Ubuntu 12.04 LTS Precise Pangolin: Building a Firewall

The default firewall configuration tool for Ubuntu is known as ‘UFW’. Developed to ease iptables firewall configuration, UFW provides a user-friendly way to create an IPv4 or IPv6 host-based firewall that will serve to protect your computer from unauthorised access. In this article I am going to show you how to set up, configure and manage your security needs on Ubuntu 12.04 LTS Precise Pangolin.

So let’s get started …

Remove AppArmor

Ubuntu 12.04 comes pre-installed with AppArmor, a kernel-level subsystem that works by implementing a unique policy profile for each of the applications and services that you want to protect. In order to reduce the risk of attack, all forms of access to an application or process are denied unless you specifically define a profile that identifies a list of capabilities and/or file system access rights. Therefore, if someone discovers a way to inject or launch malicious code through Apache or MySQL (or even a web browser or chat-based application), that exploit will most likely fail if the application or service in question is protected by an AppArmor profile that does not allow any ‘code execution privileges’.

Depending on your circumstances, you should consider this step to be optional. In many respects AppArmor is not dissimilar to SELinux (as found on most RedHat based systems), and if you do intend to use it or explore its potential I would skip this step and begin your research by reading the server guide found at https://help.ubuntu.com/12.04/serverguide/apparmor.html

AppArmor is without doubt a very competent and secure solution and yes, if you haven’t already enabled AppArmor on your desktops and servers then you could be missing out on an incredibly powerful tool, but in many situations it can also prove to be overly complicated, if not time consuming, and for the purpose of this article we will not be using it.

So I will take this opportunity to show you how to disable and remove AppArmor so that we can concentrate on the traditional approach to firewall security.

Grant yourself ‘root’ privileges like so:

sudo su

Authorise yourself in the normal way and then remove it like this:

/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils

Finally, reboot your machine to ensure the relevant changes take place:

reboot

Hello IPTables

There is no better introduction to the Linux kernel and the included Netfilter subsystem than simply ‘looking under the hood’. In Terminal or your console, type:

sudo /sbin/iptables -L

The response will look similar to this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

This shows the default, empty rule set: each of the three built-in chains (INPUT, FORWARD and OUTPUT) contains no rules and has a policy of ACCEPT, so at this point every packet is allowed through.

The purpose of iptables is to control how a packet reaches your computer. Each packet is passed through the Netfilter subsystem for acceptance, manipulation or rejection based on the rules supplied to it via the iptables program, and for this reason iptables is all you need to manage your firewall.

It all looks and sounds very complicated at this stage, but don’t worry this is Ubuntu, and Canonical really did make this very easy …

So what about UFW

If you have read my previous articles, you would have noticed that I have mentioned the UFW.

Also known as the Uncomplicated Firewall, it is not a firewall as such (and should not be considered one); its purpose is to provide a ‘human’ approach to managing the iptables rules that serve to block, filter, manipulate or redirect network traffic.

So let’s make sure it is installed and for those with the desktop version the installation also provides access to the graphical companion called gUFW.

In Terminal type:

sudo apt-get install ufw gufw

In Console type:

sudo apt-get install ufw gufw

Getting started with UFW

To enable the firewall, use:

sudo ufw enable

To disable the firewall at any time, use:

sudo ufw disable

To enable the firewall ‘log’, use:

sudo ufw logging on

To disable the ‘logging’ at any time, use:

sudo ufw logging off

All log files can be found in /var/log (ufw writes its own entries to /var/log/ufw.log).

To set the default policy to allow incoming connections, use:

sudo ufw default allow

To set the default policy to deny incoming connections, use:

sudo ufw default deny

The recommended approach is to deny access to all ports/services and to slowly open only the ports/services you need. Remember, by setting the default policy to allow you will be exposing your entire system; so it is better to begin by closing all ports/services and opening them as and when they are required.

And to check the status of your firewall use:

sudo ufw status

or

sudo ufw status verbose

Easy so far … and if you were looking for the graphical utility, simply open the ‘Dash’ and search for GUFW.

Managing the UFW

In the following section I will now ‘walk you through’ the management of ports with plenty of examples.

Allow and Deny

For those of you who would like to allow access to any specific port use:

sudo ufw allow port_number

Similarly, to deny access to any specific port use:

sudo ufw deny port_number

Remember to replace ‘port_number’ with a specific port number …

Time for some ‘port-based’ examples:

‘Allow’ access to port 53

sudo ufw allow 53

Delete ‘Allow’ access to port 53

sudo ufw delete allow 53

‘Allow’ access to port 80

sudo ufw allow 80/tcp

Delete ‘Allow’ access to port 80

sudo ufw delete allow 80/tcp

Managing Services with UFW

Now let’s turn to the even easier process of managing services.

Allow and Deny

To allow access to a specific service use:

sudo ufw allow service_name

Similarly, to deny access to a specific service use:

sudo ufw deny service_name

Remember to replace ‘service_name’ with a specific service name. If you do not know what your service is called, you can obtain a list of service names and the ports they map to by simply typing:

less /etc/services

Time for some ‘service based’ examples:

‘Allow’ access to port smtp

sudo ufw allow smtp

‘Deny’ access to port smtp

sudo ufw deny smtp

Delete ‘Allow’ access to port smtp

sudo ufw delete allow smtp

Delete ‘Deny’ access to port smtp

sudo ufw delete deny smtp

‘Allow’ access to port ssh

sudo ufw allow ssh

‘Deny’ access to port ssh

sudo ufw deny ssh

Delete ‘Allow’ access to port ssh

sudo ufw delete allow ssh

Delete ‘Deny’ access to port ssh

sudo ufw delete deny ssh

I hope you can now see how simple this is …

Mixing it up with advanced syntax

For those of you who wish to employ a series of more complicated rulesets, the syntax will change slightly but the process remains the same:

To allow by a specific IP address use,

sudo ufw allow from XXX.XXX.XXX.XXX

To allow by a specific subnet we invoke netmask and use

sudo ufw allow from XXX.XXX.XXX.XXX/XX

And finally, to allow by a specific port and an IP address you can use,

sudo ufw allow from XXX.XXX.XXX.XXX to AAA port YY

Alternatively you may use the ‘deny’ command and block access using a process very similar to that shown above.

To block by a specific IP address use,

sudo ufw deny from XXX.XXX.XXX.XXX

To block by a specific subnet we invoke netmask and use

sudo ufw deny from XXX.XXX.XXX.XXX/XX

And finally, to block by a specific port and an IP address you can use,

sudo ufw deny from XXX.XXX.XXX.XXX to AAA port YY

Where XXX.XXX.XXX.XXX is the specific IP address, AAA is a specific protocol and YY is the specific port number.

For example:
To allow the ip address 192.168.1.14 access to port 53 for all protocols you would type:

sudo ufw allow from 192.168.1.14 to any port 53

Or, to allow the ip address 192.168.1.32 access to port 22 for all protocols you would type:

sudo ufw allow from 192.168.1.32 to any port 22

A protocol is either TCP, UDP or BOTH (any)
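As an added example that is not part of the original article, the following Python 3 script reads the text that `sudo ufw status verbose` prints and checks it against the policy recommended above: a default of deny for incoming traffic, and only an expected list of ports open to ‘Anywhere’. The sample output is constructed (not captured from a real host) to match the rules shown in this article plus one extra rule so that the audit has something to report; the `Default:` line is only printed by `status verbose`, so plain `ufw status` output will be flagged for a missing default policy. The file name `audit.py` is an assumption.

```python
"""Audit the output of `sudo ufw status verbose` (added example, not the article's code).

Usage on a real host (file name is an assumption):
    sudo ufw status verbose | python3 audit.py
Without piped input the constructed sample below is audited instead.
"""
import re
import sys

# Constructed sample of `ufw status verbose` output; it is not captured from a real host.
SAMPLE_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    192.168.1.32
53                         ALLOW IN    192.168.1.14
80/tcp                     ALLOW IN    Anywhere
25/tcp                     DENY IN     Anywhere
3306/tcp                   ALLOW IN    Anywhere
80/tcp (v6)                ALLOW IN    Anywhere (v6)
"""

# One rule line: "<to> <ACTION> [IN|OUT|FWD] <from>". Plain `ufw status` omits the
# direction column, so it is optional and treated as IN when absent.
RULE_RE = re.compile(
    r"^(?P<to>\S+(?: \(v6\))?)\s+"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)(?: (?P<dir>IN|OUT|FWD))?\s+"
    r"(?P<from>.+?)\s*$"
)
DEFAULT_RE = re.compile(r"^Default:\s*(\w+) \(incoming\)")


def parse_status(text):
    """Return (default_incoming_policy or None, list of rule dicts)."""
    default_in = None
    rules = []
    for line in text.splitlines():
        m = DEFAULT_RE.match(line)
        if m:
            default_in = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m:  # header and separator lines never contain an action keyword
            rules.append({
                "to": m.group("to"),
                "action": m.group("action"),
                "direction": m.group("dir") or "IN",
                "from": m.group("from"),
            })
    return default_in, rules


def audit(text, expected_open_ports=("80/tcp",)):
    """Return a list of findings; an empty list means the policy is as intended."""
    default_in, rules = parse_status(text)
    findings = []
    if default_in != "deny":
        findings.append("default incoming policy is %r, expected 'deny'" % default_in)
    for r in rules:
        world = r["from"].startswith("Anywhere")
        port = r["to"].replace(" (v6)", "")
        if (r["action"] == "ALLOW" and r["direction"] == "IN"
                and world and port not in expected_open_ports):
            findings.append("port %s is open to Anywhere but is not in the expected list" % port)
    return findings


if __name__ == "__main__":
    text = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

Rules that allow only from a specific address (the two `from 192.168.1.x` rules above) are deliberately not reported, since restricting the source is exactly the point of those rules; extend `expected_open_ports` to whatever your host legitimately serves.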

A word of caution

When attempting to block access to a specific IP address you should be aware that the rules should follow a set order of logic.

In practice this means that if the first rule grants full access to a specific port or service, then any rule added afterwards to block that user will be ignored. So, instead of deleting all of your rules and re-ordering them, it is a lot easier to open the source file and include a new section like so:

Grant yourself ‘root’ privileges like so:

sudo su

And then, for Terminal users use,

gedit /etc/ufw/before.rules

For console users (replacing ‘nano’ with your preferred text editor) use,

nano /etc/ufw/before.rules

Look for the lines in ‘before.rules’ that look something like this:

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP

And add your ‘drop’ rules directly afterwards like so:

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
MY FIRST DROP RULE GOES HERE
MY SECOND DROP RULE GOES HERE
MY THIRD DROP RULE GOES HERE
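As an added example that is not part of the original article, the following Python 3 function performs the edit described above on the text of before.rules: it finds the second INVALID line and inserts one iptables-restore DROP line per source address directly after it, in place of the ‘MY ... DROP RULE GOES HERE’ placeholders. The rule form `-A ufw-before-input -s <address> -j DROP` uses the same chain as the anchor lines; the fragment of before.rules and the 203.0.113.0/24 addresses are constructed for the example. The function returns the new text rather than writing the file, so you can review the result (for instance with `diff`) before replacing /etc/ufw/before.rules; after writing it, `sudo ufw reload` makes ufw re-read the file.

```python
"""Insert DROP rules into the text of /etc/ufw/before.rules (added example, not the article's code)."""
import ipaddress

# Constructed fragment in the shape of before.rules; the real file is much longer.
SAMPLE_BEFORE_RULES = """\
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
"""

# The line the article tells you to look for; new rules go straight after it.
ANCHOR = "-A ufw-before-input -m state --state INVALID -j DROP"


def drop_rule(source):
    """Build one line dropping all input from `source` (a host address or CIDR block).

    Raises ValueError for anything that is not an IPv4 address or network, so a
    typo cannot end up in the firewall file.
    """
    net = ipaddress.ip_network(source, strict=False)
    if net.version != 4:
        raise ValueError("before.rules is IPv4 only; use before6.rules for %s" % source)
    return "-A ufw-before-input -s %s -j DROP" % net.with_prefixlen


def add_drop_rules(text, sources):
    """Return `text` with a DROP rule for each source inserted right after ANCHOR.

    Rules already present in the file are not duplicated, so the function is safe
    to run repeatedly. Raises ValueError if the anchor line is missing.
    """
    lines = text.splitlines()
    if ANCHOR not in lines:
        raise ValueError("anchor line not found; is this really before.rules?")
    idx = lines.index(ANCHOR)
    inserted = []
    for source in sources:
        rule = drop_rule(source)
        if rule not in lines and rule not in inserted:
            inserted.append(rule)
    # Keep the caller's order: first source becomes the first rule after the anchor.
    lines[idx + 1:idx + 1] = inserted
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed example addresses from the documentation range 203.0.113.0/24.
    print(add_drop_rules(SAMPLE_BEFORE_RULES, ["203.0.113.5", "203.0.113.0/24"]), end="")
```

Because these lines sit in the ufw-before-input chain, they are evaluated before any rule added with `ufw allow`, which is what gives them precedence regardless of the order of your user rules.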

And that’s it. Very shortly you should be running a very secure environment.

So until next time …
I hope you continue to enjoy using Ubuntu 12.04 LTS Precise Pangolin.


  • RM

    Ah yes, good ole Linux on the desktop experience. This was so obvious and easy! Sometimes I wonder why it only has 0.2% of the market share.

    • uhu

      Thanks for the informative comment from Redmond ;-)

  • PsiJet

    @RM: Because it requires this thing called typing. People prefer to click and make it work.

    Personally I have no problem with typing things out. I tend to remember it easier.

  • http://www.modits.com.au AbdullahAJM

    G’day,

    I have been a long time reader of Site Point but have never commented, I just wanted to point out that the link to “previous articles” is broken, it’s missing the colon from the beginning of the URL it currently links as http// instead of http://

    However I will also state that I expected more from a Site Point article. Site Point usually hosts articles which actually give a detailed and useful insight into configuring and implementing the subject at hand (in this case ufw), however this article is an exception, I’m better off leaving it disabled and using iptables the old way, until I have time for man “x” hopping, From what I can see here the ufw concept is brilliant, this article is not!

    As for removing App Armour, I want to point out that these things are added to distributions as a default setting for a reason, that is securing the computer and its applications, only an idiot would remove security features except that they replaced them with something better!

  • Max

    I enjoyed the intro to ufw. In my opinion, I think it’s much easier than deciphering what’s going on with iptables rules. Though, iptables isn’t difficult in itself.

    I do have problems with this article stating one should disable AppArmor, because “in many situations it can also prove to be overly complicated, if not time consuming and for the purpose of this article we will not be using it.” Fine, you said disable it, but why? Other than stating it was complicated (I assume for you it was), you give no other valid concerns regarding AppArmor.

    Considering this tutorial is about firewalls and configuring one using ufw, AppArmor is irrelevant. It’s safe to say the section about AppArmor can be removed entirely.

    Other than that, I enjoyed the article.

    • http://modefour.net Jonathan Hobson

      Hi Max

      Thank you for your comment but just to clarify.

      The purpose of the article was to concentrate on a traditional approach to firewall security.

      Apparmor is a security model for processors rather than users. It does not have a GUI and it can be frustrating for users who wish to run lots of software packages and/or services (i.e. IRC, MySQL, Apache, Postfix etc …).

      Yes, Apparmor is installed by default but unless you actually spend many hours creating a profile for each and every application then you are not using it.

      As the official wiki documentation informs us, “If a profile is not available for an application, users may create a profile and add it to /etc/apparmor.d. If a profile is not defined for a particular binary, the binary is not confined.” (https://wiki.ubuntu.com/AppArmor/).

      Perhaps a tutorial on Apparmor may be something for the future.

      Hope that helps