Uncomplicated Firewall

From KevinWiki

(Difference between revisions)
(Allow access to Samba from a range of IP addresses)
(Delete Rule)
 
Line 186: Line 186:
===Delete Rule===
===Delete Rule===
-
-To delete the rule <code>allow 8080/tcp</code>
+
* To delete the rule <code>allow 8080/tcp</code>
  $ sudo ufw status  
  $ sudo ufw status  
  Status: active
  Status: active
Line 192: Line 192:
  To                        Action  From
  To                        Action  From
  --                        ------  ----
  --                        ------  ----
-
  22:tcp                    ALLOW  60.242.195.70
+
  22:tcp                    ALLOW  192.168.0.1
  80:tcp                    ALLOW  Anywhere
  80:tcp                    ALLOW  Anywhere
  443:tcp                    ALLOW  Anywhere
  443:tcp                    ALLOW  Anywhere
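Review bot: the only substantive change in this hunk is replacing 60.242.195.70 with 192.168.0.1 in the status listing, and it is the right change: 60.242.195.70 is not an RFC 1918 private address, so leaving it in a published allow-list example discloses a real source address that is trusted for SSH, whereas 192.168.0.1 matches every other example on the page. Check that the "Result" listing further down the section received the same replacement, otherwise the before and after tables will disagree on the source of the 22:tcp rule.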
Line 201: Line 201:
</pre>
</pre>
-
-Result
+
* Result
<pre>
<pre>
$ sudo ufw status  
$ sudo ufw status  
Line 213: Line 213:
443:tcp                    ALLOW  Anywhere
443:tcp                    ALLOW  Anywhere
</pre>
</pre>
 +
 +
 +
* Or to delete the rule <code>allow 8080/tcp from 192.168.0.100</code>.
 +
 +
$ sudo ufw status
 +
Status: active
 +
 +
To                        Action  From
 +
--                        ------  ----
 +
22:tcp                    ALLOW  192.168.0.1
 +
80:tcp                    ALLOW  Anywhere
 +
443:tcp                    ALLOW  Anywhere
 +
<span style="color: red; font-weight: bolder;">8080:tcp                  ALLOW  192.168.0.100</span>
 +
 +
$ ufw delete allow in from 192.168.0.100 to any port 8080 proto tcp
 +
 +
* Result
 +
$ sudo ufw status
 +
Status: active
 +
 +
To                        Action  From
 +
--                        ------  ----
 +
22:tcp                    ALLOW  192.168.0.1
 +
80:tcp                    ALLOW  Anywhere
 +
443:tcp                    ALLOW  Anywhere
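Review bot: `$ ufw delete allow in from 192.168.0.100 to any port 8080 proto tcp` is the one command in this added section run without `sudo`; every other ufw invocation on the page uses it, and without it the delete fails with a permission error for a non-root user, so prefix it with `sudo` for consistency. The new status listings and the delete command are also added as bare wiki text rather than as preformatted blocks the way the preceding example is (the context at the top of this hunk closes one with `</pre>`, and the first example indents its listing with a leading space), so the To/Action/From columns will lose their alignment on render; indent these lines with a leading space as the first example does, which keeps the block monospaced while still allowing the red `<span>` highlight on the 8080:tcp line.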

Latest revision as of 12:48, 31 July 2012

Installation

$ sudo apt-get install ufw 
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  ucf
The following NEW packages will be installed:
  ucf ufw
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 84.7kB of archives.
After this operation, 463kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://us.archive.ubuntu.com hardy/main ucf 3.005 [61.6kB]
Get:2 http://us.archive.ubuntu.com hardy-updates/main ufw 0.16.2.3 [23.1kB]
Fetched 84.7kB in 1s (77.8kB/s)
Preconfiguring packages ...
Selecting previously deselected package ucf.
(Reading database ... 12638 files and directories currently installed.)
Unpacking ucf (from .../apt/archives/ucf_3.005_all.deb) ...
Moving old data out of the way
Selecting previously deselected package ufw.
Unpacking ufw (from .../archives/ufw_0.16.2.3_all.deb) ...
Setting up ucf (3.005) ...

Setting up ufw (0.16.2.3) ...

Creating config file /etc/ufw/before.rules with new version

Creating config file /etc/ufw/before6.rules with new version

Creating config file /etc/ufw/after.rules with new version

Creating config file /etc/ufw/after6.rules with new version

How to Use UFW

Check the status

$ sudo ufw status 
Status: inactive


Start the firewall

$ sudo ufw enable 
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

-Check the status

$ sudo ufw status 
Status: active


Set the default policy to deny all incoming access

$ sudo ufw default deny 
Default policy changed to 'deny'
(be sure to update your rules accordingly)


Allow access to port 22 from a specific IP over TCP.

$ sudo ufw allow proto tcp from <your ip> to any port <ssh port (e.g. 22)> 
$ sudo ufw allow proto tcp from 192.168.0.1 to any port 22 
Rule added
$ sudo ufw status 

Status: active

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1


Allow access for Web

-Allow access to port 80 (web) from anywhere

$ sudo ufw allow 80/tcp 
Rule added

-Allow access to port 443 (ssl) from anywhere

$ sudo ufw allow 443/tcp 
Rule added
$ sudo ufw status 

Status: active

To                         Action  From
--                         ------  ----
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere


Allow access to port 22 from the specific IP and web access from anywhere

-Allowing access to port 22 from your IP and allowing access to port 80 (web) and 443 (ssl) from anywhere.

$ sudo ufw enable 
Firewall started and enabled on system startup
$ sudo ufw default deny 
Default policy changed to 'deny'
(be sure to update your rules accordingly)
$ sudo ufw allow proto tcp from 192.168.0.1 to any port 22 
Rule added
$ sudo ufw allow 80/tcp 
Rule added
$ sudo ufw allow 443/tcp 
Rule added
$ sudo ufw status 

Status: active

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere


Allow access to port 22 from a range of IP addresses except some

-Allowing access to port 22 from all IPs of 192.168.0.x except 192.168.0.5 and 192.168.0.10. The two deny rules are added before the allow rule because ufw evaluates rules in order and stops at the first match; a deny added after the broader allow would never be reached.

$ sudo ufw deny from 192.168.0.5 to any port 22 
$ sudo ufw deny from 192.168.0.10 to any port 22 
$ sudo ufw allow from 192.168.0.0/24 to any port 22 
$ sudo ufw status 

Status: active

To                         Action  From
--                         ------  ----
22:tcp                     DENY    192.168.0.5
22:udp                     DENY    192.168.0.5
22:tcp                     DENY    192.168.0.10
22:udp                     DENY    192.168.0.10
22:tcp                     ALLOW   192.168.0.0/24
22:udp                     ALLOW   192.168.0.0/24

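The rule ordering above is easy to get wrong on a host that has been edited many times, and ufw gives no warning when a DENY sits behind an ALLOW that already covers it. The following audit script is an added example, not part of the original wiki page or of ufw itself: it parses the text of `ufw status` (a constructed sample embedded below, in the page's "22:tcp" column format, with one mis-ordered DENY and one extra ALLOW added so the checks have something to report), flags DENY rules that are shadowed by an earlier ALLOW on the same port whose source range contains the DENY's source, and lists ALLOW-from-Anywhere rules on ports outside an expected set. The function names, the sample text and the expected port list are all assumptions of this example.

```python
import ipaddress

# Constructed sample of "ufw status" output (not captured from a real host).
# It follows the page's listing, plus a DENY placed *after* the /24 ALLOW and an
# 8080 ALLOW from Anywhere, so both checks below have a finding to return.
SAMPLE_STATUS = """\
Status: active

To                         Action  From
--                         ------  ----
22:tcp                     DENY    192.168.0.5
22:udp                     DENY    192.168.0.5
22:tcp                     ALLOW   192.168.0.0/24
22:udp                     ALLOW   192.168.0.0/24
22:tcp                     DENY    192.168.0.10
80:tcp                     ALLOW   Anywhere
8080:tcp                   ALLOW   Anywhere
"""

ACTIONS = {"ALLOW", "DENY", "REJECT", "LIMIT"}


def parse_status(text):
    """Return (to, action, source) tuples in the order ufw lists them.

    Header and separator lines are dropped because their middle token is not a
    ufw action.  Lines with an extra token such as "Anywhere (v6)" are skipped
    too, so this example only audits the IPv4 table."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] in ACTIONS:
            rules.append(tuple(parts))
    return rules


def _network(src):
    """Map a ufw source column to an IPv4 network ("Anywhere" is 0.0.0.0/0)."""
    if src == "Anywhere":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(src, strict=False)


def shadowed_denies(rules):
    """DENY rules that can never match.

    ufw evaluates rules in order and stops at the first match, so a DENY whose
    source is contained in the source of an earlier ALLOW for the same
    port/protocol is dead: the ALLOW is hit first."""
    findings = []
    for i, (to, action, src) in enumerate(rules):
        if action != "DENY":
            continue
        deny_net = _network(src)
        for prev_to, prev_action, prev_src in rules[:i]:
            if (prev_action == "ALLOW" and prev_to == to
                    and deny_net.subnet_of(_network(prev_src))):
                findings.append(f"{to} DENY {src} is shadowed by ALLOW {prev_src}")
                break
    return findings


def broad_allows(rules, expected=("80:tcp", "443:tcp")):
    """ALLOW-from-Anywhere rules on ports that are not expected to be public."""
    return [to for to, action, src in rules
            if action == "ALLOW" and src == "Anywhere" and to not in expected]


if __name__ == "__main__":
    parsed = parse_status(SAMPLE_STATUS)
    for line in shadowed_denies(parsed):
        print("shadowed:", line)
    for port in broad_allows(parsed):
        print("open to Anywhere:", port)
```

On a live host, feed the script the real listing with `sudo ufw status | python3 audit.py` after changing the main block to read `sys.stdin`; the sample above is only there so the example runs offline. Note that the page's listings print ports as `22:tcp` while current ufw releases print `22/tcp`; the checks compare the `To` column as a string, so either form works as long as the expected-port list uses the same form.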

Allow access to Samba from a range of IP addresses

-Allowing access to Samba from all IPs of 192.168.0.x

$ sudo ufw allow from 192.168.0.0/24 to any app Samba

-Allowing access to Samba from all the IPs of 192.168.X.X

$ sudo ufw allow from 192.168.0.0/16 to any app Samba

-Allowing access to all the IPs of 192.168.X.X from Samba

$ sudo ufw allow from any app Samba to 192.168.0.0/24

Delete Rule

  • To delete the rule allow 8080/tcp
$ sudo ufw status 
Status: active

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere
8080:tcp                   ALLOW   Anywhere
$ sudo ufw delete allow 8080/tcp 
  • Result
$ sudo ufw status 

Status: active

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere


  • Or to delete the rule allow 8080/tcp from 192.168.0.100.
$ sudo ufw status 
Status: active

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere
8080:tcp                   ALLOW   192.168.0.100
$ sudo ufw delete allow in from 192.168.0.100 to any port 8080 proto tcp
  • Result
$ sudo ufw status 
Status: active

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere
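The two delete examples above show the rule of thumb for `ufw delete`: a rule added as `allow 8080/tcp` is deleted with the same short form, while a rule with a specific source has to be spelled out again in the long `allow in from ... to any port ... proto ...` form. The script below is an added example, not code from the original wiki page or from ufw: it compares the current `ufw status` listing (a constructed sample embedded inline, matching the listing directly above) against an approved rule set and, for each rule that is present but not approved, builds the matching `ufw delete` invocation in the form the page uses. It only returns the commands as argument lists; nothing is executed. The approved set, the sample listing and all function names are assumptions of this example.

```python
import re

# Constructed sample of "ufw status" output (not captured from a real host),
# matching the listing above that still contains the 8080 rule from 192.168.0.100.
CURRENT_STATUS = """\
Status: active

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere
8080:tcp                   ALLOW   192.168.0.100
"""

# Approved rule set for this host, written as (to, action, from) exactly as the
# status listing prints them.  Anything else on the host is drift.
APPROVED = {
    ("22:tcp", "ALLOW", "192.168.0.1"),
    ("80:tcp", "ALLOW", "Anywhere"),
    ("443:tcp", "ALLOW", "Anywhere"),
}

ACTIONS = {"ALLOW", "DENY", "REJECT", "LIMIT"}


def parse_status(text):
    """Return (to, action, source) tuples from a ufw status listing."""
    return [tuple(p) for p in (line.split() for line in text.splitlines())
            if len(p) == 3 and p[1] in ACTIONS]


def delete_command(rule):
    """Build the ufw delete invocation for one status line.

    Mirrors the two forms on the page: the short "port/proto" form when the
    source is Anywhere, the long from/to form when the source is specific.
    Accepts the page's "8080:tcp" column as well as ufw's own "8080/tcp"."""
    to, action, src = rule
    port, proto = re.split(r"[:/]", to, maxsplit=1)
    verb = action.lower()
    if src == "Anywhere":
        return ["ufw", "delete", verb, f"{port}/{proto}"]
    return ["ufw", "delete", verb, "in", "from", src,
            "to", "any", "port", port, "proto", proto]


def drift(status_text, approved):
    """Rules on the host that are not approved, each with its delete command."""
    return [(rule, delete_command(rule))
            for rule in parse_status(status_text) if rule not in approved]


def missing(status_text, approved):
    """Approved rules that the host does not currently have."""
    present = set(parse_status(status_text))
    return sorted(approved - present)


if __name__ == "__main__":
    for rule, cmd in drift(CURRENT_STATUS, APPROVED):
        print("unapproved:", " ".join(rule), "->", "sudo", " ".join(cmd))
    for rule in missing(CURRENT_STATUS, APPROVED):
        print("missing:", " ".join(rule))
```

Because rule text must match exactly for `ufw delete` to find the rule, keep the approved set in the same column format the host prints (`8080/tcp` on current ufw versions, `8080:tcp` in the listings on this page). Review the printed commands before running them with `sudo`; ufw's `--dry-run` option shows what a command would change without touching the live rule set.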