In principle, configuring a firewall on Linux is a real challenge. For a firewall to be effective, it takes extensive knowledge and a very careful assessment of the specific needs. In return you get the best possible protection. Unfortunately I am no great expert, and although I have read a lot about iptables on the internet, I have gotten nowhere. Luckily there is more than one or two programs that help with writing iptables rules, but they too take a lot of time to learn, and afterwards they are forgotten very quickly. In my particular case that does not satisfy me. That is how I came across ufw. There, things on the surface are easy and are remembered just as easily.
For a basic firewall setup, basic commands:
# ufw status - check the current state. In my case the result was:
Status: inactive
Add a complete deny for external access:
# ufw default deny
Add an exception for SSH:
# ufw allow 22
Add an exception for Apache:
# ufw allow 80
And enable the firewall:
# ufw enable
And now the result, as shown by ufw status verbose:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
This shows that the firewall is active, that it writes only important events to the log file, that all outgoing traffic is allowed, and that incoming traffic is denied except for ports 22 and 80.
On busy servers we can turn off writing to the log files:
# ufw logging off
and so on.
And for dessert, the result in iptables of these 4-5 commands:
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
Chain ufw-after-logging-input (1 references)
target prot opt source destination
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere state INVALID
DROP all -- anywhere anywhere state INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT all -- BASE-ADDRESS.MCAST.NET/4 anywhere
ACCEPT all -- anywhere BASE-ADDRESS.MCAST.NET/4
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
Chain ufw-logging-deny (2 references)
target prot opt source destination
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere state NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT udp -- anywhere anywhere udp dpt:www
Chain ufw-user-limit (0 references)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain ufw-user-logging-input (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain ufw-user-logging-output (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain ufw-user-output (1 references)
target prot opt source destination
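
The ufw-user-input chain above holds both a tcp and a udp ACCEPT for ssh and www, because ufw allow 22 and ufw allow 80 name no protocol. The script below is an added example, not part of the original post: it reads ufw status text and lists every ALLOW rule written that way. The function names audit_ufw_status and sample_status are made up for this example, and the 443/tcp and (v6) rows in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): list ufw ALLOW rules that were
# written without a protocol and are therefore open on both TCP and UDP.

# Reads `ufw status` or `ufw status verbose` text on stdin.
audit_ufw_status() {
    awk '
        # IPv6 rows carry "(v6)" markers; strip them and remember the family.
        { fam = gsub(/ *\(v6\)/, "") ? "IPv6" : "IPv4" }
        # Rule rows start with a port number; status and header lines do not.
        $1 ~ /^[0-9]+/ && $2 == "ALLOW" {
            # verbose output puts a direction word (IN/OUT) before the source
            from = ($3 == "IN" || $3 == "OUT") ? $4 : $3
            # a rule such as 22/tcp contains a slash; a bare 22 does not
            if (index($1, "/") == 0)
                printf "%s (%s) from %s: no protocol in rule, open on tcp and udp\n", $1, fam, from
        }
    '
}

# The status output from this post, plus two constructed rows (443/tcp and
# the v6 row) so the protocol-qualified and IPv6 cases are exercised too.
sample_status() {
    cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
EOF
}

sample_status | audit_ufw_status
```

On a live host the same check is `ufw status verbose | audit_ufw_status`; a rule added as ufw allow 22/tcp shows up as 22/tcp in the status output and is not flagged.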