-
Installation
sudo apt-get install ufw
-
Enable | Disable
sudo ufw enable | disable
neo@master:~$ sudo ufw enable
Firewall started and enabled on system startup
-
Default Rule
sudo ufw default deny
sudo ufw default allow
neo@master:~$ sudo ufw default deny
Default policy changed to 'deny'
(be sure to update your rules accordingly)
-
Rule Allow|Deny
sudo ufw allow|deny [service]
打开或关闭某个端口,例如:
sudo ufw allow smtp 允许所有的外部IP访问本机的25/tcp (smtp)端口
sudo ufw allow 22/tcp 允许所有的外部IP访问本机的22/tcp (ssh)端口
sudo ufw allow 53 允许外部访问53端口(tcp/udp)
sudo ufw allow from 172.16.1.100 允许此IP访问所有的本机端口
sudo ufw allow proto udp from 192.168.0.1 port 53 to 192.168.0.2 port 53
sudo ufw deny smtp 禁止外部访问smtp服务
sudo ufw delete allow smtp 删除上面建立的某条规则
UFW 使用范例:
允许 53 端口
$ sudo ufw allow 53
删除 53 端口的许可
$ sudo ufw delete allow 53
允许 80 端口
$ sudo ufw allow 80/tcp
删除 80 端口的许可
$ sudo ufw delete allow 80/tcp
允许 smtp 端口
$ sudo ufw allow smtp
删除 smtp 端口的许可
$ sudo ufw delete allow smtp
允许某特定 IP
$ sudo ufw allow from 192.168.254.254
删除上面的规则
$ sudo ufw delete allow from 192.168.254.254
$ sudo ufw allow ssh
$ sudo ufw allow www
$ sudo ufw allow smtp
neo@master:~$ sudo ufw allow ssh
Rule added
-
Status
sudo ufw status
neo@master:~$ sudo ufw allow www
Rule added
neo@master:~$ sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
25:tcp                     ALLOW   Anywhere
22:tcp                     ALLOW   Anywhere
22:udp                     ALLOW   Anywhere
80:tcp                     ALLOW   Anywhere
80:udp                     ALLOW   Anywhere
-
Rule Delete
sudo ufw delete allow|deny RULE
neo@master:~$ sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
25:tcp                     ALLOW   Anywhere
22:tcp                     ALLOW   Anywhere
22:udp                     ALLOW   Anywhere
80:tcp                     ALLOW   Anywhere
80:udp                     ALLOW   Anywhere

neo@master:~$ sudo ufw delete allow smtp
Rule deleted
neo@master:~$ sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   Anywhere
22:udp                     ALLOW   Anywhere
80:tcp                     ALLOW   Anywhere
80:udp                     ALLOW   Anywhere
-
logging
sudo ufw logging on|off
neo@master:~$ sudo ufw logging ON
Logging enabled
-
iptables
neo@master:~$ sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere

Chain ufw-after-forward (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK FORWARD]: '
RETURN     all  --  anywhere             anywhere

Chain ufw-after-input (1 references)
target     prot opt source               destination
RETURN     udp  --  anywhere             anywhere            udp dpt:netbios-ns
RETURN     udp  --  anywhere             anywhere            udp dpt:netbios-dgm
RETURN     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
RETURN     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
RETURN     udp  --  anywhere             anywhere            udp dpt:bootps
RETURN     udp  --  anywhere             anywhere            udp dpt:bootpc
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK INPUT]: '
RETURN     all  --  anywhere             anywhere

Chain ufw-after-output (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ufw-user-forward  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere            ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere
ACCEPT     all  --  base-address.mcast.net/4  anywhere
ACCEPT     all  --  anywhere             base-address.mcast.net/4
ufw-user-input  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type BROADCAST
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK NOT-TO-ME]: '
DROP       all  --  anywhere             anywhere

Chain ufw-user-forward (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     udp  --  anywhere             anywhere            udp dpt:www
RETURN     all  --  anywhere             anywhere

Chain ufw-user-output (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
$ sudo vim /etc/default/ufw
# /etc/default/ufw
#

# set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=no

# set the default input policy to ACCEPT, DROP or REJECT. Please note that if
# you change this you will most likely want to adjust your rules
DEFAULT_INPUT_POLICY="DROP"

# set the default output policy to ACCEPT, DROP, or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_OUTPUT_POLICY="ACCEPT"

# set the default forward policy to ACCEPT, DROP or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
#DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_FORWARD_POLICY="ACCEPT"

# set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no

#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf

# extra connection tracking modules to load
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc"
neo@netkiller:~$ sudo ufw allow 67/udp
Rules updated
neo@netkiller:~$ sudo ufw allow 68/udp
Rules updated
neo@netkiller:~$ sudo ufw allow 137/tcp
Rule added
neo@netkiller:~$ sudo ufw allow 445/tcp
Rule added
neo@netkiller:~$ sudo ufw allow 138/udp
Rule added
neo@netkiller:~$ sudo ufw allow 139/udp
Rule added
原文出处:Netkiller 系列 手札
本文作者:陈景峯
转载请与作者联系,同时请务必标明文章原始出处和作者信息及本声明。