.
[15:11] <Skyrider> https://i.imgur.com/ZCQglP5.png
[15:14] <Skyrider> Even when I reload ufw, doesn't make much difference.
[15:16] <teward> `ufw status numbered` please - i think you actually do have a rule ordering issue
[15:16] <teward> (AND include the headers please)
[15:16] <teward> (Because reading that output is pain)
[15:16] <teward> just want to verify the numerical ordering is right
[15:17] <teward> because I just spun a container up with ufw rules, and did an allow rule for SSH but also a REJECT rule for my IP and it puts the SSH Allow above
[15:18] <teward> (which is important to note because it will match the 22 ALLOW rule first)
[15:19] <teward> also make sure your phone isn't using IPv6 if v6 is on your infra
[15:19] <Skyrider> https://paste.ubuntu.com/p/DhHby6f5F4/
[15:20] <Skyrider> Not sure why there are 2x 22'c, I'll erase that later on. But, I do believe the order is correct.
[15:21] <teward> probably because at one point you specified just port 22 which is any protocol
[15:21] <Skyrider> All reject/denies are above the allowed rules.. so.. I'm, honestly confused.
[15:21] <teward> so am I let me do some poking
[15:22] <teward> what's your box's version? 18.04?
[15:22] <teward> just to make sure i'm testing the right version :p
[15:23] <lordievader> Skyrider: Could you pastebin the output of `sudo iptables-save`?
[15:23] <teward> that as well
[15:24] <teward> because ufw might be doing a weirdness behind the scenes
[15:25] <teward> Skyrider: how're you testing the DENY rule?
[15:25] <teward> out of curiousity
[15:25] <teward> because `ping` isn't denied by ufw by default
[15:25] <teward> so you will always get false info from `ping`
[15:25] <teward> (just confirmed this in an 18.04 box)
[15:26] <Skyrider> ya, 18.04 and lemme grab the iptables rules. As testing, using mobile device to check my domains. Should be rejected.
[15:27] <teward> so, accessing it via HTTP and such then
[15:28] <Skyrider> yup
[15:28] <teward> ahhhhh okay i replicated your issue
[15:28] <teward> I *think* the ALLOW rules get placed in a higher priority in iptables
[15:28] <teward> which is stupid
[15:29] <Skyrider> https://paste.ubuntu.com/p/s8tMkSPzpx/
[15:29] <teward> somehow
[15:33] <lordievader> I guess it is the ufw-user-input chain
[15:33] <lordievader> Line 99
[15:34] <Skyrider> not local?
[15:34] <lordievader> Which happens before line 60 (reject), due to line 57 calling the ufw-user-input chain.
[15:37] <teward> lordievader: i think there may be other bugs...
[15:37] <teward> perhaps this is because i'm running in a container BUT
[15:37] <teward> with a REJECT on my IP and an ALLOW on 80 with apache2 installed it still permits me in
[15:38] <Skyrider> Interesting fact I just discovered.
[15:38] <Skyrider> The deny/rejection on IP didn't allow my mobile to connect to SSH.
[15:38] <teward> but did for HTTP?
[15:38] <Skyrider> Indeed
[15:38] <teward> i assume *caching* was eliminated as a factor
[15:38] <teward> because browsers are evil
[15:38] <teward> (my tests are with curl :)
[15:39] <teward> (which seem to suggest the HTTP Allow rule takes precedence)
[15:39] <Skyrider> Once I erased my cells IP rule, I was able to connect again.
[15:40] <Skyrider> I assumed all reject/deny were systemwide, even for http(s).
[15:41] <teward> they should be
[15:41] <teward> this seems like a bug
[15:41] <teward> but i need to verify somehow
[15:41] <teward> (ufw isn't doing logging right even at full levels)
[15:45] <teward> okay i think something's actually odd on your env
[15:45] <teward> because I realized I fatfingered a rule on my side
[15:45] <teward> and it's now working
[15:45] <teward> https://paste.ubuntu.com/p/H3p6F5PnH6/
[15:45] <teward> and a curl rejects to it
[15:45] <teward> (curl doesn't have a cache)
[15:46] <teward> Skyrider: they should be
[15:46] <teward> what you aren't doing is verifying if your browser is caching or not
[15:46] <lordievader> If you want a detailed answer why something went through or not look into the trace functionality of netfilter.
[15:46] <teward> nuke your browser cache
[15:46] <teward> and try again
[15:46] <teward> because browsers are NOTORIOUS with caching if you've gone to the page at least once
[15:46] <teward> Skyrider: readd your REJECT rule in the right spot and then erase your browser cache and try again on your phone
[15:46] <teward> chances are it'll reject
[15:46] <teward> and your browser was simply caching content
[15:47] <teward> (which is usually the case for browsers)
[15:48] <Skyrider> I shall try.. however, would like to add that last week I mentioned that a deny/reject rule I added with ip range kept scanning my sites.
[15:48] <Skyrider> Was forced to block the IP range through nginx instead.
[15:48] <teward> hmmm
[15:48] <teward> just as an FYI
[15:49] <teward> this is why I don't use ufw
[15:49] <teward> it has some... nuances...
[15:49] <teward> I just control everything via iptables directly :P
[15:49] <teward> ufw is nice, but it can be weird and glitchy
[15:49] <Skyrider> Ya.. I find iptables a bit... complicated.
[15:49] <teward> most users do unfortunately, hence why they use ufw.
[15:49] <teward> the problem I find is, ufw does a lot of other 'stuff' with its rules that can be glitchy
[15:49] <teward> and ufw logging is poor :P
[15:49] <jdstrand> if there are weird glitchy issues in ufw, please file bugs
[15:50] <teward> jdstrand: you mean like `ufw logging full` not actually logging anything anywhere?  :P
[15:50] <teward> (at least, in LXD containers)
[15:50] <Skyrider> I re-added the the IP, though no success. Gotta admit, I didn't clean the cache. But I went to forum pages that I never went to before on mobile, even private area's. Wasn't blocked a single time.
[15:50] <jdstrand> teward: that isn't ufw's fault. unprivileged containers don't have access to kmsg and that is where the kernel logs
[15:50] <teward> jdstrand: this is a privileged container ;)
[15:50] <teward> and it still can't access
[15:51] <jdstrand> again, that is the kernel, not ufw
[15:51] <Skyrider> Even created a new thread on the forums with my mobile :p, you can't cache that.
[15:51] <teward> hmm
[15:51] <teward> let me spin up a VM
[15:51] <teward> remove the kernel headaches from the equation for testing
[15:51] <weedmic> why not use iptables, then you can save it to a file and at any time run it to instantly set it the way you want?
[15:51] <teward> and get some niiice auditing to try and replicate this
[15:51] <teward> weedmic: because they find it 'complicated' :P
[15:51] <teward> most users do
[15:52] <jdstrand> logging is also complicated by journald
[15:52] <jdstrand> so depending on the release in the container, there may be some stuff going on with journald
[15:52] <weedmic> well, it's just a language (of sorts) - it's only got like 5 things in it - but I could see that - I find it easier than suse's gui for firewall
[15:52] <Skyrider> If there's something that is similar to ufw (in simplicity), but adds rules as iptables would.. I don't mind.
[15:53] <Skyrider> Never had any issues with ufw until a few weeks ago.
[15:53]  * jdstrand also notes that ufw uses iptables-restore syntax under the hood
[15:53] <jdstrand> (man ufw-framework)
[15:53] <jdstrand> Skyrider: please file bugs if there are issues
[15:53] <teward> wellllllllllll
[15:54] <teward> I was writing a python frontend to `iptables` that does much like what `ufw` does...
[15:54] <teward> but I got busy/bored/distracted
[15:54] <Skyrider> I could report a bug, but need to be sure that this isn't my fault XD
[15:54] <teward> jdstrand: well rsyslogd dumps it to /var/log/ufw.log and that oddly enough works
[15:54] <teward> Skyrider: let me set up a test env with logging, etc. give me a minute then i'll coopt you to do some testing
[15:55] <teward> *goes to the Cloud*
[15:56] <Skyrider> ^_^
[15:56] <jdstrand> teward: its gonna depend on what is available in the container, how the container is configured, how logging overall is configured, the kernel, etc. ufw does ship an rsyslog snippet, yes
[15:56] <teward> right
[15:56] <teward> but this is why i'm going to the Cloud and VMs for a full env
[15:56] <teward> thank you cloud VPS deployment xD
[15:56] <jdstrand> but the imklog
[15:57] <jdstrand> module from rsyslog might not be able to read the kernel logs
[15:57] <jdstrand> so, it can't put it in ufw.log
[15:57] <jdstrand> but again, lots of variables
[15:58] <jdstrand> the container host should still see it though
[15:59] <teward> yep which is why i'm spinning a cloud instance up to test with :p
[15:59] <teward> should help
[16:01] <Skyrider> Hopefully with results matching my issue... makes things easier.
[16:03] <teward> just takes a while to launch xD
[16:03] <Skyrider> Cloud aint that fast ey
[16:03] <teward> not as fast as I'd like but I don't use predeployed images :P
[16:03] <teward> I boot the ISOs and deploy my own settings :P
[16:19] <teward> Skyrider: check your PMs I sent you a location to go to
[16:42] <teward> jdstrand: i think we've narrowed it down
[16:42] <teward> but it's not a ufw bug
[16:42] <teward> it's how their android phone behaves with Internet
[16:42] <teward> (everything goes via Google Proxies for some reason)
[16:42] <teward> which makes sense if it's using stock Google Chrome on the Android :P
[16:42] <teward> Skyrider: ^
[16:57] <teward> as to why the /16 wasn't blocking I am unsure, because by all intents and purposes it shouold have
[16:57] <teward> can't rule out proxies at play though
[17:15] <jdstrand> teward: oh, interersting. yeah, clouds, their kernels and their logging infra can certainly affect things. good luck tracking it down!
[17:15] <teward> KVM VPS on OpenStack though...
[17:15] <teward> Thats full virtualization ;)
[17:18] <setuid> Need some Android Emulator running on top of an instance inside that OpenStack though :D
[17:18] <Skyrider> Guess my headless server is busted then
[17:30] <JanC> the "google proxies" = AMP stuff ?
[17:39] <teward> JanC: Not sure, but Skyrider had Google Data Saver on in their Chrome browser
[17:39] <teward> that was probably a factor
[17:52] <teward> jdstrand: but Skyrider DOES have something wonky up with their environment, even with the rules in the proper places it still allows connections.  Can't rule out caching, but something's up with their system
[17:52] <teward> not a ufw bug per se, maybe something specific to their config
[18:03] <jdstrand> Skyrider: note that connection tracking may be an issue. usually this indicates either other firewall software is installed and is competing with ufw or something is not configured correctly in the kernel. you can run 'sudo /usr/share/ufw/check-requirements' for the latter
[18:22] <Skyrider> jdstrand: Command requests to create rules.
[18:22] <Skyrider> teward: Does ufw override iptables rules by any chance?
[18:22] <teward> ufw *is* iptables rules
[18:22] <teward> it will overwrite any other loaded netfilter rules
[18:23] <teward> (which is iptables)
[18:23] <Skyrider> That, I know.. But I noticed ufw lines being used in iptables rule list.
[18:23] <teward> that's normal
[18:23] <Skyrider> Maybe just for naming purposes?
[18:23] <teward> because ufw *uses* netfilter/iptables under the hood
[18:23] <teward> it's UFW specifics for how it does its tables/namings/etc
[18:23] <teward> but it's still ultimately iptables, just a user-friendly frontend to manage the iptables rules
[18:23] <Skyrider> Maybe I should try to create an iptables rule denying my own ip address, directly from iptables.
[18:23] <Skyrider> Rather than ufw.. see if that works.
[18:23] <teward> disable ufw first, then apply a ruleset similarly.  I can help you write a ruleset as such if you want
[18:24] <teward> ufw will overwrite any iptables rules you add
[18:24] <teward> (for the record I use iptables exclusively, but i have reasons xD)
[18:24] <Skyrider> I assume "iptables -A INPUT -s IP-ADDRESS -j DROP" would work fine. Not sure the order it would add it though.
[18:24] <Skyrider> Maybe I should just use iptables, and use aliasses to make it more simpler for me.
[18:25] <teward> `iptables -I INPUT 1 -s IPADDRESS -j REJECT --reject-with icmp-host-unreachable` would be more instantaneously identifiable as a truly effective rule
[18:25] <teward> of course with sudo :P
[18:25] <Skyrider> ^_^
[18:25] <Skyrider> oki, ufw disabled.
[18:26] <Skyrider> What about the order?
[18:26] <Skyrider> Is there a command to set the order like ufw? sudo ufw insert x .. etc, etc, etc.
[18:26] <teward> the rule I provided adds to the top of the list and there's a default ALLOW by default in `iptables`
[18:26] <teward> `iptables -I`  - `-I CHAIN INDEX` Insert rule into specified chain at specified index/position
[18:27] <teward> in this case, INPUT is the chain (as expected) and INDEX is 1, meaning top of the chain]
[18:28] <teward> Skyrider: i'd be happy to give you a crash course in `iptables` syntax at some point :P
[18:29] <teward> if it turns out this deny/reject actually WORKS
[18:29] <teward> ... ops?
[18:29] <teward> ooops*
[18:29] <teward> i think they killed themselves... if they did i'll have to help them fix it
[18:29]  * teward reminds himself that ufw can be evil
[18:36] <Skyrider> *shrugs*
[18:36] <Skyrider> Forgot, that it would block me from .. .well, everything
[18:36] <Skyrider> lol
[18:36] <Skyrider> Was forced to reboot and reset the rules.
[18:37] <Skyrider> Interesting fact though that blocking my IP in iptables disconnected me almost instantly from everything.. while if I do the same on ufw, it didn't.
[18:37] <Skyrider> So my guess is.... ufw.. is, busted on my end.
[18:41] <jdstrand> teward, Skyrider: actually, ufw will *not* overwrite rules you have unless you specify MANAGE_BUILTINS=yes in /etc/default/ufw, which is not the default
[18:42] <teward> jdstrand: interesting.  so it'll what, append rules?
[18:42] <tds> Skyrider: that depends on where exactly you're adding the drop/reject rules - if they go before a rule using conntrack allowing existing connections, that will terminate all open connections, while after will only make them affect new connections
[18:42] <teward> last i checked ufw overwrites whatever I put in `iptables` when ufw is disabled
[18:42] <jdstrand> teward: no, it works on its own chains that are all prepended with ufw-*
[18:43] <jdstrand> teward: this is how it plays well with libvirt, etc which adds their own rules. but something like iptables-persistent or other things that assume they own the firewall can interfere with ufw
[18:43] <Skyrider> The rule I was provided to add in iptables disconnected all my connections.
[18:44] <Skyrider> Let me try again, but only adding the web ports instead rather than a global deny.
[18:44] <jdstrand> still, the advice is sound to disable ufw and see if something simple is working
[18:45] <Skyrider> "iptables -A INPUT -p tcp --destination-port {PORT-NUMBER-HERE} -j DROP" ?
[18:45] <Skyrider> err, no.. lacking ip
[18:45] <teward> Skyrider: `sudo iptables -I INPUT 1 -s IPADDRESS -p tcp --dport 80 -j REJECT --reject-with icmp-host-unreachable`
[18:45] <teward> same for 443 (though you can replace the index with `2`
[18:45] <teward> and that'll ONLY block traffic matching the source IP address heading to port 80 on TCP
[18:45] <Skyrider> Thanks :) lemme try
[18:45] <teward> (standard HTTP)
[18:46] <teward> my apologies for fubaring your access, but at least we know THAT worked xD)
[18:46] <Skyrider> Simple reboot fixed it XD.. why isn't iptables saved though?
[18:46] <Skyrider> With that, I mean.. saved on reboot ,etc.
[18:46] <jdstrand> teward: it depends on how your are disabling ufw. if you disable and do /lib/ufw/ufw-init flush-all or other low level things (or have MANAGE_BUILTINS=yes set), then yes, it will blow stuff away
[18:47] <teward> because it's not stored in a file anywhere, ufw when it reenables loads data from stored rules/data and reloads it into netfilter
[18:47] <teward> similar to how `iptables-persistent` does the same on boot (but assumes firewall ownership and blasts things apart)
[18:47] <Skyrider> oki, I dropped the connection on 80 and 443.. didn't work.
[18:47] <tds> Skyrider: iptables itself doesn't do anything for saving on boot, if you want that you need to install something like the iptables-persistent package
[18:47] <Skyrider> Well, it got added.. just didn't block my access on my web stuff.
[18:47] <jdstrand> do note that just because ufw doesn't stomp on the rules doesn't mean that rule ordering isn't in play. iptables rules are order-dependent. if the ufw chains are first, then ufw will work, if after, they may not (ie, -A (append) vs -I (insert))
[18:48] <teward> Skyrider: did you use DROP or REJECT?
[18:48] <teward> test REJECT
[18:48] <teward> instead of DROP
[18:48] <teward> this said, DROP should've worked too
[18:48] <teward> Skyrider: is this a VPS?  Is it containerized (LXD, OpenVZ) or full virtual (KVM)?
[18:49] <teward> Skyrider: also, make sure you're actually blocking the right IP (remember the google proxy evil?)
[18:49] <Skyrider>     Virtualization: kvm
[18:49] <jdstrand> Skyrider: how are you testing the connection? is the traffic going through the interface you expect to be firewalling? did you kill off any connection tracking (eg, sudo conntrack -D ...)
[18:50] <Skyrider> Not sure what conntrack is.
[18:50] <jdstrand> Skyrider: did you add the rules with -A (append) or -I (insert)?
[18:50] <teward> jdstrand: would that apply even if the first rule were a global matchall?  If they did `-I INPUT 1` like i suggested it'd have put it at first position in INPUT
[18:50] <jdstrand> Skyrider: it is also possible there are vps rules that are in front of your added rules
[18:51] <jdstrand> I see Skyrider used iptables -A INPUT...
[18:52] <teward> ah that might break it
[18:52] <Skyrider> Copy/pasted, ya :P
[18:52] <teward> Skyrider: did you use `iptables -A INPUT` or `iptables -I INPUT 1` like i suggested?
[18:52] <Skyrider> I copy/pasted your line
[18:52] <Skyrider> So.. with input 1.
[18:53] <jdstrand> Skyrider: with INPUT 1, it worked and blocked the connection?
[18:53] <Skyrider> -A INPUT -s xxxxxx/32 -p tcp -m tcp --dport 443 -j REJECT --reject-with icmp-host-unreachable - and another line with port 80 according to iptables -S
[18:53] <Skyrider> And no, it didn't block my web connection.
[18:53] <teward> show us the `iptables-save` output (Pastebin it please)
[18:54] <Skyrider> sure
[18:54] <tds> `iptables-save -c` ideally :)
[18:54] <teward> ^ that
[18:54] <Skyrider> >_>
[18:55] <teward> ... ooooooooooops i just broke my own email, stupid firewalls and NAT... *goes to fix*
[18:55] <Skyrider> https://paste.ubuntu.com/p/49hZ53dx4d/
[18:56] <teward> the only reason it'd be doing *that* is because your IP(s) accessing the site aren't what we think it is
[18:56] <jdstrand> Skyrider: how did you disable ufw?
[18:56] <teward> which is what was happening earlier with our tests skyrider
[18:56] <Skyrider> sudo ufw disable
[18:56] <Skyrider> Status: inactive
[18:56] <jdstrand> Skyrider: and you rebooted?
[18:56] <Skyrider> Reboot kept ufw disabled.
[18:57] <teward> jdstrand: shouldn't the first to input lines (24, 25) have caught regardless if the source IP matching was correct?
[18:57] <teward> 0:0 suggests that it never triggered/matched on sourceIP
[18:57] <teward> and since those rules are ABOVE the ufw rules, those should be matched regardless of UFW active/inactive
[18:57] <teward> at least per my nf understanding
[18:59] <jdstrand> Skyrider: that isn't what a disabled ufw looks like after a reboot
[18:59] <Skyrider> Don't look at me XD
[18:59] <jdstrand> (if it is disabled, after a reboot, it should have no ufw chains)
[19:00] <jdstrand> Skyrider: what release of ubuntu is this?
[19:00] <Skyrider> 18.04
[19:00] <Skyrider> I removed ufw and purged it.
[19:00] <Skyrider> ufw rules in iptables-save are still there.
[19:00] <Skyrider> At least, the ufw lines.
[19:00] <teward> jdstrand: just ran ufw in the command line in a container
[19:00] <teward> aaaaaaaaaand, the ufw rules are still there when disabled
[19:00] <teward> even on reboot
[19:00] <jdstrand> Skyrider: this is a container?
[19:00] <teward> except on reboot*
[19:01] <teward> jdstrand: confirming on a VM currently as well
[19:01] <teward> standby...
[19:01] <jdstrand> teward: ufw disable pre-reboot will leave chains in place, but empty them. on reboot, they won't be added
[19:01] <teward> that part i confirm
[19:02] <teward> Skyrider: you did `sudo ufw disable` and then restarted the server yes?
[19:02] <jdstrand> Skyrider: what is ENABLED set to in /etc/ufw/ufw.conf?
[19:02] <teward> because jdstrand *is* right - it won't add those rules if `ufw` was disabled when you rebooted
[19:02] <tds> Skyrider: did you install iptables-persistent or anything similar?
[19:02] <tds> if you did, that may have saved the ufw rules for you
[19:02] <teward> looks to me more like you just rebooted then did `sudo ufw disable`
[19:02] <jdstrand> tds: yes
[19:02] <jdstrand> tds: that is often a problem
[19:02] <tds> `grep ufw /etc/iptables/rules.v4` would tell you :)
[19:03] <teward> (and won't exist if it's not installed or manually created)
[19:03]  * jdstrand is reminded he needs to add iptables-persistent detection to /usr/share/ufw/check-requirements
[19:03] <teward> jdstrand: what's the underlying language for it?
[19:03] <teward> i might be bored enough to try :p
[19:05] <jdstrand> python3 for the ufw command, shell for early boot setup and iptables-restore syntax for rules
[19:05] <Skyrider> Ya, iptables-persistent is installed.
[19:05] <jdstrand> Skyrider: iptables-persistent and ufw do not work well together. choose one or the other
[19:05] <Skyrider> I only added it a few hours ago, when I was trying to fix all of this.
[19:06] <teward> remove iptables-persistent and reboot
[19:06] <teward> then add the `iptables` rule I stated
[19:06] <teward> this said
[19:06] <Skyrider> Do I have to reboot? :P
[19:06] <teward> jdstrand: my previous question stands.
[19:06] <teward> jdstrand: shouldn't the first to input lines (24, 25) have caught regardless if the source IP matching was correct?
[19:06] <teward> because of the ordering in INPUT
[19:06] <jdstrand> Skyrider: that's fine, but we can only debug what is happening right now
[19:07] <Skyrider> One moment, will disable/enable some services and reboot.
[19:07] <jdstrand> teward: yes, they should have
[19:07] <teward> jdstrand: one of the issues we ran into earlier with Skyrider was their device(s) were being routed via Google's Proxies
[19:07] <teward> as a result of datasaver, etc.
[19:07] <teward> when we blocekd the IP of their actual address that was in the access logs from the webserver they couldn't get to it
[19:07] <Skyrider> This time however, using my own browser on my main desktop system.
[19:08] <jdstrand> teward: so the incoming ip is NAT'd or something? that is going to make a source ip infeasible
[19:08] <Skyrider> Wait a sec...
[19:08] <teward> jdstrand: there's a few different factors
[19:08] <Skyrider> once I removed persistent, everything started to work
[19:08] <Skyrider> nvm..
[19:08] <teward> when their main computer connected and I blacklisted that in a live system it blocked them
[19:08] <Skyrider> Just slow connection XD
[19:08] <teward> but the tricky part here is that i can't verify what's going on on their main desktop
[19:09] <teward> jdstrand: i also can't rule out Proxy settings at play by ISP or some other VPN or proxy system at play
[19:09] <teward> in which case if they ARE indeed nat'd we'd have some... headaches with that and you're rightw e'd have to ignore source IP as a valid identifier (because NAT breaks it)
[19:09] <teward> case in point my IP currently, it shows as my home's IP instead of ym work's IP because I'm VPN'd through home, but HTTP Proxies would behave similarly for HTTP/HTTPS connections in some cases
[19:10] <teward> Skyrider: confirm you're still rejected on the test IP I provided earlier as well
[19:10] <jdstrand> sudo tcpdump -i <interface name> -s 0 -n -vv port 80
[19:10] <Skyrider> Not atm (not on my desktop)_
[19:10] <jdstrand> that will also be helpful on the server ^
[19:11] <jdstrand> Skyrider: just for your own debugging. you'll then see the IPs involved
[19:11] <teward> jdstrand: i'd agree with what jdstrand says :P
[19:11] <Skyrider> **rebooting**
[19:11] <teward> then attempt connecting yourself and see the IP(s)
[19:11] <teward> blehrewrherw9re
[19:11] <teward> *yawns*
[19:14] <teward> jdstrand: ewwww check-requirements is bash >.<
[19:14] <teward>  /bin/sh *
[19:14] <jdstrand> oh your question was about that. yes, shell
[19:14] <teward> one of my more hated languages
[19:14] <teward> behind Ruby and Perl
[19:15] <Skyrider> Okay, so..
[19:15] <Skyrider> Reboot done.
[19:15] <teward> (Ruby, Perl, pure Dash/sh, C, C++...)
[19:15] <Skyrider> iptables only shows 3 lines now.
[19:15] <Skyrider> input, forward and output.
[19:15] <jdstrand> heh, well, it works ok for that particular debugging purpose :)
[19:15] <jdstrand> Skyrider: ok, so you now have a completely clean slate
[19:16] <teward> jdstrand: oh fun fact: you might need to remove the python 2.* checks in this thing for focal if we're sure we're blasting Py2 away
[19:16] <teward> :P
[19:17] <Skyrider> I re-added the 80/443 rules.
[19:17]  * jdstrand notes that the ufw rules that were there before were all 'pass through' but it complicated the output. please, trying to reason around ufw and iptables-persistent at the same time is never good
[19:19] <jdstrand> teward: yes, ufw itself is all py3, etc, etc. I do need to drop the py2 packaging which I'll do before ff. note that check-requirements looks for any python, it just happened to find py2 on the system
[19:19] <jdstrand> Skyrider: and the connection is still not blocked?
[19:20] <Skyrider> Not yet.. just reminded server is using cloudflare.. lemme disable that.
[19:21] <Skyrider> sudo tcpdump -i <interface name> -s 0 -n -vv port 443 - Can I ignore the the machines IP?
[19:21] <Skyrider> Getting spammed with it.
[19:21] <Skyrider> A lot of them with cksum 0x8d69 (incorrect -> 0x0873), seq 1:194, ack 1, win 229, length 193
[19:22] <Skyrider> Specifically the "incorrect" part.
[19:25] <teward> jdstrand: https://paste.ubuntu.com/p/k5NPprmBv3/ in case you're curious *might* help, since those're the scripts iptables-persistent currently installs - if either of them exists then the package is installed :P
[19:25] <teward> it's a diff btw
[19:26] <teward> > server uses cloudflare
[19:26] <teward> well that explains a lot
[19:26] <teward> CloudFlare is equivalent to Proxies and VPN, it futzes the endpoint Source IPs
[19:26] <Skyrider> Side question.. if I allow a port to be used on a specific IP with iptables, does it block the rest?
[19:26] <teward> so you can't use `iptables` or `ufw` to filter on SourceIP if you're behind CloudFlare
[19:26] <teward> Which explains the problems you're having
[19:27] <teward> Skyrider: if you put the default policy to DROP or add a REJECT rule at the end of the rules as a default, then it will
[19:27] <Skyrider> Okay, that makes it different over UFW.
[19:27] <teward> no
[19:27] <teward> because iptables defaults is ALLOW
[19:27] <jdstrand> teward: re check-requirement, thanks :)
[19:27] <teward> ufw's 'default' policy is deny incoming ;)
[19:27] <Skyrider> Adding an accept port / ip rule through ufw, auto denies it for other ip's.
[19:27] <teward> jdstrand: yep, it's likely to need minor refinement.
[19:27] <teward> Skyrider: because the default policy is DROP
[19:27] <teward> in Ufw
[19:28] <Skyrider> Which I find, better.. in my opinion
[19:28] <teward> iptables doesn't have that unless you specify it as that, but that's a different discussion
[19:28] <teward> because you can *set* iptables to default-Deny
[19:28] <teward> which can cause issues if you're not careful
[19:28] <jdstrand> Skyrider: you can add 'and host <ip addr>'
[19:29] <Skyrider> Ah, that makes it better :D
[19:29] <Skyrider> Also... still doesn't block my IP >_>
[19:29] <Skyrider> ****web wise.
[19:29] <teward> Skyrider: if you're using Cloudflare then it won't
[19:29] <teward> to reiterate WHY:
[19:29] <teward> CloudFlare is equivalent to Proxies and VPN, it futzes the endpoint Source IPs
[19:29] <teward> because the traffic goes through CloudFlare's nginx proxy to try and mitigate DDoS and provide minor CDN functionality
[19:29] <Skyrider> Oh, I know. :)
[19:30] <teward> so... :P
[19:30] <Skyrider> Set it to DNS only
[19:30] <teward> and you're sure your computer sees the updated DNS?
[19:30] <Skyrider> Chrome / Firefox appears to be blocked now.. Internet explorer.. not so much.
[19:30] <teward> ... ewww IExplorer
[19:30] <teward> *shivers*
[19:30] <Skyrider> XD
[19:30] <Skyrider> Using it just for testing.
[19:30] <teward> Internet Explorer is evil and relies on Windows' DNS cache
[19:30] <teward> Chrome/FFox both do their own queries lol
[19:30] <Skyrider> Okay, soo... works now.. so all this time, cloudflare was the issue.
[19:31] <Skyrider> Really wish iptables would be smarter to check "behind" the proxy...
[19:32] <jdstrand> it can't. the info is gone from the packet
[19:33] <Skyrider> Fun times.. can't even use cloudflare XD
[19:33] <jdstrand> the T in NAT is Transalation. the host doing the translating rewrites the address before sending the packet on its way
[19:34] <teward> jdstrand: regarding iptables-persistent if that patch looks good I can turn that into an actual quilt patch and upload it.  but i don't want to touch things that're major-critical without second sets of eyes/testing :P
[19:34] <jdstrand> Skyrider: but the host doing the translating sees it. perhaps there is something in the cloudfare UI that allows you to block that ip
[19:34] <teward> also my shell is rusty so :P
[19:34] <teward> jdstrand: CF will pass a header called Ray-ID
[19:35] <teward> and XFF
[19:35] <teward> nginx can check XFF
[19:35] <teward> iptables can't
[19:35] <Skyrider> iptables sounds outdated :o
[19:35] <teward> i think you're confusing 'firewall' with 'proxy filtration'
[19:35] <teward> 'firewall' is good at the packets level
[19:35] <Skyrider> And yea, using multiple methods online to convert the proxy ip to the users real IP.
[19:35] <teward> NOT at the application level
[19:35] <jdstrand> teward: I'm doing uploads for Debian and Ubuntu in the coming weeks. thanks for the offer
[19:35] <Skyrider> Set it up in nginx as well.
[19:35] <teward> which is what XFF / RayID involves
[19:35] <teward> jdstrand: ack
[19:35] <teward> jdstrand: just, if you use the diff verbatim, please credit me :)
[19:36] <jdstrand> teward: of course
[19:36] <teward> (it's inspiration though if you have a better way, I just fast-hashed it together)
[19:36] <teward> ... DAMN YOU EMAIL
[19:36] <teward> ... seriously hate email sometimes, I broke it bad...
[19:36] <teward> *goes to fix his postfix and dovecot mail system*
[19:36] <jdstrand> and if I modify it, I'll still reference you 'based on...' or whatever makes sense
[19:36] <Skyrider> I do appreciate all you guys help and efforts btw!
[19:37] <teward> jdstrand: ack, thank you very much :)
[19:37] <teward> Skyrider: glad we could help, sorry that it took so long to debug
[19:37] <teward> Skyrider: yeah, if you're using CloudFlare you need to use web server level filtering/blocking for the traffic on those IP(s)
[19:37] <teward> if you're not, you can use `iptables`
[19:37] <teward> it's unfortunately the case of different levels of the TCP/IP stack being at play because of CF
[19:37] <jdstrand> or ufw ;)
[19:38] <teward> true :P
[19:38]  * teward has a habit of typing `iptables` :P
[19:38] <jdstrand> that is unfortunate, yes
[19:38] <teward> `iptables`/`ufw` work at one level of the TCP/IP stack (packet level), your webserver will operate at a more application-level filtration (so XFF header, etc. from Cloudflare so it IDs properly at endpoints for filtration)
[19:39] <teward> the second of those which is what you have to do when Cloudflare is in the equation
[19:39] <jdstrand> I suspect it makes since to use iptables(-persitent), ufw, or something on the server to block most stuff (ie, with rules to allow all 80, 443, etc) and then use cloudfare UI to blacklist certain IPs
[19:39] <jdstrand> s/since/sense/
[19:40] <teward> yep
[19:40] <teward> though unless you pay for CF your filtration there is limited
[19:42] <Skyrider> I find webmin.. weird.
[19:42] <Skyrider> The ufw chains still exists in its firewall rules.
[19:43] <teward> webmin is evil don't rely on it
[19:44] <Skyrider> At least rules are working..
[19:48] <Skyrider> What about nftables ? :P
[19:50] <jdstrand> Skyrider: did you 'dpkg --purge iptables-persistent'? maybe there are some lingering files that still fire on reboot
[19:51] <jdstrand> Skyrider: (or at the time of the removal, apt-get remove --purge iptables-persistent)
[19:51]  * jdstrand is confused. I thought Skyrider said after reboot it was empty...
[19:52] <Skyrider> Ya, the iptables -S said it did.. just webmin for some reason cached the old ufw chains.
[19:52] <Skyrider> I erased webmin though.
[19:52] <jdstrand> oh, I see. I don't know what it was doing
[20:01] <Skyrider> Wow iptables is sooo limited >_>
[20:03] <teward> for the record
[20:03] <teward> to properly protect systems
[20:04] <teward> you need IDS/IPS *and* firewalls
[20:04] <teward> and WAFs
[20:04] <teward> IDS/IPS to protect from signature based threats, firewalls for specific IPs, WAFs for HTTP/HTTPS level application filtering when CF and stuff are in play
[20:04] <teward> it's a lot more complex than just "Use a firewall"
[20:04] <teward> esp. when Cloudflare is involved
[20:08] <Skyrider> Indeed, sounds complicated :o
[20:09] <mybalzitch> whats a waf
[20:09] <Skyrider> dog? :p
[20:09] <mybalzitch> woof?
[20:09] <teward> Web Application Firewall
[20:09] <teward> something that operates at the HTTP/HTTPS 'application' level
[20:10] <mybalzitch> neat
[20:10] <Skyrider> eg ModSecurity.. seen that around.
[20:14] <Skyrider> Though, kinda sucks I have to compile nginx to include MC into nginx.