The default firewall configuration tool for Ubuntu is UFW (the Uncomplicated Firewall). Developed to ease iptables configuration, UFW provides a user-friendly way to create an IPv4 or IPv6 host-based firewall that protects your computer from unauthorised access. In this article I am going to show you how to set up, configure and manage it on Ubuntu 12.04 LTS Precise Pangolin.
So let’s get started …
In a Terminal (or on the console) type:
sudo apt-get install ufw gufw
Note that ufw itself is installed by default on Ubuntu; gufw is the optional graphical front-end and is only worth installing on a desktop.
Getting started with UFW
To enable the firewall, use:
sudo ufw enable
To disable the firewall at any time, use:
sudo ufw disable
To enable the firewall ‘log’, use:
sudo ufw logging on
To disable the ‘logging’ at any time, use:
sudo ufw logging off
UFW logs through the kernel log; on Ubuntu rsyslog writes these entries to /var/log/ufw.log (they also appear in /var/log/kern.log and /var/log/syslog). ‘logging on’ is the same as the ‘low’ level; ‘sudo ufw logging medium’ (or high, full) records progressively more, at the cost of log volume.
To set the default policy for incoming traffic to allow everything that is not explicitly denied, use:
sudo ufw default allow
To set it to deny everything that is not explicitly allowed, use:
sudo ufw default deny
Both forms apply to incoming traffic; to set the outgoing policy explicitly add the direction, e.g. sudo ufw default allow outgoing.
The recommended approach is to deny access to all ports/services and then open only the ports/services you need. Remember, a default policy of allow exposes every listening service on your system; so it is far better to begin by closing all ports/services and opening them as and when they are required.
And to check the status of your firewall use:
sudo ufw status
or
sudo ufw status verbose
Easy so far … and if you were looking for the graphical utility, simply open the ‘Dash’ and search for GUFW.
Managing the UFW
In the following section I will now ‘walk you through’ the management of ports with plenty of examples.
Allow and Deny
For those of you who would like to allow access to any specific port use:
sudo ufw allow port_number
Similarly, to deny access to any specific port use:
sudo ufw deny port_number
Remember to replace ‘port_number’ with a specific port number …
Time for some ‘port-based’ examples:
‘Allow’ access to port 53
sudo ufw allow 53
Delete ‘Allow’ access to port 53
sudo ufw delete allow 53
‘Allow’ access to port 80
sudo ufw allow 80/tcp
Delete ‘Allow’ access to port 80
sudo ufw delete allow 80/tcp
Managing Services with UFW
Now let’s turn to the even easier process of managing services.
Allow and Deny
To allow access to a specific service use:
sudo ufw allow service_name
Similarly, to deny access to a specific service use:
sudo ufw deny service_name
Remember to replace ‘service_name’ with a specific service name. UFW resolves these names through /etc/services, which maps names to port numbers and protocols (it is not a list of what is running on your machine); to see the names you can use, type:
less /etc/services
UFW also ships application profiles for installed packages (for example ‘OpenSSH’); ‘sudo ufw app list’ shows the ones available on your system.
Time for some ‘service based’ examples (UFW looks each name up in /etc/services, so ‘ssh’ becomes port 22/tcp and ‘smtp’ becomes 25/tcp):
‘Allow’ access to the smtp service
sudo ufw allow smtp
‘Deny’ access to the smtp service
sudo ufw deny smtp
Delete ‘Allow’ access to the smtp service
sudo ufw delete allow smtp
Delete ‘Deny’ access to the smtp service
sudo ufw delete deny smtp
‘Allow’ access to the ssh service
sudo ufw allow ssh
‘Deny’ access to the ssh service
sudo ufw deny ssh
Delete ‘Allow’ access to the ssh service
sudo ufw delete allow ssh
Delete ‘Deny’ access to the ssh service
sudo ufw delete deny ssh
I hope you can now see how simple this is …
Mixing it up with advanced syntax
For those of you who wish to employ more complicated rulesets, the syntax changes slightly but the process remains the same:
To allow a specific IP address use,
sudo ufw allow from XXX.XXX.XXX.XXX
To allow a specific subnet, add the prefix length (netmask) and use
sudo ufw allow from XXX.XXX.XXX.XXX/XX
And finally, to allow a specific IP address access to a specific port and protocol you can use,
sudo ufw allow from XXX.XXX.XXX.XXX to any port YY proto PPP
Alternatively you may use the ‘deny’ command and block access by using a not too dissimilar process from that shown above.
To block a specific IP address use,
sudo ufw deny from XXX.XXX.XXX.XXX
To block a specific subnet, add the prefix length and use
sudo ufw deny from XXX.XXX.XXX.XXX/XX
And finally, to block a specific IP address from a specific port and protocol you can use,
sudo ufw deny from XXX.XXX.XXX.XXX to any port YY proto PPP
Where XXX.XXX.XXX.XXX is the source IP address (or network), YY is the port number and PPP is the protocol, tcp or udp. The word after ‘to’ is the destination address on this host, not the protocol; ‘any’ means all of the host’s addresses, and you may replace it with one specific local address if the machine has several.
For example:
To allow the IP address 192.168.1.14 access to port 53 for both TCP and UDP you would type:
sudo ufw allow from 192.168.1.14 to any port 53
Or, to allow the IP address 192.168.1.32 access to port 22 for both TCP and UDP you would type:
sudo ufw allow from 192.168.1.32 to any port 22
Without ‘proto’, a rule matches both TCP and UDP; append ‘proto tcp’ or ‘proto udp’ to restrict it, for example sudo ufw allow from 192.168.1.32 to any port 22 proto tcp, since SSH only uses TCP.
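Putting the pieces together, here is an added example script (not from the original article) that applies the recommended default-deny policy using the syntax above. It assumes a management network of 192.168.1.0/24 that may reach SSH, a web server on 80/tcp and a DNS server on port 53; those are assumptions, change them to fit your host. The script only prints the commands unless UFW_APPLY=1 is set in the environment, and it adds the SSH rule before enabling the firewall so that a remote session is not locked out when the default becomes deny.

```shell
#!/bin/sh
# Added example, not from the original article: builds the default-deny
# policy described above in a safe order. The SSH allow rule is added
# before the firewall is enabled so a remote session is not cut off.
# The management subnet and the open services below are assumptions.
set -e

MGMT_NET="${MGMT_NET:-192.168.1.0/24}"   # hosts allowed to reach SSH (assumed)

# Print the ufw commands, one per line, in the order they must run.
# Run without sudo because apply_policy is expected to run as root.
build_commands() {
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow from $MGMT_NET to any port 22 proto tcp
ufw allow 80/tcp
ufw allow 53
ufw logging on
ufw --force enable
EOF
}

# Execute the commands for real (needs root and ufw installed), or just
# show them when UFW_APPLY is not set to 1. "--force" skips the
# interactive confirmation that "ufw enable" otherwise asks for.
apply_policy() {
    if [ "${UFW_APPLY:-0}" = "1" ]; then
        build_commands | while IFS= read -r cmd; do
            echo "+ $cmd"
            sh -c "$cmd"
        done
        ufw status verbose
    else
        echo "# dry run; set UFW_APPLY=1 and run as root to execute"
        build_commands
    fi
}

apply_policy
```

Run it once as a dry run to review the list, then as root with UFW_APPLY=1; afterwards sudo ufw status verbose should show the two default policies and the four rules. The port 53 rule is only needed if the host actually serves DNS; a plain workstation should leave it out.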
A word of caution
When blocking a specific IP address you should be aware that UFW evaluates its rules in order and the first matching rule wins.
In practice this means that if an earlier rule grants access to a port or service, a ‘deny’ rule for that address added afterwards will never be reached, because ‘ufw deny’ appends to the end of the list. There are two ways to get the block in first. The simpler one is to insert it at the top of the list with sudo ufw insert 1 deny from XXX.XXX.XXX.XXX (sudo ufw status numbered shows the current order). Alternatively, rather than deleting all your rules and re-adding them in a new order, you can open the ‘before’ rules file, which is processed before any rule created with the ufw command, and include a new section like so:
Grant yourself ‘root’ privileges like so:
sudo su
And then, for Terminal users use,
gedit /etc/ufw/before.rules
For console users (replacing ‘nano’ with your preferred text editor) use,
nano /etc/ufw/before.rules
Look for the lines in ‘before.rules’ that look something like this:
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
And add your ‘drop’ rules directly afterwards, in iptables syntax, one line per address of the form -A ufw-before-input -s XXX.XXX.XXX.XXX -j DROP, like so:
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
# my own blocks, evaluated before any ‘ufw allow’ rule
MY FIRST DROP RULE GOES HERE
MY SECOND DROP RULE GOES HERE
MY THIRD DROP RULE GOES HERE
Keep everything above the final ‘COMMIT’ line, then reload so the file is read again:
sudo ufw reload
And that’s it. Very shortly you should be running a much more secure environment.
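To make the before.rules edit less error-prone, here is an added example (not from the original article) that performs the same insertion with awk on a copy of the file. It writes a constructed, abridged stand-in for /etc/ufw/before.rules into a temporary directory, then places one DROP rule for each given source address directly after the INVALID-state DROP line, exactly where the text says to put them, so they are evaluated before any rule added with ‘ufw allow’. The addresses 203.0.113.10 and 198.51.100.0/24 are documentation-range examples, not real attackers.

```shell
#!/bin/sh
# Added example, not from the original article: inserts DROP rules for
# given source addresses into a before.rules file directly after the
# existing INVALID-state DROP line. Works on a constructed sample copy;
# point it at /etc/ufw/before.rules as root to use it for real.
set -e

INVALID_DROP='-A ufw-before-input -m state --state INVALID -j DROP'

# add_drop_rules FILE ADDR [ADDR...]: rewrite FILE in place, adding
# "-A ufw-before-input -s ADDR -j DROP" for each address right after
# the INVALID drop line (and therefore still above COMMIT).
add_drop_rules() {
    file="$1"; shift
    tmp="$file.tmp.$$"
    awk -v anchor="$INVALID_DROP" -v addrs="$*" '
        { print }
        $0 == anchor {
            n = split(addrs, a, " ")
            for (i = 1; i <= n; i++)
                printf "-A ufw-before-input -s %s -j DROP\n", a[i]
        }' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Constructed, abridged stand-in for /etc/ufw/before.rules.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:ufw-before-input - [0:0]
:ufw-logging-deny - [0:0]
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
EOF
}

# first_rule_after_invalid FILE: print the line following the INVALID
# drop, i.e. the first rule that will be evaluated after it.
first_rule_after_invalid() {
    awk -v anchor="$INVALID_DROP" '$0 == anchor { getline; print; exit }' "$1"
}

# Demonstration on the sample file (documentation-range addresses).
work="$(mktemp -d)"
write_sample_rules "$work/before.rules"
add_drop_rules "$work/before.rules" 203.0.113.10 198.51.100.0/24
cat "$work/before.rules"
rm -rf "$work"
# On a real system, follow the edit with: sudo ufw reload
```

On a live host run add_drop_rules /etc/ufw/before.rules ADDR... as root, check the result with a quick look at the file, and then run sudo ufw reload; the before rules are only re-read on reload or enable, so the edit alone changes nothing. Because these rules live outside the list that sudo ufw status shows, keep a note of what you have added there.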