I have a Ubuntu 18.04/20.04 server running ufw (Uncomplicated Firewall) and Docker. Docker relies on iptables-persistent, which is an interface to a much more powerful and complicated firewall that many people would rather avoid.
The problem here is that ufw and iptables-persistent are both ways for creating the same firewall. On my server, only one service would ever run at startup negating the other.
After a reboot ufw would always be disabled.
|
1 2 3 |
$ sudo ufw status Status: inactive |
Even though the ufw service is enabled, if you look closely, the active service has exited.
|
1 2 3 4 5 |
$ sudo systemctl status ufw ● ufw.service - Uncomplicated firewall Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled) Active: active (exited) |
If I check the server services, both ufw and netfilter-persistent are enabled. netfilter-persistent is a means for managing iptables on Debian and Ubuntu systems.
|
1 2 3 4 |
$ sudo service --status-all [ + ] netfilter-persistent [ + ] ufw |
The fix is simple; we need to tell the operating system to load ufw after the netfilter-persistent.
Find and backup the ufw service.
|
1 2 3 |
$ ls -l /lib/systemd/system/ufw.service -rw-r--r-- 1 root root 266 Aug 15 2017 ufw.service |
|
1 2 3 |
$ cd /lib/systemd/system/ $ sudo cp ufw.service ufw.service.original |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
$ cat /lib/systemd/system/ufw.service [Unit] Description=Uncomplicated firewall Documentation=man:ufw(8) DefaultDependencies=no Before=network.target [Service] Type=oneshot RemainAfterExit=yes ExecStart=/lib/ufw/ufw-init start quiet ExecStop=/lib/ufw/ufw-init stop [Install] WantedBy=multi-user.target |
Update and save the modified service by appending After=netfilter-persistent.service to the [Unit] block.
|
1 |
$ sudo nano /lib/systemd/system/ufw.service |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
[Unit] Description=Uncomplicated firewall Documentation=man:ufw(8) DefaultDependencies=no Before=network.target After=netfilter-persistent.service [Service] Type=oneshot RemainAfterExit=yes ExecStart=/lib/ufw/ufw-init start quiet ExecStop=/lib/ufw/ufw-init stop [Install] WantedBy=multi-user.target |
Reboot and test.
|
1 |
$ sudo reboot |
|
1 2 3 4 5 6 7 |
$ sudo ufw status Status: active To Action From -- ------ ---- OpenSSH ALLOW Anywhere Nginx Full ALLOW Anywhere |