Firewall Ubuntu Servers

This post is in follow up to my post on firewalls on Ubuntu Desktops.

IMO firewalls are often helpful for restricting access to servers. Servers come in two varieties, public and private, and often people wish to limit access or black list IP addresses that misbehave.

Again I will use UFW which is installed by default. In the last section I will introduce iptables. One feature that is nice about ufw, if you understand the ufw rules it is an easy transition to iptables.

The most important things you need to know to firewall servers are:

  1. Who (ip address) you wish to allow or restrict access.
  2. What protocol (tcp / udp) and port is used by your server.

A listing of ports is available here.

Enable your firewall

If you are accessing your server remotely, be sure NOT to lock yourself out.

Assuming you are accessing via ssh, allow ssh (we will restrict ssh access below, for now just do not lock yourself out).

sudo ufw allow 22

Now enable your firewall. Except for ssh, which you allowed with the above rule, this will deny all incoming (udp/tcp) traffic to your server.

sudo ufw enable
sudo ufw default deny

Public servers

Examples of public servers would be Apache (http) or FTP servers (to name a few). Here we wish to allow access to just about everyone.

Simply allow by port

sudo ufw allow 80

Or if you wish, by protocol and port (most servers will be tcp).

sudo ufw allow 80/tcp

You may specify multiple ports (comma separated list):

sudo ufw allow 80,443/tcp

Or a range of ports, low:high:

#Allow ports 6881 – 6999 (torrent)
sudo ufw allow 6881:6999/tcp

You may specify most services by name:

sudo ufw allow ssh

Some servers can be specified “by application”, although this is still by port and is not application specific. By that I mean: if you allow “Apache”, you open port 80, which can then be used by any client application (firefox, wget, etc).

List applications with:

sudo ufw app list


ufw app list
Available applications:
Apache
Apache Full
Apache Secure
CUPS
OpenSSH

To translate the output to English:
Apache = http = port 80
Apache Secure = https = port 443
Apache Full = both ports

As you install servers, they will be added to the list.

Now allow by application.

Examples (you do not need to use all 3 rules):

sudo ufw allow Apache

#Note: Quotes are needed with "Apache Full" because of the space in the name
sudo ufw allow "Apache Full"

sudo ufw allow from 192.168.0.0/24 app OpenSSH

You may add custom applications or custom ports by placing a profile file in /etc/ufw/applications.d

As an example, /etc/ufw/applications.d/apache2.2-common contains

[Apache]
title=Web Server
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp

So if you changed the ssh port to 8822, add a file “ssh-custom” at /etc/ufw/applications.d/ssh-custom containing:

[SSH Custom]
title= SSH Custom port
description=OpenSSH Server Custom port
ports=8822/tcp

You will now see “SSH Custom” when you list apps and can use it as above.
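The profile format above is plain INI-style text, so it is easy to generate and to read back. The following is an added example and is not part of the post or of ufw itself: it writes a custom profile, validates the ports line before writing (so a typo cannot produce a profile ufw refuses to load), and parses the ports value back out of a file that holds several sections. PROFILE_DIR defaults to a constructed temporary directory so it runs without root; on a real server the directory is /etc/ufw/applications.d.

```shell
#!/bin/sh
# Added example (not from the post): write and read back UFW application
# profiles in the INI format shown above. PROFILE_DIR defaults to a
# constructed temporary directory so this runs without root; on a real
# server the directory is /etc/ufw/applications.d.

PROFILE_DIR="${PROFILE_DIR:-$(mktemp -d)}"

# write_profile NAME TITLE DESCRIPTION PORTS
# Writes one profile; the file name is NAME lower-cased with spaces
# replaced by dashes ("SSH Custom" -> ssh-custom). Prints the path.
write_profile() {
    # Accept only the port syntax the post uses: numbers, comma lists,
    # low:high ranges, optional /tcp or /udp. Anything else is rejected.
    if ! printf '%s' "$4" | grep -Eq '^[0-9]+([,:][0-9]+)*(/(tcp|udp))?$'; then
        echo "write_profile: bad ports spec '$4'" >&2
        return 1
    fi
    file="$PROFILE_DIR/$(printf '%s' "$1" | tr 'A-Z ' 'a-z-')"
    printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n' "$1" "$2" "$3" "$4" > "$file"
    printf '%s\n' "$file"
}

# profile_ports FILE SECTION
# Prints the ports= value of [SECTION] in FILE (a file may hold several
# sections, like the apache2.2-common profile above).
profile_ports() {
    awk -v want="[$2]" '
        $0 == want                  { insec = 1; next }
        /^\[/                       { insec = 0 }
        insec && sub(/^ports=/, "") { print; exit }
    ' "$1"
}

# list_profiles: prints every section name under PROFILE_DIR, which is
# the set of names "ufw app list" would report for that directory.
list_profiles() {
    cat "$PROFILE_DIR"/* 2>/dev/null |
        awk '/^\[.*\]$/ { s = $0; sub(/^\[/, "", s); sub(/\]$/, "", s); print s }'
}

# Constructed copy of the multi-section Apache profile from the post, so
# the parser can be exercised on a file with more than one section.
cat > "$PROFILE_DIR/apache2.2-common" <<'EOF'
[Apache]
title=Web Server
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp
EOF

# Usage: create the custom ssh profile and read both files back.
ssh_profile=$(write_profile "SSH Custom" "SSH Custom port" "OpenSSH Server Custom port" "8822/tcp")
profile_ports "$ssh_profile" "SSH Custom"                    # 8822/tcp
profile_ports "$PROFILE_DIR/apache2.2-common" "Apache Full"  # 80,443/tcp
list_profiles
```

The validation deliberately covers only the port syntax the post shows; ufw's own profiles may also join several specs with a vertical bar, which this check would reject, so extend the pattern if you need that.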

Private servers

Examples may include NFS, Samba, ssh, VNC, and VPN. I will use ssh and Apache as examples.

For these examples we will assume your LAN is 192.168.0.0/24 and your server is 192.168.0.10

Here we almost always wish to restrict access to a single IP or perhaps a range of IPs. For example, to restrict ssh access to a single machine, say 192.168.0.20:

sudo ufw allow proto tcp from 192.168.0.20 to 192.168.0.10 port 22

The syntax is: proto <protocol> from <client ip> to <server ip> port <port>

To allow ssh from any client on your LAN use:

sudo ufw allow proto tcp from 192.168.0.0/24 to 192.168.0.10 port 22

Limiting access

Limiting access comes in two flavors: the first is to limit a DOS or brute force attempt, and the other is blacklisting.

Brute Force

UFW will rate limit connection attempts:

ufw supports connection rate limiting, which is useful for protecting against brute-force login attacks. ufw will deny connections if an IP address has attempted to initiate 6 or more connections in the last 30 seconds.

Example (using ssh):

sudo ufw limit ssh

“Limit” opens the port, so you do not need a second rule.


ufw status
Status: active

To Action From
-- ------ ----
22 LIMIT Anywhere

This output shows that port 22 is open and access to it is rate limited by ufw.

Blacklist

Keep in mind the order of your rules is critical. As such I like to block first, accept second. So for example let us assume we wish to block a misbehaving client on our LAN, 192.168.0.20:

sudo ufw insert 1 deny from 192.168.0.20

Here “insert 1” tells ufw to insert the rule first (at the top) of the chain, ahead of any allow rule that would otherwise match the same client.

Using UFW in this way blocks only NEW connections.

IMO it is better to use iptables or an application such as iplist.
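The reason order matters is that the chain is evaluated first match wins. The following is an added example, not code from the post or from ufw: a first-match evaluator for the private-server rules above (source address or CIDR, destination port, ALLOW or DENY, deny by default) that shows the deny for 192.168.0.20 being ignored when it sits after the LAN allow rule, and taking effect when it is inserted first. It models only what this section discusses; protocol and connection state are ignored, and the rule strings are constructed.

```shell
#!/bin/sh
# Added example (not from the post): a first-match evaluator that shows why
# rule order matters. It models only what the post discusses (source
# address or CIDR, destination port, ALLOW/DENY, deny by default) and
# ignores protocol and connection state; the rule strings are constructed.

# first_match RULES SRC_IP DPORT
# RULES is one rule per line: "ACTION SOURCE PORT", where SOURCE is an IPv4
# address, a CIDR block or "any", and PORT is a number or "any". Prints the
# action of the first rule that matches, or the default when none does.
first_match() {
    printf '%s\n' "$1" | awk -v src="$2" -v dport="$3" '
    function ip2n(s,   o) {
        split(s, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # in_net(): compare the network part of ip and cidr by dividing both
    # by the host-bit span 2^(32-prefix); a bare address means /32.
    function in_net(ip, cidr,   p, bits, host) {
        if (cidr == "any") return 1
        bits = (split(cidr, p, "/") == 2) ? p[2] : 32
        host = 2 ^ (32 - bits)
        return int(ip2n(ip) / host) == int(ip2n(p[1]) / host)
    }
    NF >= 3 && in_net(src, $2) && ($3 == "any" || $3 == dport) {
        print $1; found = 1; exit
    }
    END { if (!found) print "DENY (default)" }'
}

# Constructed rule sets. RULES_ALLOW_FIRST is what you get if the deny was
# appended after the LAN rule; RULES_DENY_FIRST is the effect of
# "ufw insert 1 deny from 192.168.0.20".
RULES_ALLOW_FIRST='ALLOW 192.168.0.0/24 22
DENY 192.168.0.20 any'
RULES_DENY_FIRST='DENY 192.168.0.20 any
ALLOW 192.168.0.0/24 22'

first_match "$RULES_ALLOW_FIRST" 192.168.0.20 22   # ALLOW: the deny is never reached
first_match "$RULES_DENY_FIRST"  192.168.0.20 22   # DENY
first_match "$RULES_DENY_FIRST"  192.168.0.21 22   # ALLOW
first_match "$RULES_DENY_FIRST"  10.0.0.5     22   # DENY (default)
```

The same evaluator answers the question behind the private-server rules: a host outside 192.168.0.0/24 never matches the LAN rule and falls through to the default deny, whichever order the rules are in.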

Block ping

By default, UFW allows ping requests. In order to block these requests you will need to edit /etc/ufw/before.rules

sudo -e /etc/ufw/before.rules

Change
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

to

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

Restart UFW

sudo ufw disable
sudo ufw enable

Deleting rules

Deleting a rule is also easy. Use the same syntax you used to add a rule to ufw with the word “delete” added.

For example, using Apache:

# sudo ufw allow Apache
Rule added

# ufw status
Status: active

To Action From
-- ------ ----
22 LIMIT Anywhere
Apache ALLOW Anywhere

# sudo ufw delete allow Apache
Rule deleted

# ufw status
Status: active

To Action From
-- ------ ----
22 LIMIT Anywhere

Logs

ufw logs messages to /var/log/messages, and logging is enabled or disabled from the command line.

sudo ufw logging on
sudo ufw logging off

The options are on, off, low, medium, high, and full; on is the same as low.

From the ufw man pages :

LOGGING

ufw supports multiple logging levels. ufw defaults to a loglevel of
'low' when a loglevel is not specified. Users may specify a loglevel
with:

ufw logging LEVEL

LEVEL may be 'off', 'low', 'medium', 'high' and 'full'. Log levels are
defined as:

off disables ufw managed logging

low logs all blocked packets not matching the default policy (with
rate limiting), as well as packets matching logged rules

medium log level low, plus all allowed packets not matching the default
policy, all INVALID packets, and all new connections. All
logging is done with rate limiting.

high log level medium (without rate limiting), plus all packets with
rate limiting

full log level high without rate limiting

Loglevels above medium generate a lot of logging output, and may
quickly fill up your disk. Loglevel medium may generate a lot of
logging output on a busy system.

Specifying 'on' simply enables logging at log level 'low' if logging is
currently not enabled.
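Once logging is on, the useful question is which sources and ports are being blocked, since that is what tells you whether a blacklist rule is warranted. Here is an added example that is not part of the post or of ufw: an awk summary of "[UFW BLOCK]" lines, in the kernel log format ufw writes (one KEY=VALUE field per packet attribute, as in the log line quoted in the comments), run over a constructed sample. The pattern also catches the "[UFW LIMIT BLOCK]" prefix written by drops from a limit rule. Host name and addresses are constructed, using the documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the post): summarise UFW block log lines from a
# constructed sample in the kernel log format ufw writes. Addresses and
# host name are made up; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges.

SAMPLE_LOG='Jan 29 21:38:27 srv kernel: [6168044.287849] [UFW BLOCK] IN=eth0 OUT= MAC= SRC=203.0.113.5 DST=192.168.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=1234 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 29 21:38:29 srv kernel: [6168046.101000] [UFW BLOCK] IN=eth0 OUT= MAC= SRC=203.0.113.5 DST=192.168.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=1235 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 29 21:38:30 srv kernel: [6168047.200000] [UFW BLOCK] IN=eth0 OUT= MAC= SRC=198.51.100.7 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=9 DF PROTO=TCP SPT=40000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 29 21:38:31 srv kernel: [6168048.300000] [UFW BLOCK] IN=eth0 OUT= MAC= SRC=203.0.113.5 DST=192.168.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=1236 DF PROTO=TCP SPT=51002 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 29 21:38:33 srv sshd[1234]: Accepted publickey for admin from 192.168.0.20 port 50000 ssh2
Jan 29 21:38:35 srv kernel: [6168052.400000] [UFW BLOCK] IN=eth0 OUT= MAC= SRC=198.51.100.7 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=10 DF PROTO=UDP SPT=40001 DPT=161 LEN=20
Jan 29 21:38:36 srv kernel: [6168053.500000] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC= SRC=203.0.113.5 DST=192.168.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=1237 DF PROTO=TCP SPT=51003 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0'

# ufw_block_summary: reads log lines on stdin and prints
# "COUNT SRC PROTO DPT" for each blocked (source, protocol, port),
# most frequent first. Non-ufw lines such as the sshd entry are skipped.
ufw_block_summary() {
    awk '
    /\[UFW [A-Z ]*BLOCK\]/ {
        src = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# blocked_sources MIN: prints "COUNT SRC" for every source with at least
# MIN blocked packets, which is the list to review before adding a deny.
blocked_sources() {
    awk -v min="${1:-1}" '
    /\[UFW [A-Z ]*BLOCK\]/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
    }
    END { for (s in n) if (n[s] >= min) print n[s], s }' | sort -rn
}

# Usage on the constructed sample; on a server, replace the printf with
# grep on the log file the post names.
printf '%s\n' "$SAMPLE_LOG" | ufw_block_summary
printf '%s\n' "$SAMPLE_LOG" | blocked_sources 3
```

At log level low the kernel rate limits these messages, so the counts are a floor, not an exact number of dropped packets; treat them as a pointer to which source to look at, not as a measurement.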

Iptables

Now that you have ufw under your belt, it is easier to understand iptables. If you want to use iptables directly, it is best to disable UFW first.

sudo ufw disable

#These iptables commands clean up after UFW: flush all rules, then delete the custom chains
sudo iptables -F
sudo iptables -X

To deny all incoming traffic (take care not to lock yourself out of remote servers, allow ssh first !!!):

sudo iptables -A INPUT -j DROP

You can set a Policy with iptables, but doing so makes it easy to lock yourself out if you issue the command “iptables -F”.

To allow ssh

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

To allow ssh only from your LAN:

sudo iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT

iptables is much more feature rich than UFW, and hopefully this post will both stimulate your interest and help you learn to use iptables.

See also : Bodhi Zazen’s Iptables Primer


25 Responses to Firewall Ubuntu Servers

  1. Pingback: Tweets that mention Shadows of epiphany » Blog Archive » Firewall Ubuntu Servers -- Topsy.com

  2. Robert Collins says:

    Dropping ICMP control messages is a great way to cause terrible performance. Ping is one thing, messing up congestion control and so on another.

  3. bodhi.zazen says:

    OK, thanks for the feedback. I personally prefer to keep ping so I overlooked this detail, I will update my post.

    — Should be better now =)

  4. Pingback: uberVU - social comments

  5. drubin says:

    Very nice article thanks bodhi!

    You can also look in /etc/services for the ports/protocol info. Very handy if you only have ssh access and well can’t go browsing wiki pages.

  6. bodhi.zazen says:

    This is indeed very handy drubin.

    You may search for a service with grep :


    grep ssh /etc/services
    ssh 22/tcp # SSH Remote Login Protocol
    ssh 22/udp

  7. Pingback: Bodhi.Zazen: Firewall Ubuntu GUFW | L&C Tech Talk

  8. Jemicomiutt says:

    Lots of folks write about this topic but you said really true words.

  9. memilanuk says:

    Hmmm… my main question is if you enter a semi-complicated (for the sort of person ufw is designed for) rule, say one specifying only allowing a certain machine access to a certain port, over tcp, that sort of thing… how do you specify that rule later if you want to delete it? ufw only lists the rules, not the syntax that created them. On the one hand it should give an experienced user enough information that they could recreate the rule and successfully delete it, but for a beginner who didn’t copy it down in a text file somewhere… they might be left with no option but to wipe all the rules to get the one they really wanted gone.

    Or am I missing something here?

  10. bodhi.zazen says:

    LOL, this is true and I have had that problem.

    As with all things, as you use ufw and become more familiar with it you will become more familiar with the syntax.

    As you suggest, the syntax of ufw (when listing the rules) is cryptic, but is often sufficient to work through, but it can be difficult.

    If you are stuck you could consider either deleting the rule with gufw or post on the Ubuntu Forums, in the security section (ask for help).

  11. I found your blog recently and have been visiting it . I think your way of thinking is good. keep up the good work. If interested in link exchange please contact me.

  12. ctlarsen says:

    This article was *very* helpful to me at a crucial time. Thank you for your efforts, especially the examples and attention to detail, all written with CLARITY (a difficult commodity to find in Linux work).

    Well done!

  13. Steve says:

    I am new to Ubuntu and your blog has been a great help; it's clear and easy to follow. Many thanks and keep up the good work

    Steve

  14. bodhi.zazen says:

    @Steve: You are most welcome, glad you found the information helpful.

  15. jonny rocket says:

    all these settings can be done GUI also. thanks for the info.

  16. bodhi.zazen says:

    @jonny rocket : Yes, but on servers we typically do not have a graphical environment.

    If you need a graphical interface for a server, take a look at tools such as webmin (or similar). Many web interfaces will allow you to configure iptables.

    HTH

  17. Amit says:

    Very helpful article.
    Keep posting !!!!

  18. Pingback: 防火牆ufw « Gavaee’s Blog

  19. Chris says:

    Many thanks, I’m gonna have a go at some of these tonight!

  20. aufdenschlips says:

    Very helpful posts, bodhi!

    enabled ufw and wanting to use limits noticed that ufw also has the same set of rules for ipv6

    now i need to google a bit how to enable it also for that :)

    Thank you!

  21. Pingback: Debian Server mit der unkomplizierten Firewall ufw absichern « gambaru.de

  22. Alx says:

    STATUS:
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing)
    New profiles: skip

    To Action From
    — —— —-
    22/tcp ALLOW IN Anywhere

    LOGS:
    Jan 29 21:38:27 *** kernel: [6168044.287849] [UFW BLOCK] IN=venet0 OUT= MAC= SRC=********** DST=********* LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=*** DF PROTO=TCP SPT=*** DPT=22 WINDOW=****RES=0x00 SYN URGP=0

    What is wrong? It does not recognize my rules?

  23. Alx says:

    So will i report it at launchpad.net?

  24. bodhi.zazen says:

    @Alx – I do not see anything obviously wrong.

  25. Pingback: ubuntu ufw firewall configuration reference | A good host
