The following will discuss three different methods by which you may implement a decent host-based firewall for your Ubuntu Desktop installation. This demonstration was completed using Ubuntu 11.10 Oneiric Ocelot 32-bit, but it should hold true for most versions of Ubuntu from 8.04 onwards, on both 64-bit and 32-bit systems (UFW first shipped in 8.04, so earlier releases need to use the iptables section). The three methods we will be using are the following:

 * '''GUFW''' : the graphical user interface for Uncomplicated Firewall, the front end for iptables provided by default in Ubuntu
 * '''UFW''' : the CLI front end for controlling iptables/netfilter, which is included by default in Ubuntu
 * '''iptables''' : we will create an iptables script that builds our firewall directly

It is important to understand that each of these three methods accomplishes the same goal, and only one needs to be used: they are all ways of interfacing with iptables/netfilter, the kernel-level packet filter. Each method produces exactly the same rules, and the choice comes down to which one you feel more comfortable with. Personally, I find iptables more intuitive than the other two methods, so it is what I would use. However you may find GUFW or UFW more convenient; that is why I am discussing all three methods.

I will not be covering Firestarter. It is similar to GUFW, but it is outdated and no longer supported by default, so if you choose to use Firestarter it is entirely on you. It does not offer any functionality that the following methods do not. Without further ado, here we go.

= Method 1 : GUFW =

GUFW is not installed by default, so if you wish to use it you must first install it from the repositories. You can do so by giving the following command in a terminal, or by installing it from the Ubuntu Software Center.
{{{sudo apt-get update && sudo apt-get install gufw}}}

Once it has finished installing you may open it, either by entering the following in a terminal

{{{gufw}}}

or by running the Firewall Configuration application from the Dash. (Note for non-Unity users: this is located under Administration.)

'''''photo gufw'''''

Once GUFW is running you will be presented with a window that looks like this; assuming you do not have any firewall rules yet and UFW is disabled, your window should look identical to this one.

'''''photo new gufw'''''

Note: before you can make any changes you must click on the lock in the lower right-hand corner of the window and enter your sudo password.

'''''photo lock gufw'''''

The first order of business is to enable UFW if it is not already enabled. To do this click the slider next to Firewall Status; it should change to "On". Once we have done this we can begin configuring our firewall policies. Under the slider we just adjusted there are both an Incoming and an Outgoing policy; we want to make sure that both are set to Deny. This blocks all traffic going in and out of our machine, and it takes effect immediately, so expect to have no network access until the allow rules below are in place. Don't worry, we're going to allow some outbound traffic next.

The next thing we need to do is click on the little plus in the lower left-hand corner of the window. This lets us add new rules to our firewall.

'''''photo plus gufw'''''

For this guide we will be creating restrictive policies. In order to do that we must know exactly which ports we need access to.
This is going to be a fairly basic system, and as such we are going to add rules to allow the following outbound traffic:

 * '''DHCP Access''' - Ports 67 and 68 UDP
 * '''Web Access''' - Ports 80 and 443 TCP
 * '''Email Access''' - Ports 25, 110 and 143 TCP
 * '''DNS Access''' - Port 53 TCP and UDP (this is absolutely required; without it nothing else will resolve)
 * '''BitTorrent Access Through Transmission''' - BitTorrent is different in that it uses a multitude of unregistered ports to make connections, so we will use some of the added functionality of GUFW to give us this ability.

Note: you may need additional services; look up the ports your services use. At the end of this post there is a list of commonly used services and their default ports for reference.

Now that we've clicked the plus to create our new rule, we will be presented with a window that looks like this.

'''''photo new rule gufw'''''

The first thing we will do is allow traffic from our '''Transmission application'''. We choose the action '''Allow''', the direction '''Out''', the type '''Application''' and the application '''Transmission'''. Once those settings are correct we click "Add". This uses the UFW application profile that Transmission ships, which covers its own listening port (Method 2 shows the same ports as explicit rules). Be aware that remote peers listen on whatever port they chose, so with a default deny outgoing policy, connections to peers on other ports are still dropped; if that matters to you, you will need a broader outbound rule for Transmission.

Next we will click on the "Simple" tab in the Firewall: Add Rule window. We will then choose the rule '''Allow''', direction '''Out''', protocol '''TCP''', and in the field following TCP we will add the TCP ports we want access to outbound, which will look like this: '''25,53,80,110,143,443''' (143 is IMAP, from the email entry above). Note that each additional port is separated from the last with a comma. Port ranges are written with a colon:

{{{6667:7000}}}

This would indicate ports 6667 through 7000.

Once we have added our TCP outbound ports we must also remember to add the UDP outbound ports we need: 53 for DNS and 67 and 68 for DHCP. We choose the action Allow, direction Out, protocol UDP, and in the field beside UDP enter '''53,67,68'''. Click "Add" and you are done.
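GUFW is only a front end for ufw, and the same port lists get typed again by hand in Method 2 below. As an added example that is not part of the original post, the following script derives the consolidated ufw commands from one service table (constructed here from the list above), so the TCP and UDP lists cannot silently lose an entry the way a hand-typed list can. The script name gen_ufw_rules.sh and the rows of the table are assumptions for illustration; nothing is applied unless you run the output as root.

```shell
#!/bin/sh
# Added example, not from the original post: derive the "ufw allow out"
# commands from a single service table, so the TCP and UDP port lists
# typed into GUFW (or ufw, see Method 2) cannot drift from the documented
# services. Nothing is applied unless you run the output as root:
#     sh gen_ufw_rules.sh | sudo sh

# Service table, constructed from the post's list: name, protocol, port
# or port range (ufw range syntax is low:high). Add your own rows here.
SERVICES='
dhcp        udp 67
dhcp        udp 68
http        tcp 80
https       tcp 443
smtp        tcp 25
pop3        tcp 110
imap        tcp 143
dns         tcp 53
dns         udp 53
bt-peer     tcp 51413
bt-peer     udp 51413
bt-tracker  tcp 6969
'

# ports_for PROTO: the ports for one protocol as a comma-separated list,
# de-duplicated and sorted numerically (ranges sort by their low end).
ports_for() {
    printf '%s\n' "$SERVICES" | awk -v proto="$1" '
        NF == 3 && $2 == proto { seen[$3] = 1 }
        END {
            n = 0
            for (p in seen) list[++n] = p
            for (i = 2; i <= n; i++) {           # insertion sort, numeric
                v = list[i]; j = i - 1
                while (j > 0 && list[j] + 0 > v + 0) { list[j + 1] = list[j]; j-- }
                list[j + 1] = v
            }
            out = ""
            for (i = 1; i <= n; i++) out = out (i > 1 ? "," : "") list[i]
            print out
        }'
}

# ufw_commands: the full Method 2 sequence. Defaults and allow rules come
# before "enable", so there is never a moment with default-deny-out and
# no allow rules loaded.
ufw_commands() {
    echo "ufw default deny incoming"
    echo "ufw default deny outgoing"
    for proto in tcp udp; do
        ports=$(ports_for "$proto")
        if [ -n "$ports" ]; then
            echo "ufw allow out ${ports}/${proto}"
        fi
    done
    echo "ufw --force enable"
}

ufw_commands
```

Run it without piping first and read the commands it prints. To see what the GUI's Application rule for Transmission actually expands to, `sudo ufw app info Transmission` prints the profile's ports, and `sudo ufw app list` shows every profile installed on the system.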
=== (OPTIONAL) ===

If you wish to add more fine-grained control you may do so in the Advanced tab. For instance, if you want to allow outbound SSH traffic only from your IP address to a specific IP address it would look like this.

'''''photo gufw ssh'''''

Once you have finished editing your rules as you want them, you are done and may close the Firewall: Add Rule window as well as GUFW.

= Method 2 : UFW =

In this section we will create the exact same rules we did above, but we will do so using UFW directly instead of its graphical front end. This section is done entirely from the command line. We will be creating the same policies as before, default drop inbound, default drop outbound, with rules allowing the services listed below.

 * '''DHCP Access''' - Ports 67 and 68 UDP
 * '''Web Access''' - Ports 80 and 443 TCP
 * '''Email Access''' - Ports 25, 110 and 143 TCP
 * '''DNS Access''' - Port 53 TCP and UDP (this is absolutely required)
 * '''BitTorrent Access Through Transmission''' - BitTorrent is different in that it uses a multitude of unregistered ports to make connections.

Now that we know where we're going, fire up a terminal window and create the same rules using UFW at the CLI. UFW applies each rule as soon as it is entered while the firewall is enabled, so set the default policies and the allow rules first and enable last; that way you never sit with a default-deny-outgoing firewall and no allow rules. First the default inbound and outbound policies:

{{{sudo ufw default deny incoming && sudo ufw default deny outgoing}}}

Now we will add our outbound TCP rules (port 143 for IMAP is on the service list above, so it belongs here too):

{{{sudo ufw allow out 25,53,80,110,143,443/tcp}}}

Then our outbound UDP rules:

{{{sudo ufw allow out 53,67,68/udp}}}

And now our Transmission rules (these cover Transmission's own listening port and the tracker; peers listening elsewhere are still blocked by the default outbound policy):

{{{sudo ufw allow out 51413/tcp}}}
{{{sudo ufw allow out 51413/udp}}}
{{{sudo ufw allow out 6969/tcp}}}

Now enable UFW:

{{{sudo ufw enable}}}

If UFW was already enabled before you started, restart it for good measure:

{{{sudo ufw disable && sudo ufw enable}}}

Finally, check the result; the output should begin with "Default: deny (incoming), deny (outgoing)" followed by the allow rules you just added:

{{{sudo ufw status verbose}}}

Then you're done.

= Method 3 : iptables =

This method in my opinion is the best because it gives you the most control over your firewall.
However, iptables may not be for the new user. For completeness' sake I will cover it here. Please note: iptables works best without UFW installed, since an enabled UFW loads its own ruleset at boot alongside ours, so we will remove it now.

{{{sudo apt-get remove ufw gufw}}}

Again, in this section we will be enabling the same services as before.

 * '''DHCP Access''' - Ports 67 and 68 UDP
 * '''Web Access''' - Ports 80 and 443 TCP
 * '''Email Access''' - Ports 25, 110 and 143 TCP
 * '''DNS Access''' - Port 53 TCP and UDP (this is absolutely required)
 * '''BitTorrent Access Through Transmission''' - BitTorrent is different in that it uses a multitude of unregistered ports to make connections.

However, here I am going to walk you through the iptables script with the comments in the script, as opposed to step by step like the previous sections. You will want to create a file for your script; for this we will call it iptables.sh, but you can call it whatever you want. Below you will find the sample iptables script.

{{{
#!/bin/bash
# Simple firewall script. Must be run as root: it writes to /proc/sys
# and calls iptables.

# Kernel tunings (sensible defaults; the comments say what each one does).
# Ignore ICMP echo-requests sent to broadcast/multicast addresses.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Drop source-routed packets.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN cookies.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Do not accept ICMP redirects.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Do not send ICMP redirects.
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Enable reverse-path (source spoofing) protection.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log impossible (martian) packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Flush all existing rules and delete user-defined chains, so the script
# can be re-run (without -X a second run fails at "iptables -N LOGNDROP").
iptables --flush
iptables -X

# Allow traffic on loopback.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Default policies: drop everything not explicitly allowed below.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP   # we are not a router

# Allow previously established connections to continue uninterrupted.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow outbound connections on the ports we decided on above.
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT     # SMTP
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT     # DNS
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT     # HTTP
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT    # POP3
iptables -A OUTPUT -p tcp --dport 143 -j ACCEPT    # IMAP
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT    # HTTPS
iptables -A OUTPUT -p tcp --dport 51413 -j ACCEPT  # BitTorrent peers
iptables -A OUTPUT -p tcp --dport 6969 -j ACCEPT   # BitTorrent tracker
iptables -A OUTPUT -p udp --dport 67:68 -j ACCEPT  # DHCP
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT     # DNS
iptables -A OUTPUT -p udp --dport 51413 -j ACCEPT  # BitTorrent peers

# Log, then drop, everything else arriving on INPUT. The rate limit keeps
# a port scan from filling the log; the prefix makes entries easy to grep.
iptables -N LOGNDROP
iptables -A INPUT -j LOGNDROP
iptables -A LOGNDROP -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
iptables -A LOGNDROP -j DROP

# Save our firewall rules.
iptables-save > /etc/iptables.rules
}}}

Now that we have our script created we may save it and execute it:

{{{sudo chmod 755 iptables.sh}}}

{{{sudo ./iptables.sh}}}

Making your rules persistent: if you want these rules restored on every reboot you can do the following.

{{{sudo nano /etc/network/interfaces}}}

Assuming wlan0 is the interface you use to connect to the network, add the following at the end of its block. Alternatively you can add it to any interface you want, and the rules will be loaded when that interface is brought up. Keep in mind this does not change the nature of the rules or how they are applied.

{{{pre-up iptables-restore < /etc/iptables.rules}}}

Then save the file. Two caveats: this only works for interfaces that ifupdown manages, i.e. ones listed in /etc/network/interfaces; on a desktop where NetworkManager brings up wlan0 that block usually does not exist, and you will need one of the other methods from the link below (the iptables-persistent package, for example). Also, iptables-restore restores only the rules, not the /proc/sys settings at the top of the script; put those in /etc/sysctl.conf if you want them to survive a reboot. This bit of information as well as other ways for making your iptables rules persistent can be found here: [[https://help.ubuntu.com/community/IptablesHowTo|IptablesHowTo]]

Finally, remember that iptables only filters IPv4. With no ip6tables rules loaded the IPv6 chains keep their ACCEPT policy, so either apply an equivalent ip6tables ruleset or make sure IPv6 is not in use on the host. (UFW configures ip6tables as well when IPV6=yes is set in /etc/default/ufw.)

We're done.

= Common Ports and Services =

 * FTP - 21 TCP
 * SSH - 22 TCP
 * TELNET - 23 TCP
 * SMTP - 25 TCP
 * DNS - 53 TCP/UDP
 * DHCP - 67, 68 UDP
 * HTTP - 80 TCP
 * POP3 - 110 TCP
 * IMAP - 143 TCP
 * HTTPS - 443 TCP
 * VNC - 5900-6000 TCP
 * IRC - 6667-7000 TCP
 * Gmail SMTP TLS (submission): 587 TCP
 * Gmail SMTP SSL: 465 TCP
 * Gmail POP SSL: 995 TCP
 * Gmail IMAP SSL: 993 TCP

More here : [[http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers|List of TCP and UDP port numbers]]

Note: this page was copied from [[http://ubuntuforums.org/showthread.php?t=1876124|Creating a Firewall for Your Ubuntu Desktop (ubuntuforums.org)]], but failed to include the screenshots:

 * [[http://dangertux.no-ip.org/downloads/1.png|http://dangertux.no-ip.org/downloads/1.png]]
 * [[http://dangertux.no-ip.org/downloads/2.png|http://dangertux.no-ip.org/downloads/2.png]]
 * [[http://dangertux.no-ip.org/downloads/3.png|http://dangertux.no-ip.org/downloads/3.png]]
 * [[http://dangertux.no-ip.org/downloads/4.png|http://dangertux.no-ip.org/downloads/4.png]]
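Returning to Method 3: the script saves the live ruleset with iptables-save, and the persistence step restores that file at boot, so that file is what actually protects the host. What follows is an added example, not part of the original post, that audits a ruleset in iptables-save format against the policy the script intends: default DROP on INPUT, OUTPUT and FORWARD, loopback and ESTABLISHED,RELATED accepted, and no outbound ACCEPT for a port that is not on the service list. The file name audit_rules.sh, the two embedded sample rulesets and the allow-lists are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit a ruleset in
# iptables-save format (the /etc/iptables.rules file Method 3 writes, or
# the live output of "iptables-save") against the intended policy.
#     sh audit_rules.sh /etc/iptables.rules      # a saved file
#     sudo iptables-save | sh audit_rules.sh -   # the live ruleset
#     sh audit_rules.sh                          # demo on the samples below

# Intended outbound allow-list, from the post's service table.
WANT_TCP="25 53 80 110 143 443 51413 6969"
WANT_UDP="53 67 68 51413"

# audit_rules [FILE]: reads iptables-save text from FILE ("-" or nothing
# means stdin), prints one FAIL line per problem, returns 0 only if clean.
audit_rules() {
    # Keep only the filter table: nat and mangle also have an OUTPUT
    # chain with policy ACCEPT, which must not be mistaken for ours.
    filter=$(cat "${1:--}" | awk '/^\*/ { t = substr($1, 2); next } t == "filter"')
    status=0

    for chain in INPUT OUTPUT FORWARD; do
        pol=$(printf '%s\n' "$filter" | awk -v c=":$chain" '$1 == c { print $2 }')
        if [ "$pol" != "DROP" ]; then
            echo "FAIL: $chain policy is '${pol:-missing}', expected DROP"; status=1
        fi
    done

    for rule in "-A INPUT -i lo -j ACCEPT" "-A OUTPUT -o lo -j ACCEPT"; do
        printf '%s\n' "$filter" | grep -qxF -- "$rule" ||
            { echo "FAIL: missing loopback rule: $rule"; status=1; }
    done

    # iptables-save prints the states in its own order; accept both spellings.
    for chain in INPUT OUTPUT; do
        printf '%s\n' "$filter" |
            grep -qE -- "^-A $chain -m conntrack --ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT$" ||
            { echo "FAIL: $chain lacks the ESTABLISHED,RELATED rule; replies would be dropped"; status=1; }
    done

    # Every port-specific ACCEPT in OUTPUT must be on the allow-list.
    # Ranges such as 67:68 are expanded and checked port by port.
    unexpected=$(printf '%s\n' "$filter" | awk '
        $1 == "-A" && $2 == "OUTPUT" && $NF == "ACCEPT" {
            proto = ""; port = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (proto != "" && port != "") print proto, port
        }' | while read -r proto port; do
            case "$proto" in tcp) want=$WANT_TCP ;; udp) want=$WANT_UDP ;; *) want="" ;; esac
            p=${port%%:*}; hi=${port##*:}
            while [ "$p" -le "$hi" ]; do
                case " $want " in *" $p "*) ;; *) echo "$proto/$p" ;; esac
                p=$((p + 1))
            done
        done)
    for hit in $unexpected; do
        echo "FAIL: outbound ACCEPT not on the allow-list: $hit"; status=1
    done

    [ "$status" -eq 0 ] && echo "OK: filter table matches the intended policy"
    return "$status"
}

# Constructed sample: a subset of what iptables-save prints after the
# post's script has run.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 67:68 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT'

# Constructed sample: OUTPUT left at ACCEPT, a stray outbound telnet rule,
# and a nat table whose ACCEPT policies must be ignored.
BAD_RULES='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

if [ $# -gt 0 ]; then
    audit_rules "$1"
else
    echo "== sample matching the post's script =="
    printf '%s\n' "$GOOD_RULES" | audit_rules || true
    echo "== sample with OUTPUT at ACCEPT and a stray telnet rule =="
    printf '%s\n' "$BAD_RULES" | audit_rules || true
fi
```

The broken sample reports two problems, the ACCEPT policy on OUTPUT and the telnet rule, and passes the nat table without comment. Running the same audit on `sudo ip6tables-save` output is a quick way to see the IPv6 gap mentioned above: with nothing configured, all three policy checks fail.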