Using ufw / iptables in Ubuntu 8.04 LTS
ufw (Uncomplicated Firewall) is a new and easy firewall/iptables tool introduced in Ubuntu 8.04 LTS (Hardy Heron).
ufw is a front-end for iptables-restore, with its rules saved in /etc/ufw/before.rules, /etc/ufw/after.rules and /var/lib/ufw/user.rules. Administrators can customize before.rules and after.rules as desired using the standard iptables-restore syntax. Rules are evaluated as follows: before.rules first, user.rules next, and after.rules last. IPv6 rules are evaluated in the same way, with the rules files named before6.rules, user6.rules and after6.rules.
Please note that ufw status only shows rules added with ufw and not the rules found in the /etc/ufw rules files.
This is a simple example of creating a firewall with a default deny policy, where we explicitly tell it which services we want to allow, such as SSH. The order in which you type the following commands is vital and should not be changed unless you know what you are doing, or unless you are not reaching the machine over the network/SSH (otherwise you can lock yourself out before the allow rule is in place).
Turn on firewall logging
# ufw logging on
Default rule value for the firewall is DENY
# ufw default deny
Allow SSH traffic
# ufw allow ssh/tcp
Start firewall
# ufw enable
You can now check the status of your new firewall
# ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   Anywhere
We can see that port 22 (SSH) is allowed from everywhere. ufw status only shows rules added with ufw and not the rules found in the /etc/ufw rules files.
Deleting a rule
# ufw delete allow ssh/tcp
You just put a delete in front of the rule you would like to delete.
Limit access to port 22/SSH from subnet 192.168.0.0/255.255.255.0
# ufw allow proto tcp from 192.168.0.0/24 to any port 22
Adding a rule with a range of (multiple) ports is not possible using ufw in Ubuntu 8.04 and 8.10. If I were using iptables directly, the rule would look like this
iptables -A FIREWALL -p tcp --dport 5900:5910 -j ACCEPT
One way to work around this limitation is to do some bash scripting.
This example shows how I manage to open a range of 10 ports for VNC, though not gracefully…
for port in {5900..5910}; do ufw allow proto tcp from any to any port $port; done
Result
To                         Action  From
--                         ------  ----
...
5900:tcp                   ALLOW   Anywhere
5901:tcp                   ALLOW   Anywhere
5902:tcp                   ALLOW   Anywhere
5903:tcp                   ALLOW   Anywhere
...
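As an added example (not part of the original post), a small hypothetical helper, ufw_range_cmds, that turns a contiguous port range into the per-port ufw commands the loop above runs. It prints them instead of executing them, so the list can be reviewed before it is piped to sh, and it can build the matching delete commands, since ufw also removes rules one at a time.

```shell
# Hypothetical helper, not from the original post: print one ufw command per
# port for "allow" or "delete" on a contiguous tcp/udp port range.
ufw_range_cmds() {
  action=$1
  proto=$2
  first=$3
  last=$4
  case $action in allow|delete) ;; *) echo "action must be allow or delete" >&2; return 1 ;; esac
  case $proto in tcp|udp) ;; *) echo "proto must be tcp or udp" >&2; return 1 ;; esac
  case $first in ''|*[!0-9]*) echo "first port must be numeric" >&2; return 1 ;; esac
  case $last in ''|*[!0-9]*) echo "last port must be numeric" >&2; return 1 ;; esac
  if [ "$first" -lt 1 ] || [ "$last" -gt 65535 ] || [ "$first" -gt "$last" ]; then
    echo "bad range $first-$last" >&2
    return 1
  fi
  p=$first
  while [ "$p" -le "$last" ]; do
    if [ "$action" = delete ]; then
      # same syntax as "ufw delete allow ...": delete in front of the rule
      echo "ufw delete allow proto $proto from any to any port $p"
    else
      echo "ufw allow proto $proto from any to any port $p"
    fi
    p=$((p + 1))
  done
}

# Review first, then apply as root:
#   ufw_range_cmds allow tcp 5900 5910
#   ufw_range_cmds allow tcp 5900 5910 | sh
```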
Adding custom rules without using ufw can be done by adding the rules to the files in /etc/ufw/before.rules and /etc/ufw/after.rules. Rules manually added to /var/lib/ufw/user.rules will be deleted the next time you use ufw from the command line!
These are my custom rules added to /etc/ufw/before.rules
...
*filter
...
:SSH_CHECK - [0:0]
### RULES ###
# Script kiddie check
-A ufw-before-input -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
-A SSH_CHECK -m recent --set --name SSH
-A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
...
These rules are explained in an earlier post about SSH dictionary attack prevention.
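As an added example (not from the original post), a dry-run simulation, ssh_check_simulate, of what the SSH_CHECK chain above does to a list of NEW connections to port 22. Each input line is "<epoch_seconds> <source_ip>" (constructed sample data); the --set rule records every attempt, and the --update --seconds 60 --hitcount 4 rule drops an attempt once the source has been seen 4 or more times within the last 60 seconds. The simulation keeps every timestamp, whereas the kernel's recent table keeps a bounded list per address, so it is an approximation for long bursts.

```shell
# Hypothetical simulation of the SSH_CHECK chain, not from the original post.
# Input: lines of "<epoch_seconds> <source_ip>", one per NEW SSH connection.
# Output: "<source_ip> <epoch_seconds> ACCEPT|DROP" in time order.
ssh_check_simulate() {
  printf '%s\n' "$1" | sort -n | awk -v window=60 -v hits=4 '
  NF == 2 {
    now = $1; src = $2
    # -A SSH_CHECK -m recent --set --name SSH: record this attempt
    n[src]++; t[src, n[src]] = now
    # -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 -j DROP:
    # count attempts from this source inside the window, current one included
    c = 0
    for (i = 1; i <= n[src]; i++) if (now - t[src, i] < window) c++
    print src, now, (c >= hits ? "DROP" : "ACCEPT")
  }'
}

# Constructed sample: one host hammers port 22, another connects once.
SAMPLE_ATTEMPTS='0 10.0.0.5
5 192.0.2.9
10 10.0.0.5
20 10.0.0.5
30 10.0.0.5
100 10.0.0.5'

ssh_check_simulate "$SAMPLE_ATTEMPTS"
```

The fourth attempt from 10.0.0.5 (at second 30) is the one that gets dropped; by second 100 the earlier attempts have aged out of the window and the source is accepted again.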
ufw status only shows the part you tell it to modify. The whole iptables output looks like this
# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-input  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ufw-before-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-forward  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-output  all  --  0.0.0.0/0            0.0.0.0/0

Chain SSH_CHECK (1 references)
target     prot opt source               destination
           all  --  0.0.0.0/0            0.0.0.0/0           recent: SET name: SSH side: source
DROP       all  --  0.0.0.0/0            0.0.0.0/0           recent: UPDATE seconds: 60 hit_count: 4 name: SSH side: source

Chain ufw-after-forward (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW BLOCK FORWARD]: '
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-after-input (1 references)
target     prot opt source               destination
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:137
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:138
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:68
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW BLOCK INPUT]: '
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-after-output (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ufw-user-forward  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0           ctstate INVALID
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
ufw-not-local  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  224.0.0.0/4          0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            224.0.0.0/4
ufw-user-input  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
ufw-user-output  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type LOCAL
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type MULTICAST
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type BROADCAST
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW BLOCK NOT-TO-ME]: '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-user-forward (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-user-input (1 references)
target     prot opt source               destination
SSH_CHECK  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:4949
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-user-output (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0