{"id":3578,"date":"2016-09-12T14:48:36","date_gmt":"2016-09-12T12:48:36","guid":{"rendered":"https:\/\/adrhc.go.ro\/wordpress\/?p=3578"},"modified":"2018-12-29T17:52:36","modified_gmt":"2018-12-29T15:52:36","slug":"uncomplicated-firewall","status":"publish","type":"post","link":"https:\/\/adrhc.go.ro\/blog\/uncomplicated-firewall\/","title":{"rendered":"Ufw (uncomplicated firewall)"},"content":{"rendered":"<pre>\r\n<strong>documentation<\/strong>\r\n<a href=\"https:\/\/help.ubuntu.com\/lts\/serverguide\/firewall.html\" target=\"_blank\">https:\/\/help.ubuntu.com\/lts\/serverguide\/firewall.html<\/a>\r\n<a href=\"http:\/\/manpages.ubuntu.com\/manpages\/xenial\/en\/man8\/ufw.8.html\" target=\"_blank\">http:\/\/manpages.ubuntu.com\/manpages\/xenial\/en\/man8\/ufw.8.html<\/a>\r\n<a href=\"http:\/\/manpages.ubuntu.com\/manpages\/xenial\/en\/man8\/ufw-framework.8.html\" target=\"_blank\">http:\/\/manpages.ubuntu.com\/manpages\/xenial\/en\/man8\/ufw-framework.8.html<\/a>\r\n\r\n<strong>important files<\/strong>\r\n\/etc\/ufw\/user.rules\r\n\r\n<strong>Uncomplicated Firewall<\/strong>\r\n# https:\/\/help.ubuntu.com\/community\/UFW\r\nsudo ufw show added\r\nsudo ufw status verbose\r\nsudo ufw show listening\r\nsudo ufw limit ssh\r\nsudo ufw allow 80\r\nsudo ufw allow 443\r\nsudo ufw allow 32400\r\nsudo ufw allow in from 192.168.1.0\/24\r\nsudo ufw allow in on eth1 to 192.168.0.1\/32 port 3389 proto tcp comment 'allow RDP access from LAN'\r\nsudo ufw allow from 86.124.74.35\/32 to any proto gre comment 'allow VPN with MarchenGarten'\r\nsudo ufw allow from 82.41.48.239 to any port 3389 proto tcp\r\nsudo ufw allow from 79.115.71.191 to any port 2181:2183 proto tcp comment 'ZK access from mioveni'\r\nsudo ufw allow in on enp1s0 to any port 8083\r\n# sudo ufw delete limit 1443\r\n# sudo ufw delete 11 -> removes rule with order number 11\r\ntailf \/var\/log\/kern.log | grep \"\\[UFW BLOCK\\]\"\r\ntailf \/var\/log\/syslog | grep \"\\[UFW BLOCK\\]\"\r\n\r\n<strong>transmission 
firewall with peer-port-random-on-start = false<\/strong>\r\ngrep port \/********\/.config\/transmission-daemon\/settings.json\r\nsed -i s\/\"peer-port-random-on-start\\\": true\"\/\"peer-port-random-on-start\\\": false\"\/ \/********\/.config\/transmission-daemon\/settings.json\r\npeerport=\"`grep peer-port\\\\\" \/********\/.config\/transmission-daemon\/settings.json | awk '{sub(\/,\/,\\\"\\\",$2); print $2;}'`\"\r\nsudo ufw allow $peerport\r\n\r\n<strong>transmission firewall with peer-port-random-on-start = true<\/strong>\r\nsed -i s\/\"peer-port-random-on-start\\\": false\"\/\"peer-port-random-on-start\\\": true\"\/ \/********\/.config\/transmission-daemon\/settings.json\r\ngrep peer-port-random-low \/********\/.config\/transmission-daemon\/settings.json\r\ngrep peer-port-random-high \/********\/.config\/transmission-daemon\/settings.json\r\n# sudo ufw allow proto udp to any port 49152:65535\r\n# sudo ufw allow proto tcp to any port 49152:65535\r\nsudo ufw allow 49152:65535\/tcp\r\nsudo ufw allow 49152:65535\/udp\r\n\r\n<strong>show ufw logs<\/strong>\r\ntailf \/var\/log\/kern.log | grep \"\\[UFW BLOCK\\]\"\r\ntailf \/var\/log\/syslog | grep \"\\[UFW BLOCK\\]\"\r\n\r\n<strong>enable at startup<\/strong>\r\n# theoretically should work only this but practically doesn't:\r\nsudo sed -i s\/\"ENABLED=no\"\/\"ENABLED=yes\"\/ \/etc\/ufw\/ufw.conf\r\n# you should add this too to \/etc\/rc.local before \"exit 0\" line:\r\nif ! ufw enable; then \r\n\techo \"Can't start ufw!\"\r\nelse\r\n\techo \"UFW started!\"\r\nfi\r\n\r\n# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback\r\n# accepted). 
You will need to 'disable' and then 'enable' the firewall for\r\n# the changes to take affect.\r\nsudo sed -i s\/\"IPV6=yes\"\/\"IPV6=no\"\/ \/etc\/default\/ufw\r\n\r\n<strong>Configuring port forwarding (add rules to \/etc\/ufw\/before.rules)<\/strong>\r\n# see also http:\/\/askubuntu.com\/questions\/660972\/port-forwarding-with-ufw\r\nsudo sed -i s\/\"DEFAULT_FORWARD_POLICY=\\\"DROP\"\/\"DEFAULT_FORWARD_POLICY=\\\"ACCEPT\"\/ \/etc\/default\/ufw\r\nsudo sed -i s\/\"#net\\\/ipv4\\\/ip_forward\"\/\"net\\\/ipv4\\\/ip_forward\"\/ \/etc\/ufw\/sysctl.conf\r\n\r\n<strong>turn off ipv6 autoconfiguration<\/strong>\r\nsudo sed -i s\/\"#net\\\/ipv6\\\/conf\\\/default\\\/autoconf=0\"\/\"net\\\/ipv6\\\/conf\\\/default\\\/autoconf=0\"\/ \/etc\/ufw\/sysctl.conf\r\nsudo sed -i s\/\"#net\\\/ipv6\\\/conf\\\/all\\\/autoconf=0\"\/\"net\\\/ipv6\\\/conf\\\/all\\\/autoconf=0\"\/ \/etc\/ufw\/sysctl.conf\r\n\r\n<strong>configuration status<\/strong>\r\ngrep -nr 'ENABLED' \/etc\/ufw\/ufw.conf\r\ngrep -nr -P \"DEFAULT_FORWARD_POLICY|IPV6=\" \/etc\/default\/ufw\r\ngrep -nr -P \"net\\\/ipv4\\\/ip_forward|net\\\/ipv6\\\/conf\\\/default\\\/autoconf|net\\\/ipv6\\\/conf\\\/all\\\/autoconf\" \/etc\/ufw\/sysctl.conf\r\n\r\n<strong>deny access to an ip<\/strong>\r\nsudo ufw deny from 146.185.223.4\r\n\r\n<strong>limit access to an ip<\/strong>\r\nsudo ufw insert 1 limit from 154.16.3.214 comment 'uri abuser limited to anywhere'\r\nsudo ufw insert 1 limit in proto tcp from 154.16.3.214 to 192.168.1.31 port 80,443,49152:65535 comment 'tcp abuser limited to 192.168.1.31 on 80,443,49152:65535'\r\nsudo ufw insert 1 limit in proto udp from 154.16.3.214 to 192.168.1.31 port 80,443,49152:65535 comment 'udp abuser limited to 192.168.1.31 on 80,443,49152:65535'\r\n\r\n<strong>Redirect from 172.20.19.7:80 to 127.0.0.1:3000 (172.20.19.7 is on eth0 interface)<\/strong>\r\n<a href=\"http:\/\/ipset.netfilter.org\/iptables-extensions.man.html\" 
target=\"_blank\">http:\/\/ipset.netfilter.org\/iptables-extensions.man.html<\/a>\r\n\r\n# <a href=\"http:\/\/serverfault.com\/questions\/211536\/iptables-port-redirect-not-working-for-localhost\" target=\"_blank\">http:\/\/serverfault.com\/questions\/211536\/iptables-port-redirect-not-working-for-localhost<\/a>\r\n# Locally generated packets do not pass via the PREROUTING chain!\r\nsudo sysctl -w net.ipv4.ip_forward=1\r\nsudo sysctl -a | grep 'net.ipv4.ip_forward'\r\n\r\n<a href=\"https:\/\/www.kernel.org\/doc\/Documentation\/networking\/ip-sysctl.txt\" target=\"_blank\">https:\/\/www.kernel.org\/doc\/Documentation\/networking\/ip-sysctl.txt<\/a>\r\n<a href=\"http:\/\/unix.stackexchange.com\/questions\/111433\/iptables-redirect-outside-requests-to-127-0-0-1\" target=\"_blank\">http:\/\/unix.stackexchange.com\/questions\/111433\/iptables-redirect-outside-requests-to-127-0-0-1<\/a>\r\nsudo sysctl -w net.ipv4.conf.eth0.route_localnet=1\r\nsudo sysctl -a | grep 'net.ipv4.conf.eth0.route_localnet'\r\n\r\n# It seems that you could configure the above in \/etc\/ufw\/sysctl.conf too though I haven't tested it.\r\n\/etc\/default\/ufw should have DEFAULT_FORWARD_POLICY=\"ACCEPT\"\r\n\r\n# in \/etc\/ufw\/before.rules before filter section:\r\n*nat\r\n:PREROUTING ACCEPT [0:0]\r\n# -A = append last\r\n# -I = insert first\r\n#\r\n# sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000\r\n# -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000\r\n#\r\n# sudo iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3000\r\n-I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3000\r\n#\r\nCOMMIT\r\n\r\n# you'll also need the rule below\r\nsudo ufw allow to 127.0.0.1 port 3000\r\n# otherwise external users won't be allowed on port 80 and you'll see logs like this:\r\n[UFW BLOCK] IN=eth0 OUT= MAC=3c:11:11:f0:21:11:00:11:0f:09:00:04:08:00 SRC=11.111.114.201 DST=127.0.0.1 LEN=60 TOS=0x00 
PREC=0x00 TTL=63 ID=54696 DF PROTO=TCP SPT=9194 DPT=3000 WINDOW=26280 RES=0x00 SYN URGP=0\r\n\r\nsudo ufw disable && sudo ufw enable\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>documentation https:\/\/help.ubuntu.com\/lts\/serverguide\/firewall.html http:\/\/manpages.ubuntu.com\/manpages\/xenial\/en\/man8\/ufw.8.html http:\/\/manpages.ubuntu.com\/manpages\/xenial\/en\/man8\/ufw-framework.8.html important files \/etc\/ufw\/user.rules Uncomplicated Firewall # https:\/\/help.ubuntu.com\/community\/UFW sudo ufw show added sudo ufw status verbose sudo ufw show listening sudo ufw limit ssh sudo ufw allow 80 sudo ufw allow 443 sudo ufw allow 32400 sudo [&hellip;]<\/p>\n<div class=\"link-more\"><a href=\"https:\/\/adrhc.go.ro\/blog\/uncomplicated-firewall\/#more-3578\" class=\"more-link\">Continue reading &#10142; <span class=\"screen-reader-text\">Ufw (uncomplicated firewall)<\/span><\/a><\/div>","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,11,49,50],"tags":[95],"class_list":["post-3578","post","type-post","status-publish","format-standard","hentry","category-commands","category-linux","category-network","category-security","tag-ufw"],"_links":{"self":[{"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/posts\/3578","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/comments?post=3578"}],"version-history":[{"count":0,"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/posts\/3578\/revisions"}],"wp:attachment":[{"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/media?parent=3578"}],"wp:term":[{"taxonom
y":"category","embeddable":true,"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/categories?post=3578"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adrhc.go.ro\/blog\/wp-json\/wp\/v2\/tags?post=3578"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}