UFW: Difference between revisions
Created page with "<syntaxhighlight lang="bash"> cat <<-'EXE'|sudo bash apt-get update;echo apt list -a --upgradable apt-get install -y ufw nmap telnet EXE </syntaxhighlight> <syntaxhighlight lang="bash"> sudo ufw allow http sudo ufw allow OpenSSH sudo ufw allow in on lxdbr0 sudo ufw route allow in on lxdbr0 sudo ufw route allow out on lxdbr0 sudo ufw status verbose sudo systemctl status ufw sudo ufw enable </syntaxhighlight> <syntaxhighlight lang="bash"> sudo ufw allow 5900/tcp sudo u..." |
No edit summary |
||
| (66 intermediate revisions by the same user not shown) | |||
| Line 7: | Line 7: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
==App== | |||
{|class='wikitable mw-collapsible' | |||
!scope='col' colspan='2' style='width:1100px'| | |||
App | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang="ini"> | |||
cat << INI | sudo tee /etc/ufw/applications.d/chorke >/dev/null | |||
[Chorke] | |||
title=Chorke Academia, Inc. | |||
description=Chorke Academia, Inc. App | |||
ports=1983/tcp | |||
INI | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
cat /etc/ufw/applications.d/chorke | |||
ls -lah /etc/ufw/applications.d/ | |||
sudo ufw app update Chorke | |||
sudo ufw app info Chorke | |||
sudo ufw app list | |||
</syntaxhighlight> | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
sudo ufw allow from 10.19.83.10 to any app Chorke | |||
sudo ufw allow Chorke | |||
sudo ufw status verbose | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
sudo ufw delete allow from 10.19.83.10 to any app Chorke | |||
sudo ufw delete allow Chorke | |||
sudo ufw status numbered | |||
</syntaxhighlight> | |||
|} | |||
==Allow== | |||
{|class='wikitable mw-collapsible mw-collapsed' | |||
!scope='col' colspan='5' style='width:1100px'| | |||
UFW » Allow » Basic | |||
|- | |||
!scope="col"| Name !!scope="col"| Allow | |||
|rowspan="6"| | |||
!scope="col"| Name !!scope="col"| Allow | |||
|- | |||
| HTTP || <code>sudo ufw allow http</code> || RDP || <code>sudo ufw allow 5900/tcp</code> | |||
|- | |||
| OpenSSH || <code>sudo ufw allow OpenSSH</code> || MySQL || <code>sudo ufw allow 3306/tcp</code> | |||
|- | |||
| LXD Bridge || <code>sudo ufw allow in on lxdbr0</code> || PostgreSQL || <code>sudo ufw allow 5432/tcp</code> | |||
|- | |||
| LXD Bridge || <code>sudo ufw route allow in on lxdbr0</code> || Micro Services || <code>sudo ufw allow 9000:9010/tcp</code> | |||
|- | |||
| LXD Bridge || <code>sudo ufw route allow out on lxdbr0</code> || MinIO Object Storage || <code>sudo ufw allow 9800:9801/tcp</code> | |||
|- | |||
!scope="col" colspan="5"| | |||
UFW » Allow » Special | |||
|- | |||
!scope="col"| Name !!scope="col"| Allow | |||
|rowspan="6"| | |||
!scope="col"| Name !!scope="col"| Allow | |||
|- | |||
| OpenVPN || <code>sudo ufw allow 1194/udp</code> || GitLab || <code>sudo ufw allow 1080/tcp</code> | |||
|- | |||
| MongoDB || <code>sudo ufw allow 27017/tcp</code> || Git || <code>sudo ufw allow 9418/tcp</code> | |||
|- | |||
| HTTPS || <code>sudo ufw allow 443/tcp</code> || SMTP || <code>sudo ufw allow 25/tcp</code> | |||
|- | |||
| Email Submission || <code>sudo ufw allow 587/tcp</code> || SMTPS || <code>sudo ufw allow 465/tcp</code> | |||
|- | |||
| HTTP ALT || <code>sudo ufw allow 8000/tcp</code> || SMTP RAP || <code>sudo ufw allow 162/tcp</code> | |||
|- | |||
!scope="col" colspan="5"| | |||
UFW » Allow » Minikube » Bridge | |||
|- | |||
|colspan="5"| | |||
<syntaxhighlight lang="bash"> | |||
MINIKUBE_BRIDGE="br-$(docker network ls -fname=minikube --format=json|jq -r '.ID')" | |||
sudo ufw allow in on ${MINIKUBE_BRIDGE} | |||
sudo ufw status numbered | |||
</syntaxhighlight> | |||
|} | |||
==Status== | |||
{|class='wikitable mw-collapsible' | |||
!scope='col' colspan='3' style='width:1100px'| | |||
UFW » Status | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
sudo systemctl status ufw | |||
sudo ufw status verbose | sudo ufw status verbose | ||
sudo ufw enable | sudo ufw enable | ||
</syntaxhighlight> | </syntaxhighlight> | ||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
sudo ufw allow 5900/ | sudo ufw delete allow 3306 | ||
sudo ufw status | sudo ufw status numbered | ||
sudo ufw delete N | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
sudo ufw delete allow 9800:9801/tcp | |||
sudo ufw delete allow 9000:9010/tcp | |||
sudo ufw delete allow 3306/tcp | |||
</syntaxhighlight> | |||
|} | |||
==Verify== | |||
{|class='wikitable mw-collapsible mw-collapsed' | |||
!scope='col' style='width:1100px'| | |||
UFW » Verify | |||
|- | |||
!scope='col'| UFW » Allowed » Ports | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
REMOTE_HOST="cid.chorke.org";\ | |||
REMOTE_PORTS="22 25 80 162 443 465 587";\ | |||
echo;for REMOTE_PORT in ${REMOTE_PORTS};do \ | |||
printf "\033[1;32mtelnet %s %-5d »\033[0m\n" ${REMOTE_HOST} ${REMOTE_PORT};\ | |||
telnet ${REMOTE_HOST} ${REMOTE_PORT} & sleep 5 && kill -9 $! && echo; done | |||
</syntaxhighlight> | |||
|- | |||
!scope='col'| UFW » Denied » Ports | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
REMOTE_HOST="cid.chorke.org";\ | |||
REMOTE_PORTS="3306 4321 5432 5900 8080";\ | |||
echo;for REMOTE_PORT in ${REMOTE_PORTS};do \ | |||
printf "\033[1;31mtelnet %s %-5d »\033[0m\n" ${REMOTE_HOST} ${REMOTE_PORT};\ | |||
telnet ${REMOTE_HOST} ${REMOTE_PORT} & sleep 5 && kill -9 $! && echo; done | |||
</syntaxhighlight> | |||
|} | |||
==Gateway » SSH== | |||
{|class='wikitable mw-collapsible mw-collapsed' | |||
!scope='col' colspan='2' style='width:1100px'| | |||
UFW » Gateway » SSH | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
cat << EXE | sudo bash | |||
systemctl status ufw | |||
ufw app list | |||
EXE | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
cat << EXE | sudo bash | |||
iptables -S | |||
ufw status numbered | |||
EXE | |||
</syntaxhighlight> | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
cat << EXE | sudo bash | |||
ufw allow 'Nginx HTTP' | |||
ufw allow 'Nginx HTTPS' | |||
ufw allow from hetzner-aa.public.ipv4 to any app OpenSSH | |||
ufw --force enable | |||
EXE | |||
</syntaxhighlight> | |||
| valign="top" | | |||
<syntaxhighlight lang="bash"> | |||
cat << EXE | sudo bash | |||
ufw allow 80/tcp | |||
ufw allow 443/tcp | |||
ufw allow from hetzner-aa.public.ipv4 to any port 22 proto tcp | |||
ufw --force enable | |||
EXE | |||
</syntaxhighlight> | |||
|} | |||
sudo ufw allow | ==Gateway » TCP== | ||
sudo ufw allow | {|class='wikitable mw-collapsible' | ||
sudo ufw allow | !scope='col' colspan='2' style='width:1100px'| | ||
UFW » Gateway » TCP | |||
|- | |||
|valign='top' colspan='2'| | |||
<syntaxhighlight lang="bash"> | |||
cat << EXE | sudo bash | |||
ufw allow from 192.168.49.2/32 to any port 9000:9010 proto tcp | |||
ufw allow from 192.168.49.2/32 to any port 3000 proto tcp | |||
ufw status numbered | |||
EXE | |||
</syntaxhighlight> | |||
---- | |||
<syntaxhighlight lang="bash"> | |||
cat << EXE | sudo bash | |||
ufw delete allow from 192.168.49.2/32 to any port 9000:9010 proto tcp | |||
ufw delete allow from 192.168.49.2/32 to any port 3000 proto tcp | |||
ufw status numbered | |||
EXE | |||
</syntaxhighlight> | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
cat << EXE | sudo bash | |||
ufw allow 9000:9010/tcp | |||
ufw allow 3000/tcp | |||
ufw status numbered | |||
EXE | |||
</syntaxhighlight> | |||
ufw | | valign="top" | | ||
ufw status | <syntaxhighlight lang="bash"> | ||
cat << EXE | sudo bash | |||
ufw delete allow 9000:9010/tcp | |||
ufw delete allow 3000/tcp | |||
ufw status numbered | |||
EXE | |||
</syntaxhighlight> | </syntaxhighlight> | ||
|} | |||
==Playground== | ==Playground== | ||
{| | {|class='wikitable mw-collapsible mw-collapsed' | ||
| valign= | !scope='col' colspan='3' style='width:1500px'| | ||
Playground | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
ufw status | netstat -uap|grep nginx | ||
apt list --installed | |||
sudo ufw status | |||
netstat -lpn | |||
netstat -a | netstat -a | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| valign="top" | | | valign="top" | | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
sudo ss -tulpn | grep LISTEN | grep resolve | |||
sudo ss -tulpn | grep LISTEN | grep minio | |||
sudo ss -tulpn | grep LISTEN | grep sshd | |||
sudo ss -tulwn | grep LISTEN | sudo ss -tulwn | grep LISTEN | ||
sudo ss -tulpn | grep LISTEN | sudo ss -tulpn | grep LISTEN | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| valign="top" | | | valign="top" | | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
sudo lsof -i -P -n | grep LISTEN | |||
sudo ss -tulpn | grep LISTEN | |||
sudo ufw allow 'Nginx HTTP' | |||
sudo ufw app list | |||
sudo ufw status | |||
</syntaxhighlight> | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
sudo systemctl status ufw | |||
sudo apt-get install gufw | |||
sudo ufw status numbered | |||
sudo ufw status verbose | |||
sudo ufw disable | |||
sudo ufw enable | |||
sudo ufw status | sudo ufw status | ||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
nc -uv vpn.shahed.biz 1194 # udp | |||
nc -tv vpn.shahed.biz 80 # tcp | |||
nc -tv vpn.shahed.biz 53 # tcp | |||
sudo nmap -sT localhost # tcp | |||
sudo nmap -sU localhost # udp | |||
nc -uv localhost 1194 # udp | |||
nc -tv localhost 80 # tcp | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
sudo -i -u minikube | |||
echo $(ip r g $(minikube ip)|awk '{print $3}'|head -n1) | |||
sudo nmap -sU -sT -p U:1194,T:22,53,443 vpn.shahed.biz | |||
sudo ufw --dry-run allow https | |||
sudo ufw --dry-run allow http | |||
</syntaxhighlight> | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
journalctl -xeu mongod.service | |||
systemctl daemon-reload | |||
journalctl -xe|less | |||
journalctl -xe|tail | |||
journalctl -xe | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
sudo ufw app info 'Apache Secure' | |||
sudo ufw app info 'Apache Full' | |||
sudo ufw app info 'Apache' | |||
sudo ufw app info OpenSSH | |||
sudo ufw app info CUPS | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
cat /etc/ufw/applications.d/apache2-utils.ufw.profile | |||
cat /etc/ufw/applications.d/openssh-server | |||
cat /etc/ufw/applications.d/cups | |||
ls -alh /etc/ufw/applications.d/ | |||
sudo ufw app list | sudo ufw app list | ||
sudo ufw allow ' | </syntaxhighlight> | ||
sudo | |- | ||
sudo | |valign='top' colspan='2'| | ||
<syntaxhighlight lang="bash"> | |||
sudo ufw allow from 10.19.83.110 to any app OpenSSH | |||
sudo ufw allow from 10.19.83.110 to any port 22/tcp | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
sudo ufw delete allow from 10.19.83.110 to any app OpenSSH | |||
sudo ufw delete allow from 10.19.83.110 to any port 22/tcp | |||
</syntaxhighlight> | |||
|- | |||
|colspan='2'| | |||
<syntaxhighlight lang="bash"> | |||
ssh -qt deploy@10.19.83.1 ssh -qt deploy@10.19.83.10 bash | |||
sudo su | |||
cat << EXE | sudo bash | |||
systemctl status ufw | |||
ufw enable | |||
ufw allow 22/tcp | |||
ufw allow 25/tcp | |||
ufw allow 80/tcp | |||
ufw allow 443/tcp | |||
ufw allow 8000/tcp | |||
ufw allow 67/udp | |||
ufw allow 68/udp | |||
ufw allow 162/udp | |||
ufw allow out 25/tcp | |||
ufw allow out 255/tcp | |||
ufw allow out 465/tcp | |||
ufw allow out 587/tcp | |||
ufw allow out 993/tcp | |||
ufw allow out 5587/tcp | |||
ufw deny from 185.147.125.0/24 to any | |||
ufw allow from 10.19.83.1 to any port 22 proto tcp | |||
iptables -S | |||
ufw status numbered | |||
systemctl status ufw | |||
EXE | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
sudo su | |||
BACKUP_DATE_TIME="$(date +'D%Y%m%d-T%H%M')-Z$(date +'%z'|tr '+-' 'PM')" | |||
stat -c "%a %n" /etc/ufw/{before,before6,user,user6,after,after6}.rules | |||
mkdir -p ${HOME}/.config/iptables/${BACKUP_DATE_TIME}/ | |||
iptables-save > ${HOME}/.config/iptables/${BACKUP_DATE_TIME}/rules.v4 | |||
ip6tables-save > ${HOME}/.config/iptables/${BACKUP_DATE_TIME}/rules.v6 | |||
mkdir -p ${HOME}/.config/ufw/${BACKUP_DATE_TIME}/ | |||
rsync -avz /etc/ufw/{before,before6,user,user6,after,after6}.rules \ | |||
${HOME}/.config/ufw/${BACKUP_DATE_TIME}/ | |||
iptables -F | |||
iptables -X | |||
iptables -t nat -F | |||
iptables -t nat -X | |||
iptables -t mangle -F | |||
iptables -t mangle -X | |||
iptables -t raw -F | |||
iptables -t raw -X | |||
iptables -A INPUT -p tcp --dport 22 -j ACCEPT | |||
# iptables-restore < ${HOME}/.config/iptables/${BACKUP_DATE_TIME}/rules.v4 | |||
# ip6tables-restore < ${HOME}/.config/iptables/${BACKUP_DATE_TIME}/rules.v6 | |||
# rsync -avz ${HOME}/.config/ufw/${BACKUP_DATE_TIME}/*.rules /etc/ufw/ | |||
# chmod 640 /etc/ufw/{before,before6,user,user6,after,after6}.rules | |||
# ufw enable | |||
iptables -S | |||
ufw status numbered | |||
</syntaxhighlight> | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
sudo iptables -t nat -L -n -v | |||
sudo iptables -L -n -v | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
sudo systemctl restart docker | |||
sudo systemctl status docker | |||
</syntaxhighlight> | </syntaxhighlight> | ||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
sudo snap restart lxd | |||
sudo snap services lxd | |||
</syntaxhighlight> | |||
|- | |- | ||
| | |valign='top'| | ||
---- | <syntaxhighlight lang="bash"> | ||
sudo iptables -S | |||
sudo iptables -L | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
sudo iptables-save > /etc/iptables/rules.v4 | |||
sudo ip6tables-save > /etc/iptables/rules.v6 | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | |||
sudo iptables-restore < /etc/iptables/rules.v4 | |||
sudo ip6tables-restore < /etc/iptables/rules.v6 | |||
</syntaxhighlight> | |||
|- | |- | ||
|valign='top'| | |valign='top'| | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
nmap --reason dev.chorke.org -Pn -p21,22 | |||
mtr -wrbzc 100 dev.chorke.org | |||
ping -c5 dev.chorke.org | |||
mtr -r dev.chorke.org | |||
</syntaxhighlight> | </syntaxhighlight> | ||
|valign='top'| | |valign='top'| | ||
<syntaxhighlight lang="bash"> | |||
</syntaxhighlight> | |||
|valign='top'| | |valign='top'| | ||
<syntaxhighlight lang="bash"> | |||
</syntaxhighlight> | |||
|} | |} | ||
==References== | ==References== | ||
{| | {|class='wikitable mw-collapsible' | ||
| valign= | !scope='col' colspan='3' style='width:1100px'| | ||
References | |||
|- | |||
|valign='top'| | |||
* [https://askubuntu.com/questions/996340/ UFW » Restrict SSH & FTP to certain IP] | |||
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-22-04 UFW » Set Up on Ubuntu 22.04] | * [https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-22-04 UFW » Set Up on Ubuntu 22.04] | ||
* [https://askubuntu.com/questions/409013/ UFW » Create an App Profile] | |||
* [https://ubuntu.com/server/docs/firewalls UFW » Firewalls] | |||
* [https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29 UFW] | |||
| valign="top" | | | valign="top" | | ||
| Line 89: | Line 481: | ||
| valign="top" | | | valign="top" | | ||
|- | |- | ||
| valign="top" | | | valign="top" | | ||
| Line 118: | Line 507: | ||
| valign="top" | | | valign="top" | | ||
* [https://www.linode.com/docs/guides/diagnosing-network-issues-with-mtr/ MTR » Diagnosing Network Issues] | |||
* [[Chorke Academia Backup]] | |||
* [[K8s/CSI Hostpath Driver|K8s » CSI Hostpath Driver]] | |||
* [[Linux User Creation]] | |||
* [[IPTables]] | |||
* [[CIDR]] | |||
* [[Port]] | |||
|} | |} | ||
Latest revision as of 00:31, 12 July 2025
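# Install the tooling this page relies on (ufw, plus nmap/telnet for the
# Verify section) in a single root shell. `set -e` stops at the first
# failing step, so a failed `apt-get update` never feeds a stale package
# index into the install; the quoted delimiter keeps the body literal.
sudo bash <<'EXE'
set -e
apt-get update
echo
apt list -a --upgradable
apt-get install -y ufw nmap telnet
EXE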
App
|
App | |
|---|---|
# Register a ufw application profile for the Chorke service (1983/tcp) by
# writing it into ufw's profile directory; the quoted delimiter keeps the
# profile text literal (nothing in it is expanded by the calling shell).
sudo tee /etc/ufw/applications.d/chorke >/dev/null <<'INI'
[Chorke]
title=Chorke Academia, Inc.
description=Chorke Academia, Inc. App
ports=1983/tcp
INI
|
# Inspect the profile file just written, make ufw re-read it, and confirm
# that ufw now reports the Chorke application.
cat /etc/ufw/applications.d/chorke
ls -lah /etc/ufw/applications.d/
for action in update info; do
  sudo ufw app "${action}" Chorke
done
sudo ufw app list
|
# Admit the Chorke profile's ports from a single source host only.
sudo ufw allow from 10.19.83.10 to any app Chorke
# NOTE(review): this rule admits the same ports from any source, which makes
# the host-restricted rule above redundant; keep only one of the two,
# depending on the exposure you actually want.
sudo ufw allow Chorke
sudo ufw status verbose
|
# `delete` takes the same specification the rule was added with, so each line
# below must match its `allow` counterpart exactly.
sudo ufw delete allow from 10.19.83.10 to any app Chorke
sudo ufw delete allow Chorke
# Numbered view: the remaining rules can also be removed with `ufw delete N`.
sudo ufw status numbered
|
Allow
|
UFW » Allow » Basic | ||||
|---|---|---|---|---|
| Name | Allow | Name | Allow | |
| HTTP | sudo ufw allow http |
RDP | sudo ufw allow 5900/tcp
| |
| OpenSSH | sudo ufw allow OpenSSH |
MySQL | sudo ufw allow 3306/tcp
| |
| LXD Bridge | sudo ufw allow in on lxdbr0 |
PostgreSQL | sudo ufw allow 5432/tcp
| |
| LXD Bridge | sudo ufw route allow in on lxdbr0 |
Micro Services | sudo ufw allow 9000:9010/tcp
| |
| LXD Bridge | sudo ufw route allow out on lxdbr0 |
MinIO Object Storage | sudo ufw allow 9800:9801/tcp
| |
|
UFW » Allow » Special | ||||
| Name | Allow | Name | Allow | |
| OpenVPN | sudo ufw allow 1194/udp |
GitLab | sudo ufw allow 1080/tcp
| |
| MongoDB | sudo ufw allow 27017/tcp |
Git | sudo ufw allow 9418/tcp
| |
| HTTPS | sudo ufw allow 443/tcp |
SMTP | sudo ufw allow 25/tcp
| |
| Email Submission | sudo ufw allow 587/tcp |
SMTPS | sudo ufw allow 465/tcp
| |
| HTTP ALT | sudo ufw allow 8000/tcp |
SMTP RAP | sudo ufw allow 162/tcp
| |
|
UFW » Allow » Minikube » Bridge | ||||
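# Find the Linux bridge docker created for the minikube network: it is named
# br-<short network id>. `--format '{{.ID}}'` prints just that id, so jq is
# not needed, and head keeps a single id if more than one network matches
# the name filter.
MINIKUBE_NETWORK_ID="$(docker network ls -f name=minikube --format '{{.ID}}' | head -n1)"
# Fail loudly instead of running `ufw allow in on br-` with an empty id.
: "${MINIKUBE_NETWORK_ID:?minikube docker network not found}"
MINIKUBE_BRIDGE="br-${MINIKUBE_NETWORK_ID}"
# Admits every inbound packet arriving on that bridge, i.e. anything the
# minikube node sends; narrow it with from/port if that is wider than needed.
sudo ufw allow in on "${MINIKUBE_BRIDGE}"
sudo ufw status numbered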
| ||||
Status
|
UFW » Status | ||
|---|---|---|
# Service state and the active ruleset (verbose adds default policies and logging).
sudo systemctl status ufw
sudo ufw status verbose
# Enable last; on a remote host make sure an SSH allow rule is in place first.
sudo ufw enable
|
# Delete by specification; without a protocol this only matches a rule that
# was added as plain "allow 3306" (not 3306/tcp).
sudo ufw delete allow 3306
# Numbers shift after every deletion, so re-run `status numbered` before each
# `delete N`; N is the rule number from that listing.
sudo ufw status numbered
sudo ufw delete N
|
# Remove the MinIO, microservice and MySQL allow rules by specification.
for rule in 9800:9801/tcp 9000:9010/tcp 3306/tcp; do
  sudo ufw delete allow "${rule}"
done
|
Verify
|
UFW » Verify |
|---|
| UFW » Allowed » Ports |
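# Confirm from a client that each allowed port answers. Every probe is bounded
# by `timeout`, which ends telnet with SIGTERM so it can restore the terminal
# and returns as soon as a connection is refused; the former `kill -9` skipped
# telnet's tty cleanup and always waited the full 5 seconds.
REMOTE_HOST="cid.chorke.org"
REMOTE_PORTS="22 25 80 162 443 465 587"
echo
for REMOTE_PORT in ${REMOTE_PORTS}; do   # unquoted on purpose: split on spaces
  printf '\033[1;32mtelnet %s %-5d »\033[0m\n' "${REMOTE_HOST}" "${REMOTE_PORT}"
  timeout 5 telnet "${REMOTE_HOST}" "${REMOTE_PORT}"
  echo
done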
|
| UFW » Denied » Ports |
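# Confirm from a client that the ports ufw should be blocking do not answer
# (a timeout, not a banner, is the expected outcome). `timeout` ends telnet
# with SIGTERM so it can restore the terminal; the former `kill -9` skipped
# that cleanup.
REMOTE_HOST="cid.chorke.org"
REMOTE_PORTS="3306 4321 5432 5900 8080"
echo
for REMOTE_PORT in ${REMOTE_PORTS}; do   # unquoted on purpose: split on spaces
  printf '\033[1;31mtelnet %s %-5d »\033[0m\n' "${REMOTE_HOST}" "${REMOTE_PORT}"
  timeout 5 telnet "${REMOTE_HOST}" "${REMOTE_PORT}"
  echo
done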
|
Gateway » SSH
|
UFW » Gateway » SSH | |
|---|---|
# Service state plus the application profiles ufw knows about, in one root shell.
sudo bash <<'EXE'
systemctl status ufw
ufw app list
EXE
|
# The raw iptables rules next to ufw's numbered view of the same ruleset.
sudo bash <<'EXE'
iptables -S
ufw status numbered
EXE
|
# Open web traffic through the nginx application profiles (present once the
# nginx package has installed its ufw profile; confirm with `ufw app list`),
# admit SSH from the gateway only, then enable without the interactive prompt.
cat << EXE | sudo bash
ufw allow 'Nginx HTTP'
ufw allow 'Nginx HTTPS'
# hetzner-aa.public.ipv4 is a placeholder: ufw validates the "from" value as
# an IP address or CIDR, so substitute the gateway's address before running.
ufw allow from hetzner-aa.public.ipv4 to any app OpenSSH
# --force skips the "may disrupt existing ssh connections" confirmation; if
# that prompt appears it reads its answer from stdin, i.e. from this heredoc.
ufw --force enable
EXE
|
# Same policy as the profile-based variant, written with explicit ports:
# HTTP/HTTPS from anywhere, SSH from the gateway only, then enable.
cat << EXE | sudo bash
ufw allow 80/tcp
ufw allow 443/tcp
# hetzner-aa.public.ipv4 is a placeholder: ufw validates the "from" value as
# an IP address or CIDR, so substitute the gateway's address before running.
ufw allow from hetzner-aa.public.ipv4 to any port 22 proto tcp
# --force skips the "may disrupt existing ssh connections" confirmation; if
# that prompt appears it reads its answer from stdin, i.e. from this heredoc.
ufw --force enable
EXE
|
Gateway » TCP
|
UFW » Gateway » TCP | |
|---|---|
# Admit only the minikube node (a /32) to the microservice port range and 3000.
sudo bash <<'EXE'
ufw allow from 192.168.49.2/32 to any port 9000:9010 proto tcp
ufw allow from 192.168.49.2/32 to any port 3000 proto tcp
ufw status numbered
EXE
# Reverse of the rules above; each delete must repeat the exact specification.
sudo bash <<'EXE'
ufw delete allow from 192.168.49.2/32 to any port 9000:9010 proto tcp
ufw delete allow from 192.168.49.2/32 to any port 3000 proto tcp
ufw status numbered
EXE
| |
# Same ports, but open to every source; prefer the from-restricted form above
# when the only legitimate client is the minikube node.
sudo bash <<'EXE'
ufw allow 9000:9010/tcp
ufw allow 3000/tcp
ufw status numbered
EXE
|
# Remove the unrestricted rules again.
sudo bash <<'EXE'
ufw delete allow 9000:9010/tcp
ufw delete allow 3000/tcp
ufw status numbered
EXE
|
Playground
|
Playground | ||
|---|---|---|
# Quick inventory of what is listening versus what ufw allows. netstat is the
# legacy tool; the ss commands alongside give the same view.
netstat -uap|grep nginx   # UDP sockets attributed to nginx
apt list --installed
sudo ufw status
netstat -lpn              # listening sockets with owning PID; root is needed to see other users' processes
netstat -a
|
# Listening TCP/UDP sockets (-t -u -l) with numeric ports (-n) and owning
# process (-p), first filtered per service, then the unfiltered views
# (-w adds raw sockets and drops the process column).
for service in resolve minio sshd; do
  sudo ss -tulpn | grep LISTEN | grep "${service}"
done
sudo ss -tulwn | grep LISTEN
sudo ss -tulpn | grep LISTEN
|
# Two ways to list listening sockets with their owning process (lsof -P -n
# keeps ports and addresses numeric), then open the nginx HTTP profile and
# confirm it took effect.
sudo lsof -i -P -n | grep LISTEN
sudo ss -tulpn | grep LISTEN
# Profile exists once the nginx package has installed its ufw profile.
sudo ufw allow 'Nginx HTTP'
sudo ufw app list
sudo ufw status
|
sudo systemctl status ufw
# gufw is the graphical front end; optional, and not needed on a server.
sudo apt-get install gufw
sudo ufw status numbered
sudo ufw status verbose
# disable + enable reloads the ruleset; while disabled the host is unfiltered,
# so keep the two lines adjacent.
sudo ufw disable
sudo ufw enable
sudo ufw status
|
# Client-side reachability checks. -u selects UDP and -v reports the outcome;
# TCP is nc's default, and in the common nc variants -t actually enables
# telnet negotiation rather than selecting TCP. A UDP "succeeded" only means
# no ICMP unreachable came back, so it does not prove the VPN port is open.
nc -uv vpn.shahed.biz 1194 # udp
nc -tv vpn.shahed.biz 80 # tcp
nc -tv vpn.shahed.biz 53 # tcp
# Local scans of this host's own services: -sT TCP connect, -sU UDP.
sudo nmap -sT localhost # tcp
sudo nmap -sU localhost # udp
nc -uv localhost 1194 # udp
nc -tv localhost 80 # tcp
|
# Switch to the minikube user's login shell; the lines below run there.
sudo -i -u minikube
# Third field of `ip route get` for the minikube IP: the interface when the
# node is directly attached (a bridge), or the next hop when it is routed.
echo $(ip r g $(minikube ip)|awk '{print $3}'|head -n1)
# Checks the VPN host for UDP 1194 and TCP 22/53/443 (-sU/-sT, port spec by protocol).
sudo nmap -sU -sT -p U:1194,T:22,53,443 vpn.shahed.biz
# --dry-run prints the iptables changes ufw would apply without applying them.
sudo ufw --dry-run allow https
sudo ufw --dry-run allow http
|
# Journal triage: the MongoDB unit first (-x adds explanations, -e jumps to
# the end), a daemon-reload so edited unit files are picked up, then the
# general journal through a pager, its tail, and in full.
journalctl -xeu mongod.service
systemctl daemon-reload
journalctl -xe|less
journalctl -xe|tail
journalctl -xe
|
# Show the ports each installed application profile expands to.
for profile in 'Apache Secure' 'Apache Full' 'Apache' OpenSSH CUPS; do
  sudo ufw app info "${profile}"
done
|
# Print the profile files shipped by apache2-utils, openssh-server and cups,
# then the directory listing and the names ufw has loaded from it.
for profile in apache2-utils.ufw.profile openssh-server cups; do
  cat "/etc/ufw/applications.d/${profile}"
done
ls -alh /etc/ufw/applications.d/
sudo ufw app list
|
# Both lines admit SSH from 10.19.83.110 only; the OpenSSH profile expands to
# 22/tcp, so the two rules overlap and one of them is enough.
sudo ufw allow from 10.19.83.110 to any app OpenSSH
# If ufw rejects the "port 22/tcp" form, use "port 22 proto tcp" as in the
# Gateway » SSH section.
sudo ufw allow from 10.19.83.110 to any port 22/tcp
|
# Deletes must repeat the exact specification the rules were added with.
sudo ufw delete allow from 10.19.83.110 to any app OpenSSH
# If ufw rejects the "port 22/tcp" form, use "port 22 proto tcp" as in the
# Gateway » SSH section.
sudo ufw delete allow from 10.19.83.110 to any port 22/tcp
| |
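# Reach the target through the jump host (the same hop chain `ssh -J` would
# build), become root, then apply the whole ruleset in one root shell.
ssh -qt deploy@10.19.83.1 ssh -qt deploy@10.19.83.10 bash
sudo su
cat << EXE | sudo bash
systemctl status ufw
# Rules are stored while the firewall is still disabled, so the SSH allow is
# in place before enable and a remote session cannot be cut off.
ufw allow 22/tcp
ufw allow 25/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 8000/tcp
ufw allow 67/udp
ufw allow 68/udp
ufw allow 162/udp
# Egress rules only take effect if the default outgoing policy is changed
# from ufw's stock "allow".
ufw allow out 25/tcp
ufw allow out 255/tcp
ufw allow out 465/tcp
ufw allow out 587/tcp
ufw allow out 993/tcp
ufw allow out 5587/tcp
# Overlaps with "allow 22/tcp" above; keep only this one if SSH should be
# reachable from the jump host alone.
ufw allow from 10.19.83.1 to any port 22 proto tcp
# ufw evaluates rules in order: appended after the allows, this deny would
# still let that network reach every allowed port, so insert it at the top.
ufw insert 1 deny from 185.147.125.0/24 to any
# --force skips the "may disrupt existing ssh connections" confirmation,
# which would otherwise read its answer from this heredoc.
ufw --force enable
iptables -S
ufw status numbered
systemctl status ufw
EXE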
|
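# Snapshot the live iptables state and ufw's rule files, then flush the IPv4
# tables. The commented restore block at the end reverses it. After `su`,
# HOME is root's home, so the backups land under /root/.config.
sudo su
BACKUP_DATE_TIME="$(date +'D%Y%m%d-T%H%M')-Z$(date +'%z'|tr '+-' 'PM')"
IPTABLES_BACKUP="${HOME}/.config/iptables/${BACKUP_DATE_TIME}"
UFW_BACKUP="${HOME}/.config/ufw/${BACKUP_DATE_TIME}"
# Record the file modes so the chmod in the restore block can be checked against them.
stat -c "%a %n" /etc/ufw/{before,before6,user,user6,after,after6}.rules
mkdir -p "${IPTABLES_BACKUP}" "${UFW_BACKUP}"
iptables-save > "${IPTABLES_BACKUP}/rules.v4"
ip6tables-save > "${IPTABLES_BACKUP}/rules.v6"
rsync -av /etc/ufw/{before,before6,user,user6,after,after6}.rules "${UFW_BACKUP}/"
# Flushing does not reset chain policies. With ufw's stock INPUT policy of
# DROP (DEFAULT_INPUT_POLICY in /etc/default/ufw) an empty INPUT chain drops
# everything, including the packets of the SSH session typing these commands,
# so the rescue rules are chained onto the flush and run from the same line:
# loopback, established/related replies, and SSH itself.
iptables -F \
  && iptables -A INPUT -i lo -j ACCEPT \
  && iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT \
  && iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
# Only the IPv4 tables are touched; ip6tables keeps its ufw chains. ufw itself
# still considers the firewall enabled and re-applies its chains on the next
# boot or `ufw reload`.
# iptables-restore < "${IPTABLES_BACKUP}/rules.v4"
# ip6tables-restore < "${IPTABLES_BACKUP}/rules.v6"
# rsync -av "${UFW_BACKUP}"/*.rules /etc/ufw/
# chmod 640 /etc/ufw/{before,before6,user,user6,after,after6}.rules
# ufw enable
iptables -S
ufw status numbered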
| |
# Table views with packet/byte counters (-v) and numeric addresses (-n) for
# the nat table and the default filter table.
for table in nat filter; do
  sudo iptables -t "${table}" -L -n -v
done
|
# Bounce docker (it rewrites its own iptables chains on start) and show the result.
for action in restart status; do
  sudo systemctl "${action}" docker
done
|
# lxd runs as a snap, so it is restarted and inspected through snap rather
# than systemctl.
sudo snap restart lxd
sudo snap services lxd
|
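# -S lists the rules as iptables commands; -L prints the table view. -n stops
# -L from reverse-resolving every address and port through DNS, which is slow
# and stalls when the resolver is unreachable, and matches the other -L
# invocations on this page.
sudo iptables -S
sudo iptables -L -n -v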
|
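# The calling shell opens a redirection target before sudo runs, so
# `sudo iptables-save > /etc/iptables/rules.v4` fails with "Permission denied"
# for a non-root user; let tee perform the privileged write instead.
sudo iptables-save | sudo tee /etc/iptables/rules.v4 >/dev/null
sudo ip6tables-save | sudo tee /etc/iptables/rules.v6 >/dev/null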
|
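# Pass the rules file as an argument so it is opened by the root process
# rather than by the calling user's shell redirection, which would fail if
# the file is not readable by that user.
sudo iptables-restore /etc/iptables/rules.v4
sudo ip6tables-restore /etc/iptables/rules.v6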
|
# Reachability of the dev host. nmap: --reason explains each port state,
# -Pn skips host discovery (the firewall may drop ping), -p limits the
# check to FTP and SSH.
nmap --reason dev.chorke.org -Pn -p21,22
# mtr: -w wide report, -r report mode, -b show both IPs and names,
# -z show AS numbers, -c 100 cycles.
mtr -wrbzc 100 dev.chorke.org
ping -c5 dev.chorke.org
mtr -r dev.chorke.org
|
||
References
|
References | ||
|---|---|---|