ufw - program for managing a netfilter firewall

Web、Mail、Ftp、DNS、Proxy、VPN、Samba、LDAP 等基础网络服务
回复
neo.chan
帖子: 23
注册时间: 2008-10-09 21:41
来自: 深圳
联系:

ufw - program for managing a netfilter firewall

#1

帖子 neo.chan » 2008-10-31 21:27

Netkiller Linux 手札
Debian/Ubuntu Cookbook
Neo Chan



中国广东省深圳市宝安区龙华镇
518109
+86 755 29812080
+86 755 29812080
<openunix@163.com>
文档出处
http://netkiller.8800.org/
http://netkiller.hikz.com/
http://netkiller.mefound.com

版权 © 2006, 2007, 2008 Netkiller(Neo Chan). All rights reserved.

版权声明

你可以任意转载,转载请与作者联系,转载时请务必标明文章原始出处和作者信息及本声明。

文档最近一次更新于 Fri Oct 31 13:07:29 UTC 2008

对初学Linux的爱好者忠告

玩Linux最忌reboot(重新启动)这是windows玩家坏习惯

Linux 只要接上电源你就不要再想用reboot,shutdown,halt,poweroff命令,Linux系统和应用软件一般备有 reload,reconfigure,restart/start/stop...不需要安装软件或配置服务器后使用reboot重新引导计算机

在 Linux系统里SIGHUP信号被定义为刷新配置文件,有些程序没有提供reload参数,你可以给进程发送HUP信号,让它刷新配置文件,而不用 restart.通过pkill,killall,kill 都可以发送HUP信号例如: pkill -HUP httpd


ufw - program for managing a netfilter firewall

1.

Installation

sudo apt-get install ufw
2.

Enable | Disable

sudo ufw enable | disable

neo@master:~$ sudo ufw enable
Firewall started and enabled on system startup


3.

Default Rule

sudo ufw default deny

sudo ufw default allow

neo@master:~$ sudo ufw default deny
Default policy changed to 'deny'
(be sure to update your rules accordingly)


4.

Rule Allow|Deny

sudo ufw allow|deny [service]

打开或关闭某个端口,例如:


sudo ufw allow smtp  允许所有的外部IP访问本机的25/tcp (smtp)端口
sudo ufw allow 22/tcp 允许所有的外部IP访问本机的22/tcp (ssh)端口
sudo ufw allow 53 允许外部访问53端口(tcp/udp)
sudo ufw allow from 172.16.1.100 允许此IP访问所有的本机端口
sudo ufw allow proto udp 192.168.0.1 port 53 to 192.168.0.2 port 53
sudo ufw deny smtp 禁止外部访问smtp服务
sudo ufw delete allow smtp 删除上面建立的某条规则

UFW 使用范例


UFW 使用范例:

允许 53 端口

$ sudo ufw allow 53

禁用 53 端口

$ sudo ufw delete allow 53

允许 80 端口

$ sudo ufw allow 80/tcp

禁用 80 端口

$ sudo ufw delete allow 80/tcp

允许 smtp 端口

$ sudo ufw allow smtp

删除 smtp 端口的许可

$ sudo ufw delete allow smtp

允许某特定 IP

$ sudo ufw allow from 192.168.254.254

删除上面的规则

$ sudo ufw delete allow from 192.168.254.254

$ sudo ufw allow ssh
$ sudo ufw allow www
$ sudo ufw allow smtp

neo@master:~$ sudo ufw allow ssh
Rule added


5.

Status

sudo ufw status

neo@master:~$ sudo ufw allow www
Rule added
neo@master:~$ sudo ufw status
Firewall loaded

To Action From
-- ------ ----
25:tcp ALLOW Anywhere
22:tcp ALLOW Anywhere
22:udp ALLOW Anywhere
80:tcp ALLOW Anywhere
80:udp ALLOW Anywhere


6.

Rule Delete

sudo ufw delete allow|deny RULE

neo@master:~$ sudo ufw status
Firewall loaded

To Action From
-- ------ ----
25:tcp ALLOW Anywhere
22:tcp ALLOW Anywhere
22:udp ALLOW Anywhere
80:tcp ALLOW Anywhere
80:udp ALLOW Anywhere

neo@master:~$ sudo ufw delete allow smtp
Rule deleted
neo@master:~$ sudo ufw status
Firewall loaded

To Action From
-- ------ ----
22:tcp ALLOW Anywhere
22:udp ALLOW Anywhere
80:tcp ALLOW Anywhere
80:udp ALLOW Anywhere



7.

logging

sudo ufw logging on|off

neo@master:~$ sudo ufw logging ON
Logging enabled


8.

iptales

neo@master:~$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere

Chain ufw-after-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK FORWARD]: '
RETURN all -- anywhere anywhere

Chain ufw-after-input (1 references)
target prot opt source destination
RETURN udp -- anywhere anywhere udp dpt:netbios-ns
RETURN udp -- anywhere anywhere udp dpt:netbios-dgm
RETURN tcp -- anywhere anywhere tcp dpt:netbios-ssn
RETURN tcp -- anywhere anywhere tcp dpt:microsoft-ds
RETURN udp -- anywhere anywhere udp dpt:bootps
RETURN udp -- anywhere anywhere udp dpt:bootpc
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK INPUT]: '
RETURN all -- anywhere anywhere

Chain ufw-after-output (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain ufw-before-forward (1 references)
target prot opt source destination
ufw-user-forward all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT all -- base-address.mcast.net/4 anywhere
ACCEPT all -- anywhere base-address.mcast.net/4
ufw-user-input all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK NOT-TO-ME]: '
DROP all -- anywhere anywhere

Chain ufw-user-forward (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT udp -- anywhere anywhere udp dpt:www
RETURN all -- anywhere anywhere

Chain ufw-user-output (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
回复