Ubuntu 14.04 LTS on OpenVZ + ufw and iptables Firewall


I upgraded my P.O.S. OpenVZ VPS (KVM from now on…) from Ubuntu 12.04.4 LTS to 14.04 LTS today and ran into some problems with the firewall rules. Every time I’d reboot the VPS, it would fail to set up all the firewall rules configured by ufw, most notably the application allow rules (i.e. ssh) and the INPUT chain policy. Kind of dangerous.

Debugging

Running /lib/ufw/ufw-init force-reload manually (as root) returns:

iptables-restore: line 4 failed
ip6tables-restore: line 4 failed

Fixing

Some digging revealed what broke /lib/ufw/ufw-init-functions: the ufw shipped with 14.04 writes its connection-tracking rules with -m conntrack --ctstate where the 12.04 version used -m state --state, and the ancient OpenVZ kernel rejects the conntrack match. The "line 4" in the error is the COMMIT of the four-line batch below, which is where iptables-restore actually hands the rules to the kernel, so the whole batch is thrown away and ufw never gets past setting up tracking. Around line 263 the culprit can be found and resolved by changing -m conntrack --ctstate back to -m state --state; for the states ufw uses (NEW, RELATED, ESTABLISHED, INVALID) the two matches behave the same. The following snippet works for me now until the next ufw update clobbers it:

			# add tracking policy
			if [ "$DEFAULT_INPUT_POLICY" = "ACCEPT" ]; then
				printf "*filter\n"\
"-A ufw${type}-track-input -p tcp -m state --state NEW -j ACCEPT\n"\
"-A ufw${type}-track-input -p udp -m state --state NEW -j ACCEPT\n"\
"COMMIT\n" | $exe-restore -n || error="yes"
			fi

			if [ "$DEFAULT_OUTPUT_POLICY" = "ACCEPT" ]; then
				printf "*filter\n"\
"-A ufw${type}-track-output -p tcp -m state --state NEW -j ACCEPT\n"\
"-A ufw${type}-track-output -p udp -m state --state NEW -j ACCEPT\n"\
"COMMIT\n" | $exe-restore -n || error="yes"
			fi

			if [ "$DEFAULT_FORWARD_POLICY" = "ACCEPT" ]; then
				printf "*filter\n"\
"-A ufw${type}-track-forward -p tcp -m state --state NEW -j ACCEPT\n"\
"-A ufw${type}-track-forward -p udp -m state --state NEW -j ACCEPT\n"\
"COMMIT\n" | $exe-restore -n || error="yes"
			fi

That should do it, on top of applying the same -m conntrack --ctstate to -m state --state substitution to the rule files in /etc/ufw (before.rules, before6.rules and friends) and re-applying the hacks I had previously done in Ubuntu 12.04. After the change, /lib/ufw/ufw-init force-reload should return without the restore errors and iptables -S INPUT should show the DROP policy and the ssh allow rule again.
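The edit above is a one-line fix in one file, but the same substitution has to land in every rule file ufw restores, and it has to survive being re-run. The script below is an added example for this post, not ufw's code and not the author's: it applies the conntrack-to-state rewrite mechanically to the ufw-init-functions script and to the /etc/ufw rule files (paths assumed to follow the Ubuntu 14.04 layout), keeps a backup, reports any --ctstate value that has no -m state equivalent, and includes a root-only probe that asks the kernel directly whether the conntrack match is accepted, so you can tell a box that needs the rewrite from one that does not. The sample rule lines are constructed to look like ufw's output; they are not copied from a real file.

```shell
#!/bin/sh
# Added example (not ufw's own code, not the post author's): mechanise the
# "-m conntrack --ctstate" -> "-m state --state" rewrite and probe kernel support.
# Assumed Ubuntu 14.04 paths: /lib/ufw/ufw-init-functions and /etc/ufw/*.rules.

# Pure text transform (stdin -> stdout). Only state lists that the older state
# match also understands (NEW, ESTABLISHED, RELATED, INVALID, any combination)
# are rewritten; --ctstate values such as DNAT, SNAT or UNTRACKED have no
# "-m state" equivalent and are deliberately left for a human to handle.
conntrack_to_state() {
    sed -E 's/-m conntrack --ctstate ((NEW|ESTABLISHED|RELATED|INVALID)(,(NEW|ESTABLISHED|RELATED|INVALID))*)( |$)/-m state --state \1\5/g'
}

# Count lines on stdin that still carry --ctstate; anything non-zero must be
# fixed by hand before rebooting or the restore will fail again at COMMIT.
leftover_ctstate() {
    grep -c -- '--ctstate' || true
}

# Convert one file in place. The first run keeps an untouched copy as FILE.orig;
# later runs change nothing because the transform is idempotent.
convert_file() {
    f="$1"
    [ -e "$f.orig" ] || cp -p "$f" "$f.orig"
    tmp=$(mktemp) || return 1
    conntrack_to_state < "$f" > "$tmp" && cat "$tmp" > "$f"   # cat keeps mode and owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Ask the kernel directly (needs root): add one conntrack rule to a scratch chain.
# Returns 0 if the match works, 1 if the kernel rejects it (the OpenVZ case),
# 2 if the chain could not even be created. Pass ip6tables as $1 for IPv6.
probe_conntrack_match() {
    exe="${1:-iptables}"
    chain="ufwprobe$$"
    "$exe" -N "$chain" 2>/dev/null || return 2
    if "$exe" -A "$chain" -m conntrack --ctstate NEW -j RETURN 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    "$exe" -F "$chain" 2>/dev/null
    "$exe" -X "$chain" 2>/dev/null
    return $rc
}

# Constructed sample in the shape of ufw rule lines (not from a real file):
# three convertible lines, one DNAT line that must survive, one without conntrack.
SAMPLE='-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-track-input -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m conntrack --ctstate DNAT -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT'

demo_convert() {
    printf '%s\n' "$SAMPLE" | conntrack_to_state
}

if [ "${1:-}" = "--apply" ]; then
    # Real run on the VPS (as root): fix the init script and the rule files,
    # report what is left, and say whether the kernel needed this at all.
    for f in /lib/ufw/ufw-init-functions /etc/ufw/*.rules; do
        [ -f "$f" ] && convert_file "$f" && echo "converted $f"
    done
    echo "lines still using --ctstate: $(cat /lib/ufw/ufw-init-functions /etc/ufw/*.rules | leftover_ctstate)"
    probe_conntrack_match && echo "kernel accepts -m conntrack; the rewrite was not needed"
else
    demo_convert
    echo "leftover --ctstate lines in sample: $(demo_convert | leftover_ctstate)"
fi
```

Run it with no arguments to see the transform on the sample; run it as root with --apply on the VPS. Because the rewritten files belong to the ufw package, re-run it (or at least the probe and the leftover count) after every ufw upgrade, then confirm with /lib/ufw/ufw-init force-reload and iptables -S INPUT that the DROP policy and the allow rules are back before trusting a reboot.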

Next Steps

The real problem is that OpenVZ and ufw are crap. Put an ancient kernel from OpenVZ (2.6.32-042stab078.26) and ufw together and there will be drama. Next step is to get a better VPS (something with KVM, recommendations?). And inevitably, when the ufw package is updated in Ubuntu and undoes this change, I’ll probably convert back to straight iptables-save/restore files like I do in Arch. None of those hacked-up automatic firewall configuration shell scripts with a million variables – just iptables-save output and a simple iptables-restore script. Life will be blissful again.
