Commands Linux Network Security

Ufw (uncomplicated firewall)

AdrianLeave a Comment on Ufw (uncomplicated firewall) 
documentation
https://help.ubuntu.com/lts/serverguide/firewall.html
http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw.8.html
http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw-framework.8.html

important files
/etc/ufw/user.rules

Uncomplicated Firewall
# https://help.ubuntu.com/community/UFW
sudo ufw show added
sudo ufw status verbose
sudo ufw show listening
sudo ufw limit ssh
sudo ufw allow 80
sudo ufw allow 443
sudo ufw allow 32400
sudo ufw allow in from 192.168.1.0/24
sudo ufw allow in on eth1 to 192.168.0.1/32 port 3389 proto tcp comment 'allow RDP access from LAN'
sudo ufw allow from 86.124.74.35/32 to any proto gre comment 'allow VPN with MarchenGarten'
sudo ufw allow from 82.41.48.239 to any port 3389 proto tcp
sudo ufw allow from 79.115.71.191 to any port 2181:2183 proto tcp comment 'ZK access from mioveni'
sudo ufw allow in on enp1s0 to any port 8083
# sudo ufw delete limit 1443
# sudo ufw delete 11 -> removes rule with order number 11
tailf /var/log/kern.log | grep "\[UFW BLOCK\]"
tailf /var/log/syslog | grep "\[UFW BLOCK\]"

transmission firewall with peer-port-random-on-start = false
grep port /********/.config/transmission-daemon/settings.json
sed -i s/"peer-port-random-on-start\": true"/"peer-port-random-on-start\": false"/ /********/.config/transmission-daemon/settings.json
peerport="`grep peer-port\\" /********/.config/transmission-daemon/settings.json | awk '{sub(/,/,\"\",$2); print $2;}'`"
sudo ufw allow $peerport

transmission firewall with peer-port-random-on-start = true
sed -i s/"peer-port-random-on-start\": false"/"peer-port-random-on-start\": true"/ /********/.config/transmission-daemon/settings.json
grep peer-port-random-low /********/.config/transmission-daemon/settings.json
grep peer-port-random-high /********/.config/transmission-daemon/settings.json
# sudo ufw allow proto udp to any port 49152:65535
# sudo ufw allow proto tcp to any port 49152:65535
sudo ufw allow 49152:65535/tcp
sudo ufw allow 49152:65535/udp

show ufw logs
tailf /var/log/kern.log | grep "\[UFW BLOCK\]"
tailf /var/log/syslog | grep "\[UFW BLOCK\]"

enable at startup
# theoretically should work only this but practically doesn't:
sudo sed -i s/"ENABLED=no"/"ENABLED=yes"/ /etc/ufw/ufw.conf
# you should add this too to /etc/rc.local before "exit 0" line:
if ! ufw enable; then 
	echo "Can't start ufw!"
else
	echo "UFW started!"
fi

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
sudo sed -i s/"IPV6=yes"/"IPV6=no"/ /etc/default/ufw

Configuring port forwarding (add rules to /etc/ufw/before.rules)
# see also http://askubuntu.com/questions/660972/port-forwarding-with-ufw
sudo sed -i s/"DEFAULT_FORWARD_POLICY=\"DROP"/"DEFAULT_FORWARD_POLICY=\"ACCEPT"/ /etc/default/ufw
sudo sed -i s/"#net\/ipv4\/ip_forward"/"net\/ipv4\/ip_forward"/ /etc/ufw/sysctl.conf

turn off ipv6 autoconfiguration
sudo sed -i s/"#net\/ipv6\/conf\/default\/autoconf=0"/"net\/ipv6\/conf\/default\/autoconf=0"/ /etc/ufw/sysctl.conf
sudo sed -i s/"#net\/ipv6\/conf\/all\/autoconf=0"/"net\/ipv6\/conf\/all\/autoconf=0"/ /etc/ufw/sysctl.conf

configuration status
grep -nr 'ENABLED' /etc/ufw/ufw.conf
grep -nr -P "DEFAULT_FORWARD_POLICY|IPV6=" /etc/default/ufw
grep -nr -P "net\/ipv4\/ip_forward|net\/ipv6\/conf\/default\/autoconf|net\/ipv6\/conf\/all\/autoconf" /etc/ufw/sysctl.conf

deny access to an ip
sudo ufw deny from 146.185.223.4

limit access to an ip
sudo ufw insert 1 limit from 154.16.3.214 comment 'uri abuser limited to anywhere'
sudo ufw insert 1 limit in proto tcp from 154.16.3.214 to 192.168.1.31 port 80,443,49152:65535 comment 'tcp abuser limited to 192.168.1.31 on 80,443,49152:65535'
sudo ufw insert 1 limit in proto udp from 154.16.3.214 to 192.168.1.31 port 80,443,49152:65535 comment 'udp abuser limited to 192.168.1.31 on 80,443,49152:65535'

Redirect from 172.20.19.7:80 to 127.0.0.1:3000 (172.20.19.7 is on eth0 interface)
http://ipset.netfilter.org/iptables-extensions.man.html

# http://serverfault.com/questions/211536/iptables-port-redirect-not-working-for-localhost
# The locally generated packets does not pass via the PREROUTING chain!
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -a | grep 'net.ipv4.ip_forward'

https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
http://unix.stackexchange.com/questions/111433/iptables-redirect-outside-requests-to-127-0-0-1
sudo sysctl -w net.ipv4.conf.eth0.route_localnet=1
sudo sysctl -a | grep 'net.ipv4.conf.eth0.route_localnet'

# It seems that you could configure the above in /etc/ufw/sysctl.conf too though I haven't tested it.
/etc/default/ufw should have DEFAULT_FORWARD_POLICY="ACCEPT"

# in /etc/ufw/before.rules before filter section:
*nat
:PREROUTING ACCEPT [0:0]
# -A = append last
# -I = insert first
#
# sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000
# -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000
#
# sudo iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3000
-I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3000
#
COMMIT

# you'll need also the rule below  
sudo ufw allow to 127.0.0.1 port 3000
# otherwise external users won't be allowed on port 80 and you'll see logs like this:
[UFW BLOCK] IN=eth0 OUT= MAC=3c:11:11:f0:21:11:00:11:0f:09:00:04:08:00 SRC=11.111.114.201 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54696 DF PROTO=TCP SPT=9194 DPT=3000 WINDOW=26280 RES=0x00 SYN URGP=0

sudo ufw disable && sudo ufw enable

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.