Firewall, is used for automatic processing and filtering of network traffic. Since not all data transmitted over the network is useful and secure, there is a need to check and process them on the fly.
To better understand what is at stake, imagine an apartment building. Hundreds or even thousands of people come in and out every day. Among them are the apartment owners, their household members, guests, and people were not invited — robbers, crooks and just sellers of useless things, annoying people. The firewall in this example is a strict attendant at the entrance. He knows and without any problems passes each tenant, and those who don’t know — thoroughly check. The property and the rest of the inhabitants of the house at the same time are safe.
Linux uses the Netfilter firewall, which has been part of the kernel since 2000, to filter traffic. It allows you to manage the well-known utility iptables. It provides a very flexible configuration system, but it is quite difficult to configure. To make life easier for users, Ubuntu has added a wrapper for iptables — the Uncomplicated Firewall (UFW) firewall and a graphical wrapper for it — GUI for Uncomplicated Firewall (GUFW). To better understand, we will start with the console version of the firewall.
Enable the firewall and create the simplest rules
By default in Ubuntu 16.04 UFW is disabled. To check its current state, use the command:
sudo ufw status
In an effort to make life easier for users, the developers have formed a firewall configuration that is suitable for most home PCs. Therefore, on your computer, you can safely include UFW command:
# sudo ufw enable
On a server, especially one that performs some work, it is better to find out in advance what filtering rules will be applied and, if necessary, to make amendments.
First of all, let’s look at the General principles of UFW. Incoming and outgoing packets are checked for compliance with the existing filtering rules, and then the action set for this rule is performed. If no matching rule is found, the default action is used. Actions can be such:
- Allow – pass
- Deny – block
- Reject – reject and send back a special code that indicates that the packet was rejected
After you turn on the firewall, you can see which rules are currently in use:
# sudo ufw status verbose
In the screenshot above, we see that by default all outgoing traffic is allowed and all incoming traffic is denied. The created rules cancel the incoming traffic ban for ports 80, 22 and 1194/udp.
If you are setting up a server to which you are connected via SSH, you must first allow the connection to port 22:
# sudo ufw allow 22
It is very likely that you will have to open some of the following ports:
80 for HTTP, 443 for HTTPS, 20 and 21 for FTP, 25 for SMTP (sending mail), 465 for SMTP (sending mail with encryption), 143 for IMAP (mail retrieval), 993 for IMAP (receive mail with encryption), etc.
Fortunately, it is not necessary to remember all ports, because UFW has a set of predefined rules for frequently used services. Thanks to this, we can allow FTP like this:
# sudo ufw allow ftp
You can only allow access to a port from one IP. For example, you want to make it so that only you can connect via FTP to your server. Then you need to enable the firewall on the server and do the following:
# sudo ufw allow ftp from ваш_ip
Deny rules are created in much the same way. Deny access to port 110:
# sudo ufw deny 110
Deny access to ftp with notification of unavailability and comment:
# sudo ufw reject ftp comment ‘FTP temporarily closed..’
Remove UFW rules:
If you want to mark a allow rule, you don’t need to create a deny rule, just delete it. For example, if by default incoming traffic is denied, but you have allowed a connection to port 443, and now you want to revoke your permission, run the console:
# sudo ufw delete allow 443
There is another way: print all the rules in a numbered list, and then specify the number of the rule that you want to delete. Print the list and remove the rule number 1:
# sudo ufw status numbered
# sudo ufw delete 1
Default settings and restore to original state:
If there is no corresponding rule for the transmitted data, the default rules are used. In Ubuntu 16.04, after the firewall is enabled, all incoming traffic is blocked (deny) and outgoing traffic is skipped (accept) without any obstacles. In other words, the outgoing data is filtered by the black list principle (everything that is not prohibited by separate rules is allowed), and the incoming data is filtered by the white list principle (everything that was not explicitly allowed is prohibited).
Let me remind you that the command allows you to view the current settings when the firewall is enabled:
# sudo ufw status verbose
About the default settings you will be told a line that begins with “Default:”. If your system is configured differently, the following two commands will set the default configuration:
# sudo ufw default allow outgoing
# sudo ufw default deny incoming
User-defined rules, if they were created earlier, will remain. In order to reset all settings and return the firewall to its original state, perform:
# sudo ufw reset
To confirm, press y, after which all rules will be removed, and the firewall — off, because by default it is in this state. This is exactly what you need if you get confused during the setup or experiments and now something is not working.
Configure rules with direction, Protocol, port, and IP.
As a first example, let’s take a typical situation: you have a computer with Ubuntu, which is configured with the services you need-FTP, Samba or something else. You want to use all these services from Your home network (PC, smartphone, etc.), but leave the access closed outside.
In this case, we will specify the IP addresses of our home network, which allowed:
# sudo ufw allow from 192.168.0.1/24
The list of allowed IP addresses will be from 192.168.0.1 to 192.168.0.254 inclusive.
Let’s complicate the task and allow access from the home network only to the port used for FTP:
# sudo ufw allow from 192.168.0.1/24 to any port 21
Do not be fooled by the phrase “to any port”. These are two separate parts of the command, one of which means the IP address that is being accessed (in this case to any, that is, any), and the second defines the port number (port 21).
Let’s make our rule even more specific and specify the Protocol:
# sudo ufw allow from 192.168.0.0/24 to any port 21 proto tcp
If necessary, you can block access from our computer to a specific IP or even to a specific port of the IP that did not appeal to us:
# sudo ufw deny out to xxx.xxx.xx.x port 123
By specifying the out parameter, we inform you that we want to block outgoing packets. Since they are, as you remember, allowed in our default, our rule will be the only exception.
# sudo ufw deny out to xxx.xxx.xx.x port 123:456 proto udp
The peculiarity of UFW is that each new rule is added to the end of the list of existing rules. When a package arrives, the rules are checked one by one until a suitable one is found. Now imagine a situation where you first added a General allow rule and then a more specific deny rule. In this case, the last rule will not work because the package will pass through the previous rule.
To avoid this situation, when you add a lookup rule, specify the number that you want to assign to it. Suppose you find that someone sends too many requests to your web server. To deny access to the pest, without affecting other users, assign it a blocking rule first:
# sudo ufw insert 1 deny from 220.127.116.11 to any port 80
Now all requests will first be checked for compliance with the prohibited IP, and only after that — go further, according to rule №3.
You can also limit the number of connections. This is most often used to prevent automatic password guessing.
To prevent more than 6 attempts to connect to SSH in 30 seconds, run:
# sudo ufw limit ssh