UFW: Difference between revisions

From Chorke Wiki
Jump to navigation Jump to search
← Older edit
VisualWikitext
No edit summary
 
(5 intermediate revisions by the same user not shown)
Line 8: Line 8:


==App==
==App==
{|
{|class='wikitable mw-collapsible'
!scope='col' colspan='2' style='width:1100px'|
App
|-
|valign='top'|
|valign='top'|
<syntaxhighlight lang="ini">
<syntaxhighlight lang="ini">
Line 28: Line 31:
sudo ufw app list
sudo ufw app list
</syntaxhighlight>
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|-
|valign='top'|
|valign='top'|
Line 46: Line 45:
sudo ufw status numbered
sudo ufw status numbered
</syntaxhighlight>
</syntaxhighlight>
|}
|}


==Allow==
==Allow==
{|class='wikitable mw-collapsible mw-collapsed'
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' colspan='5' style='width:1000px'|
!scope='col' colspan='5' style='width:1100px'|
Allow » Basic
UFW » Allow » Basic
|-
|-
!scope="col"| Name !!scope="col"| Allow
!scope="col"| Name !!scope="col"| Allow
Line 69: Line 67:
|-
|-
!scope="col" colspan="5"|
!scope="col" colspan="5"|
Allow » Special
UFW » Allow » Special
|-
|-
!scope="col"| Name !!scope="col"| Allow
!scope="col"| Name !!scope="col"| Allow
Line 86: Line 84:
|-
|-
!scope="col" colspan="5"|
!scope="col" colspan="5"|
Allow » Minikube » Bridge
UFW » Allow » Minikube » Bridge
|-
|-
|colspan="5"|
|colspan="5"|
Line 97: Line 95:


==Status==
==Status==
{|
{|class='wikitable mw-collapsible'
| valign="top" |
!scope='col' colspan='3' style='width:1100px'|
UFW » Status
|-
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo systemctl status ufw
sudo systemctl status ufw
Line 105: Line 106:
</syntaxhighlight>
</syntaxhighlight>


| valign="top" |
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo ufw delete allow 3306
sudo ufw delete allow 3306
Line 112: Line 113:
</syntaxhighlight>
</syntaxhighlight>


| valign="top" |
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo ufw delete allow 9800:9801/tcp
sudo ufw delete allow 9800:9801/tcp
Line 118: Line 119:
sudo ufw delete allow 3306/tcp
sudo ufw delete allow 3306/tcp
</syntaxhighlight>
</syntaxhighlight>
|}
|}


==Verify==
==Verify==
{|
{|class='wikitable mw-collapsible mw-collapsed'
| valign="top" |
!scope='col' style='width:1100px'|
'''UFW » Allowed » Ports'''
UFW » Verify
|-
!scope='col'| UFW » Allowed » Ports
|-
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
REMOTE_HOST="cid.chorke.org";\
REMOTE_HOST="cid.chorke.org";\
Line 132: Line 136:
telnet ${REMOTE_HOST} ${REMOTE_PORT} & sleep 5 && kill -9 $! && echo; done
telnet ${REMOTE_HOST} ${REMOTE_PORT} & sleep 5 && kill -9 $! && echo; done
</syntaxhighlight>
</syntaxhighlight>
 
|-
| valign="top" |
!scope='col'| UFW » Denied » Ports
'''UFW » Denied » Ports'''
|-
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
REMOTE_HOST="cid.chorke.org";\
REMOTE_HOST="cid.chorke.org";\
Line 144: Line 149:
|}
|}


==UFW » SSH » Gateway==
==Gateway » SSH==
{|class='wikitable mw-collapsible mw-collapsed'
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' colspan='2' style='width:1200px'|
!scope='col' colspan='2' style='width:1100px'|
UFW » SSH » Gateway
UFW » Gateway » SSH
|-
|-
|valign='top'|
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
cat << EXE | sudo bash
systemctl status ufw
ufw app list
ufw app list
systemctl status ufw
EXE
EXE
</syntaxhighlight>
</syntaxhighlight>
Line 173: Line 178:


ufw allow from hetzner-aa.public.ipv4 to any app OpenSSH
ufw allow from hetzner-aa.public.ipv4 to any app OpenSSH
sudo ufw --force enable
ufw --force enable
EXE
EXE
</syntaxhighlight>
</syntaxhighlight>
Line 184: Line 189:


ufw allow from hetzner-aa.public.ipv4 to any port 22 proto tcp
ufw allow from hetzner-aa.public.ipv4 to any port 22 proto tcp
sudo ufw --force enable
ufw --force enable
EXE
EXE
</syntaxhighlight>
</syntaxhighlight>
|}
==Gateway » TCP==
{|class='wikitable mw-collapsible'
!scope='col' colspan='2' style='width:1100px'|
UFW » Gateway » TCP
|-
|-
|valign='top' colspan='2'|
|valign='top' colspan='2'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
cat << EXE | sudo bash
iptables -S
ufw        allow from 192.168.49.2/32 to any port 9000:9010 proto tcp
ufw        allow from 192.168.49.2/32 to any port      3000 proto tcp
ufw status numbered
EXE
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
ufw delete allow from 192.168.49.2/32 to any port 9000:9010 proto tcp
ufw delete allow from 192.168.49.2/32 to any port      3000 proto tcp
ufw status numbered
EXE
</syntaxhighlight>
|-
|valign='top'|
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
ufw        allow 9000:9010/tcp
ufw        allow      3000/tcp
ufw status numbered
EXE
</syntaxhighlight>
 
| valign="top" |
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
ufw delete allow 9000:9010/tcp
ufw delete allow      3000/tcp
ufw status numbered
ufw status numbered
systemctl status ufw
EXE
EXE
</syntaxhighlight>
</syntaxhighlight>
Line 199: Line 236:


==Playground==
==Playground==
{|
{|class='wikitable mw-collapsible mw-collapsed'
| valign="top" |
!scope='col' colspan='3' style='width:1500px'|
Playground
|-
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
netstat -uap|grep nginx
netstat -uap|grep nginx
Line 226: Line 266:
sudo ufw status
sudo ufw status
</syntaxhighlight>
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|-
|valign='top'|
|valign='top'|
Line 263: Line 299:
sudo ufw --dry-run allow http
sudo ufw --dry-run allow http
</syntaxhighlight>
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|-
|valign='top'|
|valign='top'|
Line 294: Line 326:
sudo ufw app list
sudo ufw app list
</syntaxhighlight>
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|-
|valign='top' colspan='2'|
|valign='top' colspan='2'|
Line 310: Line 338:
sudo ufw delete allow from 10.19.83.110 to any port 22/tcp
sudo ufw delete allow from 10.19.83.110 to any port 22/tcp
</syntaxhighlight>
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|-
|colspan='2'|
|colspan='2'|
Line 384: Line 408:
ufw status numbered
ufw status numbered
</syntaxhighlight>
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|-
|valign='top'|
|valign='top'|
Line 406: Line 426:
sudo snap services lxd
sudo snap services lxd
</syntaxhighlight>
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|-
|valign='top'|
|valign='top'|
Line 428: Line 444:
sudo ip6tables-restore < /etc/iptables/rules.v6
sudo ip6tables-restore < /etc/iptables/rules.v6
</syntaxhighlight>
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|-
|valign='top'|
|valign='top'|
Line 454: Line 466:


==References==
==References==
{|
{|class='wikitable mw-collapsible'
| valign="top" |
!scope='col' colspan='3' style='width:1100px'|
References
|-
|valign='top'|
* [https://askubuntu.com/questions/996340/ UFW » Restrict SSH & FTP to certain IP]
* [https://askubuntu.com/questions/996340/ UFW » Restrict SSH & FTP to certain IP]
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-22-04 UFW » Set Up on Ubuntu 22.04]
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-22-04 UFW » Set Up on Ubuntu 22.04]
Line 466: Line 481:
| valign="top" |
| valign="top" |


|-
| colspan="3" |
----
|-
|-
| valign="top" |
| valign="top" |
Line 502: Line 514:
* [[CIDR]]
* [[CIDR]]
* [[Port]]
* [[Port]]
|}
|}

Latest revision as of 00:31, 12 July 2025

cat <<-'EXE'|sudo bash
apt-get update;echo
apt list -a --upgradable
apt-get install -y ufw nmap telnet
EXE

App

App 

cat << INI | sudo tee /etc/ufw/applications.d/chorke >/dev/null
[Chorke]
title=Chorke Academia, Inc.
description=Chorke Academia, Inc. App
ports=1983/tcp
INI

cat /etc/ufw/applications.d/chorke
ls -lah /etc/ufw/applications.d/

sudo ufw app update Chorke
sudo ufw app info Chorke
sudo ufw app list

sudo ufw allow from 10.19.83.10 to any app Chorke
sudo ufw allow  Chorke
sudo ufw status verbose

sudo ufw delete allow from 10.19.83.10 to any app Chorke
sudo ufw delete allow Chorke
sudo ufw status numbered

Allow

UFW » Allow » Basic

Name Allow Name Allow
HTTP sudo ufw allow http RDP sudo ufw allow 5900/tcp
OpenSSH sudo ufw allow OpenSSH MySQL sudo ufw allow 3306/tcp
LXD Bridge sudo ufw allow in on lxdbr0 PostgreSQL sudo ufw allow 5432/tcp
LXD Bridge sudo ufw route allow in on lxdbr0 Micro Services sudo ufw allow 9000:9010/tcp
LXD Bridge sudo ufw route allow out on lxdbr0 MinIO Object Storage sudo ufw allow 9800:9801/tcp

UFW » Allow » Special

Name Allow Name Allow
OpenVPN sudo ufw allow 1194/udp GitLab sudo ufw allow 1080/tcp
MongoDB sudo ufw allow 27017/tcp Git sudo ufw allow 9418/tcp
HTTPS sudo ufw allow 443/tcp SMTP sudo ufw allow 25/tcp
Email Submission sudo ufw allow 587/tcp SMTPS sudo ufw allow 465/tcp
HTTP ALT sudo ufw allow 8000/tcp SMTP RAP sudo ufw allow 162/tcp

UFW » Allow » Minikube » Bridge 

MINIKUBE_BRIDGE="br-$(docker network ls -fname=minikube --format=json|jq -r '.ID')"
sudo ufw allow in on ${MINIKUBE_BRIDGE}
sudo ufw status numbered

Status

UFW » Status 

sudo systemctl status ufw
sudo ufw status verbose
sudo ufw enable

sudo ufw delete allow 3306
sudo ufw status numbered
sudo ufw delete N

sudo ufw delete allow 9800:9801/tcp
sudo ufw delete allow 9000:9010/tcp
sudo ufw delete allow 3306/tcp

Verify

UFW » Verify

UFW » Allowed » Ports 
REMOTE_HOST="cid.chorke.org";\
REMOTE_PORTS="22 25 80 162 443 465 587";\
echo;for REMOTE_PORT in ${REMOTE_PORTS};do \
printf "\033[1;32mtelnet %s %-5d »\033[0m\n" ${REMOTE_HOST} ${REMOTE_PORT};\
telnet ${REMOTE_HOST} ${REMOTE_PORT} & sleep 5 && kill -9 $! && echo; done
UFW » Denied » Ports 
REMOTE_HOST="cid.chorke.org";\
REMOTE_PORTS="3306 4321 5432 5900 8080";\
echo;for REMOTE_PORT in ${REMOTE_PORTS};do \
printf "\033[1;31mtelnet %s %-5d »\033[0m\n" ${REMOTE_HOST} ${REMOTE_PORT};\
telnet ${REMOTE_HOST} ${REMOTE_PORT} & sleep 5 && kill -9 $! && echo; done

Gateway » SSH

UFW » Gateway » SSH 

cat << EXE | sudo bash
systemctl status ufw 
ufw app list
EXE

cat << EXE | sudo bash
iptables -S
ufw status numbered 
EXE

cat << EXE | sudo bash
ufw allow 'Nginx HTTP'
ufw allow 'Nginx HTTPS'

ufw allow from hetzner-aa.public.ipv4 to any app OpenSSH
ufw --force enable
EXE

cat << EXE | sudo bash
ufw allow 80/tcp
ufw allow 443/tcp

ufw allow from hetzner-aa.public.ipv4 to any port 22 proto tcp
ufw --force enable
EXE

Gateway » TCP

UFW » Gateway » TCP 

cat << EXE | sudo bash
ufw        allow from 192.168.49.2/32 to any port 9000:9010 proto tcp
ufw        allow from 192.168.49.2/32 to any port      3000 proto tcp
ufw status numbered
EXE

cat << EXE | sudo bash
ufw delete allow from 192.168.49.2/32 to any port 9000:9010 proto tcp
ufw delete allow from 192.168.49.2/32 to any port      3000 proto tcp
ufw status numbered
EXE

cat << EXE | sudo bash
ufw        allow 9000:9010/tcp
ufw        allow      3000/tcp
ufw status numbered
EXE

cat << EXE | sudo bash
ufw delete allow 9000:9010/tcp
ufw delete allow      3000/tcp
ufw status numbered
EXE

Playground

Playground 

netstat -uap|grep nginx
apt list --installed
sudo ufw status
netstat -lpn
netstat -a

sudo ss -tulpn | grep LISTEN | grep resolve
sudo ss -tulpn | grep LISTEN | grep minio
sudo ss -tulpn | grep LISTEN | grep sshd
sudo ss -tulwn | grep LISTEN
sudo ss -tulpn | grep LISTEN

sudo lsof -i -P -n | grep LISTEN
sudo ss -tulpn     | grep LISTEN
sudo ufw allow 'Nginx HTTP'
sudo ufw app list
sudo ufw status

sudo systemctl status ufw
sudo apt-get install gufw
sudo ufw status numbered
sudo ufw status verbose
sudo ufw disable
sudo ufw enable
sudo ufw status

nc -uv vpn.shahed.biz 1194   # udp
nc -tv vpn.shahed.biz 80     # tcp
nc -tv vpn.shahed.biz 53     # tcp
sudo nmap -sT localhost      # tcp
sudo nmap -sU localhost      # udp
nc -uv localhost 1194        # udp
nc -tv localhost 80          # tcp

sudo -i -u minikube
echo $(ip r g $(minikube ip)|awk '{print $3}'|head -n1)

sudo nmap -sU -sT -p U:1194,T:22,53,443 vpn.shahed.biz

sudo ufw --dry-run allow https
sudo ufw --dry-run allow http

journalctl -xeu mongod.service
systemctl daemon-reload
journalctl -xe|less
journalctl -xe|tail
journalctl -xe

sudo ufw app info 'Apache Secure'
sudo ufw app info 'Apache Full'
sudo ufw app info 'Apache'
sudo ufw app info OpenSSH
sudo ufw app info CUPS

cat /etc/ufw/applications.d/apache2-utils.ufw.profile
cat /etc/ufw/applications.d/openssh-server
cat /etc/ufw/applications.d/cups 
ls -alh /etc/ufw/applications.d/
sudo ufw app list

sudo ufw allow from 10.19.83.110 to any app OpenSSH
sudo ufw allow from 10.19.83.110 to any port 22/tcp

sudo ufw delete allow from 10.19.83.110 to any app OpenSSH
sudo ufw delete allow from 10.19.83.110 to any port 22/tcp

ssh -qt deploy@10.19.83.1 ssh -qt deploy@10.19.83.10 bash
sudo su

cat << EXE | sudo bash
systemctl status ufw 
ufw enable

ufw allow 22/tcp
ufw allow 25/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 8000/tcp

ufw allow 67/udp
ufw allow 68/udp
ufw allow 162/udp

ufw allow out 25/tcp
ufw allow out 255/tcp
ufw allow out 465/tcp
ufw allow out 587/tcp
ufw allow out 993/tcp
ufw allow out 5587/tcp

ufw deny from 185.147.125.0/24 to any
ufw allow from 10.19.83.1 to any port 22 proto tcp

iptables -S
ufw status numbered
systemctl status ufw 
EXE

sudo su
BACKUP_DATE_TIME="$(date +'D%Y%m%d-T%H%M')-Z$(date +'%z'|tr '+-' 'PM')"
stat -c "%a %n" /etc/ufw/{before,before6,user,user6,after,after6}.rules

mkdir -p ${HOME}/.config/iptables/${BACKUP_DATE_TIME}/
iptables-save  > ${HOME}/.config/iptables/${BACKUP_DATE_TIME}/rules.v4
ip6tables-save > ${HOME}/.config/iptables/${BACKUP_DATE_TIME}/rules.v6

mkdir -p ${HOME}/.config/ufw/${BACKUP_DATE_TIME}/
rsync -avz /etc/ufw/{before,before6,user,user6,after,after6}.rules \
${HOME}/.config/ufw/${BACKUP_DATE_TIME}/

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# iptables-restore  < ${HOME}/.config/iptables/${BACKUP_DATE_TIME}/rules.v4
# ip6tables-restore < ${HOME}/.config/iptables/${BACKUP_DATE_TIME}/rules.v6

# rsync -avz ${HOME}/.config/ufw/${BACKUP_DATE_TIME}/*.rules /etc/ufw/
# chmod 640 /etc/ufw/{before,before6,user,user6,after,after6}.rules
# ufw enable

iptables -S
ufw status numbered

sudo iptables -t nat -L -n -v
sudo iptables -L -n -v

sudo systemctl restart docker
sudo systemctl status  docker

sudo snap restart  lxd
sudo snap services lxd

sudo iptables -S
sudo iptables -L

sudo iptables-save  > /etc/iptables/rules.v4
sudo ip6tables-save > /etc/iptables/rules.v6

sudo iptables-restore  < /etc/iptables/rules.v4
sudo ip6tables-restore < /etc/iptables/rules.v6

nmap --reason  dev.chorke.org -Pn -p21,22
mtr -wrbzc 100 dev.chorke.org
ping -c5       dev.chorke.org
mtr -r         dev.chorke.org

References

References

Retrieved from "https://wiki.chorke.org/index.php?title=UFW&oldid=15381"