1 Introduction

In this exercise we will see examples of how to set up simple host protection using ufw to configure the iptables firewall.

2 Notes

Become root first; commands shown with a "#" prompt are run as root:

$ sudo -s
# 

This exercise requires the Apache daemon to be running. If you disabled it in a previous exercise, please start it up by issuing the following command:

# service apache2 start

3 Installation

# apt-get install ufw

This will install iptables as a dependency if it is not already installed.

3.1 Check initial state

# ufw status
Status: inactive

# iptables -L -n -v
Chain INPUT (policy ACCEPT 44579 packets, 8596K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 52080 packets, 4315K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 25720 packets, 2713K bytes)
 pkts bytes target     prot opt in     out     source               destination

The iptables output shows that the firewall is "permit everything" - there are no rules in any of the chains, and the "policy" of ACCEPT is the default if no rule matches.

3.2 Prepare to enable

When we enable the firewall, it's important we don't block ssh or we could lock ourselves out!

ufw may already know about some applications, including OpenSSH, so we can just apply the rule it knows about.

# ufw app list
Available applications:
  Apache
  Apache Full
  Apache Secure
  OpenSSH

# ufw allow OpenSSH
Rules updated
Rules updated (v6)

This policy allows SSH from any IP address. If that's not what you want, you could have added a more specific rule by hand.

4 Enable firewall

Now let's go ahead and enable the firewall:

# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

# ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)

If you like, you can check the iptables ruleset again:

# iptables -L -n -v

... but this shows a long configuration over multiple screens. Buried in this you may be able to locate the rule which actually permits ssh:

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* 'dapp_OpenSSH' */

"ufw status" is much easier!

5 Allowing web

Try connecting to your host using a web browser. What happens? You should find that the connection times out, as the packets are being dropped.

Let's say we want to allow web connections only from machines on the classroom network. To do this, add a rule which permits connections from classroom addresses (any port) to any IP address on the web ports.

# ufw allow proto tcp from 10.10.0.0/16 to any port 80,443
Rule added
# ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
80,443/tcp                 ALLOW       10.10.0.0/16
OpenSSH (v6)               ALLOW       Anywhere (v6)

Are you now able to access your host using your web browser?

5.1 Deleting a rule

There are two ways you can delete a rule. It is possible to repeat the whole rule with "delete", e.g. ufw delete allow proto tcp from 10.10.0.0/16 to any port 80,443

However a simpler way is to delete a rule based on its position. Do the following to delete your web access rule:

# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    ALLOW IN    Anywhere
[ 2] 80,443/tcp                 ALLOW IN    10.10.0.0/16
[ 3] OpenSSH (v6)               ALLOW IN    Anywhere (v6)

# ufw delete 2
Deleting:
 allow from 10.10.0.0/16 to any port 80,443 proto tcp
Proceed with operation (y|n)? y
Rule deleted
# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    ALLOW IN    Anywhere
[ 2] OpenSSH (v6)               ALLOW IN    Anywhere (v6)
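Deleting by position is convenient, but the numbers shift every time a rule is removed, so a script should look the number up from a fresh "ufw status numbered" before each delete. The helper below, added here as an example and not part of the original lab, parses that output (a constructed sample is embedded so it runs without ufw) to find the rule number for an exact To/From pair; ufw_delete_matching is a hypothetical wrapper that feeds the result to ufw delete.

```shell
#!/bin/sh
# Constructed sample of "ufw status numbered" output (not captured from a real host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    ALLOW IN    Anywhere
[ 2] 80,443/tcp                 ALLOW IN    10.10.0.0/16
[ 3] OpenSSH (v6)               ALLOW IN    Anywhere (v6)'

# ufw_rule_number STATUS_TEXT TO FROM
# Prints the [N] index of the first rule whose To and From columns match exactly;
# prints nothing and returns 1 when no rule matches.
ufw_rule_number() {
    printf '%s\n' "$1" | awk -v to="$2" -v from="$3" '
        /^\[ *[0-9]+\]/ {
            n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n)   # the rule number
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)        # To / Action / From
            split(rest, cols, /  +/)                           # columns: 2+ spaces apart
            if (cols[1] == to && cols[3] == from) { print n; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# ufw_delete_matching TO FROM (hypothetical wrapper; needs root and a live ufw)
# Re-reads the numbered status so the index is current, then deletes that rule.
ufw_delete_matching() {
    n=$(ufw_rule_number "$(ufw status numbered)" "$1" "$2") || {
        echo "no rule matching To='$1' From='$2'" >&2; return 1; }
    ufw --force delete "$n"
}
```

On the sample above, ufw_rule_number "$SAMPLE_STATUS" '80,443/tcp' '10.10.0.0/16' prints 2, the same index the lab deleted by hand.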

5.2 Allowing web from one host

Exercise: add a rule which allows web access just from your own laptop's IP address. You should be able to work out how to do this!

Check that your laptop is able to access your webserver, but your neighbor's laptop cannot.

6 Disable ufw

Finally, turn off ufw completely. This is useful for debugging problems, and for our labs we want to make sure that ufw is not going to get in the way of any other exercises.

# ufw disable
Firewall stopped and disabled on system startup
# ufw status
Status: inactive

If you are in a root shell, type "exit" to return to your normal user shell.