Ubuntu 12.04 LTS Precise Pangolin: Building a Firewall
The default firewall configuration tool for Ubuntu is known as ‘UFW’. Developed to ease iptables firewall configuration, UFW provides a user-friendly way to create an IPv4 or IPv6 host-based firewall that will serve to protect your computer from un-authorised access and in this article I am going to show you how to setup, configure and manage your security needs on Ubuntu 12.04 LTS Precise Pangolin.
So let’s get started …
Remove AppArmor
Ubuntu 12.04 comes pre-installed with AppArmor. A kernel-level subsystem that works by implementing a unique policy profile for each of the applications and services that you want to protect and in order to reduce the risk of attack, all forms of access to an application or process are denied unless you specifically define a profile that identifies a list of capabilities and/or file system access rights. Therefore, if someone discovers a way to inject or launch malicious code through Apache or MySQL (or even a web browser or chat based application), that exploit will most likely fail or not work if the application or service in question is protected by an AppArmor profile that does not allow any ‘code execution privileges’.
Depending on your circumstances, you should consider this step to be optional. AppArmor in many respects it is not dissimilar to SELinux (as found on most RedHat based systems) and if you do intend to use it or explore its potential I would skip this step and begin your research by reading the server guide found at https://help.ubuntu.com/12.04/serverguide/apparmor.html
Apparmor is without doubt a very competent and secure solution and yes, if you haven’t already enabled AppArmor on your desktops and server then you could be missing out on an incredibly powerful tool but in many situations it can also prove to be overly complicated, if not time consuming and for the purpose of this article we will not be using it.
So I will take this opportunity to show you how to disable and remove AppArmor in order that we can concentrate on the traditional approach to a firewall security.
Grant yourself ‘root’ privileges like so:
sudo su
Authorise yourself in the normal way and then remove it like this:
/etc/init.d/apparmor stop update-rc.d -f apparmor remove apt-get remove apparmor apparmor-utils
Finally, reboot your machine to ensure the relevant changes take place:
reboot
Hello IPTables
There is no better introduction to the Linux kernel and the included Netfilter subsystem than simply ‘looking under the hood’. In Terminal or your console, type:
sudo /sbin/iptables -L
The response will look similar to this:
Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
Which clearly shows the default and ’empty rule set’.
The purpose of iptables is to control how a packet reaches your computer. Each packet will be passed through the Netfilter subsystem for acceptance, manipulation, or rejection based on the rules supplied to it via the iptables program, and for this reason iptables is all you need to manage your firewall.
It all looks and sounds very complicated at this stage, but don’t worry this is Ubuntu, and Canonical really did make this very easy …
So what about UFW
If you have read my previous articles, you would have noticed that I have mentioned the UFW.
Also known as the uncomplictaed firewall, it is not (and should not be considered a firewall as such), but its purpose is to provide a ‘human’ approach to managing your IPTables that serve to block, filter, manipulate or redirect network traffic.
So let’s make sure it is installed and for those with the desktop version the installation also provides access to the graphical companion called gUFW.
In Terminal type:
sudo apt-get install ufw gufw
In Console type:
sudo apt-get install ufw gufw
Getting started with UFW
To enable the firewall, use:
sudo ufw enable
To disable the firewall at any time, use:
sudo ufw disable
To enable the firewall ‘log’, use:
sudo ufw logging on
To disable the ‘logging’ at any time, use:
sudo ufw logging off
All log files can be found in /var/log
To set the default policy, use:
sudo ufw default allow
To remove the default policy, use:
sudo ufw default deny
The recommended approach is to deny access to all ports/services and to slowly open the ports/services you need. Remember, by setting the default policy you will be exposing your entire system; so it is often better to begin by closing all ports/services and opening as and when they are required.
And to check the status of your firewall use:
sudo ufw status
or
sudo ufw status verbose
Easy so far … and if you were looking for the graphical utility, simply open the ‘Dash’ and search for GUFW.
Managing the UFW
In the following section I will now ‘walk you through’ the management of ports with plenty of examples.
Allow and Deny
For those of you who would like to allow access to any specific port use:
sudo ufw allow port_number
Similarly, to deny access to any specific port use:
sudo ufw deny port_number
Remember to replace ‘port_number’ with a specific port number …
Time for some ‘port-based’ examples:
‘Allow’ access to port 53
sudo ufw allow 53
Delete ‘Allow’ access to port 53
sudo ufw delete allow 53
‘Allow’ access to port 80
sudo ufw allow 80/tcp
Delete ‘Allow’ access to port 80
sudo ufw delete allow 80/tcp
Managing Services with UFW
Now let’s turn to the even easier process of managing services.
Allow and Deny
To allow access to any specific port use:
sudo ufw allow service_name
Similarly, to deny access to any specific port use:
sudo ufw deny service_name
Remember to replace ‘service_name’ with a specific service name, but if you do not know what your service is called, you can always obtain a list of running services by simply typing:
less /etc/services
Time for some ‘service based’ examples:
‘Allow’ access to port smtp
sudo ufw allow smtp
‘Deny’ access to port smtp
sudo ufw deny smtp
Delete ‘Allow’ access to port smtp
sudo ufw delete allow smtp
Delete ‘Deny’ access to port smtp
sudo ufw delete deny smtp
‘Allow’ access to port ssh
sudo ufw allow ssh
‘Deny’ access to port ssh
sudo ufw deny ssh
Delete ‘Allow’ access to port ssh
sudo ufw delete allow ssh
Delete ‘Deny’ access to port ssh
sudo ufw delete deny ssh
I hope you can now see how simple this is …
Mixing it up with advanced syntax
For those of you who wish to employ a series of more complicated rulesets, the syntax will change slightly but the process remains the same:
To allow by a specific IP address use,
sudo ufw allow from XXX.XXX.XXX.XXX
To allow by a specific subnet we invoke netmask and use
sudo ufw allow from XXX.XXX.XXX.XXX/XX
And finally, to allow by a specific port and an IP address you can use,
sudo ufw allow from XXX.XXX.XXX.XXX to AAA port YY
Alternatively you may use the ‘deny’ command and block access by using a not too dis-similar process from that shown above.
To block by a specific IP address use,
sudo ufw deny from XXX.XXX.XXX.XXX
To block by a specific subnet we invoke netmask and use
sudo ufw deny from XXX.XXX.XXX.XXX/XX
And finally, to block by a specific port and an IP address you can use,
sudo ufw deny from XXX.XXX.XXX.XXX to AAA port YY
Where XXX.XXX.XXX.XXX is the specific IP address, AAA is a specific protocol and YY is the specific port number.
For example:
To allow the ip address 192.168.1.14 access to port 53 for all protocols you would type:
sudo ufw allow from 192.168.1.14 to any port 53
Or, to allow the ip address 192.168.1.32 access to port 22 for all protocols you would type:
sudo ufw allow from 192.168.1.32 to any port 22
A protocol is either TCP, UDP or BOTH (any)
A word of caution
When attempting to block access to a specific IP address you should be aware that the rules should follow a set order of logic.
In theory, this would mean that if the first rule provides full access to a specific port or service then any attempt to block that user afterwards will be ignored. So in practice, instead of simply deleting all your rules and re-ordering them, it would be a lot easier to open the source file and include a new section like so:
Grant yourself ‘root’ privileges like so:
sudo su/pre> And then: For Terminal users use,
gedit /etc/ufw/before.rules
For console users (replacing ‘nano’ with your preferred text editor) use,
nano /etc/ufw/before.rules
Look for the lines in ‘before.rules’ that look something like this:
# drop INVALID packets (logs these in loglevel medium and higher) -A ufw-before-input -m state --state INVALID -j ufw-logging-deny -A ufw-before-input -m state --state INVALID -j DROP
And add your ‘drop’ rules directly afterwards like so:
# drop INVALID packets (logs these in loglevel medium and higher) -A ufw-before-input -m state --state INVALID -j ufw-logging-deny -A ufw-before-input -m state --state INVALID -j DROP MY FIRST DROP RULE GOES HERE MY SECOND DROP RULE GOES HERE MY THIRD DROP RULE GOES HERE
And that’s it. Very shortly you should be running a very secure environment.
So until next time …
I hope you continue to enjoy using Ubuntu 12.04 LTS Precise Pangolin.
If you enjoyed reading this post, you’ll love Learnable; the place to learn fresh skills and techniques from the masters. Members get instant access to all of SitePoint’s ebooks and interactive online courses, like Ubuntu Linux.