UFW – We can rebuild him. We have the technology.

So say you have UFW (uncomplicated firewall) installed on your server and you accidentally issue “iptables -F” and kill all of your networking. “No worries,” you think, “I can just restart UFW.” Except you find that after you issue “ufw disable; ufw enable” that it still does not work. Welp, crap. You’re hosed now. Have no fear, fellow sysadmin! Rescue is on the way.

UFW is kinda derpy in the fact that it doesn’t completely clean up after itself when you disable it. For example, here is the output of iptables-save on a box after you run “ufw disable”:

hodor ~ # iptables-save 
# Generated by iptables-save v1.4.10 on Sun Jul 22 04:38:51 2012
*filter
:INPUT ACCEPT [399:530740]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [274:46083]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
-A INPUT -j ufw-before-logging-input 
-A INPUT -j ufw-before-input 
-A INPUT -j ufw-after-input 
-A INPUT -j ufw-after-logging-input 
-A INPUT -j ufw-reject-input 
-A INPUT -j ufw-track-input 
-A FORWARD -j ufw-before-logging-forward 
-A FORWARD -j ufw-before-forward 
-A FORWARD -j ufw-after-forward 
-A FORWARD -j ufw-after-logging-forward 
-A FORWARD -j ufw-reject-forward 
-A OUTPUT -j ufw-before-logging-output 
-A OUTPUT -j ufw-before-output 
-A OUTPUT -j ufw-after-output 
-A OUTPUT -j ufw-after-logging-output 
-A OUTPUT -j ufw-reject-output 
-A OUTPUT -j ufw-track-output 
COMMIT
# Completed on Sun Jul 22 04:38:51 2012

As you can see, there is quite a bit of UFW related stuff left over. And worse off, UFW expects that those rules that it has on the default filter chains to be unmolested. An “iptables -F” will remove all of the rules, but leave the UFW-specific chains intact. For some reason UFW derpily assumes that if the chains exists, then it can start normally. You can see how this isn’t true since it doesn’t re-populate the references to the UFW-specific chains in the default filter chains when you start it back up in this state. The fix for this is to simply delete the UFW chains. If you would like to only delete the UFW chains, this one-liner should do the job:

for i in `iptables-save | grep :ufw | cut -d":" -f2 | cut -d" " -f1`; do iptables -X $i; done;

Alternatively, you can nuke all of the chains by running “iptables -X”. Either option will force UFW to re-populate all of its default rules and chains when you next start it. Happy hacking!

Leave a Comment


NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>