Uncomplicated Firewall
From KevinWiki
Latest revision as of 12:48, 31 July 2012
Installation
$ sudo apt-get install ufw
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  ucf
The following NEW packages will be installed:
  ucf ufw
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 84.7kB of archives.
After this operation, 463kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://us.archive.ubuntu.com hardy/main ucf 3.005 [61.6kB]
Get:2 http://us.archive.ubuntu.com hardy-updates/main ufw 0.16.2.3 [23.1kB]
Fetched 84.7kB in 1s (77.8kB/s)
Preconfiguring packages ...
Selecting previously deselected package ucf.
(Reading database ... 12638 files and directories currently installed.)
Unpacking ucf (from .../apt/archives/ucf_3.005_all.deb) ...
Moving old data out of the way
Selecting previously deselected package ufw.
Unpacking ufw (from .../archives/ufw_0.16.2.3_all.deb) ...
Setting up ucf (3.005) ...
Setting up ufw (0.16.2.3) ...
Creating config file /etc/ufw/before.rules with new version
Creating config file /etc/ufw/before6.rules with new version
Creating config file /etc/ufw/after.rules with new version
Creating config file /etc/ufw/after6.rules with new version
How to Use UFW
Check the status
$ sudo ufw status
Status: inactive
Start the firewall
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
-Check the status
$ sudo ufw status
Status: active
Set the default action to deny all access
$ sudo ufw default deny
Default policy changed to 'deny'
(be sure to update your rules accordingly)
Allow access to port 22 from a specific IP over the TCP protocol
$ sudo ufw allow proto tcp from <your ip> to any port <ssh port (e.g. 22)>
$ sudo ufw allow proto tcp from 192.168.0.1 to any port 22
Rule added

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22:tcp                     ALLOW       192.168.0.1
Allow access for Web
-Allow access to port 80 (web) from anywhere
$ sudo ufw allow 80/tcp
Rule added
-Allow access to port 443 (ssl) from anywhere
$ sudo ufw allow 443/tcp
Rule added

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
80:tcp                     ALLOW       Anywhere
443:tcp                    ALLOW       Anywhere
Allow access to port 22 from the specific IP and web access from anywhere
-Allowing access to port 22 from your IP and allowing access to port 80 (web) and 443 (ssl) from anywhere.
$ sudo ufw enable
Firewall started and enabled on system startup

$ sudo ufw default deny
Default policy changed to 'deny'
(be sure to update your rules accordingly)

$ sudo ufw allow proto tcp from 192.168.0.1 to any port 22
Rule added

$ sudo ufw allow 80/tcp
Rule added

$ sudo ufw allow 443/tcp
Rule added

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22:tcp                     ALLOW       192.168.0.1
80:tcp                     ALLOW       Anywhere
443:tcp                    ALLOW       Anywhere
Allow access to port 22 from a range of IP addresses except some
-Allowing access to port 22 from all IPs of 192.168.0.x except 192.168.0.5 and 192.168.0.10
$ sudo ufw deny from 192.168.0.5 to any port 22
$ sudo ufw deny from 192.168.0.10 to any port 22
$ sudo ufw allow from 192.168.0.0/24 to any port 22

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22:tcp                     DENY        192.168.0.5
22:udp                     DENY        192.168.0.5
22:tcp                     DENY        192.168.0.10
22:udp                     DENY        192.168.0.10
22:tcp                     ALLOW       192.168.0.0/24
22:udp                     ALLOW       192.168.0.0/24
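The ordering above matters: ufw applies the first rule that matches, so the two DENY rules only take effect because they were added before the subnet ALLOW. The following audit script is an added example, not part of the wiki page or of ufw itself; it parses a constructed `ufw status` listing in the layout shown on this page and checks the policy built so far (SSH not open to Anywhere, DENY exceptions placed before the ALLOW, 80/443 open). The sample text and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the wiki): audit a captured `ufw status` listing.

# Constructed sample in the layout of the page's `ufw status` output, ordered
# as the page builds it: per-host DENY exceptions first, then the subnet ALLOW.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22:tcp                     DENY        192.168.0.5
22:udp                     DENY        192.168.0.5
22:tcp                     DENY        192.168.0.10
22:udp                     DENY        192.168.0.10
22:tcp                     ALLOW       192.168.0.0/24
22:udp                     ALLOW       192.168.0.0/24
80:tcp                     ALLOW       Anywhere
443:tcp                    ALLOW       Anywhere'

# rules_for STATUS PORT:PROTO -> prints "ACTION FROM" for that port, in table order
rules_for() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { print $2, $3 }'
}

# is_world_open STATUS PORT:PROTO -> succeeds if some rule ALLOWs it from Anywhere
is_world_open() {
    rules_for "$1" "$2" | grep -q '^ALLOW Anywhere$'
}

# deny_before_allow STATUS PORT:PROTO -> succeeds if no DENY for that port comes
# after an ALLOW (ufw uses the first matching rule, so a DENY listed after a
# broader ALLOW never fires and the "except" hosts would still get in)
deny_before_allow() {
    rules_for "$1" "$2" | awk '
        $1 == "ALLOW" { seen_allow = 1 }
        $1 == "DENY" && seen_allow { bad = 1 }
        END { exit bad }'
}

# audit STATUS -> one verdict line per check for the policy this page builds
audit() {
    if is_world_open "$1" 22:tcp; then echo "FAIL: ssh reachable from Anywhere"; else echo "ok: ssh restricted"; fi
    if deny_before_allow "$1" 22:tcp; then echo "ok: ssh DENY exceptions precede the ALLOW"; else echo "FAIL: ssh DENY exceptions are shadowed"; fi
    for p in 80:tcp 443:tcp; do
        if is_world_open "$1" "$p"; then echo "ok: $p open for web"; else echo "FAIL: $p not reachable"; fi
    done
}

audit "$SAMPLE_STATUS"
```

On a real host, replace the sample with `sudo ufw status` output (for example `audit "$(sudo ufw status)"`) to run the same checks against the live rule set.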
Allow access to Samba from a range of IP addresses
-Allowing access to Samba from all IPs of 192.168.0.x
$ sudo ufw allow from 192.168.0.0/24 to any app Samba
-Allowing access to Samba from all the IPs of 192.168.X.X
$ sudo ufw allow from 192.168.0.0/16 to any app Samba
-Allowing access to all the IPs of 192.168.X.X from Samba
$ sudo ufw allow from any app Samba to 192.168.0.0/24
Delete Rule
- To delete the rule allow 8080/tcp
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22:tcp                     ALLOW       192.168.0.1
80:tcp                     ALLOW       Anywhere
443:tcp                    ALLOW       Anywhere
8080:tcp                   ALLOW       Anywhere

$ sudo ufw delete allow 8080/tcp
- Result
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22:tcp                     ALLOW       192.168.0.1
80:tcp                     ALLOW       Anywhere
443:tcp                    ALLOW       Anywhere

- Or to delete the rule allow 8080/tcp from 192.168.0.100.
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22:tcp                     ALLOW       192.168.0.1
80:tcp                     ALLOW       Anywhere
443:tcp                    ALLOW       Anywhere
8080:tcp                   ALLOW       192.168.0.100

$ sudo ufw delete allow in from 192.168.0.100 to any port 8080 proto tcp
- Result
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22:tcp                     ALLOW       192.168.0.1
80:tcp                     ALLOW       Anywhere
443:tcp                    ALLOW       Anywhere