[Touch-packages] [Bug 881137] Re: UFW does not clean iptables setting from /etc/ufw/before.rules
CzBiX, ufw does not yet manage the nat table (though there have been a couple of false starts). However, it does manage the FORWARD chain with 'ufw route' so it is possible for you to create a chain in the nat table in /etc/ufw/before.rules, and then use ufw route for other things. This is described in 'man ufw-framework' in the EXAMPLES section.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/881137

Title:
  UFW does not clean iptables setting from /etc/ufw/before.rules

Status in ufw package in Ubuntu:
  Won't Fix

Bug description:
  Adding some additional settings to /etc/ufw/before.rules is not deleted when ufw is stopped.

  I added these lines at top of file /etc/ufw/before.rules

  *nat
  :POSTROUTING ACCEPT [0:0]
  -A POSTROUTING -o eth0 -j MASQUERADE
  COMMIT

  Then I reloaded ufw firewall with command: ufw reload.

  Output from iptables-save

  $ iptables-save -t nat
  *nat
  :PREROUTING ACCEPT [4:478]
  :INPUT ACCEPT [4:478]
  :OUTPUT ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  -A POSTROUTING -o eth0 -j MASQUERADE
  COMMIT

  Then I reloaded ufw firewall again:

  $ iptables-save -t nat
  *nat
  :PREROUTING ACCEPT [4:478]
  :INPUT ACCEPT [4:478]
  :OUTPUT ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  -A POSTROUTING -o eth0 -j MASQUERADE
  -A POSTROUTING -o eth0 -j MASQUERADE
  COMMIT

  And ufw reload again

  $ iptables-save -t nat
  *nat
  :PREROUTING ACCEPT [4:478]
  :INPUT ACCEPT [4:478]
  :OUTPUT ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  -A POSTROUTING -o eth0 -j MASQUERADE
  -A POSTROUTING -o eth0 -j MASQUERADE
  -A POSTROUTING -o eth0 -j MASQUERADE
  COMMIT

  And again and postrouting is never deleted when ufw is stopped and added again when started.

  The same happens if I stop ufw firewall with: $ stop ufw. nat lines are not cleaned.

  UFW should remove all iptables settings specified in config files after ufw is stopped!

  This can be dangerous if apt-get is updating some ufw files and scripts need to reload ufw (some lines will be present multiple times).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/881137/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 881137] Re: UFW does not clean iptables setting from /etc/ufw/before.rules
Is it possible to add predefined nat chains? Like what openwrt does.

UFW can insert `ufw_prerouting_rule`, `ufw_postrouting_rule` on start, and remove these on stop. Users can insert their custom rules in the ufw chains, without worrying about the flush/duplicate issues.
[Touch-packages] [Bug 881137] Re: UFW does not clean iptables setting from /etc/ufw/before.rules
Please note that the various rules files are there for admins to adjust as needed. However, to work with other programs on the system, I reiterate that by default ufw will not flush anything it doesn't manage itself (MANAGE_BUILTINS, as mentioned, controls this behavior). If someone adds rules to these files then care is needed to add rules to remove them. You could add flush rules to do this as has been posted above, but as posted this is not much different from setting MANAGE_BUILTINS=yes. Perhaps you would like to instead add to the nat table your own chain, adding your rules to the chain, and then flush that chain (this is what ufw does internally for its chains).

Maciej mentioned after_up, after_down, before_up and before_down. Please note that these days ufw supports something similar with its /etc/ufw/after.init and /etc/ufw/before.init scripts. See 'BOOT INITIALIZATION' in 'man ufw-framework' for details.

Progress has been made on nat and other routing rules, so ufw will start to manage some of these other tables in a similar fashion to the filter table (though it's been slow going).
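
The own-chain approach described in the message above, as an added example (not code from ufw or from this thread): the NAT rule lives in a dedicated chain that is emptied on every start, and the single jump from POSTROUTING is added only when it is missing. The chain name `site-nat-post`, the `IPT` override and the start/stop dispatch (modelled on how a hook such as /etc/ufw/before.init might be invoked; check 'man ufw-framework') are assumptions; eth0 is the interface from the bug report.

```shell
#!/bin/sh
# Added example: keep site-specific NAT rules in a dedicated chain so that
# repeated start/reload cycles never stack duplicate rules in POSTROUTING.
# CHAIN and OUT_IF are assumptions; IPT can be overridden for dry runs.
IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-site-nat-post}"
OUT_IF="${OUT_IF:-eth0}"

nat_up() {
    # Create the chain on first use; if it already exists, just empty it.
    $IPT -t nat -N "$CHAIN" 2>/dev/null || $IPT -t nat -F "$CHAIN"
    $IPT -t nat -A "$CHAIN" -o "$OUT_IF" -j MASQUERADE
    # Add the jump from the built-in chain only if it is not there yet.
    $IPT -t nat -C POSTROUTING -j "$CHAIN" 2>/dev/null ||
        $IPT -t nat -A POSTROUTING -j "$CHAIN"
}

nat_down() {
    # Remove every copy of the jump, then flush and delete the chain.
    # Rules that other tools placed in POSTROUTING are left untouched.
    while $IPT -t nat -D POSTROUTING -j "$CHAIN" 2>/dev/null; do :; done
    $IPT -t nat -F "$CHAIN" 2>/dev/null || return 0
    $IPT -t nat -X "$CHAIN"
}

# Assumed calling convention: the hook receives "start" or "stop".
case "${1:-}" in
    start) nat_up ;;
    stop)  nat_down ;;
esac
```

Because `nat_up` is idempotent, it does not matter whether a reload runs the stop step first.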
[Touch-packages] [Bug 881137] Re: UFW does not clean iptables setting from /etc/ufw/before.rules
Is this going to work? It was reported in 2011 and the last comment was in 2015. It is 2018 and still, after restarting ufw, rules are added multiple times.

Just add this:

/etc/ufw/after_up
/etc/ufw/after_down
/etc/ufw/before_up
/etc/ufw/before_down

Users can manually add rules to *_up, executed when ufw starts, and add rules to be deleted to *_down, run when ufw is shutting down.
[Touch-packages] [Bug 881137] Re: UFW does not clean iptables setting from /etc/ufw/before.rules
As a workaround, add a flush for the nat chains you want flushed at beginning of the section like this:

*nat
:PREROUTING ACCEPT [4:478]
:INPUT ACCEPT [4:478]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-F POSTROUTING
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

Warning: This WILL also delete rules which may have been put there by other tools! ONLY do this if ufw is the only tool managing the specific tables/chains (here: nat POSTROUTING)
[Touch-packages] [Bug 881137] Re: UFW does not clean iptables setting from /etc/ufw/before.rules
sry, shorter and corrected:

As a workaround, add a flush for the nat chains you want flushed at beginning of the section like this:

*nat
:POSTROUTING ACCEPT [0:0]
-F POSTROUTING
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

Warning: This WILL also delete rules which may have been put there by other tools! ONLY do this if ufw is the only tool managing the specific tables/chains (here: nat POSTROUTING)
[Touch-packages] [Bug 881137] Re: UFW does not clean iptables setting from /etc/ufw/before.rules
Sam, while ufw has added support for managing the FORWARD chain, it does not yet support the nat table which is why you are seeing this issue. Please see comments #1 and #5 in this bug for more details.
[Touch-packages] [Bug 881137] Re: UFW does not clean iptables setting from /etc/ufw/before.rules
Just had the same bug after executing sudo ufw reload 4 times, this is what my iptables -t nat looks like:

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0
RETURN     all  --  192.168.122.0/24     224.0.0.0/24
RETURN     all  --  192.168.122.0/24     255.255.255.255
MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24
MASQUERADE  all  --  10.0.20.0/24         0.0.0.0/0
MASQUERADE  all  --  10.0.20.0/24         0.0.0.0/0
MASQUERADE  all  --  10.0.20.0/24         0.0.0.0/0
MASQUERADE  all  --  10.0.20.0/24         0.0.0.0/0

I've added the following lines to /etc/ufw/before.rules:

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through eth0 - Change to match your out-interface
-A POSTROUTING -s 10.0.20.0/24 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT

Version:

ufw --version
ufw 0.34~rc-0ubuntu2
Copyright 2008-2012 Canonical Ltd.
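
A way to clean up a table in the state shown above without flushing rules that other tools own, as an added example (not part of the original thread or of ufw): the function reads iptables-save output and prints one `iptables -D` command for each surplus copy of a rule, for review before running. The function names and the embedded sample dump (constructed from the output quoted in the bug description) are assumptions.

```shell
#!/bin/sh
# Added example. Reads iptables-save output on stdin and, for every rule that
# occurs more than once in the same table, prints one "iptables -D" command
# per surplus copy, so exactly one instance of each rule is left in place.
# Typical use (as root): iptables-save | dedupe_commands
dedupe_commands() {
    awk '
        # Strip the packet/byte counters that "iptables-save -c" prepends.
        { sub(/^\[[0-9]+:[0-9]+\] /, "") }
        # A line such as "*nat" starts a new table section.
        /^\*/ { table = substr($0, 2); next }
        /^-A / {
            key = table SUBSEP $0
            if (seen[key]++) {            # second and later copies only
                rule = $0
                sub(/^-A /, "-D ", rule)  # -D with a rule spec removes one match
                printf "iptables -t %s %s\n", table, rule
            }
        }
    '
}

# Constructed sample: the nat table after three reloads, as in the report.
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [4:478]
:INPUT ACCEPT [4:478]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}
```

Rules that appear once, including those installed by other tools, produce no output and are never touched.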
[Touch-packages] [Bug 881137] Re: UFW does not clean iptables setting from /etc/ufw/before.rules
@erniecom: as of 0.34 ufw does have route rules now and it also supports customization scripts via /etc/ufw/before.init and /etc/ufw/after.init. See 'man ufw-framework' for details.