Ubuntu Reference Guide

© 2011 William Hall

Security\UFW

Ubuntu and other Linux distributions have always used iptables to control network access to your computer, i.e. as a firewall. Various tools exist to help configure iptables, because it is very difficult to configure directly. As of Ubuntu 8.04, Ubuntu ships with a basic configuration tool called ufw. ufw is disabled by default and can only be used from a terminal.

The following should be done in a terminal on the computer itself, not from another computer over SSH (PuTTY), so that you don't accidentally lock yourself out. Nothing stops you from doing it over SSH; just think carefully about what you are doing.

The first step is to set the default policy to block everything.

$ sudo ufw enable
$ sudo ufw default deny

Now you can create rules that allow access on certain ports only. The following information lets you enable the Apache web server, SSH (PuTTY) and Samba. Officially, rules are added and deleted using the following syntax: | indicates a choice between two options, [ ] marks optional parts of the syntax, and in the < > you enter either your own value or "any".

$ sudo ufw allow|deny [proto <protocol>] [from <address> [port <port>]] [to <address> [port <port>]]

Unofficially, shorter rules are allowed.

$ sudo ufw allow|deny <port>

Or

$ sudo ufw allow|deny <port>/<protocol>

In this case we could use the shorter syntax, but the longer syntax enables more security because it lets us restrict the source address: we can limit access to within our own network by using 192.168.1.0/24 or whatever is appropriate (or 192.168.0.0/16). Rules are deleted using "sudo ufw delete" followed by the rule you wish to delete.

When Nautilus browses the network, it receives replies on a random port. To receive them, it is critical that you allow all incoming traffic from your local subnet. This is done with the following command.

$ sudo ufw allow from 192.168.1.0/24 to any

If you will not use Nautilus to browse the network and connect to shares on the fly, use the following commands to lock down your server further. (Mounting shares properly via fstab does not involve Nautilus.) In this case, open only the following ports and protocols:

$ sudo ufw allow proto tcp from 192.168.1.0/24 to any port 139
$ sudo ufw allow proto tcp from 192.168.1.0/24 to any port 445
$ sudo ufw allow proto udp from 192.168.1.0/24 to any port 137
$ sudo ufw allow proto udp from 192.168.1.0/24 to any port 138

It is probably better practice not to use specific IP ranges, since access from other ranges would then be blocked, so the rules below use "any" instead. These rules are also better suited to web servers.

SSH uses port 22 and the web typically uses port 80, both over TCP. The following commands enable them.

$ sudo ufw allow proto tcp from any to any port 22
$ sudo ufw allow proto tcp from any to any port 80

The firewall's status and all current rules can be viewed with the following command.

$ sudo ufw status
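The whole procedure above, collected into one script as an added example (not from the original guide): it validates the subnet before any rule is written, allows SSH before the firewall is enabled so that the default-deny policy cannot cut off the session running it, and has a DRY_RUN mode that prints the commands instead of running them. The function names, the DRY_RUN variable and the --force flag on enable are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the original guide: apply the page's ufw rule set in
# one step. DRY_RUN=1 prints the commands instead of running them, so the rule
# set can be reviewed without root or ufw. First argument: the local subnet.

# Run one ufw command, or in dry-run mode print it.
ufw_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf 'sudo ufw %s\n' "$*"
    else sudo ufw "$@"; fi
}

# Accept only a dotted-quad/prefix CIDR such as 192.168.1.0/24; ufw rejects
# most typos, but a wrong-yet-valid range silently opens the wrong hosts.
validate_cidr() {
    case "$1" in
        *[!0-9./]*|*/*/*|/*|*/|.*|*..*|*./*) return 1 ;;
    esac
    ip=${1%/*}; prefix=${1#*/}
    [ "$ip" != "$1" ] || return 1                       # no slash at all
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -ge 0 ] 2>/dev/null && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The page's rules: SSH and HTTP from anywhere, Samba only from the local
# subnet. SSH is allowed before 'enable' so a session used to run this script
# is not cut off when the default-deny policy takes effect.
apply_rules() {
    subnet=$1
    validate_cidr "$subnet" || { echo "invalid subnet: $subnet" >&2; return 1; }
    ufw_cmd default deny
    ufw_cmd allow proto tcp from any to any port 22
    ufw_cmd allow proto tcp from any to any port 80
    for p in 139 445; do ufw_cmd allow proto tcp from "$subnet" to any port "$p"; done
    for p in 137 138; do ufw_cmd allow proto udp from "$subnet" to any port "$p"; done
    ufw_cmd --force enable      # --force skips the "may disrupt ssh" prompt
    ufw_cmd status verbose
}

if [ $# -eq 1 ]; then apply_rules "$1"; fi
```

Run it once with DRY_RUN=1 to read the generated commands, then without it to apply them.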