Firewall
The Linux kernel includes the Netfilter subsystem, which is used to manipulate or decide the fate of network traffic headed into or through your server.
The userspace interface for managing the Netfilter subsystem is iptables. When a packet reaches your server, it is handed off to the Netfilter subsystem for acceptance, manipulation, or rejection based on the rules supplied to it from userspace via iptables.
ufw
Developed to ease iptables firewall configuration, ufw provides a user-friendly way to create an IPv4 or IPv6 host-based firewall.
Basic Commands for Management
- ufw status, enabling and disabling
$ sudo ufw status
$ sudo ufw enable
$ sudo ufw disable
$ sudo ufw status verbose
- Adding and removing simple rules
$ sudo ufw allow 22 (open a port for the SSH service)
$ sudo ufw insert 1 allow 80 (insert a rule at position 1, ahead of the existing rules)
$ sudo ufw deny 22 (close a port)
$ sudo ufw delete deny 22 (delete a rule)
- Restricting a rule to a source address, protocol and port
$ sudo ufw allow proto tcp from 192.168.1.14 to any port 22
$ sudo ufw delete allow proto tcp from 192.168.1.14 to any port 22
- Adding the --dry-run option to a ufw command prints the resulting rules without applying them.
$ sudo ufw --dry-run allow http
- ufw application integration
Applications that open ports can include a ufw profile, which details the ports needed for the application to function properly. The profiles are kept in /etc/ufw/applications.d and can be edited if the default ports have been changed.
- To view which applications have installed a profile, enter the following in a terminal:
$ sudo ufw app list
- Allowing traffic to a port using an application profile is accomplished by:
$ sudo ufw allow Samba
$ sudo ufw allow from 192.168.0.0/24 to any app Samba
(The protocols and ports are specified in the app profile, so the rule uses the app name instead of a port number.)
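The profile files under /etc/ufw/applications.d are small INI-style files with a [Name] header and a ports= field, which is where a typo or an unvalidated value can silently open the wrong port. The following script is an added example, not code from the original page or from the ufw project: it validates a ports specification in the syntax ufw profiles accept (groups such as 137,138/udp|139,445/tcp) and writes a profile into a directory chosen through the assumed PROFILE_DIR variable, so it can be exercised against a temporary directory before anything is placed in the real profile directory. The profile name ExampleApp and its ports are constructed values.

```shell
#!/bin/sh
# Added example (not from the original page or the ufw project).
# PROFILE_DIR is an assumed override; it defaults to the real ufw profile dir.

# Return 0 if SPEC uses the syntax ufw profiles accept: one or more
# "ports/proto" groups joined by "|", where ports is a ','-separated list of
# port numbers or ':' ranges and proto is tcp or udp. Constructed check,
# deliberately strict: anything else is rejected.
valid_ports_spec() {
    spec=$1
    [ -n "$spec" ] || return 1
    # split on '|' without touching IFS; groups never legitimately contain spaces
    for group in $(printf '%s\n' "$spec" | tr '|' ' '); do
        case "$group" in
            */tcp|*/udp) ;;
            *) return 1 ;;          # missing or unknown protocol
        esac
        ports=${group%/*}
        case "$ports" in
            ''|*[!0-9,:]*) return 1 ;;                  # only digits , and :
            ,*|*,|*,,*|:*|*:|*::*|*,:*|*:,*) return 1 ;; # dangling separators
        esac
        # every number in a list or range must be a valid port
        for num in $(printf '%s\n' "$ports" | tr ',:' '  '); do
            [ "$num" -ge 1 ] && [ "$num" -le 65535 ] || return 1
        done
    done
    return 0
}

# Write a profile file named after the application into PROFILE_DIR.
# Returns 1 and writes nothing if the name or ports spec is malformed.
write_app_profile() {
    name=$1; title=$2; desc=$3; spec=$4
    dir=${PROFILE_DIR:-/etc/ufw/applications.d}
    # the name becomes a file name: allow only a conservative character set
    case "$name" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    valid_ports_spec "$spec" || return 1
    printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n' \
        "$name" "$title" "$desc" "$spec" > "$dir/$name"
}

# Usage (constructed values). Running with PROFILE_DIR pointed at a scratch
# directory leaves the real profile directory untouched:
#   PROFILE_DIR=$(mktemp -d) sh profile.sh
# Without PROFILE_DIR nothing is written, so the functions can be sourced safely.
if [ -n "${PROFILE_DIR:-}" ]; then
    write_app_profile ExampleApp "Example App" "Constructed demo service" \
        "8080/tcp|9000:9010/udp" && cat "$PROFILE_DIR/ExampleApp"
fi
```

After a profile has been copied into /etc/ufw/applications.d, `sudo ufw app list` shows it and `sudo ufw allow ExampleApp` uses the ports from the file, which is why the ports= field deserves a check before it is installed.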
Using IPv6 with UFW
- If your VPS is configured for IPv6, ensure that UFW is configured to support IPv6 so that it manages both your IPv4 and IPv6 firewall rules.
$ sudo vi /etc/default/ufw
Add or set the following line:
IPV6=yes
- Set up defaults
One of the things that will make setting up any firewall easier is to define some default rules for allowing and denying connections. UFW’s defaults are to deny all incoming connections and allow all outgoing connections.
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
- Allow other connections (by service name or by port/protocol):
$ sudo ufw allow www
$ sudo ufw allow 80/tcp
$ sudo ufw allow ftp
$ sudo ufw allow 21/tcp
- Allow a specific IP address
$ sudo ufw allow from 192.168.255.255
- Denying Connections
Our default setup is to deny all incoming connections. This makes the firewall rules easier to administer since we are only selectively allowing certain ports and IP addresses through.
$ sudo ufw deny 80/tcp
- Deleting rules
$ sudo ufw delete allow ssh
$ sudo ufw delete allow 1000:2000/tcp
- To get the list of rule numbers in the current ruleset, then delete a rule by its number:
$ sudo ufw status numbered
$ sudo ufw delete [number]
- Reset Everything
$ sudo ufw reset
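The default-deny, allow, deny and delete steps above are usually typed one at a time; on a fleet they are better kept as a script so the resulting policy is reproducible and the source address that ends up in a rule is checked rather than pasted. The following is an added example, not code from the original page or from the ufw project: it validates an IPv4 address or CIDR network, emits the baseline ruleset (deny incoming, allow outgoing, SSH rate-limited and restricted to the management network, HTTP/HTTPS open, logging on), and applies it through whatever command the assumed UFW variable names, so the same script can be previewed with `ufw --dry-run` or run with a plain `echo`. The management network 10.0.0.0/24 used in the usage lines is a constructed value.

```shell
#!/bin/sh
# Added example (not from the original page or the ufw project).
# UFW is an assumed override for the command that applies rules (default: ufw).

# Return 0 if ADDR is a dotted-quad IPv4 address, optionally with /prefix.
# Constructed validator: rejects anything that is not four 0-255 octets and
# a 0-32 prefix, so a malformed or hostile value never reaches a ufw rule.
valid_cidr4() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32            # bare address means /32
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $(printf '%s\n' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the baseline policy, one ufw argument list per line, for a host whose
# administrators connect from management network MGMT.
baseline_rules() {
    mgmt=$1
    valid_cidr4 "$mgmt" || { echo "invalid management network: $mgmt" >&2; return 1; }
    cat <<EOF
default deny incoming
default allow outgoing
limit proto tcp from $mgmt to any port 22
allow 80/tcp
allow 443/tcp
logging on
EOF
}

# Feed each line of baseline_rules to the ufw command named by UFW.
# Stops at the first failing command and returns non-zero.
apply_rules() {
    runner=${UFW:-ufw}
    baseline_rules "$1" | while IFS= read -r line; do
        # word splitting of $runner and $line is intended here
        $runner $line || exit 1
    done
}

# Usage (constructed network). Preview first, then apply and enable:
#   sudo UFW='ufw --dry-run' sh baseline.sh 10.0.0.0/24
#   sudo sh baseline.sh 10.0.0.0/24 && sudo ufw --force enable
if [ -n "${1:-}" ]; then
    apply_rules "$1"
fi
```

`ufw limit` is the rate-limiting form of allow: it still opens port 22, but only to the management network here, and ufw denies a source that opens too many connections in a short window. `sudo ufw status numbered` afterwards shows the rules in the order this script produced them, which is the order ufw evaluates them.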