A firewall is a system or router that sits between an external network (i.e. the Internet) and an internal network. This internal network can be a large LAN at a business or your networked home PCs. The firewall in its simplest form is like a one-way street. It allows people on the internal network to access the external network (the Internet), but it restricts traffic so that no one can use the external network to access the systems or files on the internal network.
A firewall has two network connections, one for the external network and one for the internal network. Traffic that is allowed to flow between the two networks is internally “bridged” (using a FORWARD rule) between these two connections. Disallowed traffic is not. This decision-based bridging of traffic between two connections is called “routing” or “IP forwarding”. What this means is that any firewall, by its very nature, is a router (but not all routers block traffic, so not all routers are firewalls).
Login as root
Log in as the root user, either by opening a Terminal or over an SSH session. Type the following command:
sudo -i
Install UFW
“This software is used for managing a Linux firewall and aims to provide an easy to use interface for the user”.
Type this command line:
apt-get install ufw
Find status of firewall
Type the following command:
ufw status verbose
Sample outputs:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
Enable firewall
Type the following command to enable the firewall on boot:
ufw enable
Sample outputs:
Firewall is active and enabled on system startup
Disable firewall
Type the following command to disable the firewall on boot:
ufw disable
Sample outputs:
Firewall stopped and disabled on system startup
Restart firewall
Type the following command to restart the firewall:
ufw reload
Sample outputs:
Firewall reloaded
Note that by default, deny is applied to incoming traffic. There are exceptions, which can be found in the output of this command:
ufw show raw
You can also read the rules files in /etc/ufw (the files whose names end with .rules).
Allow and Deny (specific rules)
Allow
ufw allow <port>/<optional: protocol>
example: To allow incoming tcp and udp packets on port 53
ufw allow 53
example: To allow incoming tcp packets on port 53
ufw allow 53/tcp
example: To allow incoming udp packets on port 53
ufw allow 53/udp
Deny
ufw deny <port>/<optional: protocol>
example: To deny incoming tcp and udp packets on port 53
ufw deny 53
example: To deny incoming tcp packets on port 53
ufw deny 53/tcp
example: To deny incoming udp packets on port 53
ufw deny 53/udp
Delete Existing Rule
To delete a rule, simply prefix the original rule with delete. For example, if the original rule was:
deny 80/tcp
Use this to delete it:
ufw delete deny 80/tcp
Services
You can also allow or deny by service name, since ufw reads from /etc/services. To see a list of services:
less /etc/services
Allow by Service Name
ufw allow <service name>
example: to allow ssh by name
ufw allow ssh
Deny by Service Name
ufw deny <service name>
example: to deny ssh by name
ufw deny ssh
Logging
To enable logging use:
ufw logging on
To disable logging use:
ufw logging off
Advanced Syntax
You can also use a fuller syntax, specifying the source and destination addresses, ports and protocols.
Allow Access
This section shows how to allow specific access.
Allow by Specific IP
ufw allow from <ip address>
example: To allow packets from 107.46.232.182:
ufw allow from 107.46.232.182
Allow by Subnet
You may use a net mask:
ufw allow from 192.168.1.0/24
Allow by specific port and IP address
ufw allow from <target> to <destination> port <port number>
example: allow IP address 192.168.0.4 access to port 22 for all protocols
ufw allow from 192.168.0.4 to any port 22
Allow by specific port, IP address and protocol
ufw allow from <target> to <destination> port <port number> proto <protocol name>
example: allow IP address 192.168.0.4 access to port 22 using TCP
ufw allow from 192.168.0.4 to any port 22 proto tcp
Enable PING
Note: Security by obscurity may be of very little actual benefit with modern cracker scripts. By default, UFW allows ping requests. You may find you wish to leave (icmp) ping requests enabled to diagnose networking problems.
In order to disable ping (icmp) requests, you need to edit /etc/ufw/before.rules and remove the following lines:
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
or change the “ACCEPT” to “DROP”:
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
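The edit above turns all five ICMP rules to DROP. As an added example (not from the original guide), the script below changes only the echo-request line in a constructed copy of that block, because destination-unreachable, time-exceeded and parameter-problem carry path MTU discovery and traceroute feedback that you normally want to keep; the file name and sample content are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: flip only the echo-request
# rule in the "ok icmp codes" block from ACCEPT to DROP. The other ICMP
# types (destination-unreachable, time-exceeded, parameter-problem) are
# needed for path MTU discovery and traceroute, so dropping them all costs
# more than hiding from ping. SAMPLE_RULES is a constructed copy of the block.
SAMPLE_RULES='# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT'

# drop_echo_request FILE: rewrite FILE so that every ufw-before-input rule
# for ICMP echo-request jumps to DROP; all other lines are left untouched.
drop_echo_request() {
    file=$1
    sed -e '/^-A ufw-before-input .*--icmp-type echo-request /s/-j ACCEPT/-j DROP/' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# count_jumps FILE TARGET: number of ICMP rules in FILE that jump to TARGET.
count_jumps() {
    grep -c -- "--icmp-type .* -j $2\$" "$1"
}

# Stand-alone run against a temporary copy; on a real host the file is
# /etc/ufw/before.rules and the edit takes effect after `ufw reload`.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$demo_file"
drop_echo_request "$demo_file"
cat "$demo_file"
rm -f "$demo_file"
```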
Deny Access
Deny by specific IP
ufw deny from <ip address>
example: To block packets from 107.46.232.182:
ufw deny from 107.46.232.182
Deny by specific port and IP address
ufw deny from <ip address> to <destination> port <port number>
example: deny IP address 192.168.0.1 access to port 22 for all protocols
ufw deny from 192.168.0.1 to any port 22
Working with numbered rules
Listing rules with a reference number
You may use status numbered to show the order and id number of rules:
ufw status numbered
Editing numbered rules
Delete numbered rule
You may then delete rules using the number. This will delete the first rule, and the remaining rules will shift up to fill in the list.
ufw delete 1
Insert numbered rule
ufw insert 1 allow from <ip address>
Advanced Example
Scenario: You want to block access to port 22 from 192.168.0.1 and 192.168.0.7 but allow all other 192.168.0.x IPs to have access to port 22 using tcp. Enter the deny rules first, because ufw applies the first rule that matches:
ufw deny from 192.168.0.1 to any port 22
ufw deny from 192.168.0.7 to any port 22
ufw allow from 192.168.0.0/24 to any port 22 proto tcp
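Because rule numbers shift whenever a rule is deleted, and because the advanced example only works if the two deny rules sit above the subnet allow, the added example below (not from the original guide) looks rules up by content in constructed `ufw status numbered` output and checks that ordering.

```shell
#!/bin/sh
# Added example, not part of the original guide: find rules by content in
# `ufw status numbered` output instead of hard-coding numbers (they shift
# after every delete), and verify that the two per-host DENY rules from the
# advanced example precede the subnet ALLOW. ufw stops at the first matching
# rule, so in the reverse order the ALLOW for 192.168.0.0/24 would admit
# both hosts. GOOD_STATUS and BAD_STATUS are constructed sample outputs.
GOOD_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         DENY IN     192.168.0.1
[ 2] 22                         DENY IN     192.168.0.7
[ 3] 22/tcp                     ALLOW IN    192.168.0.0/24'

# Same rules, entered in the wrong order.
BAD_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.0.0/24
[ 2] 22                         DENY IN     192.168.0.1
[ 3] 22                         DENY IN     192.168.0.7'

# rule_number ACTION FROM: read status text on stdin and print the index of
# the first rule with that action (ALLOW or DENY) and that source address.
rule_number() {
    sed -n 's/^\[ *\([0-9][0-9]*\)\] */\1 /p' |
        awk -v act="$1" -v from="$2" '$3 == act && $NF == from { print $1; exit }'
}

# ordering_ok STATUS: succeed only when all three rules exist and both host
# DENY rules carry a lower number than the subnet ALLOW rule.
ordering_ok() {
    allow=$(printf '%s\n' "$1" | rule_number ALLOW 192.168.0.0/24)
    [ -n "$allow" ] || return 1
    for host in 192.168.0.1 192.168.0.7; do
        deny=$(printf '%s\n' "$1" | rule_number DENY "$host")
        [ -n "$deny" ] && [ "$deny" -lt "$allow" ] || return 1
    done
}

# Stand-alone run; on a live host pass "$(ufw status numbered)" instead.
if ordering_ok "$GOOD_STATUS"; then echo "good: deny rules precede the allow"; fi
if ! ordering_ok "$BAD_STATUS"; then echo "bad: the allow rule would match first"; fi
```

When a check like this fails, `ufw delete <number>` the misplaced rule and re-add it with `ufw insert 1 ...` so it lands above the allow.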