Home | 简体中文 | 繁体中文 | 杂文 | Github | 知乎专栏 | 51CTO学院 | CSDN程序员研修院 | OSChina 博客 | 腾讯云社区 | 阿里云栖社区 | Facebook | Linkedin | Youtube | 打赏(Donations) | About
知乎专栏多维度架构

30.4. ufw - program for managing a netfilter firewall

  1. Installation

    sudo apt-get install ufw

  2. Enable | Disable

    sudo ufw enable | disable

    neo@master:~$ sudo ufw enable
    Firewall started and enabled on system startup
    				
  3. Default Rule

    sudo ufw default deny

    sudo ufw default allow

    neo@master:~$ sudo ufw default deny
    Default policy changed to 'deny'
    (be sure to update your rules accordingly)
    	  			
  4. Rule Allow|Deny

    sudo ufw allow|deny [service]

    打开或关闭某个端口,例如:


    sudo ufw allow smtp  允许所有的外部IP访问本机的25/tcp (smtp)端口
    sudo ufw allow 22/tcp  允许所有的外部IP访问本机的22/tcp (ssh)端口
    sudo ufw allow 53  允许外部访问53端口(tcp/udp)
    sudo ufw allow from 172.16.1.100  允许此IP访问所有的本机端口
    sudo ufw allow proto udp 192.168.0.1 port 53 to 192.168.0.2 port 53
    sudo ufw deny smtp  禁止外部访问smtp服务
    sudo ufw delete allow smtp  删除上面建立的某条规则

    UFW 使用范例


    UFW 使用范例:

    允许 53 端口

    $ sudo ufw allow 53

    禁用 53 端口

    $ sudo ufw delete allow 53

    允许 80 端口

    $ sudo ufw allow 80/tcp

    禁用 80 端口

    $ sudo ufw delete allow 80/tcp

    允许 smtp 端口

    $ sudo ufw allow smtp

    删除 smtp 端口的许可

    $ sudo ufw delete allow smtp

    允许某特定 IP

    $ sudo ufw allow from 192.168.254.254

    删除上面的规则

    $ sudo ufw delete allow from 192.168.254.254

    $ sudo ufw allow ssh
    $ sudo ufw allow www
    $ sudo ufw allow smtp

    neo@master:~$ sudo ufw allow ssh
    Rule added
    				
  5. Status

    sudo ufw status

    neo@master:~$ sudo ufw allow www
    Rule added
    neo@master:~$ sudo ufw status
    Firewall loaded
    
    To                         Action  From
    --                         ------  ----
    25:tcp                     ALLOW   Anywhere
    22:tcp                     ALLOW   Anywhere
    22:udp                     ALLOW   Anywhere
    80:tcp                     ALLOW   Anywhere
    80:udp                     ALLOW   Anywhere
    				
  6. Rule Delete

    sudo ufw delete allow|deny RULE

    neo@master:~$ sudo ufw status
    Firewall loaded
    
    To                         Action  From
    --                         ------  ----
    25:tcp                     ALLOW   Anywhere
    22:tcp                     ALLOW   Anywhere
    22:udp                     ALLOW   Anywhere
    80:tcp                     ALLOW   Anywhere
    80:udp                     ALLOW   Anywhere
    
    neo@master:~$ sudo ufw delete allow smtp
    Rule deleted
    neo@master:~$ sudo ufw status
    Firewall loaded
    
    To                         Action  From
    --                         ------  ----
    22:tcp                     ALLOW   Anywhere
    22:udp                     ALLOW   Anywhere
    80:tcp                     ALLOW   Anywhere
    80:udp                     ALLOW   Anywhere
    
    				
  7. logging

    sudo ufw logging on|off

    neo@master:~$ sudo ufw logging ON
    Logging enabled
    				
  8. iptales

    neo@master:~$ sudo iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ufw-before-input  all  --  anywhere             anywhere
    ufw-after-input  all  --  anywhere             anywhere
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ufw-before-forward  all  --  anywhere             anywhere
    ufw-after-forward  all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ufw-before-output  all  --  anywhere             anywhere
    ufw-after-output  all  --  anywhere             anywhere
    
    Chain ufw-after-forward (1 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK FORWARD]: '
    RETURN     all  --  anywhere             anywhere
    
    Chain ufw-after-input (1 references)
    target     prot opt source               destination
    RETURN     udp  --  anywhere             anywhere            udp dpt:netbios-ns
    RETURN     udp  --  anywhere             anywhere            udp dpt:netbios-dgm
    RETURN     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
    RETURN     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
    RETURN     udp  --  anywhere             anywhere            udp dpt:bootps
    RETURN     udp  --  anywhere             anywhere            udp dpt:bootpc
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK INPUT]: '
    RETURN     all  --  anywhere             anywhere
    
    Chain ufw-after-output (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain ufw-before-forward (1 references)
    target     prot opt source               destination
    ufw-user-forward  all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere
    
    Chain ufw-before-input (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED
    DROP       all  --  anywhere             anywhere            ctstate INVALID
    ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
    ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc
    ufw-not-local  all  --  anywhere             anywhere
    ACCEPT     all  --  base-address.mcast.net/4  anywhere
    ACCEPT     all  --  anywhere             base-address.mcast.net/4
    ufw-user-input  all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere
    
    Chain ufw-before-output (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
    ACCEPT     udp  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
    ufw-user-output  all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere
    
    Chain ufw-not-local (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type LOCAL
    RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type MULTICAST
    RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type BROADCAST
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK NOT-TO-ME]: '
    DROP       all  --  anywhere             anywhere
    
    Chain ufw-user-forward (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain ufw-user-input (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:www
    RETURN     all  --  anywhere             anywhere
    
    Chain ufw-user-output (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    				

30.4.1. /etc/default/ufw

$ sudo vim /etc/default/ufw
# /etc/default/ufw
#

# set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=no

# set the default input policy to ACCEPT, DROP or REJECT.  Please note that if
# you change this you will most likely want to adjust your rules
DEFAULT_INPUT_POLICY="DROP"

# set the default output policy to ACCEPT, DROP, or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_OUTPUT_POLICY="ACCEPT"

# set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
#DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_FORWARD_POLICY="ACCEPT"

# set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no

#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf

# extra connection tracking modules to load
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc"

			

30.4.2. ip_forward

$ sudo vim /etc/ufw/sysctl.conf
net/ipv4/ip_forward=1
			

30.4.3. DHCP

neo@netkiller:~$ sudo ufw allow 67/udp
Rules updated
neo@netkiller:~$ sudo ufw allow 68/udp
Rules updated
			

30.4.4. Samba

neo@netkiller:~$ sudo ufw allow 137/tcp
Rule added
neo@netkiller:~$ sudo ufw allow 445/tcp
Rule added
neo@netkiller:~$ sudo ufw allow 138/udp
Rule added
neo@netkiller:~$ sudo ufw allow 139/udp
Rule added