| | 1 | = Firewall exercises using ufw = |
| | 2 | In this exercise we will see examples of how to set up simple simple host protection using ufw to configure the iptables firewall. All the commands in this exercise need to be done as '''root'''. If you are not already root, start a root shell like this: |
| | 3 | {{{ |
| | 4 | $ sudo -s |
| | 5 | # |
| | 6 | }}} |
| | 7 | |
| | 8 | === Installation === |
| | 9 | note : In this lab session you don't have to install ufw as it comes default with ubuntu |
| | 10 | {{{ |
| | 11 | # apt-get install ufw |
| | 12 | }}} |
| | 13 | This will install iptables as a dependency if it is not already installed. |
| | 14 | |
| | 15 | === Check initial state === |
| | 16 | |
| | 17 | Use the ufw status commands |
| | 18 | {{{ |
| | 19 | # ufw status |
| | 20 | Status: inactive |
| | 21 | }}} |
| | 22 | |
| | 23 | And iptables command |
| | 24 | {{{ |
| | 25 | # iptables -L -n -v |
| | 26 | Chain INPUT (policy ACCEPT 44579 packets, 8596K bytes) |
| | 27 | pkts bytes target prot opt in out source destination |
| | 28 | |
| | 29 | Chain FORWARD (policy ACCEPT 52080 packets, 4315K bytes) |
| | 30 | pkts bytes target prot opt in out source destination |
| | 31 | |
| | 32 | Chain OUTPUT (policy ACCEPT 25720 packets, 2713K bytes) |
| | 33 | pkts bytes target prot opt in out source destination |
| | 34 | }}} |
| | 35 | The iptables output shows that the firewall is "permit everything" - there are no rules in any of the chains, and the "policy" of ACCEPT is the default if no rule matches. |
| | 36 | |
| | 37 | === Prepare to enable === |
| | 38 | |
| | 39 | When we enable the firewall, it's important we '''don't block ssh''' or we could lock ourselves out! |
| | 40 | |
| | 41 | ufw may already know about some applications, including OpenSSH, so we can just apply the rule it knows about. |
| | 42 | {{{ |
| | 43 | # ufw app list |
| | 44 | Available applications: |
| | 45 | Apache |
| | 46 | Apache Full |
| | 47 | Apache Secure |
| | 48 | OpenSSH |
| | 49 | }}} |
| | 50 | |
| | 51 | Alow OpenSSH |
| | 52 | {{{ |
| | 53 | # ufw allow OpenSSH |
| | 54 | Rules updated |
| | 55 | Rules updated (v6) |
| | 56 | }}} |
| | 57 | This policy allows SSH from any IP address. If that's not what you want, you could have added a more specific rule by hand. |
| | 58 | |
| | 59 | === Enable firewall === |
| | 60 | |
| | 61 | Now let's go ahead and enable the firewall: |
| | 62 | {{{ |
| | 63 | # ufw enable |
| | 64 | }}} |
| | 65 | |
| | 66 | Command may disrupt existing ssh connections. Proceed with operation (y|n)? y |
| | 67 | Firewall is active and enabled on system startup |
| | 68 | {{{ |
| | 69 | # ufw status |
| | 70 | Status: active |
| | 71 | |
| | 72 | To Action From |
| | 73 | -- ------ ---- |
| | 74 | OpenSSH ALLOW Anywhere |
| | 75 | OpenSSH (v6) ALLOW Anywhere (v6) |
| | 76 | }}} |
| | 77 | |
| | 78 | If you like, you can check the iptables ruleset again: |
| | 79 | {{{ |
| | 80 | # iptables -L -n -v |
| | 81 | }}} |
| | 82 | |
| | 83 | ... but this shows a long configuration over multiple screens. Buried in this you may be able to locate the rule which actually permits ssh: |
| | 84 | {{{ |
| | 85 | Chain ufw-user-input (1 references) |
| | 86 | pkts bytes target prot opt in out source destination |
| | 87 | 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* 'dapp_OpenSSH' */ |
| | 88 | }}} |
| | 89 | "ufw status" is much easier! |
| | 90 | |
| | 91 | === Firewall rules === |
| | 92 | Let's try a simple firewall rule. Lets block everyone from ssh in to your ubuntu VM except for your host machine. Before adding the rule ask your neighbor to try ssh in to your Ubuntu VM. He should be able to log in. |
| | 93 | |
| | 94 | Now add the following rules. Note that you have to give them in given sequence. |
| | 95 | {{{ |
| | 96 | #ufw allow proto tcp from < IP of Your host machine >/32 to any port 22 |
| | 97 | Rule added |
| | 98 | }}} |
| | 99 | This rule is explained as you are allowing all tcp packets coming from your host machine to the port 22(SSH port) |
| | 100 | |
| | 101 | Now add the following rule to deny packets from any other ip addresses to port 22 |
| | 102 | {{{ |
| | 103 | #ufw deny OpenHHS |
| | 104 | Rules updated |
| | 105 | Rules updated (v6) |
| | 106 | }}} |
| | 107 | |
| | 108 | Check the status |
| | 109 | {{{ |
| | 110 | # ufw status |
| | 111 | Status: active |
| | 112 | |
| | 113 | To Action From |
| | 114 | -- ------ ---- |
| | 115 | OpenSSH DENY Anywhere |
| | 116 | 22/tcp ALLOW <Your host IP address>/32 |
| | 117 | OpenSSH (v6) DENY Anywhere (v6) |
| | 118 | }}} |
| | 119 | |
| | 120 | Now ask your neighbor to ssh in to your VM |
| | 121 | |
| | 122 | === Disable ufw === |
| | 123 | |
| | 124 | Finally, turn off ufw completely. This is useful for debugging problems, and for our labs we want to make sure that ufw is not going to get in the way of any other exercises. |
| | 125 | {{{ |
| | 126 | # ufw disable |
| | 127 | Firewall stopped and disabled on system startup |
| | 128 | # ufw status |
| | 129 | Status: inactive |
| | 130 | }}} |
| | 131 | If you are in a root shell, type "exit" to return to your normal user shell. |
