Changes between Initial Version and Version 1 of NspwUprouse/Agenda/ufw


Ignore:
Timestamp:
Sep 5, 2021, 12:06:12 PM (3 years ago)
Author:
admin
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • NspwUprouse/Agenda/ufw

    v1 v1  
     1= Firewall exercises using ufw =
     2In this exercise, we will see examples of how to set up a simple host protection using the Uncomplicated Firewall (ufw) to configure the iptables firewall. All the commands in this exercise need to be done as '''root'''. If you are not already root, start a root shell like this:
     3{{{
     4$ sudo -s
     5#
     6}}}
     7
     8=== Installation ===
     9note: In this lab session you don't have to install ufw as it comes default with ubuntu
     10{{{
     11# apt-get install ufw
     12}}}
     13This will install iptables as a dependency if it is not already installed.
     14
     15=== Check initial state ===
     16
     17Use the ufw status commands
     18{{{
     19# ufw status
     20Status: inactive
     21}}}
     22
     23And iptables command
     24{{{
     25# iptables -L -n -v
     26Chain INPUT (policy ACCEPT 44579 packets, 8596K bytes)
     27 pkts bytes target     prot opt in     out     source               destination
     28
     29Chain FORWARD (policy ACCEPT 52080 packets, 4315K bytes)
     30 pkts bytes target     prot opt in     out     source               destination
     31
     32Chain OUTPUT (policy ACCEPT 25720 packets, 2713K bytes)
     33 pkts bytes target     prot opt in     out     source               destination
     34}}}
     35The iptables output shows that the firewall is "permit everything" - there are no rules in any of the chains, and the "policy" of ACCEPT is the default if no rule matches.
     36
     37=== Prepare to enable ===
     38
     39When we enable the firewall, it's important we '''don't block ssh''' or we could lock ourselves out!
     40
     41ufw may already know about some applications, including OpenSSH, so we can just apply the rule it knows about.
     42{{{
     43# ufw app list
     44Available applications:
     45  Apache
     46  Apache Full
     47  Apache Secure
     48  OpenSSH
     49}}}
     50
     51Alow OpenSSH
     52{{{
     53# ufw allow OpenSSH
     54Rules updated
     55Rules updated (v6)
     56}}}
     57This policy allows SSH from any IP address. If that's not what you want, you could have added a more specific rule by hand.
     58
     59=== Enable firewall ===
     60
     61Now let's go ahead and enable the firewall:
     62{{{
     63# ufw enable
     64}}}
     65
     66Command may disrupt existing ssh connections. Proceed with the operation (y|n)? y
     67The firewall is active and enabled on system startup
     68{{{
     69# ufw status
     70Status: active
     71
     72To                         Action      From
     73--                         ------      ----
     74OpenSSH                    ALLOW       Anywhere
     75OpenSSH (v6)               ALLOW       Anywhere (v6)
     76}}}
     77
     78If you like, you can check the iptables ruleset again:
     79{{{
     80# iptables -L -n -v
     81}}}
     82
     83... but this shows a long configuration over multiple screens. Buried in this you may be able to locate the rule which actually permits ssh:
     84{{{
     85Chain ufw-user-input (1 references)
     86 pkts bytes target     prot opt in     out     source               destination
     87    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* 'dapp_OpenSSH' */
     88}}}
     89"ufw status" is much easier!
     90
     91=== Firewall rules ===
     92 Let's try a simple firewall rule. Let's block everyone from ssh into your Ubuntu VM except for your host machine. Before adding the rule ask your neighbor to try ssh into your Ubuntu VM. He should be able to log in.
     93
     94Now add the following rules. Note that you have to give them in the given sequence.
     95{{{
     96#ufw allow proto tcp from < IP of Your host machine >/32 to any port 22
     97Rule added
     98}}}
     99This rule is explained as you are allowing all TCP packets coming from your host machine to port 22(SSH port)
     100
     101Now add the following rule to deny packets from any other IP addresses to port 22
     102{{{
     103#ufw deny OpenSSH
     104Rules updated
     105Rules updated (v6)
     106}}}
     107
     108Check the status
     109{{{
     110# ufw status
     111Status: active
     112
     113To                         Action      From
     114--                         ------      ----
     115OpenSSH                    DENY        Anywhere
     11622/tcp                     ALLOW       <Your host IP address>/32
     117OpenSSH (v6)               DENY       Anywhere (v6)
     118}}}
     119
     120Now ask your neighbor to ssh into your VM
     121
     122=== Disable ufw ===
     123
     124Finally, turn off ufw completely. This is useful for debugging problems, and for our labs we want to make sure that ufw is not going to get in the way of any other exercises.
     125{{{
     126# ufw disable
     127Firewall stopped and disabled on system startup
     128# ufw status
     129Status: inactive
     130}}}
     131If you are in a root shell, type "exit" to return to your normal user shell.