ufw - program for managing a netfilter firewall
发表于 : 2008-10-31 21:27
Netkiller Linux 手札
Debian/Ubuntu Cookbook
Neo Chan
中国广东省深圳市宝安区龙华镇
518109
+86 755 29812080
+86 755 29812080
<openunix@163.com>
文档出处
http://netkiller.8800.org/
http://netkiller.hikz.com/
http://netkiller.mefound.com
版权 © 2006, 2007, 2008 Netkiller(Neo Chan). All rights reserved.
版权声明
你可以任意转载,转载请与作者联系,转载时请务必标明文章原始出处和作者信息及本声明。
文档最近一次更新于 Fri Oct 31 13:07:29 UTC 2008
对初学Linux的爱好者忠告
玩Linux最忌reboot(重新启动)这是windows玩家坏习惯
Linux 只要接上电源你就不要再想用reboot,shutdown,halt,poweroff命令,Linux系统和应用软件一般备有 reload,reconfigure,restart/start/stop...不需要安装软件或配置服务器后使用reboot重新引导计算机
在 Linux系统里SIGHUP信号被定义为刷新配置文件,有些程序没有提供reload参数,你可以给进程发送HUP信号,让它刷新配置文件,而不用 restart.通过pkill,killall,kill 都可以发送HUP信号例如: pkill -HUP httpd
ufw - program for managing a netfilter firewall
1.
Installation
sudo apt-get install ufw
2.
Enable | Disable
sudo ufw enable | disable
neo@master:~$ sudo ufw enable
Firewall started and enabled on system startup
3.
Default Rule
sudo ufw default deny
sudo ufw default allow
neo@master:~$ sudo ufw default deny
Default policy changed to 'deny'
(be sure to update your rules accordingly)
4.
Rule Allow|Deny
sudo ufw allow|deny [service]
打开或关闭某个端口,例如:
sudo ufw allow smtp 允许所有的外部IP访问本机的25/tcp (smtp)端口
sudo ufw allow 22/tcp 允许所有的外部IP访问本机的22/tcp (ssh)端口
sudo ufw allow 53 允许外部访问53端口(tcp/udp)
sudo ufw allow from 172.16.1.100 允许此IP访问所有的本机端口
sudo ufw allow proto udp 192.168.0.1 port 53 to 192.168.0.2 port 53
sudo ufw deny smtp 禁止外部访问smtp服务
sudo ufw delete allow smtp 删除上面建立的某条规则
UFW 使用范例
UFW 使用范例:
允许 53 端口
$ sudo ufw allow 53
禁用 53 端口
$ sudo ufw delete allow 53
允许 80 端口
$ sudo ufw allow 80/tcp
禁用 80 端口
$ sudo ufw delete allow 80/tcp
允许 smtp 端口
$ sudo ufw allow smtp
删除 smtp 端口的许可
$ sudo ufw delete allow smtp
允许某特定 IP
$ sudo ufw allow from 192.168.254.254
删除上面的规则
$ sudo ufw delete allow from 192.168.254.254
$ sudo ufw allow ssh
$ sudo ufw allow www
$ sudo ufw allow smtp
neo@master:~$ sudo ufw allow ssh
Rule added
5.
Status
sudo ufw status
neo@master:~$ sudo ufw allow www
Rule added
neo@master:~$ sudo ufw status
Firewall loaded
To Action From
-- ------ ----
25:tcp ALLOW Anywhere
22:tcp ALLOW Anywhere
22:udp ALLOW Anywhere
80:tcp ALLOW Anywhere
80:udp ALLOW Anywhere
6.
Rule Delete
sudo ufw delete allow|deny RULE
neo@master:~$ sudo ufw status
Firewall loaded
To Action From
-- ------ ----
25:tcp ALLOW Anywhere
22:tcp ALLOW Anywhere
22:udp ALLOW Anywhere
80:tcp ALLOW Anywhere
80:udp ALLOW Anywhere
neo@master:~$ sudo ufw delete allow smtp
Rule deleted
neo@master:~$ sudo ufw status
Firewall loaded
To Action From
-- ------ ----
22:tcp ALLOW Anywhere
22:udp ALLOW Anywhere
80:tcp ALLOW Anywhere
80:udp ALLOW Anywhere
7.
logging
sudo ufw logging on|off
neo@master:~$ sudo ufw logging ON
Logging enabled
8.
iptales
neo@master:~$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK FORWARD]: '
RETURN all -- anywhere anywhere
Chain ufw-after-input (1 references)
target prot opt source destination
RETURN udp -- anywhere anywhere udp dpt:netbios-ns
RETURN udp -- anywhere anywhere udp dpt:netbios-dgm
RETURN tcp -- anywhere anywhere tcp dpt:netbios-ssn
RETURN tcp -- anywhere anywhere tcp dpt:microsoft-ds
RETURN udp -- anywhere anywhere udp dpt:bootps
RETURN udp -- anywhere anywhere udp dpt:bootpc
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK INPUT]: '
RETURN all -- anywhere anywhere
Chain ufw-after-output (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain ufw-before-forward (1 references)
target prot opt source destination
ufw-user-forward all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT all -- base-address.mcast.net/4 anywhere
ACCEPT all -- anywhere base-address.mcast.net/4
ufw-user-input all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK NOT-TO-ME]: '
DROP all -- anywhere anywhere
Chain ufw-user-forward (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT udp -- anywhere anywhere udp dpt:www
RETURN all -- anywhere anywhere
Chain ufw-user-output (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Debian/Ubuntu Cookbook
Neo Chan
中国广东省深圳市宝安区龙华镇
518109
+86 755 29812080
+86 755 29812080
<openunix@163.com>
文档出处
http://netkiller.8800.org/
http://netkiller.hikz.com/
http://netkiller.mefound.com
版权 © 2006, 2007, 2008 Netkiller(Neo Chan). All rights reserved.
版权声明
你可以任意转载,转载请与作者联系,转载时请务必标明文章原始出处和作者信息及本声明。
文档最近一次更新于 Fri Oct 31 13:07:29 UTC 2008
对初学Linux的爱好者忠告
玩Linux最忌reboot(重新启动)这是windows玩家坏习惯
Linux 只要接上电源你就不要再想用reboot,shutdown,halt,poweroff命令,Linux系统和应用软件一般备有 reload,reconfigure,restart/start/stop...不需要安装软件或配置服务器后使用reboot重新引导计算机
在 Linux系统里SIGHUP信号被定义为刷新配置文件,有些程序没有提供reload参数,你可以给进程发送HUP信号,让它刷新配置文件,而不用 restart.通过pkill,killall,kill 都可以发送HUP信号例如: pkill -HUP httpd
ufw - program for managing a netfilter firewall
1.
Installation
sudo apt-get install ufw
2.
Enable | Disable
sudo ufw enable | disable
neo@master:~$ sudo ufw enable
Firewall started and enabled on system startup
3.
Default Rule
sudo ufw default deny
sudo ufw default allow
neo@master:~$ sudo ufw default deny
Default policy changed to 'deny'
(be sure to update your rules accordingly)
4.
Rule Allow|Deny
sudo ufw allow|deny [service]
打开或关闭某个端口,例如:
sudo ufw allow smtp 允许所有的外部IP访问本机的25/tcp (smtp)端口
sudo ufw allow 22/tcp 允许所有的外部IP访问本机的22/tcp (ssh)端口
sudo ufw allow 53 允许外部访问53端口(tcp/udp)
sudo ufw allow from 172.16.1.100 允许此IP访问所有的本机端口
sudo ufw allow proto udp 192.168.0.1 port 53 to 192.168.0.2 port 53
sudo ufw deny smtp 禁止外部访问smtp服务
sudo ufw delete allow smtp 删除上面建立的某条规则
UFW 使用范例
UFW 使用范例:
允许 53 端口
$ sudo ufw allow 53
禁用 53 端口
$ sudo ufw delete allow 53
允许 80 端口
$ sudo ufw allow 80/tcp
禁用 80 端口
$ sudo ufw delete allow 80/tcp
允许 smtp 端口
$ sudo ufw allow smtp
删除 smtp 端口的许可
$ sudo ufw delete allow smtp
允许某特定 IP
$ sudo ufw allow from 192.168.254.254
删除上面的规则
$ sudo ufw delete allow from 192.168.254.254
$ sudo ufw allow ssh
$ sudo ufw allow www
$ sudo ufw allow smtp
neo@master:~$ sudo ufw allow ssh
Rule added
5.
Status
sudo ufw status
neo@master:~$ sudo ufw allow www
Rule added
neo@master:~$ sudo ufw status
Firewall loaded
To Action From
-- ------ ----
25:tcp ALLOW Anywhere
22:tcp ALLOW Anywhere
22:udp ALLOW Anywhere
80:tcp ALLOW Anywhere
80:udp ALLOW Anywhere
6.
Rule Delete
sudo ufw delete allow|deny RULE
neo@master:~$ sudo ufw status
Firewall loaded
To Action From
-- ------ ----
25:tcp ALLOW Anywhere
22:tcp ALLOW Anywhere
22:udp ALLOW Anywhere
80:tcp ALLOW Anywhere
80:udp ALLOW Anywhere
neo@master:~$ sudo ufw delete allow smtp
Rule deleted
neo@master:~$ sudo ufw status
Firewall loaded
To Action From
-- ------ ----
22:tcp ALLOW Anywhere
22:udp ALLOW Anywhere
80:tcp ALLOW Anywhere
80:udp ALLOW Anywhere
7.
logging
sudo ufw logging on|off
neo@master:~$ sudo ufw logging ON
Logging enabled
8.
iptales
neo@master:~$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK FORWARD]: '
RETURN all -- anywhere anywhere
Chain ufw-after-input (1 references)
target prot opt source destination
RETURN udp -- anywhere anywhere udp dpt:netbios-ns
RETURN udp -- anywhere anywhere udp dpt:netbios-dgm
RETURN tcp -- anywhere anywhere tcp dpt:netbios-ssn
RETURN tcp -- anywhere anywhere tcp dpt:microsoft-ds
RETURN udp -- anywhere anywhere udp dpt:bootps
RETURN udp -- anywhere anywhere udp dpt:bootpc
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK INPUT]: '
RETURN all -- anywhere anywhere
Chain ufw-after-output (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain ufw-before-forward (1 references)
target prot opt source destination
ufw-user-forward all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT all -- base-address.mcast.net/4 anywhere
ACCEPT all -- anywhere base-address.mcast.net/4
ufw-user-input all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK NOT-TO-ME]: '
DROP all -- anywhere anywhere
Chain ufw-user-forward (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT udp -- anywhere anywhere udp dpt:www
RETURN all -- anywhere anywhere
Chain ufw-user-output (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere