UFW: Difference between revisions

No edit summary
 
(30 intermediate revisions by the same user not shown)
Line 8: Line 8:


==App==
==App==
{|
{|class='wikitable mw-collapsible'
!scope='col' colspan='2' style='width:1100px'|
App
|-
|valign='top'|
|valign='top'|
<syntaxhighlight lang="ini">
<syntaxhighlight lang="ini">
Line 28: Line 31:
sudo ufw app list
sudo ufw app list
</syntaxhighlight>
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|-
|valign='top'|
|valign='top'|
Line 46: Line 45:
sudo ufw status numbered
sudo ufw status numbered
</syntaxhighlight>
</syntaxhighlight>
|}
|}


==Allow==
==Allow==
{|class="wikitable"|-
{|class='wikitable mw-collapsible mw-collapsed'
!scope="col" colspan="5"| Allow » Basic
!scope='col' colspan='5' style='width:1100px'|
UFW » Allow » Basic
|-
|-
!scope="col"| Name !!scope="col"| Allow
!scope="col"| Name !!scope="col"| Allow
Line 67: Line 66:
| LXD Bridge                        || <code>sudo ufw route allow out on lxdbr0</code>  ||  MinIO Object Storage              || <code>sudo ufw allow 9800:9801/tcp</code>
| LXD Bridge                        || <code>sudo ufw route allow out on lxdbr0</code>  ||  MinIO Object Storage              || <code>sudo ufw allow 9800:9801/tcp</code>
|-
|-
!scope="col" colspan="5"| Allow » Special
!scope="col" colspan="5"|
UFW » Allow » Special
|-
|-
!scope="col"| Name !!scope="col"| Allow
!scope="col"| Name !!scope="col"| Allow
Line 82: Line 82:
|-
|-
| HTTP ALT                          || <code>sudo ufw allow 8000/tcp</code>              || SMTP RAP                          || <code>sudo ufw allow 162/tcp</code>
| HTTP ALT                          || <code>sudo ufw allow 8000/tcp</code>              || SMTP RAP                          || <code>sudo ufw allow 162/tcp</code>
|}
|-
 
!scope="col" colspan="5"|
===Allow » Minikube » Bridge===
UFW » Allow » Minikube » Bridge
|-
|colspan="5"|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
MINIKUBE_BRIDGE="br-$(docker network ls -fname=minikube --format=json|jq -r '.ID')"
MINIKUBE_BRIDGE="br-$(docker network ls -fname=minikube --format=json|jq -r '.ID')"
Line 90: Line 92:
sudo ufw status numbered
sudo ufw status numbered
</syntaxhighlight>
</syntaxhighlight>
|}


==Status==
==Status==
{|
{|class='wikitable mw-collapsible'
| valign="top" |
!scope='col' colspan='3' style='width:1100px'|
UFW » Status
|-
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo systemctl status ufw
sudo systemctl status ufw
Line 100: Line 106:
</syntaxhighlight>
</syntaxhighlight>


| valign="top" |
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo ufw delete allow 3306
sudo ufw delete allow 3306
Line 107: Line 113:
</syntaxhighlight>
</syntaxhighlight>


| valign="top" |
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo ufw delete allow 9800:9801/tcp
sudo ufw delete allow 9800:9801/tcp
Line 113: Line 119:
sudo ufw delete allow 3306/tcp
sudo ufw delete allow 3306/tcp
</syntaxhighlight>
</syntaxhighlight>
|}


==Verify==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:1100px'|
UFW » Verify
|-
!scope='col'| UFW » Allowed » Ports
|-
|valign='top'|
<syntaxhighlight lang="bash">
REMOTE_HOST="cid.chorke.org";\
REMOTE_PORTS="22 25 80 162 443 465 587";\
echo;for REMOTE_PORT in ${REMOTE_PORTS};do \
printf "\033[1;32mtelnet %s %-5d »\033[0m\n" ${REMOTE_HOST} ${REMOTE_PORT};\
telnet ${REMOTE_HOST} ${REMOTE_PORT} & sleep 5 && kill -9 $! && echo; done
</syntaxhighlight>
|-
!scope='col'| UFW » Denied » Ports
|-
|valign='top'|
<syntaxhighlight lang="bash">
REMOTE_HOST="cid.chorke.org";\
REMOTE_PORTS="3306 4321 5432 5900 8080";\
echo;for REMOTE_PORT in ${REMOTE_PORTS};do \
printf "\033[1;31mtelnet %s %-5d »\033[0m\n" ${REMOTE_HOST} ${REMOTE_PORT};\
telnet ${REMOTE_HOST} ${REMOTE_PORT} & sleep 5 && kill -9 $! && echo; done
</syntaxhighlight>
|}
==Gateway » SSH==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' colspan='2' style='width:1100px'|
UFW » Gateway » SSH
|-
|valign='top'|
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
systemctl status ufw
ufw app list
EXE
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
iptables -S
ufw status numbered
EXE
</syntaxhighlight>
|-
|valign='top'|
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
ufw allow 'Nginx HTTP'
ufw allow 'Nginx HTTPS'
ufw allow from hetzner-aa.public.ipv4 to any app OpenSSH
ufw --force enable
EXE
</syntaxhighlight>
| valign="top" |
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow from hetzner-aa.public.ipv4 to any port 22 proto tcp
ufw --force enable
EXE
</syntaxhighlight>
|}
==Gateway » TCP==
{|class='wikitable mw-collapsible'
!scope='col' colspan='2' style='width:1100px'|
UFW » Gateway » TCP
|-
|valign='top' colspan='2'|
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
ufw        allow from 192.168.49.2/32 to any port 9000:9010 proto tcp
ufw        allow from 192.168.49.2/32 to any port      3000 proto tcp
ufw status numbered
EXE
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
ufw delete allow from 192.168.49.2/32 to any port 9000:9010 proto tcp
ufw delete allow from 192.168.49.2/32 to any port      3000 proto tcp
ufw status numbered
EXE
</syntaxhighlight>
|-
|valign='top'|
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
ufw        allow 9000:9010/tcp
ufw        allow      3000/tcp
ufw status numbered
EXE
</syntaxhighlight>
| valign="top" |
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
ufw delete allow 9000:9010/tcp
ufw delete allow      3000/tcp
ufw status numbered
EXE
</syntaxhighlight>
|}
|}


==Playground==
==Playground==
{|
{|class='wikitable mw-collapsible mw-collapsed'
| valign="top" |
!scope='col' colspan='3' style='width:1500px'|
Playground
|-
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
netstat -uap|grep nginx
netstat -uap|grep nginx
Line 144: Line 266:
sudo ufw status
sudo ufw status
</syntaxhighlight>
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|-
|valign='top'|
|valign='top'|
Line 181: Line 299:
sudo ufw --dry-run allow http
sudo ufw --dry-run allow http
</syntaxhighlight>
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|-
|valign='top'|
|valign='top'|
Line 212: Line 326:
sudo ufw app list
sudo ufw app list
</syntaxhighlight>
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|-
|valign='top' colspan='2'|
|valign='top' colspan='2'|
Line 228: Line 338:
sudo ufw delete allow from 10.19.83.110 to any port 22/tcp
sudo ufw delete allow from 10.19.83.110 to any port 22/tcp
</syntaxhighlight>
</syntaxhighlight>
|-
|colspan='3'|
----
|-
|-
|colspan='2'|
|colspan='2'|
Line 252: Line 358:
ufw allow 162/udp
ufw allow 162/udp


ufw allow from 10.19.83.1 to any port 22/tcp
ufw allow out 25/tcp
ufw allow out 255/tcp
ufw allow out 465/tcp
ufw allow out 587/tcp
ufw allow out 993/tcp
ufw allow out 5587/tcp
 
ufw deny from 185.147.125.0/24 to any
ufw allow from 10.19.83.1 to any port 22 proto tcp
 
iptables -S
ufw status numbered
ufw status numbered
systemctl status ufw  
systemctl status ufw  
Line 259: Line 375:


|valign='top'|
|valign='top'|
<syntaxhighlight lang="bash">
sudo su
BACKUP_DATE_TIME="$(date +'D%Y%m%d-T%H%M')-Z$(date +'%z'|tr '+-' 'PM')"
stat -c "%a %n" /etc/ufw/{before,before6,user,user6,after,after6}.rules
mkdir -p ${HOME}/.config/iptables/${BACKUP_DATE_TIME}/
iptables-save  > ${HOME}/.config/iptables/${BACKUP_DATE_TIME}/rules.v4
ip6tables-save > ${HOME}/.config/iptables/${BACKUP_DATE_TIME}/rules.v6
mkdir -p ${HOME}/.config/ufw/${BACKUP_DATE_TIME}/
rsync -avz /etc/ufw/{before,before6,user,user6,after,after6}.rules \
${HOME}/.config/ufw/${BACKUP_DATE_TIME}/
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables-restore  < ${HOME}/.config/iptables/${BACKUP_DATE_TIME}/rules.v4
# ip6tables-restore < ${HOME}/.config/iptables/${BACKUP_DATE_TIME}/rules.v6
# rsync -avz ${HOME}/.config/ufw/${BACKUP_DATE_TIME}/*.rules /etc/ufw/
# chmod 640 /etc/ufw/{before,before6,user,user6,after,after6}.rules
# ufw enable
iptables -S
ufw status numbered
</syntaxhighlight>
|-
|valign='top'|
<syntaxhighlight lang="bash">
sudo iptables -t nat -L -n -v
sudo iptables -L -n -v
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang="bash">
sudo systemctl restart docker
sudo systemctl status  docker
</syntaxhighlight>


|valign='top'|
<syntaxhighlight lang="bash">
sudo snap restart  lxd
sudo snap services lxd
</syntaxhighlight>
|-
|-
|colspan='3'|
|valign='top'|
----
<syntaxhighlight lang="bash">
sudo iptables -S
sudo iptables -L
</syntaxhighlight>
 
|valign='top'|
<syntaxhighlight lang="bash">
sudo iptables-save  > /etc/iptables/rules.v4
sudo ip6tables-save > /etc/iptables/rules.v6
</syntaxhighlight>
 
|valign='top'|
<syntaxhighlight lang="bash">
sudo iptables-restore  < /etc/iptables/rules.v4
sudo ip6tables-restore < /etc/iptables/rules.v6
</syntaxhighlight>
|-
|-
|valign='top'|
|valign='top'|
<syntaxhighlight lang="bash">
nmap --reason  dev.chorke.org -Pn -p21,22
mtr -wrbzc 100 dev.chorke.org
ping -c5      dev.chorke.org
mtr -r        dev.chorke.org
</syntaxhighlight>


|valign='top'|
|valign='top'|
<syntaxhighlight lang="bash">
</syntaxhighlight>


|valign='top'|
|valign='top'|
<syntaxhighlight lang="bash">
</syntaxhighlight>


|}
|}


==References==
==References==
{|
{|class='wikitable mw-collapsible'
| valign="top" |
!scope='col' colspan='3' style='width:1100px'|
References
|-
|valign='top'|
* [https://askubuntu.com/questions/996340/ UFW » Restrict SSH & FTP to certain IP]
* [https://askubuntu.com/questions/996340/ UFW » Restrict SSH & FTP to certain IP]
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-22-04 UFW » Set Up on Ubuntu 22.04]
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-22-04 UFW » Set Up on Ubuntu 22.04]
Line 285: Line 481:
| valign="top" |
| valign="top" |


|-
| colspan="3" |
----
|-
|-
| valign="top" |
| valign="top" |
Line 314: Line 507:


| valign="top" |
| valign="top" |
* [https://www.linode.com/docs/guides/diagnosing-network-issues-with-mtr/ MTR » Diagnosing Network Issues]
* [[Chorke Academia Backup]]
* [[K8s/CSI Hostpath Driver|K8s » CSI Hostpath Driver]]
* [[K8s/CSI Hostpath Driver|K8s » CSI Hostpath Driver]]
* [[Linux User Creation]]
* [[IPTables]]
* [[CIDR]]
* [[CIDR]]
* [[Port]]
* [[Port]]
|}
|}
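Review bot: In the Playground heredoc of hunk "Line 252: Line 358:", the new `ufw deny from 185.147.125.0/24 to any` is appended after the `ufw allow …` lines, and ufw matches rules in order, so that /24 is still admitted to every port the earlier allows opened and the deny only bites on ports nothing allows anyway; make it the first rule, e.g. `ufw insert 1 deny from 185.147.125.0/24 to any`, or move the line above the allows. The enclosing `cat << EXE | sudo bash` and its `ufw enable` start outside the hunk; if that enable is the bare form, run over SSH it prompts and takes its y/n answer from the heredoc's next line, so it should be `ufw --force enable` as the Gateway sections added in this revision already do. In the following hunk ("Line 259: Line 375:") the `iptables -F` sequence removes ufw's loopback and ESTABLISHED,RELATED accepts but leaves the chain policies as they were, so with ufw's usual INPUT DROP only new inbound TCP/22 survives and replies to the host's own outbound connections are dropped; add `iptables -A INPUT -i lo -j ACCEPT` and `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` beside the port-22 rule (or reset the policies with `iptables -P INPUT ACCEPT` and friends before flushing), and note that ip6tables is not flushed at all while ufw still reports itself enabled.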

Latest revision as of 00:31, 12 July 2025

# Install ufw plus the probing tools (nmap, telnet) the Verify and Playground
# sections rely on. The quoted delimiter keeps the body unexpanded locally; the
# whole script is handed to one root shell.
sudo bash <<'EXE'
apt-get update; echo
apt list -a --upgradable
apt-get install -y ufw nmap telnet
EXE

App

App

# Register a custom ufw application profile so rules can reference "Chorke"
# instead of repeating the port. Written as root via tee; the quoted delimiter is
# safe because the body contains nothing to expand.
# NOTE(review): ufw skips profiles it does not trust (e.g. world-writable files) —
# keep this root-owned with the default 0644 that tee under umask 022 produces.
sudo tee /etc/ufw/applications.d/chorke >/dev/null <<'INI'
[Chorke]
title=Chorke Academia, Inc.
description=Chorke Academia, Inc. App
ports=1983/tcp
INI
cat /etc/ufw/applications.d/chorke
ls -lah /etc/ufw/applications.d/

# `app update` refreshes any existing rules that reference the profile after the
# file on disk changed; then inspect what ufw parsed from it.
sudo ufw app update Chorke
sudo ufw app info Chorke
sudo ufw app list
# Two ways to open the profile's port: restricted to one source host, or from
# anywhere. Prefer the narrow form whenever the client set is known.
sudo ufw allow from 10.19.83.10 to any app Chorke
sudo ufw allow  Chorke
sudo ufw status verbose
# A rule is deleted by repeating it exactly as it was added.
sudo ufw delete allow from 10.19.83.10 to any app Chorke
sudo ufw delete allow Chorke
sudo ufw status numbered

Allow

UFW » Allow » Basic

Name Allow Name Allow
HTTP sudo ufw allow http VNC (5900/tcp is VNC/RFB; RDP listens on 3389/tcp) sudo ufw allow 5900/tcp
OpenSSH sudo ufw allow OpenSSH MySQL sudo ufw allow 3306/tcp
LXD Bridge sudo ufw allow in on lxdbr0 PostgreSQL sudo ufw allow 5432/tcp
LXD Bridge sudo ufw route allow in on lxdbr0 Micro Services sudo ufw allow 9000:9010/tcp
LXD Bridge sudo ufw route allow out on lxdbr0 MinIO Object Storage sudo ufw allow 9800:9801/tcp

UFW » Allow » Special

Name Allow Name Allow
OpenVPN sudo ufw allow 1194/udp GitLab sudo ufw allow 1080/tcp
MongoDB sudo ufw allow 27017/tcp Git sudo ufw allow 9418/tcp
HTTPS sudo ufw allow 443/tcp SMTP sudo ufw allow 25/tcp
Email Submission sudo ufw allow 587/tcp SMTPS sudo ufw allow 465/tcp
HTTP ALT sudo ufw allow 8000/tcp SNMP Trap (IANA snmptrap; traps are normally 162/udp, see the Playground rule) sudo ufw allow 162/tcp

UFW » Allow » Minikube » Bridge

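# Name of the Linux bridge docker created for the "minikube" network: docker names
# it br-<short network id>, which is the id `docker network ls` prints unless
# --no-trunc is given. The name filter is a substring match, so several ids come
# back if other networks contain "minikube"; `head -n1` keeps the variable to one.
MINIKUBE_BRIDGE="br-$(docker network ls --filter name=minikube --format=json | jq -r '.ID' | head -n1)"
if [[ "${MINIKUBE_BRIDGE}" == "br-" ]]; then
  # Nothing matched: refuse instead of handing ufw the bogus interface "br-".
  echo "docker network 'minikube' not found; is minikube running with the docker driver?" >&2
else
  # Allow all inbound traffic arriving on that bridge (i.e. from the minikube
  # node). Keyed on the interface, so it does not depend on the node's IP.
  sudo ufw allow in on "${MINIKUBE_BRIDGE}"
  sudo ufw status numbered
fi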

Status

UFW » Status

# Unit state and firewall state are separate things: systemd can report the unit
# active while ufw itself is inactive (or the reverse), so check both.
sudo systemctl status ufw
sudo ufw status verbose
# Over SSH this prompts because it may disrupt the session; have an SSH allow
# rule in place first (the Gateway sections use `--force enable` for this).
sudo ufw enable
# Deleting by text requires the rule spelled exactly as it was added: `3306`
# (no protocol, i.e. tcp+udp) and `3306/tcp` are distinct rules...
sudo ufw delete allow 3306
# ...or delete by index from `status numbered` (replace N with the number shown).
sudo ufw status numbered
sudo ufw delete N
sudo ufw delete allow 9800:9801/tcp
sudo ufw delete allow 9000:9010/tcp
sudo ufw delete allow 3306/tcp

Verify

UFW » Verify

UFW » Allowed » Ports
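# Probe ports that should be reachable through ufw (green). telnet is bounded by
# `timeout` instead of being backgrounded and kill -9'd after a fixed sleep: an
# accepted or refused port returns at once, only a silently dropped one waits the
# full 5 s. stdin is /dev/null so telnet never sits waiting on the terminal.
REMOTE_HOST="cid.chorke.org"
REMOTE_PORTS="22 25 80 162 443 465 587"
echo
# REMOTE_PORTS is deliberately unquoted: word-splitting yields one port per turn.
for REMOTE_PORT in ${REMOTE_PORTS}; do
  printf '\033[1;32mtelnet %s %-5d »\033[0m\n' "${REMOTE_HOST}" "${REMOTE_PORT}"
  timeout 5 telnet "${REMOTE_HOST}" "${REMOTE_PORT}" </dev/null
  echo
done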
UFW » Denied » Ports
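# Probe ports that ufw should block (red). Same shape as the allowed-ports loop:
# `timeout` bounds telnet instead of a background job plus kill -9, so a REJECTed
# port reports "Connection refused" immediately and only a DROPped one runs the
# full 5 s before timeout ends it.
REMOTE_HOST="cid.chorke.org"
REMOTE_PORTS="3306 4321 5432 5900 8080"
echo
# REMOTE_PORTS is deliberately unquoted: word-splitting yields one port per turn.
for REMOTE_PORT in ${REMOTE_PORTS}; do
  printf '\033[1;31mtelnet %s %-5d »\033[0m\n' "${REMOTE_HOST}" "${REMOTE_PORT}"
  timeout 5 telnet "${REMOTE_HOST}" "${REMOTE_PORT}" </dev/null
  echo
done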

Gateway » SSH

UFW » Gateway » SSH

# Gateway host, read-only checks first: unit state and known app profiles, then
# the raw iptables view next to ufw's own numbered view. Each heredoc is executed
# as a whole by a single root shell.
cat << EXE | sudo bash
systemctl status ufw 
ufw app list
EXE
cat << EXE | sudo bash
iptables -S
ufw status numbered 
EXE
# Two equivalent ways to open web + SSH on the gateway: by app profile, or by raw
# port. The SSH allow is deliberately added before `enable` so the new ruleset
# cannot lock the session out, and `--force` skips the "may disrupt existing ssh
# connections" prompt, which would otherwise read its answer from this heredoc.
# NOTE(review): `hetzner-aa.public.ipv4` is a placeholder — ufw expects an IP
# address or CIDR after `from`, not a hostname; substitute the real address.
cat << EXE | sudo bash
ufw allow 'Nginx HTTP'
ufw allow 'Nginx HTTPS'

ufw allow from hetzner-aa.public.ipv4 to any app OpenSSH
ufw --force enable
EXE
cat << EXE | sudo bash
ufw allow 80/tcp
ufw allow 443/tcp

ufw allow from hetzner-aa.public.ipv4 to any port 22 proto tcp
ufw --force enable
EXE

Gateway » TCP

UFW » Gateway » TCP

# Gateway host: expose the micro-service range and port 3000 only to the minikube
# node (192.168.49.2/32 — presumably the docker driver's default node address;
# confirm with `minikube ip`), followed by the matching deletes.
cat << EXE | sudo bash
ufw        allow from 192.168.49.2/32 to any port 9000:9010 proto tcp
ufw        allow from 192.168.49.2/32 to any port      3000 proto tcp
ufw status numbered
EXE

# `delete` must repeat the rule exactly as it was added (source, range, proto).
cat << EXE | sudo bash
ufw delete allow from 192.168.49.2/32 to any port 9000:9010 proto tcp
ufw delete allow from 192.168.49.2/32 to any port      3000 proto tcp
ufw status numbered
EXE
# Unrestricted variants: the same ports, but reachable from any source — a wider
# exposure than the per-host rules above; prefer those where the client is known.
cat << EXE | sudo bash
ufw        allow 9000:9010/tcp
ufw        allow      3000/tcp
ufw status numbered
EXE
cat << EXE | sudo bash
ufw delete allow 9000:9010/tcp
ufw delete allow      3000/tcp
ufw status numbered
EXE

Playground

Playground

# Scratch list of one-off checks used while debugging the firewall. The commands
# are independent; run the ones you need. Interactive entries (`sudo -i`,
# `ssh ... bash`, `sudo su`) open a new shell and stop a paste at that point.

# Which sockets are listening, and by which process (netstat is the legacy tool;
# the `ss -tulpn` forms below are its current equivalent).
netstat -uap|grep nginx
apt list --installed
sudo ufw status
netstat -lpn
netstat -a
sudo ss -tulpn | grep LISTEN | grep resolve
sudo ss -tulpn | grep LISTEN | grep minio
sudo ss -tulpn | grep LISTEN | grep sshd
sudo ss -tulwn | grep LISTEN
sudo ss -tulpn | grep LISTEN
sudo lsof -i -P -n | grep LISTEN
sudo ss -tulpn     | grep LISTEN
sudo ufw allow 'Nginx HTTP'
sudo ufw app list
sudo ufw status
sudo systemctl status ufw
sudo apt-get install gufw
sudo ufw status numbered
sudo ufw status verbose
# `disable` removes every rule until the next `enable` — the host is unfiltered in
# between; over SSH, `enable` prompts unless `--force` is given.
sudo ufw disable
sudo ufw enable
sudo ufw status
# Reachability checks by protocol, remote and local.
nc -uv vpn.shahed.biz 1194   # udp
nc -tv vpn.shahed.biz 80     # tcp
nc -tv vpn.shahed.biz 53     # tcp
sudo nmap -sT localhost      # tcp
sudo nmap -sU localhost      # udp (UDP scans need root)
nc -uv localhost 1194        # udp
nc -tv localhost 80          # tcp
sudo -i -u minikube
# Third field of `ip route get <minikube ip>`: the gateway for an off-link
# destination, but the device name when the node is directly attached (e.g. on
# the minikube bridge) — NOTE(review): confirm which case applies on this host.
echo $(ip r g $(minikube ip)|awk '{print $3}'|head -n1)

# UDP 1194 plus TCP 22/53/443 in a single scan.
sudo nmap -sU -sT -p U:1194,T:22,53,443 vpn.shahed.biz

# --dry-run prints the iptables rules ufw would add without applying them.
sudo ufw --dry-run allow https
sudo ufw --dry-run allow http
journalctl -xeu mongod.service
systemctl daemon-reload
journalctl -xe|less
journalctl -xe|tail
journalctl -xe
# Inspect the packaged app profiles before relying on them in rules.
sudo ufw app info 'Apache Secure'
sudo ufw app info 'Apache Full'
sudo ufw app info 'Apache'
sudo ufw app info OpenSSH
sudo ufw app info CUPS
cat /etc/ufw/applications.d/apache2-utils.ufw.profile
cat /etc/ufw/applications.d/openssh-server
cat /etc/ufw/applications.d/cups 
ls -alh /etc/ufw/applications.d/
sudo ufw app list
# Per-source SSH allow, by profile or by port. NOTE(review): in a `from ... to
# any` rule the documented spelling is `port 22 proto tcp`; expect ufw to reject
# or misparse `port 22/tcp`.
sudo ufw allow from 10.19.83.110 to any app OpenSSH
sudo ufw allow from 10.19.83.110 to any port 22/tcp
sudo ufw delete allow from 10.19.83.110 to any app OpenSSH
sudo ufw delete allow from 10.19.83.110 to any port 22/tcp
# Two-hop login, .1 acting as jump host into .10. `ssh -J deploy@10.19.83.1
# deploy@10.19.83.10` does the same with host-key checking on both hops.
ssh -qt deploy@10.19.83.1 ssh -qt deploy@10.19.83.10 bash
sudo su

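# Bring up a baseline ruleset on a fresh host in one root shell. Order matters
# twice here: ufw evaluates rules first-match, and enabling before management
# access exists can cut the session that is doing the work.
cat <<'EXE' | sudo bash
systemctl status ufw

# The block list goes in first: appended after the allows it would never see
# traffic those allows already admitted.
ufw deny from 185.147.125.0/24 to any

# Management access before enable. The narrow rule from 10.19.83.1 keeps working
# if the broad 22/tcp one is removed later.
ufw allow from 10.19.83.1 to any port 22 proto tcp
ufw allow 22/tcp

ufw allow 25/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 8000/tcp

ufw allow 67/udp
ufw allow 68/udp
ufw allow 162/udp

# Outbound allows only take effect if the outgoing default has been switched to
# deny (ufw's shipped default is outgoing ACCEPT — check /etc/default/ufw).
# NOTE(review): 255/tcp and 5587/tcp are unassigned ports; confirm they are not
# typos for 25 and 587, which are already listed.
ufw allow out 25/tcp
ufw allow out 255/tcp
ufw allow out 465/tcp
ufw allow out 587/tcp
ufw allow out 993/tcp
ufw allow out 5587/tcp

# --force skips the "may disrupt existing ssh connections" prompt, which a bare
# `ufw enable` would otherwise answer from the next line of this heredoc.
ufw --force enable

iptables -S
ufw status numbered
systemctl status ufw
EXE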
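sudo su
# Timestamp for the backup directories; the zone offset sign is spelled P/M so the
# name has no '+' or '-' in it.
BACKUP_DATE_TIME="$(date +'D%Y%m%d-T%H%M')-Z$(date +'%z'|tr '+-' 'PM')"
stat -c "%a %n" /etc/ufw/{before,before6,user,user6,after,after6}.rules

# Snapshot the live tables and ufw's rule files before touching anything, so the
# commented restore lines at the end can roll the host back.
mkdir -p "${HOME}/.config/iptables/${BACKUP_DATE_TIME}/"
iptables-save  > "${HOME}/.config/iptables/${BACKUP_DATE_TIME}/rules.v4"
ip6tables-save > "${HOME}/.config/iptables/${BACKUP_DATE_TIME}/rules.v6"

mkdir -p "${HOME}/.config/ufw/${BACKUP_DATE_TIME}/"
rsync -avz /etc/ufw/{before,before6,user,user6,after,after6}.rules \
"${HOME}/.config/ufw/${BACKUP_DATE_TIME}/"

# Flush every IPv4 table (ufw, docker and lxd chains included). -F/-X do not
# touch chain policies, so whatever ufw left on INPUT (DROP by default) stays in
# force; the explicit baseline below makes the post-flush state deterministic
# rather than inherited. ip6tables is deliberately left alone here.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X

# Minimal working baseline: loopback, replies to our own connections, and SSH in;
# everything else inbound/forwarded is dropped, outbound is open (ufw's and
# docker's own defaults — adjust if this host forwards). The accepts are added
# before the DROP policies so an open SSH session is never cut.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  ACCEPT

# Roll back / hand control back to ufw (uncomment as needed). ufw still believes
# it is enabled after the flush, so `ufw status` is stale until `ufw enable`
# reloads its chains.
# iptables-restore  < "${HOME}/.config/iptables/${BACKUP_DATE_TIME}/rules.v4"
# ip6tables-restore < "${HOME}/.config/iptables/${BACKUP_DATE_TIME}/rules.v6"
# rsync -avz "${HOME}/.config/ufw/${BACKUP_DATE_TIME}/"*.rules /etc/ufw/
# chmod 640 /etc/ufw/{before,before6,user,user6,after,after6}.rules
# ufw enable

iptables -S
ufw status numbered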
# Raw kernel view (numeric, with packet/byte counters) of the nat and filter
# tables — this also shows the docker/lxd chains that `ufw status` never lists.
sudo iptables -t nat -L -n -v
sudo iptables -L -n -v
# docker and lxd recreate the iptables chains they need when they start, so a
# restart is the way to get them back after the flush above removed them.
sudo systemctl restart docker
sudo systemctl status  docker
sudo snap restart  lxd
sudo snap services lxd
sudo iptables -S
sudo iptables -L
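# Persist the live tables. The original `sudo iptables-save > /etc/iptables/...`
# fails for a non-root user because the redirection is performed by the calling
# shell, not by sudo; piping into `sudo tee` writes the file as root.
# NOTE(review): /etc/iptables/ is the directory iptables-persistent reads — it
# only exists when that package is installed.
sudo iptables-save  | sudo tee /etc/iptables/rules.v4 >/dev/null
sudo ip6tables-save | sudo tee /etc/iptables/rules.v6 >/dev/null
# Restore needs only read access to the files, so the plain redirection is fine.
sudo iptables-restore  < /etc/iptables/rules.v4
sudo ip6tables-restore < /etc/iptables/rules.v6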
# Path checks from outside the host. -Pn skips the ping probe so a host that
# drops ICMP still gets port-scanned; --reason prints why nmap classed each port
# (no response vs. reset distinguishes a DROP from a REJECT). mtr -c 100 sends
# 100 probes per hop and so runs for roughly 100 s; -wrbz is the wide report with
# hostnames, addresses and AS numbers.
nmap --reason  dev.chorke.org -Pn -p21,22
mtr -wrbzc 100 dev.chorke.org
ping -c5       dev.chorke.org
mtr -r         dev.chorke.org

References

References