UFW Firewall
UFW (Uncomplicated Firewall) is a host-based configuration tool for iptables-style firewalls. Its purpose is to give users an easy-to-use interface, together with package integration and dynamic detection of open ports.
Since version 2.4 of the Linux kernel, a very capable firewall facility has been built in. It can classify, filter and forward the network traffic of the services being accessed, which is what makes functions such as a firewall and NAT possible.
In general, the well-known iptables and similar programs are used to manage firewall rules. iptables can define firewall rules flexibly and is very powerful, but the side effect is that its configuration is complex. Ubuntu, which has always been known for its ease of use, ships in its releases with a relatively simple configuration tool for iptables: UFW.
UFW is not enabled by default; in other words, the ports on Ubuntu are open by default. Start UFW with the following commands:
UFW Installation and use
Installation
sudo apt-get install ufw
Enable
sudo ufw enable
sudo ufw default deny
After running the above two commands, the firewall is turned on and will start automatically at boot. All external access to this host is blocked, while the host's own outbound access works normally.
Allow/deny
sudo ufw allow|deny [service]
Open or close a port, for example:
sudo ufw allow smtp  # allows all external IPs to access this host's port 25/tcp (SMTP)
sudo ufw allow 22/tcp  # allows all external IPs to access this host's port 22/tcp (SSH)
sudo ufw allow 53  # allows external access to port 53 (TCP and UDP)
sudo ufw allow from 192.168.1.100  # allows this IP to access all ports on this host
sudo ufw allow proto udp from 192.168.0.1 to 192.168.0.2 port 53  # allows UDP from 192.168.0.1 to port 53 of 192.168.0.2
sudo ufw deny smtp  # blocks external access to the SMTP service
sudo ufw delete allow smtp  # deletes the rule created above
View firewall status
sudo ufw status
For general users, only the following settings are required:
sudo apt-get install ufw
sudo ufw enable
sudo ufw default deny
The above three commands are safe enough; if you need to open some services, use sudo ufw allow to open them.
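As an added example (not part of the original article), the following POSIX shell script turns the three-command baseline above into a script that puts the SSH allow rule in place before the firewall is enabled, so a remote session is not cut off when the default policy becomes deny, rate-limits SSH with ufw limit, and validates port specs before they reach ufw. The UFW_CMD variable is this script's own assumption (set UFW_CMD=echo for a dry run); the ufw subcommands it uses (default deny incoming, default allow outgoing, limit, --force enable, status verbose) are real ufw commands.

```shell
#!/bin/sh
# Added example, not from the original article: a lockout-safe UFW baseline.
# The article's three commands are install, enable, default deny; on a remote
# host the allow rule for SSH must exist before enabling, otherwise the
# session is cut off. UFW_CMD is this script's own assumption so that it can
# be dry-run (UFW_CMD=echo); the ufw subcommands themselves are real.
UFW_CMD="${UFW_CMD:-sudo ufw}"

# Accept "22", "22/tcp", "53/udp" or a lowercase service name such as "smtp".
# Anything else (shell metacharacters, empty, out-of-range port) is rejected.
valid_port_spec() {
    case "$1" in
        *[!0-9a-z/]*|'') return 1 ;;
    esac
    case "$1" in
        */tcp|*/udp) p="${1%/*}" ;;
        *) p="$1" ;;
    esac
    case "$p" in
        '') return 1 ;;
        *[!0-9]*) return 0 ;;          # service name, resolved by ufw from /etc/services
        *) [ "$p" -ge 1 ] && [ "$p" -le 65535 ] ;;
    esac
}

# Deny inbound, allow outbound, rate-limit SSH, open the requested ports,
# then enable non-interactively and show the result. Returns 1 on a bad spec.
ufw_baseline() {
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    $UFW_CMD default deny incoming
    $UFW_CMD default allow outgoing
    $UFW_CMD limit 22/tcp            # SSH stays reachable, brute force is rate-limited
    for spec in "$@"; do
        $UFW_CMD allow "$spec"
    done
    $UFW_CMD --force enable          # --force skips the confirmation prompt
    $UFW_CMD status verbose
}

# Usage: sh ufw-baseline.sh 80/tcp 443/tcp      (UFW_CMD=echo for a dry run)
if [ "$#" -gt 0 ]; then
    ufw_baseline "$@"
fi
```

The ordering is the point: default deny, then the allow rules, and only then enable. Run it once with UFW_CMD=echo to review the exact command sequence before applying it on a host you reach over SSH.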
Turn the firewall on/off (the default setting is 'disable'):
sudo ufw enable|disable
Toggle logging:
sudo ufw logging on|off
Set the default policy (e.g. "mostly open" vs "mostly closed"):
sudo ufw default allow|deny
Allow or block a port (the list of services can be viewed in "status"). You can specify a service name that exists in /etc/services, a "port/protocol" specification, or rely on the package's metadata. The 'allow' parameter adds the entry to /etc/ufw/maps, while 'deny' does the opposite. The basic syntax is as follows:
sudo ufw allow|deny [service]
Display the firewall status and the listening ports; see /var/lib/ufw/maps. The numbers in parentheses are not displayed.
sudo ufw status
UFW usage examples:
Allow port 53:
sudo ufw allow 53
To close port 53 again, delete the rule:
sudo ufw delete allow 53
Allow port 80:
sudo ufw allow 80/tcp
To close port 80 again, delete the rule:
sudo ufw delete allow 80/tcp
Allow the SMTP port:
sudo ufw allow smtp
To block SMTP again, delete the rule:
sudo ufw delete allow smtp
Allow a specific IP:
sudo ufw allow from 192.168.254.254
To remove that exception, delete the rule:
sudo ufw delete allow from 192.168.254.254
Reload the rules:
sudo ufw reload
Ubuntu iptables settings
Remove the existing rules from iptables:
iptables -F
iptables -X
Drop all packets that do not match any rule in the three chains (default policies):
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Settings for the INPUT and OUTPUT chains of the local loopback interface lo, and the INPUT chain of eth1:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state NEW,INVALID -j LOG
iptables -A OUTPUT -o lo -j ACCEPT
OUTPUT rules for the other main allowed ports:
DNS
iptables -A OUTPUT -o eth1 -p tcp --sport 1024:65535 --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --sport 1024:65535 --dport 53 -j ACCEPT
HTTP
iptables -A OUTPUT -o eth1 -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
HTTPS
iptables -A OUTPUT -o eth1 -p tcp --sport 1024:65535 --dport 443 -j ACCEPT
Email receiving and sending (POP3 and SMTP)
iptables -A OUTPUT -o eth1 -p tcp --sport 1024:65535 --dport 110 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 1024:65535 --dport 25 -j ACCEPT
FTP data and control
iptables -A OUTPUT -o eth1 -p tcp --sport 1024:65535 --dport 20 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 1024:65535 --dport 21 -j ACCEPT
DHCP
iptables -A OUTPUT -o eth1 -p tcp --sport 1024:65535 --dport 68 -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --sport 1024:65535 --dport 68 -j ACCEPT
POP3S (secure email receiving)
iptables -A OUTPUT -o eth1 -p tcp --sport 1024:65535 --dport 995 -j ACCEPT
NTP time synchronization
iptables -A OUTPUT -o eth1 -p tcp --sport 1024:65535 --dport 123 -j ACCEPT
Log everything else leaving eth1 (new or invalid connections; the DROP policy then discards it):
iptables -A OUTPUT -o eth1 -m state --state NEW,INVALID -j LOG
Finally, the commands for saving and restoring the iptables rules:
iptables-save > /etc/iptables.up.rules  # save to the location you want
iptables-restore < /etc/iptables.up.rules  # load (call) the saved rules
Because the iptables rules have to be entered or loaded again after every reboot, for convenience edit
sudo gedit /etc/network/interfaces
and after
auto ath0
iface ath0 inet dhcp
add
pre-up iptables-restore < /etc/iptables.up.rules  # automatically loads the stored iptables rules when the interface comes up
post-down iptables-save > /etc/iptables.up.rules  # stores the current iptables rules at shutdown
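As an added example (not from the original article), the following POSIX shell script audits a saved ruleset before it is handed to iptables-restore, which is the check a practitioner wants before a pre-up hook loads a file unattended. The sample ruleset is constructed here in iptables-save format from the article's rules (with an ESTABLISHED,RELATED accept also on OUTPUT, an addition the article's list does not have), and the file path, function names and checks are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: audit an iptables-save file
# before restoring it. The sample ruleset below is CONSTRUCTED from the
# article's rules; RULES_FILE is this script's own assumption.
RULES_FILE="${RULES_FILE:-${TMPDIR:-/tmp}/iptables.up.rules.sample}"

# Write the constructed sample in the format iptables-save produces:
# table header, chain policies, rules, COMMIT.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -m state --state NEW,INVALID -j LOG
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth1 -p udp --sport 1024:65535 --dport 53 -j ACCEPT
-A OUTPUT -o eth1 -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A OUTPUT -o eth1 -p tcp --sport 1024:65535 --dport 443 -j ACCEPT
-A OUTPUT -o eth1 -m state --state NEW,INVALID -j LOG
COMMIT
EOF
}

# Default policy of a chain, e.g. chain_policy FILE INPUT -> DROP
chain_policy() {
    awk -v c=":$2" '$1 == c { print $2; exit }' "$1"
}

# Destination ports ACCEPTed in a chain, printed as "port/proto", sorted by port
accepted_dports() {
    awk -v c="$2" '
        $1 == "-A" && $2 == c && / -j ACCEPT/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "") print port "/" proto
        }' "$1" | sort -n
}

# Baseline checks before "iptables-restore <": DROP policy on all three chains,
# loopback accepted, replies to established flows accepted both ways, and a
# COMMIT so the restore actually applies. Prints each failure, returns 1 if any.
check_ruleset() {
    f="$1"; rc=0
    for chain in INPUT FORWARD OUTPUT; do
        [ "$(chain_policy "$f" "$chain")" = "DROP" ] \
            || { echo "FAIL: $chain policy is not DROP"; rc=1; }
    done
    grep -q -- '^-A INPUT -i lo -j ACCEPT' "$f" \
        || { echo "FAIL: loopback not accepted on INPUT"; rc=1; }
    for chain in INPUT OUTPUT; do
        grep -q -- "^-A $chain .*--state ESTABLISHED,RELATED -j ACCEPT" "$f" \
            || { echo "FAIL: $chain has no ESTABLISHED,RELATED accept"; rc=1; }
    done
    grep -q '^COMMIT$' "$f" || { echo "FAIL: missing COMMIT"; rc=1; }
    return $rc
}

write_sample_rules "$RULES_FILE"
echo "OUTPUT allows: $(accepted_dports "$RULES_FILE" OUTPUT | paste -sd ' ' -)"
if check_ruleset "$RULES_FILE"; then
    echo "ruleset OK: $RULES_FILE"
fi
```

Run check_ruleset against /etc/iptables.up.rules from the pre-up hook (or from a cron job after post-down has written it) and refuse to restore when it fails; a truncated or half-written file otherwise silently leaves the host with whatever was applied before the error. Two of the article's OUTPUT rules are also worth checking against real traffic: NTP uses UDP port 123, and a DHCP client sends to the server's port 67 from its own port 68, so the TCP/123 and --dport 68 rules as listed do not match those flows.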