Save this as `/etc/NetworkManager/conf.d/default-firewall-use-iptables.conf`, then run `sudo systemctl restart NetworkManager`.
This will configure NetworkManager to use `iptables` as its default firewall backend, which should resolve the issue in this bug when starting the hotspot in the future.

** Attachment added: "default-firewall-use-iptables.conf"
   https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/2128668/+attachment/5920785/+files/default-firewall-use-iptables.conf

** Description changed:

  SRU Justification:

  [ Impact ]

  When a wi-fi hotspot is being broadcast, NetworkManager does not automatically configure all firewall rules as needed for clients to access the internet.

  [ Test Plan ]

  Start wi-fi hotspot on device running ufw that is connected to the internet

  [ Actual result ]

  Clients cannot connect to the internet via the hotspot. Only after adding custom firewall rules such as those described above can the client connect to the internet.

  [ Expected result ]

  Clients can connect to the internet via the hotspot

  [ Fix ]

  At minimum, the following is needed to enable this:

  1. Enable routing from wireless adapter to wired adapter (ex: sudo ufw route allow in on wlP9s9 out on enp1s0 (varies depending on adapter names))
  2. Set iptables forwarding rules correctly (ex: sudo iptables -P FORWARD ACCEPT)
  3. If the host is running its own DNS / DHCP servers, those will also have to be allowed by the firewall

  This is already implemented by NetworkManager. However, since applications like UFW configure firewall rules directly through /etc/sbin/iptables, NetworkManager needs to be configured to do so as well. Since we don't explicitly set a firewall backend to use in our config, NM checks for the existence of nftables and uses it since it is installed on Ubuntu, which is not sufficient to override the rules set via iptables by UFW and Docker. Therefore, the most straightforward solution is to configure Ubuntu's NetworkManager to use iptables as its firewall backend, bringing it in line with how UFW orchestrates its firewall rules.
+ (Apply this config change to set iptables as the default backend for NM:
+ https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/2128668/comments/6)
+
  [ Where problems could occur ]

  While NetworkManager should be configuring the same rules regardless of the firewall backend used, any differences that might exist between how /usr/sbin/iptables and /usr/sbin/nftables handle the setup could manifest as user-visible differences in firewall behavior. Additionally, since /usr/sbin/iptables is a symlink to /etc/alternatives/iptables, a user who has changed their /etc/alternatives/iptables target could also deviate from the behavior of a default Ubuntu configuration.

  With that said, keeping this configuration as-is may also have risks beyond the hotspot sharing use-case, since even the default firewall profiles in NM are currently set via the nftables interface, which I've observed is not always in sync with the UFW-enforced rules set via /usr/sbin/iptables.

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/2128668

Title:
  Wi-Fi hotspot startup does not configure firewall as needed for internet sharing

Status in network-manager package in Ubuntu:
  In Progress
Status in network-manager source package in Jammy:
  In Progress
Status in network-manager source package in Noble:
  In Progress
Status in network-manager source package in Plucky:
  Won't Fix
Status in network-manager source package in Questing:
  In Progress
Status in network-manager source package in Resolute:
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/2128668/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
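The mechanism the SRU justification describes (an accept issued from NetworkManager's nftables-backend chain not overriding ufw's drop policy in the iptables-nft filter table) can be checked on a host by listing every base chain on the forward hook: in nftables an accept verdict only ends evaluation of the chain that issued it, so a forwarded packet must get past each forward base chain in every table. The Python below is an added example, not code from the bug report, NetworkManager or ufw. It parses the JSON that `nft -j list ruleset` prints; the ruleset it embeds is constructed and abbreviated, and the `nm-shared-wlP9s9` table and its chain names are assumed for illustration.

```python
"""List nftables base chains on the 'forward' hook and flag dropping tables.

Added example (not from the Launchpad bug, NetworkManager or ufw). Parses the
JSON produced by `nft -j list ruleset`. RULESET_JSON is a constructed sample,
not captured from a real system.
"""
import json
import subprocess

# Constructed sample: ufw's iptables-nft FORWARD chain (policy drop) next to an
# assumed NetworkManager sharing table ('nm-shared-wlP9s9') whose forward chain
# accepts. Only the objects relevant to the forward path are included.
RULESET_JSON = json.dumps({"nftables": [
    {"metainfo": {"version": "1.0.9", "json_schema_version": 1}},
    {"table": {"family": "ip", "name": "filter", "handle": 1}},
    {"chain": {"family": "ip", "table": "filter", "name": "INPUT", "handle": 1,
               "type": "filter", "hook": "input", "prio": 0, "policy": "drop"}},
    {"chain": {"family": "ip", "table": "filter", "name": "FORWARD", "handle": 2,
               "type": "filter", "hook": "forward", "prio": 0, "policy": "drop"}},
    # Regular chain: no 'hook' key, so it is not a base chain.
    {"chain": {"family": "ip", "table": "filter", "name": "ufw-before-forward", "handle": 3}},
    {"table": {"family": "ip", "name": "nm-shared-wlP9s9", "handle": 2}},
    {"chain": {"family": "ip", "table": "nm-shared-wlP9s9", "name": "filter_forward",
               "handle": 4, "type": "filter", "hook": "forward", "prio": 0,
               "policy": "accept"}},
    {"chain": {"family": "ip", "table": "nm-shared-wlP9s9", "name": "nat_postrouting",
               "handle": 5, "type": "nat", "hook": "postrouting", "prio": 100,
               "policy": "accept"}},
]})


def forward_base_chains(ruleset_json):
    """Return (family, table, chain, prio, policy) for every base chain on the
    forward hook, lower priority number first (that is the order the kernel
    traverses them); equal priorities keep the order nft reported them in."""
    chains = []
    for obj in json.loads(ruleset_json)["nftables"]:
        chain = obj.get("chain")
        if chain and chain.get("hook") == "forward":
            chains.append((chain["family"], chain["table"], chain["name"],
                           chain.get("prio", 0), chain.get("policy", "accept")))
    chains.sort(key=lambda c: c[3])
    return chains


def dropping_forward_tables(ruleset_json):
    """Tables whose forward base chain has policy drop. Each of these must
    contain an explicit accept for the hotspot's interface pair; an accept in
    another table (e.g. NetworkManager's own) does not skip this chain."""
    return [f"{fam} {tbl}" for fam, tbl, _, _, pol in forward_base_chains(ruleset_json)
            if pol == "drop"]


def live_ruleset_json():
    """Read the real ruleset from the running host (needs root and nft)."""
    return subprocess.run(["nft", "-j", "list", "ruleset"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for fam, tbl, name, prio, pol in forward_base_chains(RULESET_JSON):
        print(f"{fam:4} {tbl:18} {name:16} prio={prio:<4} policy={pol}")
    blockers = dropping_forward_tables(RULESET_JSON)
    if blockers:
        print("forwarded traffic is dropped unless explicitly accepted in:",
              ", ".join(blockers))
```

On a real host, swap `RULESET_JSON` for `live_ruleset_json()`; if `ip filter` (ufw) appears in the dropping list while NetworkManager's own table appears with policy accept, the hotspot clients are being dropped by ufw regardless of what NetworkManager programmed, which is the situation the iptables backend setting above avoids.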

