Using the firewall in Ubuntu can be as easy or as hard as you want to make it. BSD variants all basically use the ipfw command whereas most of the rest of the *nix world will use netfilter. Netfilter has a number of front ends; the one that comes pre-installed in Ubuntu is ufw, short for ‘uncomplicated firewall’. Ufw is good for basic port management: allow and deny type of stuff. It’s not going to have the divert or throttling options. So let’s look at some basic incantations of ufw (you need to have elevated privileges to do all of this btw).
First you need to enable ufw, which is done using the ufw command (no need to apt-get this to install it or build it from source) followed by the enable option:
You can also use the disable option to turn the firewall back off:
And to see rules and the status of the firewall, use the status option:
The ufw Configuration File
The ufw configuration file is /etc/default/ufw. Here, you can manage some basic options of ufw. These include:
- IPV6 – Set to YES to enable
- DEFAULT_INPUT_POLICY – Policy for how to handle incoming traffic not otherwise defined by a rule. Defaults at DROP but can be changed to ACCEPT or REJECT
- DEFAULT_OUTPUT_POLICY – Same as above but for handling outgoing traffic not otherwise defined by a rule.
- DEFAULT_FORWARD_POLICY – Same as above but for forwarding packets (routing).
- DEFAULT_APPLICATION_POLICY – I’d just leave this as the default, SKIP.
- MANAGE_BUILTINS – when set to yes, allows ufw to manage default iptables chains as well.
- IPT_MODULES – An array of iptables modules that can be added
To restart ufw after you make changes to the configuration file, use the services command:
service ufw reload
service ufw restart
The first thing most people will want to do is enable a port. And of the ports, 22 is going to be pretty common, since without it you can’t ssh back into the box. For this, you’ll use the allow option followed by the name of the service (application profile):
ufw allow ssh
You can use numbers instead (since ufw isn’t going to know every possible combination and you might be running some on custom ports):
ufw allow 22
You can also deny traffic using the same structure, just swapping allow with deny:
ufw deny http
Beyond a basic allow and deny, you can also specify what IP addresses are able to access each port. This is done using ufw followed by the proto option, which is the followed by the actual protocol (tcp vs udp, etc) which is then followed by the from option and then the source then the to option then the IP to accept traffic (or the any option for all IPs on your box) and finally the port option followed by the actual port. Sounds like a lot until you see it in action. Let’s say you actually want to allow traffic for port 10000 but only from 192.168.210.2. In that case, your rule would be:
ufw allow proto tcp from 192.168.210.2 to any port 10000
Or if you only wanted 10000 to be accessible on one IP of your system (theoretically you have two in this scenario) that has an address of 192.168.210.254:
ufw allow proto tcp from 192.168.210.2 to 192.168.210.254 port 10000
Once you have your rules configured, you are invariably going to have to troubleshoot issues with the service. Obviously, start with log review to perform a hypothesis of what the problem is. To enable logging use the logging option and specify the on parameter for it:
ufw logging on
Once enabled I usually like to view both /var/log/messages and /var/log/syslog for entries:
cat /var/log/syslog | grep UFW ; cat /var/log/messages | grep UFW
One of the best troubleshooting tools to prove any hypothesis that has to do with a rule is to simply delete the rule. To delete the deny http rule that we made earlier, just use the ufw command along with the delete option specifying the deny 22 rule as the rule to remove:
ufw delete deny http
Additionally, just disabling ufw will usually tell you definitively whether you are looking at a problem with a rule, allowing you to later look into disabling each rule until you find the offending rule.
Ubuntu also comes with iptables by default. iptables is the ipchains replacement introduced a number of years ago and is much more complicated and therefore flexible than ufw, although using one does not mean you cannot use the other. To get started, let’s look at the rules:
You will then see all of the rules on your host. If you have been enabling rules with ufw these will be listed here. You can then configure practically anything for how each chain (a chain is a series of rules for handling packets) functions. You can still do basic tasks, such as enabling ssh, but iptables will need much more information about what specifically you are trying to do. For example, to accept incoming traffic you would need to define that the chain will add an input (by appending it to the chain using -A INPUT) for tcp packets (-p tcp) on port 22 (–dport ssh) and accepting those packets (-j ACCEPT):
iptables -A INPUT -p tcp –dport ssh -j ACCEPT
That is about as simple as iptables get. I’ll try and write up more on dealing with it later but for now you should have enough information to get a little wacky with some basic firewall functionality on Linux. Enjoy.