Differences
This shows you the differences between two versions of the page.
tech:linux:ufw [2025/01/01 12:30] (current) – created - external edit 127.0.0.1
====== UFW - Uncomplicated Firewall ======
Setup of UFW on Ubuntu 12.04 LTS (Precise Pangolin)
===== Steps =====
The steps below make the firewall active but almost non-existent: both default policies allow everything.

==== Basic setup ====
Set up the basic firewall. Net result: zero effect, since incoming and outgoing are both allowed by default.
<code bash>
ufw status
ufw default allow incoming
ufw default allow outgoing
ufw enable
ufw status
</code>

==== Setup for Nginx Server active as reverse Proxy ====
NOTE: THIS HAS NOT BEEN TESTED!

When setting up Nginx server as reverse proxy, you want incoming connections,

<code bash>
# Turn on logging
ufw logging on
# Allow ALL incoming - depends on the network to only let 80 and 443 through. If the network itself is hacked you have bigger problems!
ufw default allow incoming
# Deny ALL outgoing - you want to limit outgoing to just what is required
ufw default deny outgoing
# Allow server to access DNS servers
ufw allow out to 192.168.1.1 port 53
ufw allow out to 192.168.1.39 port 53
ufw allow out to 192.168.1.40 port 53
# Allow server to access Web/
ufw allow out to 192.168.1.18 port 80
ufw allow out to 192.168.1.19 port 80
# Enable and check status
ufw enable
ufw status verbose
</code>

To check what backend servers and outgoing ports are in use, use this command:
<code bash>
grep proxy_pass /
</code>

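The grep only lists the ''proxy_pass'' targets; the egress rules still have to be written by hand, and a port-only rule like ''ufw allow out to 192.168.1.18 port 80'' also permits UDP to that port. The script below is an added example, not part of the original page: it reads ''proxy_pass'' lines from an nginx config (a constructed, hypothetical sample is embedded; in practice pipe in the output of the grep above), takes the backend address and port (defaulting to 80 or 443 from the scheme when no port is given) and prints one ''ufw allow out ... proto tcp'' rule per unique backend. Upstream names rather than addresses are flagged instead of guessed, because ufw rules need an IP.

```shell
#!/bin/sh
# Constructed nginx site config (hypothetical; in practice this is what the
# grep over the real config files would find).
sample_nginx_conf() {
    cat <<'EOF'
server {
    listen 80;
    location / {
        proxy_pass http://192.168.1.18:8080;
    }
    location /api/ {
        proxy_pass https://192.168.1.19;   # no port given: https defaults to 443
    }
    location /static/ {
        proxy_pass http://192.168.1.18:8080/static/;   # same backend as "/"
    }
    location /legacy/ {
        proxy_pass http://app-backend;     # upstream name, not an address
    }
}
EOF
}

# Derive one "ufw allow out" rule per unique backend ip:port.
# The port defaults to 80/443 from the scheme when proxy_pass gives none.
proxy_pass_to_ufw_rules() {
    awk '
    /^[ \t]*proxy_pass[ \t]+/ {
        url = $2
        sub(/;.*$/, "", url)                        # drop ";" and trailing comment
        scheme = url;    sub(/:\/\/.*/, "", scheme)  # "http" or "https"
        hostport = url;  sub(/^[a-z]+:\/\//, "", hostport)
        sub(/\/.*$/, "", hostport)                  # drop any URI path
        n = split(hostport, hp, ":")
        host = hp[1]
        port = (n == 2) ? hp[2] : (scheme == "https" ? 443 : 80)
        key = host ":" port
        if (key in seen) next                       # one rule per backend
        seen[key] = 1
        if (host ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
            printf "ufw allow out to %s port %s proto tcp\n", host, port
        else
            printf "# %s is a name, not an address: resolve it (see its upstream block) before adding a rule\n", host
    }'
}

sample_nginx_conf | proxy_pass_to_ufw_rules
```

Feed real config files with ''cat /etc/nginx/sites-enabled/* | proxy_pass_to_ufw_rules'' (path assumed) and review the output before running it; the DNS rules for the resolvers still have to be added separately, as in the block above.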
==== Basic setup - Command and Typical responses ====
Same commands as above, with the typical responses:
<code>
[root@someserver]:/
Status: inactive
[root@someserver]:/
Default incoming policy changed to '
(be sure to update your rules accordingly)
[root@someserver]:/
Default outgoing policy changed to '
(be sure to update your rules accordingly)
[root@someserver]:/
Firewall is active and enabled on system startup
[root@someserver]:/
Status: active
</code>

==== Deny a single IP ====
=== For All ports and protocols ===
Below shows how to set up a rule that denies a single IP, and then how to delete that rule again.
<code>
[root@someserver]:
Rule added

[root@someserver]:
Status: active

To
--
Anywhere


[10:00:12 PM][root@someserver]:
Status: active



[ 1] Anywhere


[root@someserver]:
Deleting:
deny from 192.168.1.101
Proceed with operation (y|n)? y
Rule deleted
</code>

=== To a Port for All protocols ===
Denying a single IP to a single port for all protocols (tcp/udp).

<code>
[root@someserver]:
Rule added

[root@someserver]:
Status: active



[ 1] 22 DENY IN
</code>

=== To a Port for a protocol ===
Denying a single IP to a single port for one protocol. In this example we use ssh/22 with the tcp protocol.

<code>
[root@someserver]:
Rule added

[root@someserver]:
Status: active



[ 1] 22/
</code>


==== Limit connections ====
Command to rate-limit ssh connections on the tcp port: ufw denies a source that attempts 6 or more new connections within 30 seconds.

<code>
[root@someserver]:
Rule added
Skipping unsupported IPv6 '
[root@someserver]:
Status: active

To
--
22/
</code>

Checking the changes in the config file. The following file /

The following lines are added:

<code>
### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set
-A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
-A ufw-user-input -p tcp --dport 22 -j ufw-user-limit-accept
</code>

Notice the "
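To see what the ''--seconds 30 --hitcount 6'' pair on the ''-m recent'' rules actually decides, here is an added simulation of those two rules; it is not part of the original page and the list of connection attempts is constructed. Each NEW attempt is first recorded for its source (''--set'', which runs for every packet, limited ones included), then the recorded attempts from that source in the last 30 seconds are counted (''--update'') and the packet goes to the limit chain once the count reaches 6.

```shell
#!/bin/sh
# Constructed list of NEW connection attempts: "<source ip> <seconds since start>".
# Hypothetical data, not captured from a real host.
sample_attempts() {
    cat <<'EOF'
192.168.1.101 0
192.168.1.101 5
192.168.1.101 10
192.168.1.101 15
192.168.1.101 20
192.168.1.101 25
10.0.0.7 26
192.168.1.101 40
EOF
}

# Simulation of the two "-m recent" rules that "ufw limit 22/tcp" installs:
#   --set                                record this packet's timestamp for the source
#   --update --seconds 30 --hitcount 6   match (jump to ufw-user-limit) when the
#                                        source has 6 or more recorded hits in the last 30 s
# Both rules only see packets in state NEW, so established sessions are never counted.
# Prints "<seconds> <source ip> ACCEPT|LIMIT" per attempt.
limit_decisions() {
    awk -v window=30 -v hitcount=6 '
    {
        ip = $1; t = $2
        # --set runs first, so every attempt is recorded, limited ones included
        n[ip]++
        hits[ip, n[ip]] = t
        # --update: count recorded hits that fall inside the window
        c = 0
        for (i = 1; i <= n[ip]; i++)
            if (t - hits[ip, i] <= window) c++
        print t, ip, (c >= hitcount ? "LIMIT" : "ACCEPT")
    }'
}

sample_attempts | limit_decisions
```

The sixth attempt from 192.168.1.101 at 25 s is limited; the one at 40 s is accepted again because only five of its recorded hits fall inside the 30 s window, and the attempt from 10.0.0.7 is counted separately since the recent list is per source address.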
+ | |||
==== Firewall reset ====
To reset to factory defaults use the command below. This also makes the firewall inactive, since that was the original configuration.

<code>
[06:26:17 AM][root@someserver]:
Resetting all rules to installed defaults. Proceed with operation (y|n)? y
Backing up '
Backing up '
Backing up '
Backing up '
Backing up '
Backing up '
</code>

So after this operation you would want to redo the [[#

==== SSH from local network ====
<code bash>
ufw allow from 192.168.1.0/
</code>

===== Other considerations =====
==== Resources ====
  * [[http://
==== Logging ====
Ref: [[https://
=== Prevent dual logging in syslog ===
In file ''/
=== Log in batches ===
For efficiency, log in batches rather than in real time. Add a dash to the start of the file name in ''/
<code>
:
</code>
=== logrotate ===
May also need to update ''/
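Once ''ufw logging on'' is set, the kernel lines that land in syslog look like the constructed sample below. This added example is not part of the original page: it summarises ''[UFW BLOCK]'' and ''[UFW LIMIT BLOCK]'' entries by source address and destination port, which is the evidence you want before deciding which address to deny with the rules in the sections above. The log lines are made up (documentation addresses, ''MAC='' abbreviated) and the host name ''someserver'' is the page's own placeholder.

```shell
#!/bin/sh
# Constructed syslog excerpt in the format ufw's kernel logging produces
# (MAC= field abbreviated); made-up addresses, not real captures.
sample_ufw_log() {
    cat <<'EOF'
Jan  1 12:00:01 someserver kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.5 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 12:00:02 someserver kernel: [ 1235.567890] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.5 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54322 PROTO=TCP SPT=44445 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 12:00:03 someserver kernel: [ 1236.567890] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.5 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54323 PROTO=TCP SPT=44446 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 12:00:04 someserver kernel: [ 1237.567890] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=UDP SPT=5353 DPT=53 LEN=40
Jan  1 12:00:05 someserver kernel: [ 1238.567890] [UFW ALLOW] IN=eth0 OUT= MAC=... SRC=192.168.1.50 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=51000 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
EOF
}

# Count blocked (and rate-limited) packets per "source destport/proto",
# most frequent first. ALLOW and AUDIT lines are ignored.
ufw_block_summary() {
    awk '
    /\[UFW (LIMIT )?BLOCK\]/ {
        src = ""; dpt = ""; proto = ""
        # fields are KEY=VALUE tokens; pick the three we report on
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
        }
        count[src " " dpt "/" proto]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

sample_ufw_log | ufw_block_summary
```

On a real host replace the sample with ''grep UFW /var/log/syslog'' (or the dedicated ufw log once the rsyslog split above is in place); the top line is the candidate for a ''ufw deny from'' rule, and the LIMIT BLOCK entries show the ssh rate limit doing its job.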