
Linux Hack of the Week #20: Uncomplicating Firewalls For the Rest of Us

Who doesn’t love firewalls? Firewalls give us that warm fuzzy feeling disallowing nasty traffic into our squeaky clean computers. However, it turns out that firewalls are not always that easy to configure.

The primary firewall for Linux is called iptables. iptables is configured with techno-black magic rules that specify your zone, your port, your interface, and all the details that you sometimes don’t care too much about.

Luckily, iptables has a plethora of front ends that simplify configuring input, output, forwarding, NAT (insert your favorite firewall phrase here). In this article, we will cover one such tool called UFW.

Enter UFW

The name UFW stands for Uncomplicated FireWall. On modern versions of Ubuntu, UFW is installed by default. You can also easily install it with one command:

Enabling

Once UFW is installed, enable it with sudo ufw enable:

Note: Do not enable UFW over an SSH connection without first allowing SSH. Because the default policy denies incoming traffic, doing so will unexpectedly drop your session and lock you out! Add the SSH rule beforehand (see Configuring Rules for UFW).

Once enabled you can check UFW status with sudo ufw status verbose:

Having a set of sane defaults is a good step for securing a machine from unwanted traffic. By default, UFW denies all incoming traffic and allows all outgoing traffic.

Configuring Rules for UFW

UFW has a wide variety of ways to configure rules for all sorts of network configurations. One of the more common use cases is allowing traffic for trusted applications.

Allowing/Disallowing Apps

A service that is ubiquitous for remote administration is SSH. Allow it by running the following:

Verify your rules list:

Notice that the status lists 22, which is the port SSH uses by default.

You can ask UFW to list the currently allowed apps:

To disallow an app, use the deny keyword. Let’s say you are running a web server and you do NOT want to allow HTTP traffic (HTTPS only). You can disallow HTTP traffic this way:

Allowing/Disallowing Traffic Over Specific Ports

Let’s say you have a different security policy and SSH is listening on port 2222. You can enable it like this:

Notice that the allow command specified tcp. You can specify tcp or udp when defining rules.

Just like denying apps, you run a similar command to deny ports. Telnet is an old, outdated tool for running remote commands against servers. To disallow telnet traffic (port 23), run the following:

Deleting a rule

Going back to the HTTP example, suppose your server now redirects HTTP to HTTPS. You can remove the deny rule from earlier by doing:

Note: Deleting the deny rule does not allow HTTP. You must allow it explicitly (see the SSH example above).

The same syntax deletes a rule for a port (using port 2222 from earlier):
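The rules from this article, collected into one script that applies them in a safe order (the SSH rule before enable). This is an added example, not from the original article; it assumes the OpenSSH application profile and the http service name that ship with Ubuntu's ufw, and uses --force to skip enable's interactive prompt. With DRY_RUN=1 (the default) it only prints the commands.

```shell
#!/bin/sh
# Constructed example: apply the UFW rules discussed above in a safe order.
# DRY_RUN=1 prints each command instead of running it; set DRY_RUN=0 to apply.
: "${DRY_RUN:=1}"
: "${SSH_PORT:=22}"

ufw_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "ufw $*"
    else
        sudo ufw "$@"
    fi
}

# Order matters: the SSH rule must exist before 'enable', because the default
# policy denies all incoming traffic and would otherwise cut off an SSH session.
ufw_bootstrap() {
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
    if [ "$SSH_PORT" = "22" ]; then
        ufw_cmd allow OpenSSH            # application profile (assumed name), port 22
    else
        ufw_cmd allow "$SSH_PORT/tcp"    # SSH on a non-default port, e.g. 2222
    fi
    ufw_cmd deny 23/tcp                  # telnet
    ufw_cmd deny http                    # HTTPS-only web server; undo with 'delete deny http'
    ufw_cmd --force enable               # --force skips the interactive confirmation
    ufw_cmd status verbose
}

# Check, in dry-run mode, that the SSH rule is emitted before 'enable'.
ssh_before_enable() {
    out=$(DRY_RUN=1 ufw_bootstrap)
    ssh_line=$(printf '%s\n' "$out" | grep -nE 'allow (OpenSSH|[0-9]+/tcp)' | head -n 1 | cut -d: -f1)
    enable_line=$(printf '%s\n' "$out" | grep -n ' enable$' | head -n 1 | cut -d: -f1)
    [ -n "$ssh_line" ] && [ -n "$enable_line" ] && [ "$ssh_line" -lt "$enable_line" ]
}
```

Run it as `DRY_RUN=1 SSH_PORT=2222 sh ufw-bootstrap.sh` first to review the commands, then with DRY_RUN=0 to apply them.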

Conclusion

Firewalls on Linux are not always easy to configure. Having a firewall with a solid configuration can help protect a machine from a wide variety of malicious traffic.

About Automox

Automox is a cloud-based patch management and endpoint protection platform that provides the foundation for a strong security framework by automating the fundamentals of security hygiene to reduce a company’s attack surface by over 80 percent. A powerful set of user-defined controls enables IT managers to filter and report on the vulnerability status of their infrastructure and intuitively manage cross-platform OS patching, third party patching, software deployment, and configuration management. To sign up for a free, 15-day trial of Automox’s cloud-based, automated patch management solution, visit www.automox.com/signup.


Christian Bernard, Software Engineer
