msgbartop
A chronological documentation test project, nothing serious, really!
msgbarbottom

21 May 2008 Using ufw / iptables in Ubuntu 8.04 LTS

Posted by

ufw (Uncomplicated Firewall) is a new and easy firewall/iptables tool introduced in Ubuntu 8.04 LTS (Hardy Heron).

ufw is a front-end for iptables-restore, with its rules saved in /etc/ufw/before.rules, /etc/ufw/after.rules and /var/lib/ufw/user.rules. Administrators can customize before.rules and after.rules as desired using the standard iptables-restore syntax. Rules are evaluated as follows: before.rules first, user.rules next, and after.rules last. IPv6 rules are evaluated in the same way, with the rules files named before6.rules, user6.rules and after6.rules.

Please note that ufw status only shows rules added with ufw and not the rules found in the /etc/ufw rules files.

This is a simple example to create a firewall that has a default deny rule and we explicitly tell it what services we would like to allow, like SSH. The order that you type the following commands are vital and should not be changed unless you know what you are doing or you’re not working towards your machine through network/SSH.

Turn on firewall logging

# ufw logging on

Default rule value for the firewall is DENY

# ufw default deny

Allow SSH traffic

# ufw allow ssh/tcp

Start firewall

# ufw enable

You can now check the status of your new firewall

# ufw status

Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   Anywhere

We can see that port 22 (SSH) is allowed from everywhere. ufw status only shows rules added with ufw and not the rules found in the /etc/ufw rules files.

Deleting a rule

# ufw delete allow ssh/tcp

You just put a delete in front of the rule you would like to delete.

Limit access to port 22/SSH from subnet 192.168.0.0/255.255.255.0

# ufw allow proto tcp from 192.168.0.0/24 to any port 22

Adding a rule with a range of (multiple) ports is not possible using ufw in Ubuntu 8.04 and 8.10. If I was using iptables the rule would look like this

iptables -A FIREWALL -p tcp --dport 5900:5910 -j ACCEPT

One way to work around this limitation is to do some bash scripting.
This example shows how I manage to open arange of 10 ports for VNC, though not gracefully…

for port in {5900..5910}; do ufw allow proto tcp from any to any port $port; done

Result

To                         Action  From
--                         ------  ----
...
5900:tcp                   ALLOW   Anywhere
5901:tcp                   ALLOW   Anywhere
5902:tcp                   ALLOW   Anywhere
5903:tcp                   ALLOW   Anywhere
...

Adding custom rules without using ufw can be done by adding the rules to the files in /etc/ufw/before.rules and /etc/ufw/after.rules. Rules manually added to /var/lib/ufw/user.rules will be deleted the next time you use ufw from the command line!

These are my custom rules added to /etc/ufw/before.rules

...
*filter
...
:SSH_CHECK - [0:0]
### RULES ###

# Script kiddie check
-A ufw-before-input -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
-A SSH_CHECK -m recent --set --name SSH
-A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
...

These rules are explained in a earlier post about SSH dictionary prevention

ufw status only shows the part you tell it to modify. The whole iptables output looks like this

# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-input  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination
ufw-before-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-forward  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-output  all  --  0.0.0.0/0            0.0.0.0/0           

Chain SSH_CHECK (1 references)
target     prot opt source               destination
           all  --  0.0.0.0/0            0.0.0.0/0           recent: SET name: SSH side: source
DROP       all  --  0.0.0.0/0            0.0.0.0/0           recent: UPDATE seconds: 60 hit_count: 4 name: SSH side: source 

Chain ufw-after-forward (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW BLOCK FORWARD]: '
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-after-input (1 references)
target     prot opt source               destination
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:137
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:138
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:68
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW BLOCK INPUT]: '
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-after-output (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ufw-user-forward  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0           ctstate INVALID
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
ufw-not-local  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  224.0.0.0/4          0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            224.0.0.0/4
ufw-user-input  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
ufw-user-output  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type LOCAL
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type MULTICAST
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type BROADCAST
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW BLOCK NOT-TO-ME]: '
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-forward (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-input (1 references)

target     prot opt source               destination
SSH_CHECK  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:4949
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-output (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Tags: , ,

Comments are closed.