Ubuntuufw firewall rule sequence Problems

This document uses Ubuntu14.04 as an example to explain the ufw firewall rule sequence. ------------------------------ Here we should use the split line elegantly -------------------------------- let's talk about the principle first and then talk about it! Access Control (AccessControl) is available in Linux and many other software systems, such as firewall in the system and ACL (AccessCon) in Ciscoios.

This article uses Ubuntu 14.04 as an example to explain the ufw firewall rule sequence.

------------------------------ Here we should use the split line elegantly --------------------------------

Let's talk about the principle first!

In Linux and many other software systems, the Access Control function is available, such as the firewall in the system, the Access Control Lists in Cisco ios, And the Access Module in the Web server. In some access control implementations, some access control functions are related to the sequence. For example, all other hosts are prohibited from accessing the local port but one host is allowed to access the local port, you can also allow all hosts to access the local port, but prohibit a host from accessing the local port. This example can be easily reflected in netfilter iptables and Apache httpd 2.2. Here we will focus on Ubuntu ufw.

First, we need to correct it for most people. ufw is not a firewall. Although it is called Ubuntu firewall, it does not have the firewall function. It is just a tool for managing the netfilter firewall, the core is the iptables of netfilter. This is easy to find in ufw man that ufw is a program for managing netfilter. This tool aims to help users simplify the complex use of iptables.

Before talking about Ubuntu ufw, let's talk about iptables in CentOS. In CentOS, iptables Rules read the configuration from top to bottom in a file (/etc/sysconfig/iptables, the latter rule can overwrite the previous rule. For example, there are two denial rules under the default rule:

-A input-j REJECT -- reject-with icmp-host-prohibited

-A forward-j REJECT -- reject-with icmp-host-prohibited

The two rules mean to reject other packets that do not comply with the rules and send an icmp host prohibited message to the rejected host. These two rules can be considered as a supplement to the default rules by iptables, because before these default rules, there are rules such as input accept [0: 0], which indicate that all rules are allowed by default.

So what exactly do we need to express? I don't know if this is the case. In CentOS, inserting a rule directly using the iptables command does not work because it is inserted to the REJECT rule by default? For example, if "iptables-a input-p tcp-m state -- state NEW-m tcp -- dport 8088-j ACCEPT" is executed, the reason is that it is inserted under "-a input-j REJECT -- reject-with icmp-host-prohibited". To work well, it must be inserted before it, for example, Run "iptables-I INPUT-p tcp-m state -- state NEW-m tcp -- dport 8088-j ACCEPT", so that it will be added to the frontend of the INPUT chain, it also plays an expected role.

Now let's talk about Ubuntu ufw. Ubuntu ufw is a bit strange. It is always like the Ubuntu system, like everything embedded ded, even though ufw is not a simple embedded ded, ufw has made some script-like things and a bunch of related files, which are called ufw-framework. You can view its introduction Information and Related Files Through man ufw-framework, we can see that it is not run as a common service but as a script (for example, a standard SysV style initscript used by the ufw command mentioned in man ), if you want to study it in depth, you can take a look at man page and relevant documents and materials.

We should continue to emphasize how ufw is used. First of all, it should be noted that Ubuntu is a very unfriendly System for engineers. It only loves its developers. After all, it is developed by developers, therefore, many engineers like me do not like Ubuntu, but many developers choose Ubuntu because it looks simple and easy to use. Here is a passage I have mentioned: "If you want to select a release version for your Linux, do not select Ubuntu in any way, if you have to choose Ubuntu, you must also select 12.xx( precise), instead of 14.xx( trusty), and do not upgrade to trusty. Ubuntu14.xx was good before, and 14. xx had many pitfalls. This is a bit like CentOS7, mostly because of systemd. For the sins of systemd, refer to the following articles,

CentOS7/RHEL7 systemd detailed http://www.linuxidc.com/Linux/2015-04/115937.htm

Why is systemd so quickly adopted? Http://www.linuxidc.com/Linux/2014-08/105789.htm

Systemd and sysVinit Color comparison table http://www.linuxidc.com/Linux/2014-09/106455.htm

So useful! Run the systemd command to manage the Linux system! Http://www.linuxidc.com/Linux/2014-09/106490.htm

Linux init system initialization, Part 1: Systemd http://www.linuxidc.com/Linux/2014-12/110383.htm

------------------------------ Here we should use the split line elegantly --------------------------------

Finally, it is time to briefly introduce how ufw can be used. This article only talks about sequence issues, but does not about syntax issues. You can query man pages or other wonderful articles by yourself. Here, we will only talk about some other things that have gained experience from the actual production environment and multiple tests.

Iptables uses-A and-I to distinguish between insertion and addition. ufw also has the same configuration file as iptables (this file is/lib/ufw/user. rules. This file records user-defined rules like the/etc/sysconfig/iptables file in CentOS. You can view the specific content and syntax.

Here, we use ssh default port 22 as an example to list an example of allowing all hosts to access port 22 of the local machine but disabling a host (10.20.0.1) to access port 22.

If you configure the ufw firewall for the first time, you can do this:

Sudo ufw reset # reset Firewall

Sudo ufw enable # enable Firewall

Sudo ufw default reject # configure default rules and reject

Sudo ufw deny from 10.20.0.1 # deny access from an IP address, or execute sudo ufw deny from 10.20.0.1 to 10.20.0.130 port 22

Sudo ufw allow 22/tcp # allow all hosts to access port 22

Sudo ufw status # view ufw status

If the ufw has been configured and the rules already exist, do the following:

Sudo ufw status numbered # Check the ufw status in the numerical order. Note that you do not need to worry about the ufw status with v6.

Sudo ufw insert 1 deny from 10.20.0.1 # or sudo ufw insert 1 deny from 10.20.0.1 to 10.20.0.130 port 22

Sudo ufw allow 22/tcp

Sudo ufw status

After the above configuration, the/lib/ufw/user. rules file will be shown as follows:

### Tuple ### deny any 22 10.20.0.130 any 10.20.0.1 in

-A ufw-user-input-p tcp-d 10.20.0.130 -- dport 22-s 10.20.0.1-j DROP

-A ufw-user-input-p udp-d 10.20.0.130 -- dport 22-s 10.20.0.1-j DROP

### Tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in

-A ufw-user-input-p tcp -- dport 22-j ACCEPT

The preceding ### annotations enable ufw to correctly identify the rules added using the ufw command. You can manually rewrite the rules using the iptables command. Therefore, such a rule can be added through commands.

For example:

Iptables-I ufw-user-input-p tcp-d 10.20.0.130 -- dport 22-s 10.20.0.1-j DROP

Iptables-I ufw-user-input-p udp-d 10.20.0.130 -- dport 22-s 10.20.0.1-j DROP

Iptables-I ufw-user-input-p tcp -- dport 22-j ACCEPT

Why can I manually rewrite it? You can run the iptables-save command to view the cause:

-A ufw-user-input-s 10.20.0.1/32-d 10.20.0.130/32-p tcp-m tcp -- dport 22-j DROP

-A ufw-user-input-s 10.20.0.1/32-d 10.20.0.130/32-p udp-m udp -- dport 22-j DROP

-A ufw-user-input-p tcp-m tcp -- dport 22-j ACCEPT

-A ufw-user-limit-m limit -- limit 3/min-j LOG -- log-prefix "[ufw limit block]"

-A ufw-user-limit-j REJECT -- reject-with icmp-port-unreachable

-A ufw-user-limit-accept-j ACCEPT

Through this piece of information, we can find that this is actually the same as the/etc/sysconfig/iptables file.

In a simple statement, it is to insert the deny rule first, then allow, and deny rule to the front of the allow rule so that the rule can be disabled.

This article is not particularly detailed, but it is definitely helpful. I hope you will remember this article when setting deny rules using ufw, haha.

------------------------------ Here we should use the split line elegantly --------------------------------

Some available references or materials:

Cisco login ing IP Access Lists http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#acl

Apache httpd 2.2 Access Control http://httpd.apache.org/docs/2.2/howto/access.html

Apache httpd 2.4 Access Control http://httpd.apache.org/docs/2.4/howto/access.html

Apache httpd Access Control-Order http://httpd.apache.org/docs/2.4/mod/mod_access_compat.html#order

Tag: Ubuntu ufw usage. ufw rules are invalid. Ubuntu configures the firewall, Ubuntu ufw principles, and Ubuntu ufw rules.

-- End --

For more information about Ubuntu, see Ubuntu special page http://www.linuxidc.com/topicnews.aspx? Tid = 2

This article permanently updates the link address: Http://www.linuxidc.com/Linux/2015-11/125110.htm