Could somebody give some simple steps with configuration example how to setup simple firewall on Ubuntu (using console only)? Only ssh, http and https access should be allowed.
Just decide if you want to allow incoming ICMP (ping) or not.
# Clear any existing firewall stuff before we start
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
# As the default policies, drop all incoming traffic but allow all
# outgoing traffic. This will allow us to make outgoing connections
# from any port, but will only allow incoming connections on the ports
# specified below.
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
# Allow all incoming traffic if it is coming from the local loopback device
iptables -A INPUT -i lo -j ACCEPT
# Accept all incoming traffic associated with an established
# connection, or a "related" connection
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow incoming connections
# SSH
iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT
# HTTP
iptables -A INPUT -p tcp -i eth0 --dport 80 -m state --state NEW -j ACCEPT
# HTTPS
iptables -A INPUT -p tcp -i eth0 --dport 443 -m state --state NEW -j ACCEPT
# Allow icmp input so that people can ping us
iptables -A INPUT -p icmp -j ACCEPT
# Reject all other incoming packets
iptables -A INPUT -j REJECT
As noted in comments to another answer, you don't want to lose your connection before you allow the ssh port. From the man page:
"REMOTE MANAGEMENT
When running ufw enable or starting ufw via its initscript, ufw will flush its chains. This is required so ufw can maintain a consistent state, but it may drop existing connections (eg ssh). ufw does support adding rules before enabling the firewall, so administrators can do:
ufw allow proto tcp from any to any port 22
before running ’ufw enable’. The rules will still be flushed, but the ssh port will be open after enabling the firewall. Please note that once ufw is ’enabled’, ufw will not flush the chains when adding or removing rules (but will when modifying a rule or changing the default policy)."
So here is an approach that uses a script to set it. You will get logged out when you run this script, but having run it you can then log in again over ssh.
Put the following in a script and call it start-firewall.sh
If you familiarize yourself with scripting iptables, you will have full control over all firewall capabilities. It's nowhere near as friendly as Firestarter, but it can be done at the console with nano/vi editors. Check out this tutorial geared towards Ubuntu.
Quicktables helped me to learn iptables rules. Just run the script and it will generate an iptables script for you... then you can open it and view the associated commands generated by the questions it asked of you. It's a great learning resource.
To create setup rules you like you would need to edit the file /etc/default/firehol and change START_FIREHOL=YES
And you would want to make your /etc/firehol/firehol.conf look like this.
version 5
interface any IfAll
client any AnyClient accept
server "ssh http https" accept
# Accept everything from trusted networks
server anystateless AllInside accept src "10.3.27.0/24"
One of the great things about firehol is the 'try' command. You can adjust your configuration file and do a 'firehol try', if you where connected via ssh, and something about what you changed killed your network access then firehol will revert the changes. To have the changes actually go into effect, you must say commit.
sudo ufw default deny
sudo ufw allow http
sudo ufw allow https
sudo ufw allow ssh
sudo ufw enable
Use this script.
Just decide if you want to allow incoming ICMP (ping) or not.
As noted in comments to another answer, you don't want to lose your connection before you allow the ssh port. From the man page:
"REMOTE MANAGEMENT
When running ufw enable or starting ufw via its initscript, ufw will flush its chains. This is required so ufw can maintain a consistent state, but it may drop existing connections (eg ssh). ufw does support adding rules before enabling the firewall, so administrators can do:
before running ’ufw enable’. The rules will still be flushed, but the ssh port will be open after enabling the firewall. Please note that once ufw is ’enabled’, ufw will not flush the chains when adding or removing rules (but will when modifying a rule or changing the default policy)."
So here is an approach that uses a script to set it. You will get logged out when you run this script, but having run it you can then log in again over ssh.
Put the following in a script and call it start-firewall.sh
And then make it executable and run it by doing
To learn more, read the man page.
If you familiarize yourself with scripting
iptables, you will have full control over all firewall capabilities. It's nowhere near as friendly as Firestarter, but it can be done at the console withnano/vieditors. Check out this tutorial geared towards Ubuntu.Quicktables helped me to learn iptables rules. Just run the script and it will generate an iptables script for you... then you can open it and view the associated commands generated by the questions it asked of you. It's a great learning resource.
Unfortunately, it is no longer maintained.
http://qtables.radom.org/
I really like using firehol (package).
To create setup rules you like you would need to edit the file /etc/default/firehol and change START_FIREHOL=YES
And you would want to make your /etc/firehol/firehol.conf look like this.
One of the great things about firehol is the 'try' command. You can adjust your configuration file and do a 'firehol try', if you where connected via ssh, and something about what you changed killed your network access then firehol will revert the changes. To have the changes actually go into effect, you must say commit.
I would prefer Shorewall. It is easy to setup but flexible at the same time.
Maybe you should take a look at http://iptables-tutorial.frozentux.net/iptables-tutorial.html. Also you can find more information on lartc.org
sudo apt-get install firestarterThen, look in the System->Administration menu.