This article uses Ubuntu 14.04 as an example to discuss the UFW firewall rule-ordering problem.
--------------------------------------------------------------------------------
First the principle, then the rant.
Linux and much other software have access-control features: the firewall in the kernel, ACLs (access control lists) in Cisco IOS, and the access modules in web servers. In some of these implementations the result depends on the order of the rules, for example when you want to deny every host access to a local port except one, or to allow every host access to a local port except one. Such cases are easy to demonstrate with netfilter/iptables and with Apache httpd 2.2; this article concentrates on Ubuntu's UFW.
First, a correction for most people: UFW is not itself a firewall. Although the name is Uncomplicated Firewall, it has no packet-filtering function of its own; it is only a management tool for the netfilter firewall, whose core is netfilter/iptables. The man page says as much: ufw is a program for managing a netfilter firewall, and its purpose is to spare users the complexity of raw iptables.
Before getting to Ubuntu's UFW, I want to talk about iptables on CentOS. There, the iptables rules are read from a file (/etc/sysconfig/iptables) from top to bottom, and within a chain the first rule that matches a packet decides its fate; a later rule never sees a packet that an earlier rule has already accepted or rejected. For example, below the default rules there are two reject rules:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
These two rules reject every packet that no earlier rule matched and send an ICMP host-prohibited message back to the sender. They effectively act as the default rules of the iptables configuration, because the real chain policies declared above them, such as :INPUT ACCEPT [0:0], allow everything by default; the catch-all REJECT at the end of the chain is what turns that into a deny-by-default firewall.
Why go on about this at such length? Has it ever happened to you that you added a rule with the iptables command on CentOS and it simply did not work, because it ended up after the REJECT rule? For example, iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 8088 -j ACCEPT has no effect, because -A appends it below -A INPUT -j REJECT --reject-with icmp-host-prohibited, where no packet ever reaches it. For it to be effective it must come before the REJECT, for instance iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 8088 -j ACCEPT, which inserts it at the head of the INPUT chain, and then it works as expected. iptables -L INPUT -n --line-numbers shows the resulting order, so you can check where a rule actually landed.
Now back to Ubuntu's UFW. UFW is a somewhat odd application and, like Ubuntu itself, tries to include everything. It is not a single binary: ufw is implemented more like a script with a bunch of related files, collectively called the ufw-framework, and man ufw-framework describes it and the files involved. It does not run as an ordinary service; the man page describes a standard SysV-style init script that calls the ufw command to load the rules. If you want to dig deeper, read that man page and the documents it references.
Before we talk about how to use UFW, one more thing needs to be emphasised. First of all, Ubuntu is a very unfriendly system for engineers; it is only dear to its developers, since after all the developers developed it, so many engineers like me dislike using Ubuntu, while many developers choose it because it looks easy to use. Here is something I said earlier: "If you are going to choose a Linux distribution, do not choose Ubuntu. If you insist on choosing Ubuntu, choose 12.xx (precise), not 14.xx (trusty), and do not upgrade to trusty. Ubuntu before 14.xx was fine; from 14.xx on there are many pitfalls, somewhat like CentOS 7, mostly because of systemd. On the evils of systemd see http://www.zdnet.com/article/linus-torvalds-and-others-on-linuxs-systemd/."
--------------------------------------------------------------------------------
Finally, here is a brief introduction to how to use UFW. This article deals only with rule order, not syntax; for syntax, consult the man page or the many good articles elsewhere. What follows are a few things those articles do not mention, learned from a real production environment and a lot of testing.
Just as iptables distinguishes between -A (append) and -I (insert), UFW has the equivalent (ufw insert NUM ...), and underneath UFW is an iptables-style configuration file, /lib/ufw/user.rules, which plays the same role as /etc/sysconfig/iptables on CentOS: the user-defined rules are recorded there, and you can read it to see exactly what syntax ufw generates.
Here is an example with the default SSH port 22: allow all hosts to reach local port 22, but prohibit one host (10.20.0.1) from reaching it.
If you are configuring UFW for the first time, you can do this (the rules are appended in the order you type them, so the deny lands before the allow; if you work over SSH, note that with the default set to reject and no allow rule yet, new SSH connections are refused until the allow 22/tcp rule is added, while your existing session survives because ufw permits established connections):
sudo ufw reset                  # reset the firewall to its defaults
sudo ufw enable                 # enable the firewall
sudo ufw default reject         # set the default incoming policy to reject
sudo ufw deny from 10.20.0.1    # deny one IP entirely; or narrower: sudo ufw deny from 10.20.0.1 to 10.20.0.130 port 22
sudo ufw allow 22/tcp           # allow all hosts to reach port 22
sudo ufw status                 # view the UFW status
If UFW has already been configured and rules already exist, do this instead:
sudo ufw status numbered                  # list the rules with their positions; ignore the (v6) entries
sudo ufw insert 1 deny from 10.20.0.1     # or: sudo ufw insert 1 deny from 10.20.0.1 to 10.20.0.130 port 22
sudo ufw allow 22/tcp                     # skipped by ufw if the allow rule already exists
sudo ufw status
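The ufw insert position is the number shown by ufw status numbered, and the IPv4 rules are listed before the IPv6 ones, which is why the (v6) entries can be ignored. The following Python is an added example, not code from the original post or from the ufw project: it parses a constructed ufw status numbered listing offline and works out the lowest position at which a deny for one source still lands above every IPv4 allow that would otherwise let that source through. The hostname-free listing, the ports in it and the helper names are assumptions made for the example.

```python
"""Pick the position for a ufw deny rule from 'ufw status numbered' output.

Added example, not code from the original post or from the ufw project.
It parses the numbered listing and reports the lowest position at which
'ufw insert N deny ...' still lands above the first IPv4 rule that allows
the port to this source, so the deny is evaluated first.
"""
import ipaddress
import re

# Constructed sample of 'ufw status numbered' on a host that already allows
# 22/tcp; the ports and layout are assumptions for the example.
STATUS_NUMBERED = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80/tcp                     ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443 (v6)                   ALLOW IN    Anywhere (v6)
"""

# One numbered line: position, To column, action, optional direction, From column.
LINE = re.compile(
    r"^\[\s*(\d+)\]\s+(\S.*?)\s{2,}(ALLOW|DENY|REJECT|LIMIT)"
    r"(?:\s+(IN|OUT|FWD))?\s{2,}(\S.*?)\s*$")


def parse_status_numbered(text):
    """Return one dict per numbered rule, in listing order (IPv4 first)."""
    rules = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        num, to, action, direction, src = m.groups()
        rules.append({
            "num": int(num), "to": to, "action": action,
            "direction": direction or "IN", "from": src,
            "v6": "(v6)" in to or "(v6)" in src,
        })
    return rules


def allows_port(rule, port, proto=None):
    """True when an IPv4 ALLOW IN rule covers port (any protocol unless given)."""
    if rule["v6"] or rule["action"] != "ALLOW" or rule["direction"] != "IN":
        return False
    # The To column is '<port>[/<proto>]' or '<addr> <port>[/<proto>]';
    # application profiles such as 'OpenSSH' are not resolved here.
    spec = rule["to"].split()[-1]
    rport, _, rproto = spec.partition("/")
    if not rport.isdigit() or int(rport) != port:
        return False
    return proto is None or rproto in ("", proto)


def from_covers(rule, src):
    """True when the rule's From column can match this source address."""
    if rule["from"].startswith("Anywhere"):
        return True
    try:
        net = ipaddress.ip_network(rule["from"].split()[0], strict=False)
    except ValueError:
        return True  # not an address (e.g. an interface spec): assume it may match
    return ipaddress.ip_address(src) in net


def deny_insert_position(rules, src, port, proto=None):
    """Lowest 'ufw insert' position that puts the deny above every allow
    the source could hit; None means a plain appended 'ufw deny' is fine."""
    for r in rules:
        if allows_port(r, port, proto) and from_covers(r, src):
            return r["num"]
    return None


def deny_command(rules, src, port, proto=None):
    """Build the ufw command to run; positions follow 'ufw status numbered'."""
    rule = f"deny from {src} to any port {port}" + (f" proto {proto}" if proto else "")
    pos = deny_insert_position(rules, src, port, proto)
    return f"ufw insert {pos} {rule}" if pos else f"ufw {rule}"


if __name__ == "__main__":
    parsed = parse_status_numbered(STATUS_NUMBERED)
    print(deny_command(parsed, "10.20.0.1", 22))    # must go in at position 2
    print(deny_command(parsed, "10.20.0.1", 8088))  # nothing allows 8088: append
```

Inserting at position 1 as the text does is always safe; the function only shows that the real requirement is "before the first allow that this source could match", and that a deny for a port nothing allows yet can simply be appended.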
After the above configuration, the file /lib/ufw/user.rules contains something like the following:
### tuple ### deny any 22 10.20.0.130 any 10.20.0.1 in
-A ufw-user-input -p tcp -d 10.20.0.130 --dport 22 -s 10.20.0.1 -j DROP
-A ufw-user-input -p udp -d 10.20.0.130 --dport 22 -s 10.20.0.1 -j DROP
### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
The comment lines starting with ### tuple ### are what let ufw recognise the rules it added itself; the -A lines beneath them are ordinary iptables syntax in the ufw-user-input chain. That is why the same rules can also be written by hand with the iptables command. Note that rules added that way are invisible to ufw status and are lost when the firewall is reloaded (ufw reload or a reboot), because ufw rebuilds its chains from its own rule files.
For example:
iptables -I ufw-user-input -p tcp -d 10.20.0.130 --dport 22 -s 10.20.0.1 -j DROP
iptables -I ufw-user-input -p udp -d 10.20.0.130 --dport 22 -s 10.20.0.1 -j DROP
iptables -A ufw-user-input -p tcp --dport 22 -j ACCEPT
The two DROP rules are inserted at the head of the chain with -I and the ACCEPT is appended with -A, so the deny rules come first whichever order you run the commands in. Running all three with -I would leave the ACCEPT at the top of the chain and the deny rules would never match; check the result with iptables -L ufw-user-input -n --line-numbers.
Why can they be written by hand? Enable UFW and then run iptables-save; its output contains the following:
-A ufw-user-input -s 10.20.0.1/32 -d 10.20.0.130/32 -p tcp -m tcp --dport 22 -j DROP
-A ufw-user-input -s 10.20.0.1/32 -d 10.20.0.130/32 -p udp -m udp --dport 22 -j DROP
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
From this it is clear that the output has the same format as the /etc/sysconfig/iptables file on CentOS: both are iptables-save syntax, and the rules in each chain are evaluated from top to bottom.
In one sentence: deny first, allow afterwards. The deny rule must be inserted before the allow rule; if it sits below the allow, the allow matches first and the deny never gets a chance to take effect.
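Both cases above, the CentOS ACCEPT appended below the catch-all REJECT and the UFW deny placed after the allow, are the same first-match problem. The following Python is an added example, not code from the original post or from ufw or iptables: it walks iptables-save style rules the way netfilter does (first matching terminating rule decides, LOG is non-terminating) and also reports rules that can never fire because an earlier rule in the chain already matches everything they would match. Only the options that appear on this page are interpreted; the rule texts are constructed from the page's own examples, and the packet addresses and helper names are assumptions.

```python
"""First-match walk over iptables-save style rules, as netfilter does it.

Added example; not code from the original post or from ufw/iptables.
Only the options on the page are interpreted (-A, -s, -d, -p, --dport, -j);
-m, --state, --reject-with and similar are skipped, which is enough to show
why the position of a rule decides whether it ever fires.
"""
import ipaddress
import shlex

ANY4 = ipaddress.ip_network("0.0.0.0/0")
SKIP_WITH_ARG = {"-m", "--state", "--reject-with", "--log-prefix", "--limit"}


def parse_rule(line):
    """One '-A CHAIN ... -j TARGET' line -> dict; None for comments/policies."""
    line = line.strip()
    if not line or line[0] in "#:*":
        return None
    toks = shlex.split(line)
    rule = {"chain": None, "src": ANY4, "dst": ANY4, "proto": None,
            "dport": None, "target": None, "text": line}
    i = 0
    while i < len(toks):
        t = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if t == "-A":
            rule["chain"] = arg
        elif t == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif t == "-d":
            rule["dst"] = ipaddress.ip_network(arg, strict=False)
        elif t == "-p":
            rule["proto"] = arg.lower()
        elif t == "--dport":
            rule["dport"] = int(arg)
        elif t == "-j":
            rule["target"] = arg.upper()
        elif t not in SKIP_WITH_ARG:
            i += 1          # token without an argument (e.g. COMMIT): step over it
            continue
        i += 2
    return rule


def load_rules(text):
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r and r["chain"]]


def matches(rule, pkt):
    """Does the match part of this rule cover the packet?"""
    return (ipaddress.ip_address(pkt["src"]) in rule["src"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["dport"] is None or rule["dport"] == pkt.get("dport")))


def first_match(rules, chain, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom; the first terminating hit decides.

    Returns (rule index, verdict), or (None, policy) when nothing matched.
    """
    for i, r in enumerate(rules):
        if r["chain"] == chain and matches(r, pkt) and r["target"] != "LOG":
            return i, r["target"]
    return None, policy


def covers(a, b):
    """True when every packet matched by rule b is also matched by rule a."""
    return (b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and (a["proto"] is None or a["proto"] == b["proto"])
            and (a["dport"] is None or a["dport"] == b["dport"]))


def shadowed(rules, chain):
    """Indices of rules that can never fire: an earlier terminating rule in
    the same chain already matches everything they would match."""
    out = []
    chain_rules = [(i, r) for i, r in enumerate(rules) if r["chain"] == chain]
    for n, (i, r) in enumerate(chain_rules):
        if any(e["target"] != "LOG" and covers(e, r) for _, e in chain_rules[:n]):
            out.append(i)
    return out


# Constructed samples in iptables-save form, taken from the cases in the text.
CENTOS_APPENDED = """
:INPUT ACCEPT [0:0]
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8088 -j ACCEPT
"""
CENTOS_INSERTED = """
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8088 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
UFW_DENY_FIRST = """
-A ufw-user-input -s 10.20.0.1/32 -d 10.20.0.130/32 -p tcp -m tcp --dport 22 -j DROP
-A ufw-user-input -s 10.20.0.1/32 -d 10.20.0.130/32 -p udp -m udp --dport 22 -j DROP
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
"""
UFW_ALLOW_FIRST = """
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -s 10.20.0.1/32 -d 10.20.0.130/32 -p tcp -m tcp --dport 22 -j DROP
-A ufw-user-input -s 10.20.0.1/32 -d 10.20.0.130/32 -p udp -m udp --dport 22 -j DROP
"""
# Constructed packets; the client address 192.0.2.10 is an assumption.
PKT_8088 = {"src": "192.0.2.10", "dst": "10.20.0.130", "proto": "tcp", "dport": 8088}
PKT_BLOCKED = {"src": "10.20.0.1", "dst": "10.20.0.130", "proto": "tcp", "dport": 22}
PKT_OTHER = {"src": "10.20.0.2", "dst": "10.20.0.130", "proto": "tcp", "dport": 22}


def verdict(text, chain, pkt, policy="ACCEPT"):
    return first_match(load_rules(text), chain, pkt, policy)[1]


if __name__ == "__main__":
    print("8088 appended below REJECT:", verdict(CENTOS_APPENDED, "INPUT", PKT_8088))
    print("8088 inserted above REJECT:", verdict(CENTOS_INSERTED, "INPUT", PKT_8088))
    print("10.20.0.1 with deny first:", verdict(UFW_DENY_FIRST, "ufw-user-input", PKT_BLOCKED))
    print("10.20.0.1 with allow first:", verdict(UFW_ALLOW_FIRST, "ufw-user-input", PKT_BLOCKED))
    print("shadowed when allow first:", shadowed(load_rules(UFW_ALLOW_FIRST), "ufw-user-input"))
```

The shadow check is deliberately conservative: it only flags a rule when an earlier rule's source, destination, protocol and port all contain its own, so the udp DROP in the allow-first ruleset is not flagged (nothing allows udp/22), while the tcp DROP is. Feeding it the output of iptables-save after a change is a quick way to catch exactly the mistake this article is about.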
This text is not especially detailed, but it should be enlightening; I hope that when a deny rule you set through UFW does not take effect, you will remember this article.
--------------------------------------------------------------------------------
References and further material:
Cisco, Configuring IP Access Lists: http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#acl
Apache httpd 2.2, Access Control: http://httpd.apache.org/docs/2.2/howto/access.html
Apache httpd 2.4, Access Control: http://httpd.apache.org/docs/2.4/howto/access.html
Apache httpd, Access Control, Order directive: http://httpd.apache.org/docs/2.4/mod/mod_access_compat.html#order
Tags: Ubuntu UFW usage, UFW rule invalid, Ubuntu configure firewall, Ubuntu UFW principle, Ubuntu UFW rule order
--end--
This article is from the blog "Communication, My Favorites"; please keep this source: http://dgd2010.blog.51cto.com/1539422/1697519
Ubuntu UFW Firewall Rule order problem