UFW Essentials: Common Firewall Rules and Commands

Introduction

UFW is a firewall configuration tool for iptables that is included with Ubuntu by default. This cheat sheet-style guide provides a quick reference to UFW commands that create iptables firewall rules useful in common, everyday scenarios. It includes UFW examples of allowing and blocking various services by port, network interface, and source IP address.

How To Use This Guide

  • If you are just getting started with using UFW to configure your firewall, check out our introduction to UFW
  • Most of the rules that are described here assume that you are using the default UFW ruleset. That is, the default policies allow outgoing and deny incoming traffic, so you have to selectively allow traffic in
  • Use whichever subsequent sections are applicable to what you are trying to achieve. Most sections are not predicated on any other, so you can use the examples below independently
  • Use your browser's find function to locate the sections you need
  • Copy and paste the command-line examples given, substituting the example values (IP addresses, subnets, ports, interface names) with your own

Remember that you can check your current UFW ruleset with sudo ufw status or sudo ufw status verbose.

Block an IP Address

To block all network connections that originate from a specific IP address, 15.15.15.51 for example, run this command:


  • sudo ufw deny from 15.15.15.51

In this example, from 15.15.15.51 specifies a source IP address of "15.15.15.51". If you wish, a subnet, such as 15.15.15.0/24, may be specified here instead. The source IP address can be specified in any firewall rule, including an allow rule.

Block Connections to a Network Interface

To block connections from a specific IP address, e.g. 15.15.15.51, to a specific network interface, e.g. eth0, use this command:


  • sudo ufw deny in on eth0 from 15.15.15.51

This is the same as the previous example, with the addition of in on eth0. The network interface can be specified in any firewall rule, and is a great way to limit the rule to a particular network.

Service: SSH

If you're using a cloud server, you will probably want to allow incoming SSH connections (port 22) so you can connect to and manage your server. This section covers how to configure your firewall with various SSH-related rules.

Allow SSH

To allow all incoming SSH connections run this command:


  • sudo ufw allow ssh

An alternative syntax is to specify the port number of the SSH service:


  • sudo ufw allow 22

Allow Incoming SSH from Specific IP Address or Subnet

To allow incoming SSH connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire 15.15.15.0/24 subnet, run this command:


  • sudo ufw allow from 15.15.15.0/24 to any port 22

Allow Incoming Rsync from Specific IP Address or Subnet

Rsync, which runs on port 873, can be used to transfer files from one computer to another.

To allow incoming rsync connections from a specific IP address or subnet, specify the source IP address and the destination port. For example, if you want to allow the entire 15.15.15.0/24 subnet to be able to rsync to your server, run this command:


  • sudo ufw allow from 15.15.15.0/24 to any port 873

Service: Web Server

Web servers, such as Apache and Nginx, typically listen for requests on port 80 and 443 for HTTP and HTTPS connections, respectively. If your default policy for incoming traffic is set to drop or deny, you will want to create rules that will allow your server to respond to those requests.

Allow All Incoming HTTP

To allow all incoming HTTP (port 80) connections run this command:


  • sudo ufw allow http

An alternative syntax is to specify the port number of the HTTP service:


  • sudo ufw allow 80

Allow All Incoming HTTPS

To allow all incoming HTTPS (port 443) connections run this command:


  • sudo ufw allow https

An alternative syntax is to specify the port number of the HTTPS service:


  • sudo ufw allow 443

Allow All Incoming HTTP and HTTPS

If you want to allow both HTTP and HTTPS traffic, you can create a single rule that allows both ports. To allow all incoming HTTP and HTTPS (ports 80 and 443) connections run this command:


  • sudo ufw allow proto tcp from any to any port 80,443

Note that you need to specify the protocol, with proto tcp, when specifying multiple ports.
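Every rule in this guide is built from the same few pieces (action, optional `in on` interface, optional `proto`, optional `from` source, optional `to any port`). The helper below is an added example, not DigitalOcean's code or part of UFW: the hypothetical function `ufw_rule` assembles those pieces into the exact command strings shown above, validating the address/CIDR and port values and enforcing the caveat that several ports on one rule require an explicit protocol. It only returns the command text; nothing is executed.

```python
import ipaddress

def ufw_rule(action, port=None, src=None, iface=None, proto=None, direction="in"):
    """Build one ufw command from the pieces the article combines: action,
    optional interface, optional protocol, optional source, optional port(s).
    Hypothetical helper; it returns the command string and runs nothing."""
    if action not in ("allow", "deny", "reject", "limit"):
        raise ValueError(f"unknown action {action!r}")
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    ports = [int(p) for p in str(port).split(",")] if port is not None else []
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("port out of range")
    # The article's caveat: several ports on one rule need an explicit protocol.
    if len(ports) > 1 and proto not in ("tcp", "udp"):
        raise ValueError("proto tcp or udp is required when listing several ports")
    if src is not None:
        net = ipaddress.ip_network(src, strict=False)  # rejects malformed addresses
        # single host -> "15.15.15.51", subnet -> "15.15.15.0/24"
        src = str(net.network_address) if net.num_addresses == 1 else str(net)
    port_txt = ",".join(map(str, ports))
    # Short form used for plain port rules: `ufw allow 22`, `ufw deny out 25`.
    if ports and not (src or iface or proto):
        return f"sudo ufw {action} {direction + ' ' if direction == 'out' else ''}{port_txt}"
    parts = ["sudo", "ufw", action]
    if iface:
        parts += [direction, "on", iface]
    if proto:
        parts += ["proto", proto]
    if src or ports:
        parts += ["from", src or "any"]
    if ports:
        parts += ["to", "any", "port", port_txt]
    return " ".join(parts)
```

For interface-only rules the builder writes an explicit `from any`, which UFW accepts and which is equivalent to the shorter form in the article.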

Service: MySQL

MySQL listens for client connections on port 3306. If your MySQL database server is being used by a client on a remote server, you need to be sure to allow that traffic.

Allow MySQL from Specific IP Address or Subnet

To allow incoming MySQL connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire 15.15.15.0/24 subnet, run this command:


  • sudo ufw allow from 15.15.15.0/24 to any port 3306

Allow MySQL to Specific Network Interface

To allow MySQL connections to a specific network interface—say you have a private network interface eth1, for example—use this command:


  • sudo ufw allow in on eth1 to any port 3306

Service: PostgreSQL

PostgreSQL listens for client connections on port 5432. If your PostgreSQL database server is being used by a client on a remote server, you need to be sure to allow that traffic.

PostgreSQL from Specific IP Address or Subnet

To allow incoming PostgreSQL connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire 15.15.15.0/24 subnet, run this command:


  • sudo ufw allow from 15.15.15.0/24 to any port 5432

A separate rule for the outgoing side of established PostgreSQL connections is only necessary if your default outgoing policy is not set to allow (UFW's default is to allow outgoing traffic).

Allow PostgreSQL to Specific Network Interface

To allow PostgreSQL connections to a specific network interface—say you have a private network interface eth1, for example—use this command:


  • sudo ufw allow in on eth1 to any port 5432

Service: Mail

Mail servers, such as Sendmail and Postfix, listen on a variety of ports depending on the protocols being used for mail delivery. If you are running a mail server, determine which protocols you are using and allow the appropriate types of traffic. We will also show you how to create a rule to block outgoing SMTP mail.

Block Outgoing SMTP Mail

If your server shouldn't be sending outgoing mail, you may want to block that kind of traffic. To block outgoing SMTP mail, which uses port 25, run this command:


  • sudo ufw deny out 25

This configures your firewall to drop all outgoing traffic on port 25. If you need to reject a different service by its port number, instead of port 25, simply replace it.

Allow All Incoming SMTP

To allow your server to respond to SMTP connections, port 25, run this command:


  • sudo ufw allow 25

Note: It is common for SMTP servers to use port 587 (the mail submission port) for outbound mail submitted by clients.

Allow All Incoming IMAP

To allow your server to respond to IMAP connections, port 143, run this command:


  • sudo ufw allow 143

Allow All Incoming IMAPS

To allow your server to respond to IMAPS connections, port 993, run this command:


  • sudo ufw allow 993

Allow All Incoming POP3

To allow your server to respond to POP3 connections, port 110, run this command:


  • sudo ufw allow 110

Allow All Incoming POP3S

To allow your server to respond to POP3S connections, port 995, run this command:


  • sudo ufw allow 995

Conclusion

That should cover many of the commands that are commonly used when using UFW to configure a firewall. Of course, UFW is a very flexible tool so feel free to mix and match the commands with different options to match your specific needs if they aren't covered here.

Good luck!

Source: https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands

Configure Ubuntu Firewall (UFW) on Ubuntu 14.04

Modified on: Wed, Jun 24, 2015 at 6:27 pm EST


Security is crucial when you run your own server. You want to make sure that only authorized users can access your server, configuration, and services.

In Ubuntu, there is a firewall that comes preloaded. It's called UFW (Ubuntu-Firewall). Although UFW is a pretty basic firewall, it is user friendly, excels at filtering traffic, and has good documentation. Some basic Linux knowledge should be enough to configure this firewall on your own.

Install UFW

Note that UFW is typically installed by default in Ubuntu. If it is not, you can install it yourself. To install UFW, run the following command.

sudo apt-get install ufw

Allow connections

If you are running a web server, you obviously want the world to be able to access your website(s). Therefore, you need to make sure that the default TCP port for HTTP (port 80) is open.

sudo ufw allow 80/tcp

In general, you can allow any port you need by using the following format:

sudo ufw allow <port>/<optional: protocol>

Deny connections

If you need to deny access to a certain port, use this:

sudo ufw deny <port>/<optional: protocol>

For example, let's deny access to our default MySQL port.

sudo ufw deny 3306

UFW also supports a simplified syntax for the most common service ports.

sudo ufw deny mysql
Rule updated
Rule updated (v6)

It is highly recommended to restrict access to your SSH port (by default it's port 22) from anywhere except your trusted IP addresses (example: office or home).

Allow access from a trusted IP address

Typically, you would need to allow access only to publicly open ports such as port 80. Access to all other ports needs to be restricted or limited. You can whitelist your home/office IP address (preferably a static IP) so that it can access your server through SSH or FTP.

sudo ufw allow from 192.168.0.1 to any port 22

Let's also allow access to the MySQL port.

sudo ufw allow from 192.168.0.1 to any port 3306

Looks better now. Let's move on.

Enable UFW

Before enabling (or restarting) UFW, you need to make sure that the SSH port is allowed to receive connections from your IP address. To start/enable your UFW firewall, use the following command:

sudo ufw enable

You will see this:

sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)?

Type Y, then press Enter to enable the firewall.

Firewall is active and enabled on system startup

Check UFW status

Take a look at all of your rules.

sudo ufw status

You will see output similar to the following.

sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1
22:tcp                     DENY    ANYWHERE

Use the "verbose" parameter to see a more detailed status report.

sudo ufw status verbose

Disable/reload/restart UFW

To disable (stop) UFW, run this command.

sudo ufw disable

If you need to reload UFW (reload rules), run the following.

sudo ufw reload

In order to restart UFW, you will need to disable it first, and then enable it again.

sudo ufw disable
sudo ufw enable

Again, before enabling UFW, make sure that the SSH port is allowed for your IP address.

Removing rules

To manage your UFW rules, you need to list them. You can do that by checking UFW status with the parameter "numbered". You will see output similar to the following.

sudo ufw status numbered
Status: active

To                              Action      From
--                              ------      ----
[ 1] 22                         ALLOW IN    192.168.0.1
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 3306                       ALLOW IN    192.168.0.1
[ 4] 22                         DENY IN     Anywhere

Notice the numbers in square brackets? To remove any of these rules, you will need to use these numbers.

sudo ufw delete [number]
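Reviewing a long numbered listing by eye is error-prone, so here is an added example (not part of the original article or of UFW) that parses the `ufw status numbered` format shown above and flags ALLOW IN rules that open one of the ports this guide keeps restricted (SSH, rsync, MySQL, PostgreSQL) to Anywhere. The sample listing is constructed, modelled on the output above; the `delete` commands it emits are printed highest number first, because deleting a rule renumbers the ones after it.

```python
import re
from collections import namedtuple

# Constructed sample of `sudo ufw status numbered` output, modelled on the
# listing in the article above (not captured from a real host).
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    192.168.0.1
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 80                         ALLOW IN    Anywhere
[ 4] 3306                       ALLOW IN    192.168.0.1
[ 5] 5432/tcp                   ALLOW IN    Anywhere
[ 6] 80 (v6)                    ALLOW IN    Anywhere (v6)
"""

# Ports the guide restricts to trusted sources: SSH, rsync, MySQL, PostgreSQL.
SENSITIVE_PORTS = {22, 873, 3306, 5432}

# "[ 5] 5432/tcp   ALLOW IN    Anywhere (v6)" -> number, to, action, direction, from
RULE_RE = re.compile(
    r"^\[\s*(\d+)\]\s+(\S+)(?:\s+\(v6\))?\s+(ALLOW|DENY|REJECT|LIMIT)(?:\s+(IN|OUT))?\s+(.+?)\s*$")
Rule = namedtuple("Rule", "number to action direction src")

def parse_status(text):
    """Parse the numbered rule lines; header, status and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4) or "IN", m.group(5)))
    return rules

def ports_of(to):
    """Numeric ports in the To column ('22', '5432/tcp', '80,443/tcp'); app profiles yield []."""
    return [int(p) for p in re.findall(r"\d+", to.split("/")[0])]

def exposed_sensitive(rules):
    """ALLOW IN rules that open a sensitive port to any source (IPv4 or IPv6)."""
    return [r for r in rules
            if r.action == "ALLOW" and r.direction == "IN"
            and r.src.startswith("Anywhere") and SENSITIVE_PORTS & set(ports_of(r.to))]

def delete_commands(rules):
    """`ufw delete N` lines, highest number first: deleting a rule renumbers those after it."""
    return [f"sudo ufw delete {r.number}"
            for r in sorted(rules, key=lambda r: r.number, reverse=True)]
```

Feed it real output with `parse_status(subprocess.check_output(["sudo", "ufw", "status", "numbered"], text=True))` and review the flagged rules before running the emitted commands.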

Enabling IPv6 support

If you use IPv6 on your VPS, you need to ensure that IPv6 support is enabled in UFW. To do so, open the config file in a text editor.

sudo nano /etc/default/ufw

Once opened, make sure that IPV6 is set to "yes":

IPV6=yes

After making this change, save the file. Then, restart UFW by disabling and re-enabling it.

sudo ufw disable
sudo ufw enable

Back to default settings

If you need to go back to default settings, simply type in the following command. This will revert any of your changes.

sudo ufw reset

Conclusion

Overall, UFW is able to protect your VPS against the most common hacking attempts. Of course, your security measures should be more detailed than just using UFW. However, it is a good (and necessary) start.

If you need more examples of using UFW, you can refer to UFW - Community Help Wiki.

Source: https://www.vultr.com/docs/how-to-configure-ufw-firewall-on-ubuntu-14-04


Original article: https://www.cnblogs.com/jins-note/p/9513588.html

Date: 2024-10-02 10:18:52
