Uncomplicated Firewall

From KevinWiki

Revision as of 18:19, 12 October 2010 (view source) Kevin (Talk | contribs) (→Allow access to Samba from a range of IP addresses) ← Older edit		Latest revision as of 12:48, 31 July 2012 (view source) Kevin (Talk | contribs) (→Delete Rule)
Line 186:		Line 186:
	===Delete Rule===		===Delete Rule===
-	-To delete the rule <code>allow 8080/tcp</code>	+	* To delete the rule <code>allow 8080/tcp</code>
	$ sudo ufw status		$ sudo ufw status
	Status: active		Status: active
Line 192:		Line 192:
	To                        Action  From		To                        Action  From
	--                        ------  ----		--                        ------  ----
-	22:tcp                    ALLOW  60.242.195.70	+	22:tcp                    ALLOW  192.168.0.1
	80:tcp                    ALLOW  Anywhere		80:tcp                    ALLOW  Anywhere
	443:tcp                    ALLOW  Anywhere		443:tcp                    ALLOW  Anywhere
Line 201:		Line 201:
	</pre>		</pre>
-	-Result	+	* Result
	<pre>		<pre>
	$ sudo ufw status		$ sudo ufw status
Line 213:		Line 213:
	443:tcp                    ALLOW  Anywhere		443:tcp                    ALLOW  Anywhere
	</pre>		</pre>
		+
		+
		+	* Or to delete the rule <code>allow 8080/tcp from 192.168.0.100</code>.
		+
		+	$ sudo ufw status
		+	Status: active
		+
		+	To                        Action  From
		+	--                        ------  ----
		+	22:tcp                    ALLOW  192.168.0.1
		+	80:tcp                    ALLOW  Anywhere
		+	443:tcp                    ALLOW  Anywhere
		+	<span style="color: red; font-weight: bolder;">8080:tcp                  ALLOW  192.168.0.100</span>
		+
		+	$ ufw delete allow in from 192.168.0.100 to any port 8080 proto tcp
		+
		+	* Result
		+	$ sudo ufw status
		+	Status: active
		+
		+	To                        Action  From
		+	--                        ------  ----
		+	22:tcp                    ALLOW  192.168.0.1
		+	80:tcp                    ALLOW  Anywhere
		+	443:tcp                    ALLOW  Anywhere

---

Latest revision as of 12:48, 31 July 2012

Contents 1 Installation 2 How to Use UFW 2.1 Check the status 2.2 Start the firewall 2.3 Set default action to deny all the accesses 2.4 Allow access to port 22 from the specific IP through tcp protocol. 2.5 Allow access for Web 2.6 Allow access to port 22 from the specific IP and web access from anywhere 2.7 Allow access to port 22 from a range of IP addresses except some 2.8 Allow access to Samba from a range of IP addresses 2.9 Delete Rule

Installation

$ sudo apt-get install ufw 

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  ucf
The following NEW packages will be installed:
  ucf ufw
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 84.7kB of archives.
After this operation, 463kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://us.archive.ubuntu.com hardy/main ucf 3.005 [61.6kB]
Get:2 http://us.archive.ubuntu.com hardy-updates/main ufw 0.16.2.3 [23.1kB]
Fetched 84.7kB in 1s (77.8kB/s)
Preconfiguring packages ...
Selecting previously deselected package ucf.
(Reading database ... 12638 files and directories currently installed.)
Unpacking ucf (from .../apt/archives/ucf_3.005_all.deb) ...
Moving old data out of the way
Selecting previously deselected package ufw.
Unpacking ufw (from .../archives/ufw_0.16.2.3_all.deb) ...
Setting up ucf (3.005) ...

Setting up ufw (0.16.2.3) ...

Creating config file /etc/ufw/before.rules with new version

Creating config file /etc/ufw/before6.rules with new version

Creating config file /etc/ufw/after.rules with new version

Creating config file /etc/ufw/after6.rules with new version

How to Use UFW

Check the status

$ sudo ufw status 
Status: inactive

Start the firewall

$ sudo ufw enable 
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

-Check the status

$ sudo ufw status 
Status: active

Set default action to deny all the accesses

$ sudo ufw default deny 
Default policy changed to 'deny'
(be sure to update your rules accordingly)

Allow access to port 22 from the specific IP through tcp protocol.

$ sudo ufw allow proto tcp from <your ip> to any port <ssh port (e.g. 22)> 

$ sudo ufw allow proto tcp from 192.168.0.1 to any port 22 
Rule added

$ sudo ufw status 

Status: active

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1

Allow access for Web

-Allow access to port 80 (web) from anywhere

$ sudo ufw allow 80/tcp 
Rule added

-Allow access to port 443 (ssl) from anywhere

$ sudo ufw allow 443/tcp 
Rule added

$ sudo ufw status 

Status: active

To                         Action  From
--                         ------  ----
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere

Allow access to port 22 from the specific IP and web access from anywhere

-Allowing access to port 22 from your IP and allowing access to port 80 (web) and 443 (ssl) from anywhere.

$ sudo ufw enable 
Firewall started and enabled on system startup

$ sudo ufw default deny 
Default policy changed to 'deny'
(be sure to update your rules accordingly)

$ sudo ufw allow proto tcp from 192.168.0.1 to any port 22 
Rule added

$ sudo ufw allow 80/tcp 
Rule added

$ sudo ufw allow 443/tcp 
Rule added

$ sudo ufw status 

Status: active

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere

Allow access to port 22 from a range of IP addresses except some

-Allowing access to port 22 from all IPs of 192.168.0.x except 192.168.0.5 and 192.168.0.10

$ sudo ufw deny from 192.168.0.5 to any port 22 
$ sudo ufw deny from 192.168.0.10 to any port 22 
$ sudo ufw allow from 192.168.0.0/24 to any port 22 

$ sudo ufw status 

Status: active

To                         Action  From
--                         ------  ----
22:tcp                     DENY    192.168.0.5
22:udp                     DENY    192.168.0.5
22:tcp                     DENY    192.168.0.10
22:udp                     DENY    192.168.0.10
22:tcp                     ALLOW   192.168.0.0/24
22:udp                     ALLOW   192.168.0.0/24

Allow access to Samba from a range of IP addresses

-Allowing access to Samba from all IPs of 192.168.0.x

sudo ufw allow from 192.168.0.0/24 to any app Samba

-Allowing access to Samba from all the IPs of 192.168.X.X

sudo ufw allow from 192.168.0.0/16 to any app Samba

-Allowing access to all the IPs of 192.168.X.X from Samba

sudo ufw allow from any app Samba to 192.168.0.0/24

Delete Rule

• To delete the rule allow 8080/tcp

$ sudo ufw status 
Status: active

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere
8080:tcp                   ALLOW   Anywhere

$ sudo ufw delete allow 8080/tcp 

• Result

$ sudo ufw status 

Status: active

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere

• Or to delete the rule allow 8080/tcp from 192.168.0.100.

$ sudo ufw status 
Status: active

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere
8080:tcp                   ALLOW   192.168.0.100

$ ufw delete allow in from 192.168.0.100 to any port 8080 proto tcp

• Result

$ sudo ufw status 
Status: active

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere