Ubuntu 12.04 LTS Precise Pangolin: Building a Firewall

Jonathan Hobson
Jonathan Hobson
Share

The default firewall configuration tool for Ubuntu is known as ‘UFW’. Developed to ease iptables firewall configuration, UFW provides a user-friendly way to create an IPv4 or IPv6 host-based firewall that will serve to protect your computer from un-authorised access and in this article I am going to show you how to setup, configure and manage your security needs on Ubuntu 12.04 LTS Precise Pangolin. So let’s get started …

Remove AppArmor

Ubuntu 12.04 comes pre-installed with AppArmor. A kernel-level subsystem that works by implementing a unique policy profile for each of the applications and services that you want to protect and in order to reduce the risk of attack, all forms of access to an application or process are denied unless you specifically define a profile that identifies a list of capabilities and/or file system access rights. Therefore, if someone discovers a way to inject or launch malicious code through Apache or MySQL (or even a web browser or chat based application), that exploit will most likely fail or not work if the application or service in question is protected by an AppArmor profile that does not allow any ‘code execution privileges’.
Depending on your circumstances, you should consider this step to be optional. AppArmor in many respects it is not dissimilar to SELinux (as found on most RedHat based systems) and if you do intend to use it or explore its potential I would skip this step and begin your research by reading the server guide found at https://help.ubuntu.com/12.04/serverguide/apparmor.html
Apparmor is without doubt a very competent and secure solution and yes, if you haven’t already enabled AppArmor on your desktops and server then you could be missing out on an incredibly powerful tool but in many situations it can also prove to be overly complicated, if not time consuming and for the purpose of this article we will not be using it. So I will take this opportunity to show you how to disable and remove AppArmor in order that we can concentrate on the traditional approach to a firewall security. Grant yourself ‘root’ privileges like so:
sudo su
Authorise yourself in the normal way and then remove it like this:
/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
Finally, reboot your machine to ensure the relevant changes take place:
reboot

Hello IPTables

There is no better introduction to the Linux kernel and the included Netfilter subsystem than simply ‘looking under the hood’. In Terminal or your console, type:
sudo /sbin/iptables -L
The response will look similar to this:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Which clearly shows the default and ’empty rule set’. The purpose of iptables is to control how a packet reaches your computer. Each packet will be passed through the Netfilter subsystem for acceptance, manipulation, or rejection based on the rules supplied to it via the iptables program, and for this reason iptables is all you need to manage your firewall. It all looks and sounds very complicated at this stage, but don’t worry this is Ubuntu, and Canonical really did make this very easy …

So what about UFW

If you have read my previous articles
, you would have noticed that I have mentioned the UFW. Also known as the uncomplictaed firewall, it is not (and should not be considered a firewall as such), but its purpose is to provide a ‘human’ approach to managing your IPTables that serve to block, filter, manipulate or redirect network traffic. So let’s make sure it is installed and for those with the desktop version the installation also provides access to the graphical companion called gUFW. In Terminal type:
sudo apt-get install ufw gufw
In Console type:
sudo apt-get install ufw gufw

Getting started with UFW

To enable the firewall, use:
sudo ufw enable
To disable the firewall at any time, use:
sudo ufw disable
To enable the firewall ‘log’, use:
sudo ufw logging on
To disable the ‘logging’ at any time, use:
sudo ufw logging off
All log files can be found in /var/log
To set the default policy, use:
sudo ufw default allow
To remove the default policy, use:
sudo ufw default deny
The recommended approach is to deny access to all ports/services and to slowly open the ports/services you need. Remember, by setting the default policy you will be exposing your entire system; so it is often better to begin by closing all ports/services and opening as and when they are required.
And to check the status of your firewall use:
sudo ufw status
or
sudo ufw status verbose
Easy so far … and if you were looking for the graphical utility, simply open the ‘Dash’ and search for GUFW.

Managing the UFW

In the following section I will now ‘walk you through’ the management of ports with plenty of examples.

Allow and Deny

For those of you who would like to allow access to any specific port use:
sudo ufw allow port_number
Similarly, to deny access to any specific port use:
sudo ufw deny port_number
Remember to replace ‘port_number’ with a specific port number …

Time for some ‘port-based’ examples:

‘Allow’ access to port 53
sudo ufw allow 53
Delete ‘Allow’ access to port 53
sudo ufw delete allow 53
‘Allow’ access to port 80
sudo ufw allow 80/tcp
Delete ‘Allow’ access to port 80
sudo ufw delete allow 80/tcp

Managing Services with UFW

Now let’s turn to the even easier process of managing services.

Allow and Deny

To allow access to any specific port use:
sudo ufw allow service_name
Similarly, to deny access to any specific port use:
sudo ufw deny service_name
Remember to replace ‘service_name’ with a specific service name, but if you do not know what your service is called, you can always obtain a list of running services by simply typing:
less /etc/services

Time for some ‘service based’ examples:

‘Allow’ access to port smtp
sudo ufw allow smtp
‘Deny’ access to port smtp
sudo ufw deny smtp
Delete ‘Allow’ access to port smtp
sudo ufw delete allow smtp
Delete ‘Deny’ access to port smtp
sudo ufw delete deny smtp
‘Allow’ access to port ssh
sudo ufw allow ssh
‘Deny’ access to port ssh
sudo ufw deny ssh
Delete ‘Allow’ access to port ssh
sudo ufw delete allow ssh
Delete ‘Deny’ access to port ssh
sudo ufw delete deny ssh
I hope you can now see how simple this is …

Mixing it up with advanced syntax

For those of you who wish to employ a series of more complicated rulesets, the syntax will change slightly but the process remains the same: To allow by a specific IP address use,
sudo ufw allow from XXX.XXX.XXX.XXX
To allow by a specific subnet we invoke netmask and use
sudo ufw allow from XXX.XXX.XXX.XXX/XX
And finally, to allow by a specific port and an IP address you can use,
sudo ufw allow from XXX.XXX.XXX.XXX to AAA port YY
Alternatively you may use the ‘deny’ command and block access by using a not too dis-similar process from that shown above. To block by a specific IP address use,
sudo ufw deny from XXX.XXX.XXX.XXX
To block by a specific subnet we invoke netmask and use
sudo ufw deny from XXX.XXX.XXX.XXX/XX
And finally, to block by a specific port and an IP address you can use,
sudo ufw deny from XXX.XXX.XXX.XXX to AAA port YY
Where XXX.XXX.XXX.XXX is the specific IP address, AAA is a specific protocol and YY is the specific port number. For example: To allow the ip address 192.168.1.14 access to port 53 for all protocols you would type:
sudo ufw allow from 192.168.1.14 to any port 53
Or, to allow the ip address 192.168.1.32 access to port 22 for all protocols you would type:
sudo ufw allow from 192.168.1.32 to any port 22
A protocol is either TCP, UDP or BOTH (any)

A word of caution

When attempting to block access to a specific IP address you should be aware that the rules should follow a set order of logic. In theory, this would mean that if the first rule provides full access to a specific port or service then any attempt to block that user afterwards will be ignored. So in practice, instead of simply deleting all your rules and re-ordering them, it would be a lot easier to open the source file and include a new section like so: Grant yourself ‘root’ privileges like so:
sudo su/pre>
And then:
For Terminal users use,
gedit /etc/ufw/before.rules
For console users (replacing ‘nano’ with your preferred text editor) use,
nano /etc/ufw/before.rules
Look for the lines in ‘before.rules’ that look something like this:
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
And add your ‘drop’ rules directly afterwards like so:
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
MY FIRST DROP RULE GOES HERE
MY SECOND DROP RULE GOES HERE
MY THIRD DROP RULE GOES HERE
And that’s it. Very shortly you should be running a very secure environment. So until next time … I hope you continue to enjoy using Ubuntu 12.04 LTS Precise Pangolin. If you enjoyed reading this post, you’ll love Learnable; the place to learn fresh skills and techniques from the masters. Members get instant access to all of SitePoint’s ebooks and interactive online courses, like Ubuntu Linux.

Frequently Asked Questions (FAQs) about Building a Firewall on Ubuntu 12.04 LTS

How do I install UFW on Ubuntu 12.04 LTS?

To install UFW (Uncomplicated Firewall) on Ubuntu 12.04 LTS, you need to use the terminal. First, update your package list by typing sudo apt-get update. Then, install UFW by typing sudo apt-get install ufw. You will be asked for your password. After entering it, UFW will be installed on your system.

How do I enable UFW on Ubuntu 12.04 LTS?

To enable UFW, you need to use the terminal. Type sudo ufw enable and press enter. You will be asked for your password. After entering it, UFW will be enabled on your system. Remember, enabling UFW will apply the rules that are currently defined. So, make sure to define your rules before enabling UFW.

How do I check the status of UFW on Ubuntu 12.04 LTS?

To check the status of UFW, open the terminal and type sudo ufw status. This command will show you whether UFW is active or inactive and will list all the rules that are currently defined.

How do I add rules to UFW on Ubuntu 12.04 LTS?

To add rules to UFW, you need to use the terminal. The basic syntax for adding rules is sudo ufw allow/deny [service]. For example, to allow SSH, you would type sudo ufw allow ssh. This command will allow all incoming SSH connections.

How do I delete rules from UFW on Ubuntu 12.04 LTS?

To delete rules from UFW, you need to use the terminal. The basic syntax for deleting rules is sudo ufw delete allow/deny [service]. For example, to delete the rule that allows SSH, you would type sudo ufw delete allow ssh. This command will delete the rule that allows all incoming SSH connections.

How do I disable UFW on Ubuntu 12.04 LTS?

To disable UFW, you need to use the terminal. Type sudo ufw disable and press enter. You will be asked for your password. After entering it, UFW will be disabled on your system.

How do I configure UFW to start on boot on Ubuntu 12.04 LTS?

To configure UFW to start on boot, you need to use the terminal. Type sudo ufw enable and press enter. This command will configure UFW to start on boot.

How do I block a specific IP address with UFW on Ubuntu 12.04 LTS?

To block a specific IP address with UFW, you need to use the terminal. The basic syntax for blocking an IP address is sudo ufw deny from [IP address]. For example, to block the IP address 192.168.1.1, you would type sudo ufw deny from 192.168.1.1.

How do I allow a specific IP address with UFW on Ubuntu 12.04 LTS?

To allow a specific IP address with UFW, you need to use the terminal. The basic syntax for allowing an IP address is sudo ufw allow from [IP address]. For example, to allow the IP address 192.168.1.1, you would type sudo ufw allow from 192.168.1.1.

How do I log UFW activity on Ubuntu 12.04 LTS?

To log UFW activity, you need to use the terminal. Type sudo ufw logging on and press enter. This command will enable logging of UFW activity. The logs can be found in the /var/log/ufw.log file.