Setting up a Ubuntu-CentOS Server from scratch: Firewall & UFW - LightDestory - 09-11-2019
*This tutorial is part of a series, visit the main thread to learn more*
Nowadays, when we get a server, securing it is one of the most important and critical steps on our "to-do" list. We don't want anyone to cause us trouble, right? To do so, one of the main protagonists of this step is the firewall.
In this tutorial, we will learn what a firewall is, why it is so important and how to use it on Ubuntu Server & CentOS thanks to a very simple piece of software called UFW (Uncomplicated Firewall).
Let's start with some information!
- What is a firewall?
A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on a set of 'rules' that the SysAdmin sets up. We can imagine the firewall as a barrier between a trusted internal network and an untrusted external network, such as the Internet. Believe me, the Internet isn't secure at all! There are two forms of firewall:
- Hardware firewall, a dedicated device used by enterprises that is usually located between the routers, which communicate with the Internet, and the switches. Its role is to manage the connections to the DMZ by customers, think about public services such as a website/blog for example, and to monitor and protect remote access to the company's internal network. We can say that it operates over the whole company network. I will not go deep into enterprise networking because it is a very interesting but complex topic, which I myself studied in the last year of high school, so I am not an expert.
- Software firewall or Personal firewall, is a piece of software which controls network traffic to and from a computer, thus it usually protects only the computer on which it is installed. Typically it works as an application layer firewall*.
In this tutorial we will focus on software firewalls.
- How does it work and why is it so important?
We can identify two types of firewall operation:
- Packet filtering: the firewall reads all the metadata of the packets passing through your network interface; if some metadata matches a rule then the firewall will act. All firewalls can do this. It is done at the network layer.
- "Data validation": the firewall doesn't just read the packets' metadata; it also looks at the actual data transported. It knows how certain protocols work, for example FTP or HTTP. If the data in the packet is not valid for that protocol, the packet will be dropped.
We are talking about rules, we already said that they are made by the SysAdmin, but what are they? Well, to put it simply, they are a pair < ACTION , SUBJECT > where:
- ACTION: can be set to "allow" or "deny" and it indicates the behavior of the firewall;
- SUBJECT: it can be a web port, an IP address or, for some particular firewalls, an application target. It indicates to whom the rule will be applied.
You can now understand why the firewall is so important: with it we can manage all the outgoing and incoming traffic of our server; every packet that tries to get out/in needs the firewall's approval. Good practice tells us to deny all incoming traffic and allow all outgoing traffic; we will then create rules to allow specific incoming traffic such as SSH (port 22), HTTP (port 80), HTTPS (port 443), Mailing (port 25).
- Why UFW?
UFW (Uncomplicated Firewall) is a wrapper for IPTABLES. A wrapper is a piece of software that provides easy commands for a more complex tool. If you are interested in IPTABLES, @"Hidden Refuge" made a thread about its basic usage.
I think that UFW is very simple and easy to learn. It is not perfect, it has its own limitations, but for general firewall usage it works!
Now we can start our tutorial (the commands should be run with sudo or as root):
Installation:
- UBUNTU: If you are using Ubuntu Server, then you already have it installed. Nothing to do.
- CentOS: If you are running CentOS you probably have FirewallD installed; we need to stop its service, if enabled, and install UFW:
- First, we need to stop the firewalld service, if it is running. The following command will do that:
Code: systemctl stop firewalld
- With the following command you will disable the boot loading, if enabled, of the FirewallD service:
Code: systemctl disable firewalld
- Now, UFW is available in the EPEL repository, so we need to install it with the following command:
Code: yum install -y epel-release
- Finally, we can install UFW with the following command:
Note that "-y" is a flag to skip the confirmation question.
Starting and Enabling:
Now that UFW is installed we need to start it and enable it on boot.
- First, we use a UFW command that should start it and enable it on boot:
- It can happen that the previous command doesn't enable boot loading, so to make sure it is enabled run:
Code: systemctl enable ufw
Usage:
Now let's see how to use it:
- To see the current status and which rules are up, use the following command:
- For good practice we will block incoming traffic and allow outgoing:
  - To deny all the incoming traffic, run the following command:
Code: ufw default deny incoming
  - To allow all the outgoing traffic, run the following command:
Code: ufw default allow outgoing
- To allow/deny a specific port, run the following command:
Code: ufw [allow/deny] [port]/[protocol: "tcp" or "udp", default=tcp]
- To allow/deny a range of ports, run the following command:
Code: ufw [allow/deny] [first_port]:[last_port]/[protocol: "tcp" or "udp", default=tcp]
- To allow/deny all the connections from a specific STATIC IP, run the following command:
Code: ufw [allow/deny] from [IP]
- To allow/deny the connections on a specific port from a specific STATIC IP, run the following command:
Code: ufw [allow/deny] from [IP] to any port [port]
- To delete a rule, you need to know its index, which you get with the following command:
Now you can delete the rule with the following command:
- If you want to stop the firewall for a moment, run the following command:
- If you want to start the firewall after running the previous command, run the following command:
- If you want to disable the boot load of the firewall, run the following command:
Code: systemctl disable ufw
What makes UFW my favorite? The APP SYSTEM:
Usually on Ubuntu systems the app list is populated by installing software via special triggers, while on CentOS the UFW package from EPEL comes preloaded with a lot of APPS!
- If you want to see your app list, use the following command:
- If you want to see more information about an app, use the following command:
Code: ufw app info 'APP_NAME'
- To allow/deny a specific app profile, use the following command:
Code: ufw [allow/deny] 'APP_NAME'
- To allow/deny an app profile for a specific STATIC IP, run the following command:
Code: ufw [allow/deny] from [IP] to any app 'APP_NAME'
- If you want to delete an enabled app profile, just follow the same steps to delete a rule.
You can create a custom app profile by creating a file inside:
Code: /etc/ufw/applications.d/
We will create a file called, for example, 'test', then we need to fill in this structure:
Code: [APP_NAME]
title=A one line title
description=A longer description with more information
ports=1,2,3,4,5,6,7,8,9,10/tcp|50/udp|53
This file will create an app called 'APP_NAME' and will allow ports 1 to 10 on the tcp protocol, allow port 50 on udp and allow 53 on both tcp and udp. You can use ',' to list ports that will be activated with the same protocol, and you can use '|' to create a new list of ports.
Remember that after making changes to the rules, to make them effective you need to restart the firewall using the following command:
Code: systemctl restart ufw
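Added example, not part of LightDestory's post and not code from the UFW project: a POSIX shell script that puts the steps above into one place. It builds the "deny incoming, allow outgoing, allow only what you need, enable" sequence as a plan you can read before running it, and it validates and writes a custom app profile in the format shown above. Assumptions: the function names (ufw_plan, apply_plan, valid_ports_spec, write_app_profile) are mine; the ufw commands are the ones from the post; and the first:last range form inside a profile's ports= line assumes UFW's own profile syntax rather than something the post describes. The plan is only executed with --apply, and only when the ufw binary exists, so the script can be read and tested on any machine.

```shell
#!/bin/sh
# Added example (not from the original post or the UFW project).
# ufw_plan prints the baseline rule sequence; apply_plan runs it through
# "sh -e" so the first failing ufw command stops the whole sequence.

# Print the baseline for the given services. An argument starting with a
# digit is a port[/proto] ("22/tcp"); anything else is an app profile
# name ("OpenSSH"), quoted because profile names may contain spaces.
ufw_plan() {
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    for svc in "$@"; do
        case "$svc" in
            [0-9]*) echo "ufw allow $svc" ;;
            *)      echo "ufw allow '$svc'" ;;
        esac
    done
    echo "ufw enable"
}

# Execute the plan; refuse when ufw is not installed (plan-only mode).
apply_plan() {
    command -v ufw >/dev/null 2>&1 || { echo "ufw not installed; plan only" >&2; return 1; }
    ufw_plan "$@" | sh -e
}

# A single port number: digits only, in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Validate a profile "ports=" value: groups separated by '|', each group a
# comma list of ports or first:last ranges (assumed UFW profile syntax),
# optionally suffixed with /tcp or /udp (no suffix means both). The body is
# a subshell so the IFS changes stay local; "exit" only leaves the subshell.
valid_ports_spec() (
    spec=$1
    [ -n "$spec" ] || exit 1
    IFS='|'
    for group in $spec; do
        case "$group" in
            */tcp|*/udp) list=${group%/*} ;;
            */*)         exit 1 ;;          # unknown protocol suffix
            *)           list=$group ;;
        esac
        [ -n "$list" ] || exit 1            # empty group such as "80/tcp||53"
        IFS=','
        for item in $list; do
            case "$item" in
                *:*) lo=${item%%:*}; hi=${item#*:}
                     valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ] || exit 1 ;;
                *)   valid_port "$item" || exit 1 ;;
            esac
        done
        IFS='|'
    done
    exit 0
)

# Write a profile file in the post's format after validating the ports
# line. The optional 5th argument overrides the directory (used for tests
# or for staging a file before copying it into /etc/ufw/applications.d).
write_app_profile() {
    name=$1 title=$2 desc=$3 spec=$4
    dir=${5:-/etc/ufw/applications.d}
    valid_ports_spec "$spec" || { echo "invalid ports spec: $spec" >&2; return 1; }
    printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n' \
        "$name" "$title" "$desc" "$spec" > "$dir/$name"
}

# Stand-alone use: print the plan for SSH, HTTP and HTTPS, or run it with
# --apply. After adding a profile, restart UFW as the post says.
if [ "${1:-}" = "--apply" ]; then
    apply_plan 22/tcp 80/tcp 443/tcp
else
    ufw_plan 22/tcp 80/tcp 443/tcp
fi
```

Running the script without arguments prints the five commands in order, which is the review step: check that the SSH port you actually use is in the allow list before the enable line, because "default deny incoming" followed by enable will cut an SSH session that has no matching allow rule. The profile writer refuses a malformed ports= line (bad protocol suffix, empty group, port above 65535) so a broken file is never dropped into the applications directory.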
RE: Setting up a Ubuntu-CentOS Server from scratch: Firewall & UFW - rudra - 09-16-2019
I was sincerely hoping that you would do a bare bones iptables tutorial. But oh well.. not all our wishes come true.
This is a good tutorial. But you kind of crammed everything back to back. Could you please do a section where you write the instructions that a new VPS user could follow to secure his new setup, with some explanations of course? Hope you get what I am talking about.
RE: Setting up a Ubuntu-CentOS Server from scratch: Firewall & UFW - LightDestory - 09-16-2019
(09-16-2019, 01:06 PM)rudra Wrote: I was sincerely hoping that you would do a bare bones iptables tutorial. But oh well.. not all our wishes come true.
This is a good tutorial. But you kind of crammed everything back to back. Could you please do a section where you write the instructions that a new VPS user could follow to secure his new setup, with some explanations of course? Hope you get what I am talking about.
I would like to make a tutorial on iptables, but I first need to master it. I need to know what I am going to write in the tutorials. My current iptables skill is a little more than what you can get from @"Hidden Refuge"'s tutorial thread. Moreover, since he has already posted it, I didn't want to "override" his work.
Regarding the commands section, I was writing the tutorial thinking about a user who knows how to move inside Unix systems; maybe I undervalued it. I will try to add more basic commands to the tutorial.
RE: Setting up a Ubuntu-CentOS Server from scratch: Firewall & UFW - humanpuff69 - 09-17-2019
UFW is great. It makes port blocking easier than using iptables. UFW also requires fewer commands than iptables does.
For advanced users, using real iptables is preferred because they can fine-tune the rules more.