We all know Linux has a very powerful firewall called iptables, and what it can do goes far beyond firewalling... but in practice most of us only ever use it as a firewall.
If all you want is a policy for a particular port, though, you probably do not need to face iptables' lengthy configuration commands. Let me introduce a simpler firewall:
Uncomplicated Firewall
The name says it all: "uncomplicated firewall". Yes, it is ufw, which comes built into Ubuntu. With it you can operate the firewall quickly and simply: open and close ports, allow IPs, rate-limit connections, and so on. Like most Linux firewall front ends it uses iptables as its backend, so you can still add more custom rules directly in iptables and use both together... though I do not recommend doing so. iptables rules take precedence over ufw's.
I recommend ufw because it is built into Ubuntu, so you can use it to set up a firewall quickly on a freshly built VPS.
Basic on/off commands
|
ufw enable          # enable the firewall
ufw disable         # disable the firewall
ufw reload          # reload the firewall rules
ufw status          # show firewall status
ufw status verbose  # show detailed firewall status
|
|
ufw default deny    # set the default policy for incoming traffic to deny
|
Note: if you are connected to the server over SSH, add your rules first and only then enable the firewall; otherwise you will lock yourself out, and that is on you.
Also note that enabling ufw automatically configures it to start at boot, and disabling it removes it from boot.
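As an added example (not part of the original post), this script writes out the first-boot sequence the note above describes and refuses to emit "ufw enable" unless an SSH allow/limit rule precedes it. It assumes the admin SSH port is passed as the first argument (default 22) and only prints the commands rather than running them.

```shell
# Added example, not from the original post: print a first-boot ufw plan and
# refuse to emit "ufw enable" unless an SSH allow/limit rule comes before it.
# Assumption: the admin SSH port is passed as $1 (default 22). Nothing here
# calls ufw; the commands are only printed so they can be reviewed first.

# Ordered command list for a fresh host: restrictive defaults, then the
# rate-limited SSH rule, and only then enable.
plan_ufw_bootstrap() {
    ssh_port="${1:-22}"
    printf '%s\n' \
        "ufw default deny incoming" \
        "ufw default allow outgoing" \
        "ufw limit ${ssh_port}/tcp comment 'admin ssh, rate limited'" \
        "ufw enable"
}

# Read a plan from stdin; exit 0 only if every "ufw enable" line is preceded
# by an allow/limit rule for the given port (or the ssh/OpenSSH service name).
ssh_rule_precedes_enable() {
    port="$1"
    awk -v port="$port" '
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") &&
            ($3 == port || $3 == (port "/tcp") || $3 == "ssh" || $3 == "OpenSSH") { seen = 1 }
        $1 == "ufw" && $2 == "enable" && !seen { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Print the plan only when the check passes; to apply it, pipe the output
# through "sudo sh" after reading it.
safe_bootstrap() {
    port="${1:-22}"
    plan=$(plan_ufw_bootstrap "$port")
    if printf '%s\n' "$plan" | ssh_rule_precedes_enable "$port"; then
        printf '%s\n' "$plan"
    else
        echo "refusing: no SSH rule precedes 'ufw enable'" >&2
        return 1
    fi
}
```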
Basic control commands
Generally we use the allow and deny options to permit or block connections, followed by either a port number or a service name. A slash "/" separates the port from an explicit TCP or UDP; leave the protocol off and both are assumed. We usually configure the input side; to control output rules, state in or out explicitly between allow/deny and the port. The default is of course in.
|
ufw allow|deny [in|out] PORT[/tcp|udp]
# allow or deny | inbound or outbound | port | protocol
|
A few examples:
|
ufw allow 22
# allow anyone to connect to this host on port 22 (both UDP and TCP)
ufw deny 53/tcp
# block anyone from connecting to this host on port 53 over TCP
ufw allow smtp
# add an entry by service name
|
Advanced control commands
|
ufw show raw
# print the current rules in iptables format
ufw status [verbose|numbered]
# show detailed status; to delete an entry you will probably want numbered
ufw delete NUM
# delete an entry by its number, as listed by the previous command
ufw delete allow 53/udp
# or put delete in front of the original command to remove that entry
|
Alongside allow and deny there are also limit and reject. limit restricts the number of connections within 30 seconds, and an IP that exceeds 6 is automatically denied; reject works like deny but does not return a "you were rejected" message.
If you have multiple network interfaces, append the on option after in or out to apply a policy to one specific interface, for example:
|
ufw allow in on eth0 to any port 80 proto tcp
|
Adding more complex rules
By editing the files:
|
/etc/ufw/before.rules
# takes effect before all of ufw's own entries
/etc/ufw/after.rules
# takes effect after all of ufw's own entries
|
you can add more complex iptables rules that the ufw command cannot express, such as enabling forwarding or NAT masquerading. The syntax is exactly that of iptables, because both files are loaded with iptables-restore.
After editing these two files you need to restart ufw for them to take effect.
Further reading
That covers the common usage. If you want the more advanced features, see:
Also: if you use the desktop edition, there is a graphical front end called Gufw.
--------------------------------
UFW Notes
UFW (Uncomplicated Firewall) quick reference; personal notes, not a beginner tutorial.
Uncomplicated Firewall is an interface to iptables that is geared towards simplifying the process of configuring a firewall. While iptables is a solid and flexible tool, it can be difficult for beginners to learn how to use it to properly configure a firewall.
Quick Start
|
pacman -S ufw
# gufw for GUI
# pacman -S gufw
systemctl enable --now ufw
|
|
# install ufw
sudo vim /etc/default/ufw
# Enable IPv6 support. Default on, no need to do it.
IPV6=yes
# already the defaults, no need to set them again
sudo ufw default deny incoming
sudo ufw default allow outgoing
# for ssh, use limit directly
# sudo ufw allow /
sudo ufw allow ssh # find port from /etc/services
sudo ufw allow 22 # equivalent
sudo ufw limit 'OpenSSH' # sudo ufw app list
|
Note: /etc/services lists all kinds of services and their corresponding ports.
|
❯ pacman -Fo /etc/services
/etc/services is owned by core/iana-etc 20190329-1
|
- By default, UFW allows ping requests.
- allow rules apply to incoming traffic by default, because outgoing is allowed by default and there is no need to restrict it.
- deny is different from reject: deny drops the packets.
- --dry-run is a useful option.
Common commands and rule examples
|
# continue ufw setup
sudo ufw enable # activate ufw
sudo ufw disable # disable
sudo ufw reset # reset all rules
sudo ufw status verbose
# show raw iptables rules
sudo ufw show raw
sudo ufw status numbered # list rules with their sequence numbers
sudo ufw allow http # sudo ufw allow 80; this actually sets a port rule
sudo ufw allow https # sudo ufw allow 443
# how to set separate rules for in and out
sudo ufw allow in on eth1 to any port 3306 # "any" stands for any IP
# distinguish udp from tcp
# 80/udp http/tcp
sudo ufw allow proto tcp from any to any port 80,443
# to limit a rule to IPv6 only, just use an IPv6 address
# proto ipv6, is for IPv6 over IPv4 tunnels and 6to4
# range
sudo ufw allow 6000:6007/tcp
sudo ufw allow 6000:6007/udp
sudo ufw allow from to port
sudo ufw allow from to port proto
sudo ufw allow proto tcp from any to any port 80,443
# IP
sudo ufw allow from 203.0.113.4
sudo ufw allow from 203.0.113.4 to any port 22
sudo ufw allow from 203.0.113.0/24
sudo ufw allow from 203.0.113.0/24 to any port 22
# network interface
ip addr show
sudo ufw allow in on eth0 to any port 80
sudo ufw allow in on {network_interface} to any port 3306 # mysql
# deny
sudo ufw deny from to port
sudo ufw deny http
sudo ufw deny from 203.0.113.4
sudo ufw status numbered # list rules with their sequence numbers
sudo ufw delete 2
# or re-enter the original rule with delete in front to remove it
sudo ufw delete allow http # allow http is the actual rule
|
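Deleting by number has a catch: removing rule 2 renumbers everything after it, and the IPv6 copy of a rule is a separate entry. As an added example (not from the original notes), the functions below parse `ufw status numbered` output, match a rule spec against the "To" column of both the IPv4 and the (v6) entries, and emit delete commands highest number first so nothing shifts mid-way. The status text is a constructed sample, not captured from a real host.

```shell
# Added example, not from the original notes: find every rule number whose
# "To" column matches a spec in `ufw status numbered` output, highest number
# first, so deleting them one by one never shifts a number you still need.
# Assumption: the status text is supplied on stdin; the sample below is
# constructed, not captured from a real host.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 3306                       ALLOW IN    203.0.113.4
[ 4] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Print matching rule numbers in descending order. The "(v6)" suffix is
# stripped so the IPv4 and IPv6 copies of a rule both match one spec.
rule_numbers_for() {
    spec="$1"
    awk -v spec="$spec" '
        /^\[ *[0-9]+\]/ {
            line = $0
            sub(/^\[ */, "", line)        # "[ 4] 22/tcp (v6) ..." -> "4] 22/tcp (v6) ..."
            num = line + 0                # leading digits -> rule number
            sub(/^[0-9]+\] +/, "", line)  # drop "4] "
            split(line, col, "  +")       # columns are separated by 2+ spaces
            to = col[1]
            sub(/ \(v6\)$/, "", to)
            if (to == spec) print num
        }' | sort -rn
}

# Emit the delete commands for a spec. --force skips the per-rule
# confirmation prompt; review the list before running it.
delete_commands_for() {
    printf '%s\n' "$1" | rule_numbers_for "$2" | sed 's/^/ufw --force delete /'
}
```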
Common services and ports
Service    | Port | TCP/UDP
ssh        | 22   |
sftp       | 115  |
rsync      | 873  |
http       | 80   |
https      | 443  |
mysql      | 3306 |
postgresql | 5432 |
smtp       | 25   |
imap       | 143  |
imaps      | 993  |
pop3       | 110  |
pop3s      | 995  |
Numbered rules
Since rules are numbered, there is an order of precedence.
|
sudo ufw insert 1 allow from
|
logging
1
2
|
sudo ufw logging on
sudo ufw logging off
|
Recommended: disabling logging may be useful to stop UFW filling up the kernel (dmesg) and message logs.
VPN and Forwarding
Enable forwarding for VPN like OpenVPN, WireGuard.
|
# /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
|
Pre-Defined App Policy
The package comes with some defaults based on the default ports of many common daemons and programs.
|
ufw app list
❯ ls -al /etc/ufw/applications.d
total 52
drwxr-xr-x 2 root root 4096 Apr 2 23:22 .
drwxr-xr-x 3 root root 4096 Apr 2 23:21 ..
-rw-r--r-- 1 root root 129 Mar 26 18:10 mosh
-rw-r--r-- 1 root root 349 Dec 25 10:27 ufw-bittorent
-rw-r--r-- 1 root root 627 Dec 25 10:27 ufw-chat
-rw-r--r-- 1 root root 513 Dec 25 10:27 ufw-directoryserver
-rw-r--r-- 1 root root 89 Dec 25 10:27 ufw-dnsserver
-rw-r--r-- 1 root root 358 Dec 25 10:27 ufw-fileserver
-rw-r--r-- 1 root root 212 Dec 25 10:27 ufw-loginserver
-rw-r--r-- 1 root root 524 Dec 25 10:27 ufw-mailserver
-rw-r--r-- 1 root root 131 Dec 25 10:27 ufw-printserver
-rw-r--r-- 1 root root 155 Dec 25 10:27 ufw-proxyserver
-rw-r--r-- 1 root root 320 Dec 25 10:27 ufw-webserver
|
Custom app policy/rule. Don't override pre-defined rules.
|
# /etc/ufw/applications.d/custom
[Deluge-my]
title=Deluge
description=Deluge BitTorrent client
ports=20202:20205/tcp
# ports=10000:10002/tcp|10003/udp
# ports=10000:10002/tcp|10003,10009/udp
|
|
# enable custom application rule
ufw delete allow Deluge
ufw allow Deluge-my
|
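A profile's ports= line packs several specs behind "|", and a spec without /tcp or /udp means both. As an added example (not from the original notes), this function expands a profile into the full-syntax rules it stands for and rejects port specs that are non-numeric, out of range or inverted, so a typo is caught before `ufw allow Deluge-my` is run. The profile text is a constructed sample.

```shell
# Added example, not from the original notes: expand an applications.d
# profile into the full-syntax ufw rules it stands for, and reject port
# specs that ufw would choke on (non-numeric, out of range, inverted range).
# Assumption: the profile text comes on stdin; the sample is constructed.
SAMPLE_PROFILE='[Deluge-my]
title=Deluge
description=Deluge BitTorrent client
ports=20202:20205/tcp|10003,10009/udp|5353'

profile_to_rules() {
    awk '
        # Each comma-separated item must be a port or low:high range in 1..65535.
        function valid_ports(s,   q, k, a, r, lo, hi) {
            q = split(s, a, ",")
            if (q == 0) return 0
            for (k = 1; k <= q; k++) {
                if (a[k] ~ /^[0-9]+:[0-9]+$/) { split(a[k], r, ":"); lo = r[1] + 0; hi = r[2] + 0 }
                else if (a[k] ~ /^[0-9]+$/)  { lo = a[k] + 0; hi = lo }
                else return 0
                if (lo < 1 || hi > 65535 || lo > hi) return 0
            }
            return 1
        }
        /^\[.*\]$/ { name = substr($0, 2, length($0) - 2); next }
        /^ports=/ {
            n = split(substr($0, 7), part, "|")   # "|" separates port specs
            for (i = 1; i <= n; i++) {
                p = part[i]; protos = "tcp udp"    # no /proto means both
                if (sub(/\/tcp$/, "", p)) protos = "tcp"
                else if (sub(/\/udp$/, "", p)) protos = "udp"
                if (!valid_ports(p)) {
                    printf "bad port spec %s in [%s]\n", p, name > "/dev/stderr"
                    bad = 1; continue
                }
                m = split(protos, pr, " ")
                for (j = 1; j <= m; j++)
                    printf "ufw allow proto %s from any to any port %s comment \047%s\047\n", pr[j], p, name
            }
        }
        END { exit (bad ? 1 : 0) }'
}
```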
Blacklist IP Addresses
|
# /etc/ufw/before.rules
...
# blacklist section
# block just 199.115.117.99
-A ufw-before-input -s 199.115.117.99 -j DROP
# block 184.105.*.*
-A ufw-before-input -s 184.105.0.0/16 -j DROP
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
|
SSH Protection and Rate Limit
Deny connections from an IP address that has attempted to initiate 6 or more connections in the last 30 seconds.
Currently only IPv4 is supported.
User Config
/etc/ufw/user.rules and /etc/ufw/user6.rules, for IPv4 and IPv6 respectively.
Disable ping
Disable the ICMP protocol by switching these before.rules entries from ACCEPT to DROP. Only the echo-request line is needed to stop ping; dropping the other types also suppresses the error messages that path MTU discovery relies on.
|
# /etc/ufw/before.rules
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
|
Manual
Default policies
- default incoming policy of deny
- forward policy of deny
- outgoing policy of allow
- see others in manual (icmp, icmpv6…)
- IPV6 is allowed by default
Other useful commands
|
man ufw
# --dry-run
sudo ufw reload
|
show
|
sudo ufw show REPORTS
# raw, complete firewall
# builtins, before-rules, user-rules, after-rules, logging-rules, listening, added
# raw is equivalent to
iptables -n -L -v -x -t
ip6tables -n -L -v -x -t # filter, nat, mangle, raw tables
|
logging
The LOG_KERN syslog facility is used by default.
- rsyslog support may also log to /var/log/ufw.log
Enable/disable logging.
|
sudo ufw logging on|off|LEVEL # level like low,medium,full,high
sudo ufw allow log 22/tcp # per rule logging
|
rule settings
If no direction is specified, the rule applies to incoming traffic.
For rules destined for the host itself, use the route keyword.
|
sudo ufw allow in on eth0 from 192.168.0.0/16
ufw allow out on eth1 to 10.0.0.0/8
# add comment
ufw limit 2222/tcp comment 'SSH port'
# simple syntax
ufw allow 25/tcp # ufw allow smtp
# incoming traffic rule by default
ufw allow in http
ufw reject out smtp
# fuller syntax, based on OpenBSD's PF syntax
ufw deny proto tcp to any port 80
ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25
ufw deny in on eth0 to 224.0.0.1 proto igmp
ufw allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 6459
|
route
|
ufw route allow in on eth1 out on eth2
|
Setup
IP forwarding to use routing rules.
|
# /etc/ufw/sysctl.conf
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1
# restart ufw
sudo ufw disable && sudo ufw enable
|
rate limit
Use reject instead of deny to let users know they're rejected.
|
ufw limit ssh/tcp
ufw reject auth
|
delete rules
- Use the original rule: ufw delete deny 80/tcp
- Delete a rule by its status number: sudo ufw status numbered
- Repeat for the IPv6 version of the rule
insert and prepend
prepend is equivalent to insert at number 1
app integration
|
ufw app list
ufw allow
ufw allow from 192.168.0.0/16 to any app
ufw app info
sudo ufw allow in "Apache Full"
|
------------------------
Ubuntu's default firewall: installation, enabling, configuration, ports, and checking status
Ubuntu ships with a firewall configuration tool that is much simpler than iptables: ufw
ufw, the Uncomplicated Firewall; the more involved settings still have to be done in iptables.
Check firewall status:
sudo ufw status
Firewall version:
sudo ufw version
Install:
sudo apt-get install ufw
Enable:
sudo ufw enable
sudo ufw default deny
After running these two commands the firewall is on and will start automatically at boot.
All external access to this host is blocked, while the host's own access to the outside works normally.
Allow/deny:
sudo ufw allow|deny [service]
Open or close a port:
sudo ufw allow smtp  # allow all external IPs to reach port 25/tcp (smtp) on this host
sudo ufw allow 22/tcp  # allow all external IPs to reach port 22/tcp (ssh) on this host
sudo ufw allow 53  # allow external access to port 53 (tcp/udp)
sudo ufw allow from 192.168.1.100  # allow this IP to reach every port on this host
sudo ufw allow proto udp from 192.168.0.1 port 53 to 192.168.0.2 port 53
sudo ufw deny smtp  # block external access to the smtp service
sudo ufw delete allow smtp  # delete a rule created above
Check firewall status
sudo ufw status
For typical users, the following settings are enough:
sudo apt-get install ufw
sudo ufw enable
sudo ufw default deny
These three commands are already secure enough; if you need to expose certain services, open them afterwards with sudo ufw allow.
Supplement:
Enable/disable the firewall (the default is 'disable')
sudo ufw enable|disable
e.g.:
sudo ufw allow 3306
open mysql's port 3306 so that mysql can be reached remotely
Toggle logging
#ufw logging on|off
Set the default policy (e.g. "mostly open" vs "mostly closed")
#ufw default allow|deny
Allow or block certain incoming packets (the service list can be seen in "status" [see below]). A service present in /etc/services can be specified by name as "protocol:port", or by the packet's metadata. 'allow' adds the entry to /etc/ufw/maps and 'deny' does the opposite. The basic syntax is:
#ufw allow|deny [service]
Show the listening status of the firewall and its ports; see /var/lib/ufw/maps. The numbers in parentheses are not displayed.
#ufw status
[Note: although sudo is not used above, the prompts are all "#"]
UFW usage examples:
Allow port 53:
$ sudo ufw allow 53
Disable port 53:
$ sudo ufw delete allow 53
Allow port 80:
$ sudo ufw allow 80/tcp
Disable port 80:
$ sudo ufw delete allow 80/tcp
Allow the smtp port:
$ sudo ufw allow smtp
Remove the smtp port permission:
$ sudo ufw delete allow smtp
Allow a specific IP:
$ sudo ufw allow from 192.168.254.254
Delete the rule above:
$ sudo ufw delete allow from 192.168.254.254