
40.4. ufw - program for managing a netfilter firewall

  1. Installation

    sudo apt-get install ufw

  2. Enable | Disable

    sudo ufw enable | disable

    neo@master:~$ sudo ufw enable
    Firewall started and enabled on system startup
  3. Default Rule

    sudo ufw default deny

    sudo ufw default allow

    neo@master:~$ sudo ufw default deny
    Default policy changed to 'deny'
    (be sure to update your rules accordingly)
  4. Rule Allow|Deny

    sudo ufw allow|deny [service]

    Open or close a port, for example:

    sudo ufw allow smtp  allow every external IP to reach this host's port 25/tcp (smtp)
    sudo ufw allow 22/tcp  allow every external IP to reach this host's port 22/tcp (ssh)
    sudo ufw allow 53  allow external access to port 53 (tcp and udp)
    sudo ufw allow from 172.16.1.100  allow this IP to reach every port on this host
    sudo ufw allow proto udp from 192.168.0.1 port 53 to 192.168.0.2 port 53  allow udp from 192.168.0.1 port 53 to 192.168.0.2 port 53 (the "from" keyword is required)
    sudo ufw deny smtp  refuse external access to the smtp service
    sudo ufw delete allow smtp  delete the rule created above

    UFW usage examples:

    Allow port 53

    $ sudo ufw allow 53

    Disable port 53 (delete the allow rule)

    $ sudo ufw delete allow 53

    Allow port 80

    $ sudo ufw allow 80/tcp

    Disable port 80 (delete the allow rule)

    $ sudo ufw delete allow 80/tcp

    Allow the smtp port

    $ sudo ufw allow smtp

    Delete the allow rule for the smtp port

    $ sudo ufw delete allow smtp

    Allow a specific IP

    $ sudo ufw allow from 192.168.254.254

    Delete the rule above

    $ sudo ufw delete allow from 192.168.254.254

    $ sudo ufw allow ssh
    $ sudo ufw allow www
    $ sudo ufw allow smtp

    neo@master:~$ sudo ufw allow ssh
    Rule added
  5. Status

    sudo ufw status

    neo@master:~$ sudo ufw allow www
    Rule added
    neo@master:~$ sudo ufw status
    Firewall loaded
    
    To                         Action  From
    --                         ------  ----
    25:tcp                     ALLOW   Anywhere
    22:tcp                     ALLOW   Anywhere
    22:udp                     ALLOW   Anywhere
    80:tcp                     ALLOW   Anywhere
    80:udp                     ALLOW   Anywhere
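    The listing above is the place to catch rules that were added during testing and never removed. The following audit helper is an added example, not code from the original page or from ufw: it reads the text of `sudo ufw status` and prints every ALLOW rule that is open to "Anywhere" on a port that is not on an explicit allowlist. The sample listing is constructed to mirror the output shown above.

```shell
#!/bin/sh
# Added audit helper (not part of the original page or of ufw itself).
# Reads the text of `sudo ufw status` and lists every ALLOW rule that is
# reachable from "Anywhere" on a port missing from an explicit allowlist.

# ufw_world_open STATUS_TEXT ALLOWLIST
#   STATUS_TEXT: output of `ufw status`; ALLOWLIST: space-separated port
#   numbers expected to be world-reachable. Prints "port/proto" for every
#   unexpected rule and nothing when the listing is clean.
ufw_world_open() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # rule lines look like "25:tcp  ALLOW  Anywhere" (older ufw prints ":",
        # newer releases print "25/tcp"); the header and separator lines never
        # carry ALLOW in column 2, so they are skipped automatically
        $2 == "ALLOW" && $3 == "Anywhere" {
            split($1, p, "[:/]")
            if (!(p[1] in ok)) print p[1] "/" p[2]
        }'
}

# Constructed sample that mirrors the `ufw status` listing shown above.
SAMPLE_STATUS='Firewall loaded

To                         Action  From
--                         ------  ----
25:tcp                     ALLOW   Anywhere
22:tcp                     ALLOW   Anywhere
22:udp                     ALLOW   Anywhere
80:tcp                     ALLOW   Anywhere
80:udp                     ALLOW   Anywhere'

# Only ssh and www are expected to be world-reachable, so the smtp rule is reported.
ufw_world_open "$SAMPLE_STATUS" "22 80"
```

    With the allowlist `22 80` the helper prints `25/tcp`; with an empty allowlist it prints all five rules. Note that the listing shows both tcp and udp rules for ssh and www: giving `ufw allow` a service name produced both protocols on this version, whereas the page's own `sudo ufw allow 22/tcp` form limits the rule to tcp.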
  6. Rule Delete

    sudo ufw delete allow|deny RULE

    neo@master:~$ sudo ufw status
    Firewall loaded
    
    To                         Action  From
    --                         ------  ----
    25:tcp                     ALLOW   Anywhere
    22:tcp                     ALLOW   Anywhere
    22:udp                     ALLOW   Anywhere
    80:tcp                     ALLOW   Anywhere
    80:udp                     ALLOW   Anywhere
    
    neo@master:~$ sudo ufw delete allow smtp
    Rule deleted
    neo@master:~$ sudo ufw status
    Firewall loaded
    
    To                         Action  From
    --                         ------  ----
    22:tcp                     ALLOW   Anywhere
    22:udp                     ALLOW   Anywhere
    80:tcp                     ALLOW   Anywhere
    80:udp                     ALLOW   Anywhere
  7. logging

    sudo ufw logging on|off

    neo@master:~$ sudo ufw logging ON
    Logging enabled
  8. iptables

    neo@master:~$ sudo iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ufw-before-input  all  --  anywhere             anywhere
    ufw-after-input  all  --  anywhere             anywhere
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ufw-before-forward  all  --  anywhere             anywhere
    ufw-after-forward  all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ufw-before-output  all  --  anywhere             anywhere
    ufw-after-output  all  --  anywhere             anywhere
    
    Chain ufw-after-forward (1 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK FORWARD]: '
    RETURN     all  --  anywhere             anywhere
    
    Chain ufw-after-input (1 references)
    target     prot opt source               destination
    RETURN     udp  --  anywhere             anywhere            udp dpt:netbios-ns
    RETURN     udp  --  anywhere             anywhere            udp dpt:netbios-dgm
    RETURN     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
    RETURN     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
    RETURN     udp  --  anywhere             anywhere            udp dpt:bootps
    RETURN     udp  --  anywhere             anywhere            udp dpt:bootpc
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK INPUT]: '
    RETURN     all  --  anywhere             anywhere
    
    Chain ufw-after-output (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain ufw-before-forward (1 references)
    target     prot opt source               destination
    ufw-user-forward  all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere
    
    Chain ufw-before-input (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED
    DROP       all  --  anywhere             anywhere            ctstate INVALID
    ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
    ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc
    ufw-not-local  all  --  anywhere             anywhere
    ACCEPT     all  --  base-address.mcast.net/4  anywhere
    ACCEPT     all  --  anywhere             base-address.mcast.net/4
    ufw-user-input  all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere
    
    Chain ufw-before-output (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
    ACCEPT     udp  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
    ufw-user-output  all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere
    
    Chain ufw-not-local (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type LOCAL
    RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type MULTICAST
    RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type BROADCAST
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK NOT-TO-ME]: '
    DROP       all  --  anywhere             anywhere
    
    Chain ufw-user-forward (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain ufw-user-input (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:www
    RETURN     all  --  anywhere             anywhere
    
    Chain ufw-user-output (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
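    Once `ufw logging on` is set (section 7), the LOG rules visible in the chains above write rate-limited kernel messages with the prefixes `[UFW BLOCK INPUT]:`, `[UFW BLOCK FORWARD]:` and `[UFW BLOCK NOT-TO-ME]:`. The summariser below is an added example, not code from the original page or from ufw: it aggregates such lines by source address, protocol and destination port so that repeated probes stand out. The log lines are constructed from the documentation address ranges and do not describe real traffic.

```shell
#!/bin/sh
# Added example (not from the original page or from ufw): summarise the kernel
# log lines that the ufw LOG rules emit once logging is enabled. Lines are
# matched on the "[UFW BLOCK" prefix seen in the chain listing; everything
# else (sshd messages etc.) is ignored.

# ufw_block_summary LOG_TEXT
#   Prints "count src proto dport" for every blocked (src, proto, dport) triple,
#   most frequent first. Lines without a SRC= field are skipped; packets with
#   no port (e.g. ICMP) are reported with "-" in the dport column.
ufw_block_summary() {
    printf '%s\n' "$1" | awk '
        /\[UFW BLOCK/ {
            src = ""; proto = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {          # scan the key=value tokens
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample: three probes of tcp/23 from one host, two of tcp/3389
# from another, one udp/161 hitting the NOT-TO-ME chain, plus an unrelated
# sshd line that must be skipped. Addresses are from the documentation ranges.
SAMPLE_LOG='Mar  3 10:15:01 master kernel: [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 master kernel: [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:05 master sshd[2211]: Accepted publickey for neo from 192.0.2.20 port 50122 ssh2
Mar  3 10:15:09 master kernel: [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=1 DF PROTO=TCP SPT=51000 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  3 10:15:10 master kernel: [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:12 master kernel: [UFW BLOCK NOT-TO-ME]: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=UDP SPT=161 DPT=161 LEN=40
Mar  3 10:15:14 master kernel: [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=2 DF PROTO=TCP SPT=51001 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0'

ufw_block_summary "$SAMPLE_LOG"
```

    On a live host feed it the relevant lines from syslog or the journal, e.g. `ufw_block_summary "$(grep 'UFW BLOCK' /var/log/syslog)"`. Because the LOG rules are limited to 3 per minute with a burst of 10, the counts are a lower bound on what was actually dropped.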

40.4.1. /etc/default/ufw

$ sudo vim /etc/default/ufw
# /etc/default/ufw
#

# set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=no

# set the default input policy to ACCEPT, DROP or REJECT.  Please note that if
# you change this you will most likely want to adjust your rules
DEFAULT_INPUT_POLICY="DROP"

# set the default output policy to ACCEPT, DROP, or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_OUTPUT_POLICY="ACCEPT"

# set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
#DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_FORWARD_POLICY="ACCEPT"

# set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no

#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf

# extra connection tracking modules to load
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc"

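The file above keeps the shipped `#DEFAULT_FORWARD_POLICY="DROP"` line commented out and sets `DEFAULT_FORWARD_POLICY="ACCEPT"` beneath it, so a naive `grep` for the key returns both. The helper below is an added example, not code from the original page or from ufw: it reads a setting the way the shell would when sourcing the file (comments ignored, last assignment wins, quotes stripped) and warns when a default policy has been relaxed to ACCEPT. The configuration it reads is a constructed copy of the settings shown above, written to a temporary file.

```shell
#!/bin/sh
# Added example (not from the original page or from ufw): read the effective
# value of a /etc/default/ufw setting, ignoring commented-out lines such as
# #DEFAULT_FORWARD_POLICY="DROP", and flag default policies set to ACCEPT.

# ufw_setting FILE KEY -> prints the active value of KEY with surrounding quotes
#                         stripped (empty when KEY is never set); the last
#                         assignment wins, as it would when the file is sourced
ufw_setting() {
    awk -v key="$2" -v q='"' -F= '
        $1 == key && NF >= 2 {
            v = substr($0, length(key) + 2)                  # text after "KEY="
            gsub("^[[:space:]]*" q "|" q "[[:space:]]*$", "", v)  # drop quotes
            val = v
        }
        END { print val }' "$1"
}

# ufw_policy_check FILE -> one WARN line per default policy that is ACCEPT
ufw_policy_check() {
    for k in DEFAULT_INPUT_POLICY DEFAULT_FORWARD_POLICY; do
        v=$(ufw_setting "$1" "$k")
        if [ "$v" = "ACCEPT" ]; then
            echo "WARN: $k=$v (the shipped default is DROP; keep ACCEPT only if your rules cover every such path)"
        fi
    done
}

# Constructed copy of the /etc/default/ufw settings shown above.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, not a real host's file
IPV6=no
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
#DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_FORWARD_POLICY="ACCEPT"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc"
EOF

ufw_setting "$SAMPLE_CONF" DEFAULT_FORWARD_POLICY   # ACCEPT, not the commented-out DROP
ufw_policy_check "$SAMPLE_CONF"                     # one WARN line for the forward policy
```

On a real host replace `$SAMPLE_CONF` with `/etc/default/ufw`. Remember that, as the file's own comments say, a changed policy only takes effect after `ufw disable` followed by `ufw enable`, so the value read here may be newer than the policy currently loaded in iptables.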

40.4.2. ip_forward

$ sudo vim /etc/ufw/sysctl.conf
net/ipv4/ip_forward=1

40.4.3. DHCP

neo@netkiller:~$ sudo ufw allow 67/udp
Rules updated
neo@netkiller:~$ sudo ufw allow 68/udp
Rules updated

40.4.4. Samba

neo@netkiller:~$ sudo ufw allow 137/tcp
Rule added
neo@netkiller:~$ sudo ufw allow 445/tcp
Rule added
neo@netkiller:~$ sudo ufw allow 138/udp
Rule added
neo@netkiller:~$ sudo ufw allow 139/udp
Rule added