Fix ufw service not loading after a reboot

I have an Ubuntu 18.04/20.04 server running ufw (Uncomplicated Firewall) and Docker. Docker relies on iptables-persistent, which is an interface to a much more powerful and complicated firewall that many people would rather avoid.

The problem here is that ufw and iptables-persistent are both ways of managing the same firewall. On my server, only one service would ever run at startup, negating the other.

After a reboot ufw would always be disabled.

$ sudo ufw status

Status: inactive

Even though the ufw service is enabled, if you look closely, the active service has exited.

$ sudo systemctl status ufw 

● ufw.service - Uncomplicated firewall
    Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
    Active: active (exited)

If I check the server services, both ufw and netfilter-persistent are enabled. netfilter-persistent is a means for managing iptables on Debian and Ubuntu systems.

$ sudo service --status-all

 [ + ]  netfilter-persistent
 [ + ]  ufw

The fix is simple: we need to tell the operating system to load ufw after netfilter-persistent.

Find and back up the ufw service.

$ ls -l /lib/systemd/system/ufw.service

-rw-r--r-- 1 root root  266 Aug 15  2017  ufw.service

$ cd /lib/systemd/system/
$ sudo cp ufw.service ufw.service.original

$ cat /lib/systemd/system/ufw.service

 [Unit]
 Description=Uncomplicated firewall
 Documentation=man:ufw(8)
 DefaultDependencies=no
 Before=network.target

 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/lib/ufw/ufw-init start quiet
 ExecStop=/lib/ufw/ufw-init stop

 [Install]
 WantedBy=multi-user.target

Update and save the modified service by appending `After=netfilter-persistent.service` to the `[Unit]` block.

$ sudo nano /lib/systemd/system/ufw.service

 [Unit]
 Description=Uncomplicated firewall
 Documentation=man:ufw(8)
 DefaultDependencies=no
 Before=network.target
 After=netfilter-persistent.service

 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/lib/ufw/ufw-init start quiet
 ExecStop=/lib/ufw/ufw-init stop

 [Install]
 WantedBy=multi-user.target

Reboot and test.

$ sudo reboot
$ sudo ufw status

Status: active
 To                         Action      From
 --                         ------      ----
 OpenSSH                    ALLOW       Anywhere
 Nginx Full                 ALLOW       Anywhere
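
The same ordering can also be applied as a systemd drop-in, which survives ufw package upgrades that replace /lib/systemd/system/ufw.service. This is an added example, not part of the original post; the drop-in file name and the `--apply` switch are assumptions.

```sh
#!/bin/sh
# Added example: the After= ordering from this post, written as a systemd
# drop-in instead of an edit to the packaged /lib/systemd/system/ufw.service.

DROPIN_DIR=/etc/systemd/system/ufw.service.d    # standard drop-in location
DROPIN_NAME=10-after-netfilter-persistent.conf  # file name is an assumption

# Write the drop-in into directory $1. Dependencies set in a drop-in are
# added to the unit's existing ones, so Before=network.target is kept.
write_dropin() {
    mkdir -p "$1" || return 1
    printf '[Unit]\nAfter=netfilter-persistent.service\n' > "$1/$DROPIN_NAME"
}

# Succeed only if file $1 orders the unit after $2 inside its [Unit] section.
# An After= line under [Service] or [Install] has no ordering effect, and a
# commented-out line does not count either.
orders_after() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_unit = ($0 ~ /^[ \t]*\[Unit\]/); next }
        in_unit && /^[ \t]*After[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, units)
            for (i = 1; i <= n; i++) if (units[i] == want) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Touch the real system only when asked: sudo sh this-script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    write_dropin "$DROPIN_DIR" &&
    orders_after "$DROPIN_DIR/$DROPIN_NAME" netfilter-persistent.service &&
    systemctl daemon-reload &&
    systemctl show -p After ufw.service   # list should name netfilter-persistent.service
fi
```

`orders_after` can also be pointed at the edited /lib/systemd/system/ufw.service to confirm the line landed in the `[Unit]` block before rebooting.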
