Firewall

The following will discuss three different methods by which you may implement a decent host-based firewall for your Ubuntu Desktop installation. This demonstration was completed using Ubuntu 11.10 Oneiric Ocelot 32-bit, however it should hold true for most versions of Ubuntu post 8.04 (pre 8.04 needs to use the iptables section as the UFW syntax was different) on both 64-bit and 32-bit systems.

The three methods we will be using are the following:

  • GUFW : The graphical user interface for Uncomplicated Firewall (UFW), the front end for iptables provided by default in Ubuntu.

  • UFW : The CLI front end for controlling iptables/netfilter, which is included by default in Ubuntu.

  • iptables : We will write an iptables script to build our firewall directly.

It is important to understand that each of these three methods accomplishes the same goal, and only one needs to be used, because they are all ways of interfacing with iptables/netfilter, the kernel-level packet filter. Each method does exactly the same thing, and the choice comes down only to what you feel more comfortable with. Personally, I find iptables more intuitive than the other two methods, so it is what I would use. However you may find GUFW or UFW more convenient, which is why I am discussing all three methods. I will not be covering Firestarter: it is similar to GUFW, but it is outdated and not supported by default. Therefore, if you choose to use Firestarter it is entirely on you. It does not offer any functionality that the following methods do not.

Without further ado, here we go.

Method 1 : GUFW

GUFW is not installed by default so if you wish to use it you must first install it from the repositories. You can do so by giving the following command in a terminal, or by downloading it from the Ubuntu Software Center.

  • sudo apt-get update && sudo apt-get install gufw

Once it has finished installing you may open it up, either by entering the following in a terminal

  • gufw

Or by running the Firewall Configuration application from the Dash. (Note for non-Unity users: this is located under Administration.)

(Screenshot: GUFW)

Once you have started GUFW you will be presented with a window that looks like this. Assuming that you do not currently have any firewall rules and UFW is disabled, your window should look identical to this one.

(Screenshot: new GUFW window)

Note : Before you can make any changes you must click on the lock in the lower right hand corner of the Window and enter your sudo password.

(Screenshot: GUFW lock)

The first order of business is to enable UFW if it is not already enabled. To do this click the slider next to Firewall Status; it should change to "On".

Once we have done this we can begin configuring our firewall policies. Under the slider we just adjusted there is both an Incoming and an Outgoing policy; we want to make sure that both are set to Deny. This will block all traffic going in and out of our machine. Don't worry, we're going to allow some outbound traffic next.

The next thing we need to do is click on the little plus in the lower left hand corner of the Window. This will allow us to add new rules to our Firewall.

(Screenshot: GUFW plus button)

For this guide we will be creating restrictive policies. In order for us to do that we must know exactly what ports we need access to. This is going to be a fairly basic system and as such we are going to add rules to allow the following outbound traffic:

DHCP Access - Ports 67 and 68 Protocol UDP

Web Access - Ports 80 and 443 Protocol TCP

Email Access - Ports 25, 110 and 143 Protocol TCP

DNS Access - Port 53 Protocol TCP and UDP (This is absolutely required)

Bittorrent Access Through Transmission - Bittorrent is different in that it uses a multitude of unregistered ports to make connections. So we will use some of the added functionality of GUFW to give us this ability.

Note : you may need additional services; look up the ports your services use. At the end of this post there is a list of commonly used services and their default ports for reference.

Now that we've clicked the plus to create our new rule, we will be presented with a window that looks like this.

(Screenshot: GUFW new rule window)

The first thing we will do is allow traffic from our Transmission Application.

We choose the action Allow, the direction Out, the type Application and the application is Transmission. Once those settings are correct we click "Add".

Next we will click on the "Simple" tab in the Firewall : Add Rule window.

We will then choose the rule Allow, Direction Out, Protocol TCP, and in the line following TCP we will add the TCP ports we want access to outbound, which will look like this: 25,53,80,110,443. Note that when we add an additional port we separate it from the last with a comma. Port ranges are indicated in this manner:

  • 6667:7000

This would indicate ports 6667 through 7000.

Once we have added our TCP outbound ports we must also remember to add any UDP outbound ports we need, in this case we will add port 53 for DNS.

We will choose the action Allow, direction is Out, Protocol is UDP and in the line beside UDP enter 53. Click on add and you are done.

(OPTIONAL)

If you wish to add more fine grained control you may do so in the advanced tab. For instance if you want to allow outbound SSH traffic only from your IP address to a specific IP address it would look like this.

(Screenshot: GUFW SSH rule)

Once you have finished editing your rules as you want them, you are done and may close the Firewall: Add Rule window as well as GUFW.

Method 2 : UFW

In this section we will create the exact same rules we did above, however we will do so using UFW instead of its graphical front end.

This section is done entirely from the command line. We will be creating the same policies as before, default deny inbound and default deny outbound, with rules allowing the services listed below.

DHCP Access - Ports 67 and 68 Protocol UDP

Web Access - Ports 80 and 443 Protocol TCP

Email Access - Ports 25, 110 and 143 Protocol TCP

DNS Access - Port 53 Protocol TCP and UDP (This is absolutely required)

Bittorrent Access Through Transmission - Bittorrent is different in that it uses a multitude of unregistered ports to make connections.

So now that we know where we're going, fire up a terminal window and create the same rules using UFW at the CLI.

First we want to enable UFW by doing the following

  • sudo ufw enable

Then we set our default inbound and outbound policies to deny by doing the following

  • sudo ufw default deny incoming && sudo ufw default deny outgoing

Now we will add our outbound TCP rules (note that the rule below omits IMAP on port 143 even though it appears in the service list above; add it to the comma-separated list if you use IMAP)

  • sudo ufw allow out 25,53,80,110,443/tcp

Then our outbound UDP rules

  • sudo ufw allow out 53,67,68/udp

And now our Transmission rules

  • sudo ufw allow out 51413/tcp

    sudo ufw allow out 51413/udp

    sudo ufw allow out 6969/tcp

Restart your firewall for good measure.

  • sudo ufw disable && sudo ufw enable

Then you're done.
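As an added check, which is example code and not part of the original page or of UFW itself, here is a small POSIX shell audit of "ufw status verbose" against the rules just created: it confirms both default policies are deny, flags any allow rule that is not in the expected outbound list, flags any inbound allow at all (this desktop policy has none), and reports expected rules that are missing. The sample status text embedded in it is constructed to match ufw's output format and deliberately leaves out 6969/tcp and adds a stray inbound SSH rule so that both checks fire; on a real host pipe "sudo ufw status verbose" into audit_ufw_status instead.

```shell
#!/bin/sh
# Added example (not from the original page): audit "ufw status verbose"
# against the outbound rules Method 2 creates.
# On a real host:  sudo ufw status verbose | audit_ufw_status

# Outbound allow rules exactly as ufw prints them in the "To" column.
EXPECTED_OUT_RULES='25,53,80,110,443/tcp
53,67,68/udp
51413/tcp
51413/udp
6969/tcp'

# Return 0 when both default policies are deny, 1 otherwise.
# Reads the status text on stdin.
defaults_are_deny() {
    grep -q '^Default: deny (incoming), deny (outgoing)'
}

# Print one line per problem found; print nothing when the status matches.
audit_ufw_status() {
    awk -v expected="$EXPECTED_OUT_RULES" '
        BEGIN { n = split(expected, e, "\n"); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $2 == "ALLOW" && $3 == "OUT" {
            present[$1] = 1
            if (!($1 in ok)) print "unexpected outbound allow: " $1
        }
        $2 == "ALLOW" && $3 == "IN" { print "unexpected inbound allow: " $1 }
        END {
            for (i = 1; i <= n; i++)
                if (!(e[i] in present)) print "missing outbound allow: " e[i]
        }
    '
}

# Constructed sample of "ufw status verbose" output (not captured from a real
# host): the Method 2 rules with 6969/tcp left out and a stray inbound SSH
# allow added, to exercise both checks.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
25,53,80,110,443/tcp       ALLOW OUT   Anywhere
53,67,68/udp               ALLOW OUT   Anywhere
51413/tcp                  ALLOW OUT   Anywhere
51413/udp                  ALLOW OUT   Anywhere
22/tcp                     ALLOW IN    Anywhere'

printf '%s\n' "$SAMPLE_STATUS" | defaults_are_deny && echo "default policies: deny/deny"
printf '%s\n' "$SAMPLE_STATUS" | audit_ufw_status
```

Run against the sample it prints two lines, one for the stray inbound rule and one for the missing 6969/tcp rule. Because it compares the "To" column as a whole string, a rule entered as 25,53,80,110,443/tcp and one entered port by port are not treated as equivalent; adjust EXPECTED_OUT_RULES to match how you entered yours.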

Method 3 : iptables

This method in my opinion is the best because it gives you the most control over your firewall. However iptables may not be for the new user. For completeness' sake I will cover it here.

Please note: iptables works best without UFW installed, because UFW manages its own set of iptables chains and would conflict with rules we load by hand. So we will remove it now.

  • sudo apt-get remove ufw gufw

Again in this section we will be enabling the same services as before.

DHCP Access - Ports 67 and 68 Protocol UDP

Web Access - Ports 80 and 443 Protocol TCP

Email Access - Ports 25, 110 and 143 Protocol TCP

DNS Access - Port 53 Protocol TCP and UDP (This is absolutely required)

Bittorrent Access Through Transmission - Bittorrent is different in that it uses a multitude of unregistered ports to make connections.

However, here I am going to walk you through the iptables script using the comments in the script, as opposed to step by step like the previous sections. You will want to create a file for your script; for this we will call it iptables.sh, but you can call it whatever you want. Below you will find the sample iptables script.

  • #!/bin/bash
    #Simple Firewall Script. Must be run as root (sudo ./iptables.sh).

    #Setting up default kernel tunings here (don't worry too much about these right now, they are acceptable defaults)
    #DROP ICMP echo-requests sent to broadcast/multi-cast addresses.
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    #DROP source routed packets
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    #Enable TCP SYN cookies
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    #Do not ACCEPT ICMP redirects
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    #Don't send ICMP redirects
    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
    #Enable source spoofing protection
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    #Log impossible (martian) packets
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

    #Flush all existing rules, then delete any user-defined chains so the script
    #can be re-run (otherwise "iptables -N LOGNDROP" fails the second time)
    iptables --flush
    iptables --delete-chain

    #Allow traffic on loopback
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    #Creating default policies
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP #If we're not a router

    #Allow previously established connections to continue uninterrupted
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    #Allow outbound connections on the ports we previously decided.
    #(IMAP on 143/tcp is in the service list above but not opened here; add a line like the POP one if you use it.)
    iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT #SMTP
    iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT #DNS
    iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT #HTTP
    iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT #POP
    iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT #HTTPS
    iptables -A OUTPUT -p tcp --dport 51413 -j ACCEPT #BT
    iptables -A OUTPUT -p tcp --dport 6969 -j ACCEPT #BT tracker
    iptables -A OUTPUT -p udp --dport 67:68 -j ACCEPT #DHCP
    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT #DNS
    iptables -A OUTPUT -p udp --dport 51413 -j ACCEPT #BT

    #Set up logging for incoming traffic: anything not accepted above is logged, then dropped.
    iptables -N LOGNDROP
    iptables -A INPUT -j LOGNDROP
    iptables -A LOGNDROP -j LOG
    iptables -A LOGNDROP -j DROP

    #Save our firewall rules (iptables-restore reads this file back, see below)
    iptables-save > /etc/iptables.rules

Now that we have our script created we may save it, make it executable and run it

  • sudo chmod 755 iptables.sh
    sudo ./iptables.sh
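The LOGNDROP chain above writes one kernel log line per dropped inbound packet, which on Ubuntu normally lands in /var/log/kern.log. The following is an added example, not from the original page, of reading those lines back: a POSIX shell/awk summary of dropped packets by protocol, destination port and source address, plus a per-port total. The log lines embedded in it are constructed in the format the LOG target uses (IN=, SRC=, PROTO=, DPT= fields) and are not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original page): summarise what the LOGNDROP
# chain's LOG target writes to the kernel log.
# On a real host:  grep 'IN=' /var/log/kern.log | summarize_drops

# Count dropped packets per (protocol, destination port, source address).
# Reads LOG lines on stdin; prints "count PROTO DPT SRC", highest count first.
# ICMP has no port, so its DPT is shown as "-".
summarize_drops() {
    awk '
        /PROTO=/ {
            proto = ""; dpt = "-"; src = "?"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "SRC") src = kv[2]
            }
            if (proto != "") count[proto " " dpt " " src]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Total number of logged drops aimed at one TCP/UDP destination port.
drops_to_port() {
    awk -v port="$1" '
        { for (i = 1; i <= NF; i++) if ($i == ("DPT=" port)) n++ }
        END { print n + 0 }
    '
}

# Constructed sample (not real traffic): three SYNs to 22/tcp from one host,
# two mDNS packets, one probe of 445/tcp and one ICMP echo request.
SAMPLE_LOG='Jun  4 20:58:01 desktop kernel: [ 812.101] IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  4 20:58:02 desktop kernel: [ 813.204] IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  4 20:58:03 desktop kernel: [ 814.310] IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51002 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  4 20:58:05 desktop kernel: [ 816.002] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:66:77:88:99:aa:bb:08:00 SRC=192.0.2.55 DST=224.0.0.251 LEN=80 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=60
Jun  4 20:58:06 desktop kernel: [ 817.115] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:66:77:88:99:aa:bb:08:00 SRC=192.0.2.55 DST=224.0.0.251 LEN=80 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=60
Jun  4 20:58:07 desktop kernel: [ 818.420] IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  4 20:58:08 desktop kernel: [ 819.003] IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=1234 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1'

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf 'drops to 22/tcp or 22/udp: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | drops_to_port 22)"
```

The summary groups only on PROTO, DPT and SRC, so a scan that walks many ports from one address shows up as many single-count lines from the same SRC; sorting by count first and then by the key keeps the output stable between runs. Note that the LOG target has no rate limit as written in the script above, so a busy interface can fill the log quickly.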

Making your rules persistent :

If you want these rules to be restored on every reboot you can do the following.

  • sudo nano /etc/network/interfaces

Assuming wlan0 is the interface you use to connect to the network, add the following at the end of its block. Alternatively you can add it to any interface you want, and the rules will be loaded when that interface is brought up. Keep in mind this does not change the nature of the rules or how they are applied.

  • pre-up iptables-restore < /etc/iptables.rules

Then save the file.

This bit of information as well as other ways for making your iptables rules persistent can be found here : IptablesHowTo

We're done.

Common Ports and Services

FTP - 21 TCP
SSH - 22 TCP
TELNET - 23 TCP
SMTP - 25 TCP
DNS - 53 TCP/UDP
DHCP - 67, 68 UDP
HTTP - 80 TCP
POP3 - 110 TCP
IMAP - 143 TCP
HTTPS - 443 TCP
VNC - 5900-6000
IRC - 6667-7000
Gmail SMTP TLS: 587
Gmail SMTP SSL: 465
Gmail POP SSL: 995
Gmail IMAP SSL: 993

More here : List of TCP and UDP port numbers

Note : this page was copied from Creating a Firewall for Your Ubuntu Desktop (ubuntuforums.org).

BasicSecurity/Firewall (last edited 2013-06-04 20:58:03 by adsl-67-121-112-178)