18

Could somebody give some simple steps with configuration example how to setup simple firewall on Ubuntu (using console only)? Only ssh, http and https access should be allowed.

klew

9 Answers

20

sudo ufw default deny

sudo ufw allow http

sudo ufw allow https

sudo ufw allow ssh

sudo ufw enable

Sasha Chedygov
Nerdfest
  • If I were to call these commands in sequence via ssh, would it break my connection? – klew Apr 30 '09 at 12:04
  • I don't believe so, but you should check to make sure. This also holds its status between restarts, so you should only need to do it once. – Nerdfest Apr 30 '09 at 12:07
  • I will check it when I'll be close to this computer... – klew Apr 30 '09 at 12:13
  • You could put it into a script and run it and then even if you get disconnected you will be able to reconnect afterwards. See my answer below for the script. – Hamish Downer Apr 30 '09 at 13:30
  • The previous comment is correct. Basically, run the first command in the above script last. – Nerdfest Apr 30 '09 at 14:19
  • +1 for a working answer, but why not edit your answer to put the "ufw enable" at the end? Doesn't break anything and helps users who are configuring the firewall over SSH. – Mark E. Haase May 15 '12 at 19:48
14

Use this script.

Just decide if you want to allow incoming ICMP (ping) or not.

#!/bin/sh
# Flush any existing rules in all tables before we start
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Default policies: drop all incoming traffic but allow all outgoing.
# This lets us make outgoing connections from any port, but only accepts
# incoming connections on the ports listed below.
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT

# Allow all incoming traffic on the local loopback device
iptables -A INPUT -i lo -j ACCEPT

# Accept incoming traffic that belongs to an established connection, or is
# "related" to one (e.g. ICMP errors for it). Change eth0 if your external
# interface has a different name.
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow new incoming connections
# SSH
iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT
# HTTP
iptables -A INPUT -p tcp -i eth0 --dport 80 -m state --state NEW -j ACCEPT
# HTTPS
iptables -A INPUT -p tcp -i eth0 --dport 443 -m state --state NEW -j ACCEPT

# Allow ICMP input so that people can ping us (remove this line if you do not want that)
iptables -A INPUT -p icmp -j ACCEPT

# Reject all other incoming packets
iptables -A INPUT -j REJECT

# Note: these rules only cover IPv4 and live in the running kernel; they are
# gone after a reboot unless you save them (iptables-save > some-file) and
# restore them at boot (iptables-restore < some-file). IPv6 needs the same
# treatment with ip6tables.
Mikeage
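The same policy as the script above, as an added example that is not part of the answer: written in iptables-restore(8) format, so the whole ruleset is loaded atomically (no window where half the rules are in place) and can be reloaded at boot. It uses conntrack instead of the older state match, limits ICMP to rate-limited echo requests, and drops INVALID packets. The file path, the interface name and the rules.v4 convention (the path iptables-persistent reads) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the answer above or from any project.
# Writes the ssh/http/https policy as an iptables-restore file, parse-checks
# it, and loads it. RULES_V4 and WAN_IF are assumptions; adjust as needed.
set -eu

RULES_V4="${RULES_V4:-/etc/iptables/rules.v4}"   # path read by iptables-persistent
WAN_IF="${WAN_IF:-eth0}"                          # external interface

# Print the IPv4 ruleset on stdout.
emit_rules_v4() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
# replies to connections we opened, plus related traffic such as ICMP errors
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets the connection tracker cannot classify
-A INPUT -m conntrack --ctstate INVALID -j DROP
# new ssh, http and https connections on the external interface only
-A INPUT -i $WAN_IF -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# ping, but rate-limited; other ICMP we need arrives as RELATED above
-A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# everything else: TCP gets a reset, the rest an ICMP unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Write the ruleset to the file named in $1.
write_rules_v4() {
    emit_rules_v4 > "$1"
}

# Have iptables-restore parse $1 without applying it (--test), so a typo is
# caught before it can lock you out. Needs root, like everything else in iptables.
check_rules_v4() {
    iptables-restore --test "$1"
}

# Number of rules in $1 that accept NEW connections: a sanity check that the
# file opens exactly the services we intend and nothing more.
count_open_ports() {
    grep -c -- '--ctstate NEW -j ACCEPT' "$1"
}

# Load the file into the running kernel (root only).
apply_v4() {
    iptables-restore < "$1"
}

# Usage: sh rules.sh write  -> write and parse-check $RULES_V4
#        sh rules.sh apply  -> load it
case "${1:-}" in
    write) write_rules_v4 "$RULES_V4" && check_rules_v4 "$RULES_V4" && echo "wrote $RULES_V4" ;;
    apply) apply_v4 "$RULES_V4" ;;
esac
```

iptables only covers IPv4; if the host has a global IPv6 address, write the equivalent ruleset for ip6tables (rules.v6) as well, or port 22/80/443 is the only thing you filtered while everything else is still reachable over IPv6.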
8

As noted in comments to another answer, you don't want to lose your connection before you allow the ssh port. From the man page:

"REMOTE MANAGEMENT

When running ufw enable or starting ufw via its initscript, ufw will flush its chains. This is required so ufw can maintain a consistent state, but it may drop existing connections (eg ssh). ufw does support adding rules before enabling the firewall, so administrators can do:

ufw allow proto tcp from any to any port 22

before running ’ufw enable’. The rules will still be flushed, but the ssh port will be open after enabling the firewall. Please note that once ufw is ’enabled’, ufw will not flush the chains when adding or removing rules (but will when modifying a rule or changing the default policy)."

So here is an approach that uses a script to set it. You will get logged out when you run this script, but having run it you can then log in again over ssh.

Put the following in a script and call it start-firewall.sh

#!/bin/sh
ufw allow ssh
ufw enable
ufw default deny
ufw allow http
ufw allow https

And then make it executable and run it by doing

$ chmod +x start-firewall.sh
$ sudo ./start-firewall.sh

To learn more, read the man page.

Hamish Downer
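The lockout problem raised in the comments above, and in this answer, comes down to command order. As an added example (not part of either answer), here is the same ufw setup as a script that checks its own order before running anything, rate-limits ssh with `ufw limit`, and uses `--force` so `enable` does not stop at its interactive prompt. SSH_PORT is an assumption.

```shell
#!/bin/sh
# Added example, not from the answers on this page. Builds the ufw command
# list, refuses to run it unless the ssh rule comes before "enable", and only
# executes it as root. SSH_PORT is an assumption; change it if sshd listens
# elsewhere.
set -eu

SSH_PORT="${SSH_PORT:-22}"

# The plan, one ufw invocation per line. "limit" opens the port like "allow"
# but also rate-limits new connections from a single source; "--force"
# skips the "may disrupt existing ssh connections" prompt.
ufw_plan() {
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw limit $SSH_PORT/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw --force enable
ufw status verbose
EOF
}

# Reads a plan on stdin. Succeeds only if a rule opening the ssh port
# appears before the line that enables the firewall.
plan_is_lockout_safe() {
    awk -v port="$SSH_PORT" '
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") && $3 == (port "/tcp") { ssh = NR }
        $1 == "ufw" && $NF == "enable" { enable = NR }
        END { exit !(ssh > 0 && enable > 0 && ssh < enable) }'
}

# Run the plan line by line, stopping at the first failure.
apply_plan() {
    if ! ufw_plan | plan_is_lockout_safe; then
        echo "refusing to run: ssh rule must come before 'ufw enable'" >&2
        return 1
    fi
    ufw_plan | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
}

# Usage: sh ufw-setup.sh show | check | apply
case "${1:-}" in
    show)  ufw_plan ;;
    check) ufw_plan | plan_is_lockout_safe && echo "plan is lockout-safe" ;;
    apply) [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
           apply_plan ;;
esac
```

Per the man page text quoted above, `ufw enable` still flushes the chains, but rules added beforehand are re-applied, so the ssh session survives. ufw writes matching IPv6 rules when IPV6=yes is set in /etc/default/ufw, which is the Ubuntu default; check `ufw status verbose` shows the (v6) entries if the host has an IPv6 address.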
2

If you familiarize yourself with scripting iptables, you will have full control over all firewall capabilities. It's nowhere near as friendly as Firestarter, but it can be done at the console with nano/vi editors. Check out this tutorial geared towards Ubuntu.

spoulson
1

I really like using firehol (package).

To set up the rules you like, you would first need to edit the file /etc/default/firehol and set START_FIREHOL=YES

And you would want to make your /etc/firehol/firehol.conf look like this.

version 5

interface any IfAll
    client any AnyClient accept
    server "ssh http https" accept
    # Accept everything from trusted networks
    server anystateless AllInside accept src "10.3.27.0/24"

One of the great things about firehol is the 'try' command. You can adjust your configuration file and do a 'firehol try'; if you were connected via ssh and something about what you changed killed your network access, then firehol will revert the changes. To have the changes actually go into effect, you must say commit.

Zoredache
  • Firehol is brilliant for manipulating iptables rules. '$ firehol try' "Activates the firewall, but waits until the user types the word commit. If this word is not typed within 30 seconds, the previous firewall is restored." – Gareth May 09 '09 at 23:32
  • Sooo you can add/edit/remove rules and then test them. If you're doing this via SSH remotely then it's not going to lock you out of your own server! – Gareth May 09 '09 at 23:34
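The try/commit behaviour described in this answer and its comments is not tied to firehol; the same safety net can be put around a plain iptables script. The following is an added example, not firehol's code and not from any answer on this page: apply a change, start a watchdog, and unless the change is committed within a timeout the previous ruleset is restored. The apply and restore commands are parameters, and the iptables-save/restore paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the firehol answer above. "Try, then commit
# within N seconds or roll back" for any firewall script, so a rule that
# cuts your ssh session undoes itself. STATE_DIR is an assumption.
set -eu

STATE_DIR="${STATE_DIR:-/run/fw-try}"   # keep this root-owned; /tmp would let any local user commit

# try_with_rollback APPLY RESTORE TIMEOUT
# Runs APPLY now and starts a background watchdog. Unless commit_change is
# called within TIMEOUT seconds, the watchdog runs RESTORE. The commit is a
# file, not a signal, so it works from a second ssh session or from a later
# invocation of this script.
try_with_rollback() {
    apply="$1"; restore="$2"; timeout="$3"
    mkdir -p "$STATE_DIR"
    rm -f "$STATE_DIR/commit" "$STATE_DIR/result"
    sh -c "$apply"
    # Detach stdin/stdout from the terminal so the watchdog survives the
    # ssh session it is meant to protect being torn down.
    (
        waited=0
        while [ "$waited" -lt "$timeout" ]; do
            if [ -e "$STATE_DIR/commit" ]; then
                echo committed > "$STATE_DIR/result"
                exit 0
            fi
            sleep 1
            waited=$((waited + 1))
        done
        sh -c "$restore"
        echo rolled-back > "$STATE_DIR/result"
    ) > "$STATE_DIR/watchdog.log" 2>&1 < /dev/null &
    echo "$!" > "$STATE_DIR/watchdog.pid"
}

# Tell the watchdog the new rules are good.
commit_change() {
    touch "$STATE_DIR/commit"
}

# "committed", "rolled-back", or "pending" while the watchdog is still running.
change_result() {
    if [ -e "$STATE_DIR/result" ]; then cat "$STATE_DIR/result"; else echo pending; fi
}

# Usage on the firewall host, as root, with your iptables script saved as
# /root/firewall.sh (paths are assumptions):
#   iptables-save > /root/iptables.before
#   sh fw-try.sh try 'sh /root/firewall.sh' 'iptables-restore < /root/iptables.before' 30
#   (open a second ssh session to prove you can still get in, then)
#   sh fw-try.sh commit
case "${1:-}" in
    try)    try_with_rollback "$2" "$3" "${4:-30}" ;;
    commit) commit_change ;;
    result) change_result ;;
esac
```

Take the "before" snapshot with iptables-save before the try, not inside the apply command, otherwise a typo in the apply step can leave you with nothing to restore. If the host also runs ip6tables, snapshot and restore that with ip6tables-save/ip6tables-restore in the same commands.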
1

I would prefer Shorewall. It is easy to setup but flexible at the same time.

Artyom Sokolov
1

Quicktables helped me to learn iptables rules. Just run the script and it will generate an iptables script for you... then you can open it and view the associated commands generated by the questions it asked of you. It's a great learning resource.

Unfortunately, it is no longer maintained.

http://qtables.radom.org/

JP Richardson
0

Maybe you should take a look at http://iptables-tutorial.frozentux.net/iptables-tutorial.html. Also you can find more information on lartc.org

hyperboreean
-1

sudo apt-get install firestarter

Then, look in the System->Administration menu.

spoulson
  • questioner wants to use the console only – Mikeage Apr 30 '09 at 11:41
  • Ahh, my mistake. Alternatively, the admin can still ssh -X into the server and run firestarter remotely. – spoulson Apr 30 '09 at 11:52
  • I would also need to install some X server to start ssh -X :). – klew Apr 30 '09 at 12:02
  • @klew, you don't need to install a full X server to run X applications over ssh. You do need several libraries, but you don't need everything. For the bare minimum you only need xauth and xbase-clients packages. – Zoredache Apr 30 '09 at 18:48