Uncomplicated Firewall
From KevinWiki
Installation
$ sudo apt-get install ufw
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  ucf
The following NEW packages will be installed:
  ucf ufw
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 84.7kB of archives.
After this operation, 463kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://us.archive.ubuntu.com hardy/main ucf 3.005 [61.6kB]
Get:2 http://us.archive.ubuntu.com hardy-updates/main ufw 0.16.2.3 [23.1kB]
Fetched 84.7kB in 1s (77.8kB/s)
Preconfiguring packages ...
Selecting previously deselected package ucf.
(Reading database ... 12638 files and directories currently installed.)
Unpacking ucf (from .../apt/archives/ucf_3.005_all.deb) ...
Moving old data out of the way
Selecting previously deselected package ufw.
Unpacking ufw (from .../archives/ufw_0.16.2.3_all.deb) ...
Setting up ucf (3.005) ...
Setting up ufw (0.16.2.3) ...
Creating config file /etc/ufw/before.rules with new version
Creating config file /etc/ufw/before6.rules with new version
Creating config file /etc/ufw/after.rules with new version
Creating config file /etc/ufw/after6.rules with new version
How to Use UFW
Check the status
$ sudo ufw status
Status: inactive
Start the firewall
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
-Check the status
$ sudo ufw status
Status: active
Set the default policy to deny all incoming access
$ sudo ufw default deny
Default policy changed to 'deny' (be sure to update your rules accordingly)
Allow access to port 22 from a specific IP address over TCP
$ sudo ufw allow proto tcp from <your ip> to any port <ssh port (e.g. 22)>
$ sudo ufw allow proto tcp from 192.168.0.1 to any port 22
Rule added
$ sudo ufw status
Status: active
To Action From
-- ------ ----
22:tcp ALLOW 192.168.0.1
Allow access for Web
-Allow access to port 80 (web) from anywhere
$ sudo ufw allow 80/tcp
Rule added
-Allow access to port 443 (ssl) from anywhere
$ sudo ufw allow 443/tcp
Rule added
$ sudo ufw status
Status: active
To Action From
-- ------ ----
80:tcp ALLOW Anywhere
443:tcp ALLOW Anywhere
Allow access to port 22 from a specific IP and web access from anywhere
-Allowing access to port 22 from your IP and allowing access to port 80 (web) and 443 (ssl) from anywhere. If you are logged in over SSH, the default deny blocks your session until the port 22 rule is in place, so add that rule promptly (rules can also be added before the firewall is enabled).
$ sudo ufw enable
Firewall started and enabled on system startup
$ sudo ufw default deny
Default policy changed to 'deny' (be sure to update your rules accordingly)
$ sudo ufw allow proto tcp from 192.168.0.1 to any port 22
Rule added
$ sudo ufw allow 80/tcp
Rule added
$ sudo ufw allow 443/tcp
Rule added
$ sudo ufw status
Status: active
To Action From
-- ------ ----
22:tcp ALLOW 192.168.0.1
80:tcp ALLOW Anywhere
443:tcp ALLOW Anywhere
Allow access to port 22 from a range of IP addresses except some
-Allowing access to port 22 from all IPs of 192.168.0.x except 192.168.0.5 and 192.168.0.10. The deny rules must be added before the allow rule: ufw checks rules in the order they were added and the first match wins. Because no protocol is given, each rule is created for both tcp and udp.
$ sudo ufw deny from 192.168.0.5 to any port 22
$ sudo ufw deny from 192.168.0.10 to any port 22
$ sudo ufw allow from 192.168.0.0/24 to any port 22
$ sudo ufw status
Status: active
To Action From
-- ------ ----
22:tcp DENY 192.168.0.5
22:udp DENY 192.168.0.5
22:tcp DENY 192.168.0.10
22:udp DENY 192.168.0.10
22:tcp ALLOW 192.168.0.0/24
22:udp ALLOW 192.168.0.0/24
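The "subnet except some hosts" pattern above depends on getting the order right. The following POSIX shell script is an added example (not from this wiki page or the ufw project) that generates the deny-before-allow command sequence for any port, protocol, subnet and list of excluded hosts, and can either print the commands or run them. The function names ufw_allow_except and apply_rules and the DRY_RUN variable are my own choices.

```shell
#!/bin/sh
# Added example (not from the original wiki page): generate the ufw commands for
# "allow a port from a subnet except some hosts" in the order ufw needs them.
# ufw evaluates rules in the order they were added and stops at the first match,
# so the specific deny rules must be inserted before the broad allow rule.
# Function names (ufw_allow_except, apply_rules) and DRY_RUN are hypothetical.

# Usage: ufw_allow_except PORT PROTO CIDR [EXCLUDED_IP ...]
# Prints one "ufw ..." command per line; runs nothing.
ufw_allow_except() {
    port=$1; proto=$2; cidr=$3
    shift 3
    # Specific deny rules first ...
    for host in "$@"; do
        printf 'ufw deny proto %s from %s to any port %s\n' "$proto" "$host" "$port"
    done
    # ... and the broad allow rule last, so the denies are matched before it.
    printf 'ufw allow proto %s from %s to any port %s\n' "$proto" "$cidr" "$port"
}

# Apply the generated commands (needs root and ufw installed).
# With DRY_RUN=1 the commands are only printed, which is what you want to
# review before touching a remote host over SSH.
apply_rules() {
    ufw_allow_except "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            # $cmd is intentionally unquoted so it is split into words.
            sudo $cmd
        fi
    done
}

# Example with the values from the page: SSH from 192.168.0.0/24 except two hosts.
# DRY_RUN=1 apply_rules 22 tcp 192.168.0.0/24 192.168.0.5 192.168.0.10
```

Running the commented-out line prints the three commands in the same order as the listing above, with "proto tcp" added so that no udp rules are created as a side effect.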
Allow access to Samba from a range of IP addresses
-Allowing access to Samba from all IPs of 192.168.0.x
$ sudo ufw allow from 192.168.0.0/24 to any app Samba
-Allowing access to Samba from all IPs of 192.168.X.X
$ sudo ufw allow from 192.168.0.0/16 to any app Samba
-Allowing access from Samba to all IPs of 192.168.X.X
$ sudo ufw allow from any app Samba to 192.168.0.0/24
Delete Rule
-To delete the rule allow 8080/tcp
$ sudo ufw status
Status: active
To Action From
-- ------ ----
22:tcp ALLOW 60.242.195.70
80:tcp ALLOW Anywhere
443:tcp ALLOW Anywhere
8080:tcp ALLOW Anywhere
$ sudo ufw delete allow 8080/tcp
-Result
$ sudo ufw status
Status: active
To Action From
-- ------ ----
22:tcp ALLOW 192.168.0.1
80:tcp ALLOW Anywhere
443:tcp ALLOW Anywhere
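Checking the status listing before and after a delete is the way to catch a rule like the 8080/tcp one above that was opened to the world and forgotten. The following POSIX shell script is an added example (not from this wiki page or the ufw project) that reads "ufw status" output and reports every rule allowed from Anywhere that is not on an expected list of ports. The function name audit_anywhere and the SAMPLE_STATUS variable are my own; the sample is constructed to match the listing shown on the page.

```shell
#!/bin/sh
# Added example (not from the original wiki page): audit "ufw status" output for
# ports that are ALLOWed from Anywhere but are not on the expected list, so a
# stray rule such as the 8080/tcp one deleted above is noticed.
# Function name (audit_anywhere) and SAMPLE_STATUS are hypothetical.

# Constructed sample matching the status listing shown on the page.
SAMPLE_STATUS='Status: active
To Action From
-- ------ ----
22:tcp ALLOW 60.242.195.70
80:tcp ALLOW Anywhere
443:tcp ALLOW Anywhere
8080:tcp ALLOW Anywhere'

# Usage: audit_anywhere "80:tcp 443:tcp" < status-output
# Prints each rule that is ALLOWed from Anywhere and not in the expected list.
# Exit status is 1 if any such rule was found, 0 otherwise, so it can gate a script.
audit_anywhere() {
    expected=$1
    awk -v expected="$expected" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        # Columns: To Action From. Newer ufw prints "Anywhere (v6)" as a fourth
        # field for IPv6 rules, so NF >= 3 keeps those lines in the audit too.
        NF >= 3 && $2 == "ALLOW" && $3 == "Anywhere" && !($1 in ok) { print $1; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Live use (needs root): sudo ufw status | audit_anywhere "80:tcp 443:tcp"
# On the constructed sample this prints 8080:tcp and exits 1:
# printf '%s\n' "$SAMPLE_STATUS" | audit_anywhere "80:tcp 443:tcp"
```

Newer ufw versions print ports as 80/tcp rather than 80:tcp, so adjust the expected list to match the format of the installed version.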