03Firewall - amagerard/TemplateVM GitHub Wiki
Replace firewalld with ufw:

```
dnf remove firewalld
dnf remove firewall-config
dnf install ufw
```

Basic ufw commands:

```
ufw enable          # enables the firewall and starts it at boot
ufw status verbose  # shows the active rules
ufw reload          # reloads the rules
ufw disable         # stops ufw
```
Disable the IPv6 rules: edit /etc/default/ufw, change `IPV6=yes` to `IPV6=no`, then restart the ufw service.

```
vi /etc/default/ufw
systemctl restart ufw
```
Edit /etc/ufw/before.rules. The file already contains the ICMP rules for FORWARD:

```
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
```

Add the equivalent lines for OUTPUT:

```
# ok icmp code for OUTPUT
-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT
```
Be careful: by default there is no INPUT rule that blocks ping. To block it, edit /etc/ufw/before.rules again, locate the "ok icmp codes for INPUT" block and its line

```
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
```

and add a DROP line after it. Only one of the two lines may be active: iptables stops at the first matching rule, so the DROP line has no effect while the ACCEPT line above it is still uncommented. Keep both lines and comment out the one you do not want.

```
# Stop ping requests from reaching your virtual machine.
#-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
```

```
# Allow ping again.
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
#-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
```
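The ACCEPT/DROP toggle above is easy to get wrong by hand (both lines left active, or the DROP line left below an active ACCEPT). The following shell script is an added example and is not part of the TemplateVM wiki; it edits a before.rules file so that exactly one of the two echo-request INPUT lines is active, and reports the current state, flagging the case where both are active. The function names, the constructed sample file and the `demo` argument are assumptions of this example; on a real system run `ufw reload` after the edit.

```shell
#!/bin/sh
# Added example, not part of the TemplateVM wiki: switch the inbound
# echo-request (ping) rule in a ufw before.rules file between ACCEPT and
# DROP. iptables evaluates a chain top to bottom and stops at the first
# match, so a DROP line placed after an active ACCEPT line never fires;
# the script therefore keeps exactly one of the two lines uncommented.
# Assumed usage: ufw_set_ping accept|drop [path-to-before.rules]
# followed by "ufw reload" on a real system.

ECHO_IN='-A ufw-before-input -p icmp --icmp-type echo-request'

# Print the current state: accept, drop, none, or ambiguous (both active).
ufw_ping_state() {
    rules="${1:-/etc/ufw/before.rules}"
    a=$(grep -c -- "^$ECHO_IN -j ACCEPT\$" "$rules" || true)
    d=$(grep -c -- "^$ECHO_IN -j DROP\$" "$rules" || true)
    if [ "$a" -eq 1 ] && [ "$d" -eq 0 ]; then echo accept
    elif [ "$a" -eq 0 ] && [ "$d" -eq 1 ]; then echo drop
    elif [ "$a" -eq 0 ] && [ "$d" -eq 0 ]; then echo none
    else echo ambiguous; return 1   # both active: only the first in file order wins
    fi
}

ufw_set_ping() {
    mode="$1"
    rules="${2:-/etc/ufw/before.rules}"
    case "$mode" in
        accept|drop) ;;
        *) echo "usage: ufw_set_ping accept|drop [file]" >&2; return 2 ;;
    esac
    if ! grep -q -- "^#*$ECHO_IN -j ACCEPT\$" "$rules"; then
        echo "no echo-request INPUT rule found in $rules" >&2
        return 1
    fi
    tmp="$rules.tmp.$$"
    # First pass: if the file has no DROP line yet, add one (commented out)
    # directly after the ACCEPT line, as the wiki layout does.
    if ! grep -q -- "^#*$ECHO_IN -j DROP\$" "$rules"; then
        awk -v drop="#$ECHO_IN -j DROP" '
            { print }
            /^#*-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT$/ { print drop }
        ' "$rules" > "$tmp" && mv "$tmp" "$rules"
    fi
    # Second pass: uncomment the wanted line and comment out the other one.
    awk -v mode="$mode" '
        /^#*-A ufw-before-input -p icmp --icmp-type echo-request -j (ACCEPT|DROP)$/ {
            sub(/^#+/, "")
            active = ($0 ~ /-j ACCEPT$/) ? "accept" : "drop"
            prefix = (active == mode) ? "" : "#"
            print prefix $0
            next
        }
        { print }
    ' "$rules" > "$tmp" && mv "$tmp" "$rules"
}

# Constructed sample mirroring the INPUT block of before.rules (ping allowed).
make_sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
EOF
    echo "$f"
}

# "sh script.sh demo" runs the toggle on the constructed sample only.
if [ "${1:-}" = "demo" ]; then
    f=$(make_sample_rules)
    ufw_set_ping drop "$f" && echo "state: $(ufw_ping_state "$f")"
    cat "$f"
    rm -f "$f"
fi
```

Run `ufw_ping_state` after any manual edit of before.rules: the `ambiguous` result is exactly the misconfiguration where a DROP line was added without commenting out the ACCEPT line.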
Add custom application profiles in /etc/ufw/applications.d/ufw-custom:

```
[DHCP]
title=dhcp
description=Dynamic Host Configuration Protocol (DHCP) via IPv4
ports=67,68/udp

[IMAP TLS]
title=Mail server (IMAP) TLS
description=Mail server (IMAP) TLS
ports=143/tcp

[IMAP SSL]
title=Secure mail server (IMAPS) SSL
description=Secure mail server (IMAPS) SSL
ports=993/tcp

[SMTP SSL]
title=Mail server (SMTP) SSL
description=Mail server (SMTP) SSL
ports=465/tcp

[SMTP TLS]
title=Mail server (SMTP) TLS
description=Mail server (SMTP) TLS
ports=587/tcp

[NTP2]
title=NTP2
description=Network Time Protocol
ports=123/udp
```
To help you create other services, see the profiles collected at https://github.com/ageis/ufw-application-profiles/tree/master/applications.d
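To catch a malformed profile before ufw loads it, here is an added example (not from the TemplateVM wiki or the linked repository) that validates a file in the applications.d format: every section needs title, description and ports, the ports value must use the syntax ufw accepts (port, port:range, comma lists, an optional /tcp or /udp, several groups joined with |), port numbers must be within 1-65535 and no profile may be defined twice. The function names and the two constructed sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the TemplateVM wiki: sanity-check a ufw
# application profile file (the format used in /etc/ufw/applications.d).
# Exit 0 when the file is clean, 1 with one line per finding otherwise.
# Usage: ufw_check_profiles FILE...

ufw_check_profiles() {
    awk '
    function fail(msg) { print FILENAME ":" NR ": " msg; bad = 1 }
    # Validate one ports= value, e.g. "67,68/udp" or "22/tcp|80:90/tcp".
    function check_ports(spec,    n, i, toks, m, j, parts) {
        n = split(spec, toks, "|")
        for (i = 1; i <= n; i++) {
            if (toks[i] !~ /^[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*(\/(tcp|udp))?$/) {
                fail("bad ports token \"" toks[i] "\"")
                continue
            }
            sub(/\/(tcp|udp)$/, "", toks[i])
            m = split(toks[i], parts, /[,:]/)
            for (j = 1; j <= m; j++)
                if (parts[j] + 0 < 1 || parts[j] + 0 > 65535)
                    fail("port out of range: " parts[j])
        }
    }
    # Called when a section ends: check the three mandatory keys.
    function close_section(    k) {
        if (name == "") return
        if (!("title" in keys)) fail("[" name "] has no title")
        if (!("description" in keys)) fail("[" name "] has no description")
        if (!("ports" in keys)) fail("[" name "] has no ports")
        else check_ports(keys["ports"])
        for (k in keys) delete keys[k]
    }
    /^[ \t]*$/ { next }              # blank line
    /^[ \t]*[#;]/ { next }           # comment
    /^\[.*\]$/ {                     # [Profile name]
        close_section()
        name = substr($0, 2, length($0) - 2)
        if (name in seen) fail("duplicate profile [" name "]")
        seen[name] = 1
        next
    }
    /^[A-Za-z_]+=/ {                 # key=value
        if (name == "") { fail("key outside a [section]"); next }
        k = $0; sub(/=.*/, "", k)
        v = $0; sub(/^[^=]*=/, "", v)
        keys[k] = v
        next
    }
    { fail("unparsable line: " $0) }
    END { close_section(); exit bad + 0 }
    ' "$@"
}

# Constructed sample in the wiki format, expected to pass.
sample_profiles_ok() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[DHCP]
title=dhcp
description=Dynamic Host Configuration Protocol (DHCP) via IPv4
ports=67,68/udp

[IMAP TLS]
title=Mail server (IMAP) TLS
description=Mail server (IMAP) TLS
ports=143/tcp

[WWW Full]
title=Web Server (HTTP,HTTPS)
description=Web server
ports=80,443/tcp
EOF
    echo "$f"
}

# Constructed broken sample: missing description, duplicate name,
# port out of range and a non-numeric token (four findings).
sample_profiles_bad() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[SMTP TLS]
title=Mail server (SMTP) TLS
ports=587/tcp
[NTP2]
title=NTP2
description=Network Time Protocol
ports=123/udp
[NTP2]
title=dup
description=dup
ports=70000/udp|abc
EOF
    echo "$f"
}
```

Running `ufw_check_profiles /etc/ufw/applications.d/ufw-custom` before `ufw allow 'SMTP TLS'` gives a file:line message for each problem instead of a failed rule later on.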
Flush all iptables chains, delete all user-defined chains and zero the counters:

```
iptables -F
iptables -X
iptables -Z
```

Flush and delete the nat, mangle and raw tables as well:

```
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
```

Set the iptables default policies to ACCEPT (all ports open). Until ufw is enabled again below, the machine is completely unfiltered:

```
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
```

View the rules with iptables:

```
iptables -L -n -v
```
ufw is enabled. Delete all existing ufw rules, one at a time by number:

```
ufw status numbered
ufw delete [n]
```

Once all the rules have been deleted, check:

```
ufw status numbered
ufw status verbose
```

We deny everything by default and then open only what is authorised. Deny by default for all IN and OUT rules:

```
ufw default deny outgoing
ufw default deny incoming
ufw disable && ufw enable && ufw status verbose
```

The status now shows:

```
Default: deny (incoming), deny (outgoing), disabled (routed)
```
Set up our default rules. Allow SSH to your server only from your IP (or IP pool):

```
ufw allow IN from <your IP> to any app ssh
```

Authorise outgoing HTTP, HTTPS, DNS, NTP, SMTP (plain, SSL, TLS) and IMAP (SSL, TLS) from your server:

```
ufw allow OUT 'WWW Full'
ufw allow OUT DNS
ufw allow OUT ntp
ufw allow OUT SMTP
ufw allow OUT 'SMTP SSL'
ufw allow OUT 'SMTP TLS'
ufw allow OUT 'IMAP TLS'
ufw allow OUT 'IMAP SSL'
```

Reload the rules and view them:

```
ufw reload
ufw status verbose
```
```
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    192.168.1.2
53 (DNS)                   ALLOW OUT   Anywhere
123                        ALLOW OUT   Anywhere
25/tcp (SMTP)              ALLOW OUT   Anywhere
80,443/tcp (WWW Full)      ALLOW OUT   Anywhere
465/tcp (SMTP SSL)         ALLOW OUT   Anywhere
587/tcp (SMTP TLS)         ALLOW OUT   Anywhere
143/tcp (IMAP TLS)         ALLOW OUT   Anywhere
993/tcp (IMAP SSL)         ALLOW OUT   Anywhere
```
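The status output above can be checked automatically. The following shell function is an added example, not part of the TemplateVM wiki; it reads the text of `ufw status verbose` and reports anything that departs from the deny-by-default setup of this page: firewall inactive, logging off, a permissive default policy, or an ALLOW IN rule open from Anywhere instead of a specific host or range. The function names and the two embedded samples (the wiki's output plus a deliberately weakened variant) are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the TemplateVM wiki: audit the text printed by
# "ufw status verbose" and flag anything that weakens the deny-by-default
# posture set on this page.
# Usage: ufw status verbose | ufw_audit_status     (exit 0 = no findings)

ufw_audit_status() {
    awk '
    function finding(msg) { print "FINDING: " msg; n++ }
    /^Status:/  { if ($2 != "active") finding("firewall is " $2) }
    /^Logging:/ { if ($2 == "off") finding("logging is off") }
    /^Default:/ {
        if ($0 !~ /(deny|reject) \(incoming\)/) finding("incoming default is not deny: " $0)
        if ($0 ~ /allow \(outgoing\)/) finding("outgoing default is allow: " $0)
    }
    # Rule lines look like:  22   ALLOW IN   192.168.1.2
    match($0, /[ \t]+(ALLOW|LIMIT)[ \t]+IN[ \t]+/) {
        to = substr($0, 1, RSTART - 1)
        from = substr($0, RSTART + RLENGTH)
        sub(/[ \t]+$/, "", to)
        if (from ~ /^Anywhere/) finding("\"" to "\" is open from Anywhere (" from ")")
    }
    END { exit n > 0 }
    ' "$@"
}

# Constructed sample: the status shown in the wiki after the rules above.
sample_status() {
    cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    192.168.1.2
53 (DNS)                   ALLOW OUT   Anywhere
123                        ALLOW OUT   Anywhere
25/tcp (SMTP)              ALLOW OUT   Anywhere
80,443/tcp (WWW Full)      ALLOW OUT   Anywhere
465/tcp (SMTP SSL)         ALLOW OUT   Anywhere
587/tcp (SMTP TLS)         ALLOW OUT   Anywhere
143/tcp (IMAP TLS)         ALLOW OUT   Anywhere
993/tcp (IMAP SSL)         ALLOW OUT   Anywhere
EOF
}

# Constructed weakened variant: SSH open to the world (v4 and v6),
# logging off, outgoing policy allow. Expected: four findings.
sample_status_weak() {
    cat <<'EOF'
Status: active
Logging: off
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
587/tcp (SMTP TLS)         ALLOW IN    192.168.40.0/24
587/tcp (SMTP TLS)         ALLOW OUT   Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
EOF
}
```

A rule such as `587/tcp (SMTP TLS) ALLOW IN 192.168.40.0/24` is not reported because its source is restricted; the check only objects to inbound rules whose source is Anywhere.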
Notes:

- Restricting a service to a single IP or an IP range. Example with the range 192.168.40.0/24 and the service SMTP TLS, restricting IN:

  ```
  ufw allow IN from 192.168.40.0/24 to any app 'SMTP TLS'
  ```

- A bidirectional rule, for example for 'SMTP TLS':

  ```
  ufw allow IN 'SMTP TLS'
  ufw allow OUT 'SMTP TLS'
  ```

  Check that the OUT rule really exists in the status output:

  ```
  587/tcp (SMTP TLS)         ALLOW IN    Anywhere
  587/tcp (SMTP TLS)         ALLOW OUT   Anywhere
  ```
Information: for an IN and OUT pair, `ufw status numbered` displays only one rule for 'SMTP TLS'; deleting that 'SMTP TLS' rule removes both the IN and the OUT rule.

`ufw enable` is supposed to keep ufw enabled across reboots (see /etc/ufw/ufw.conf), but this is not always true at startup. To force ufw to "active" status each time the machine is started, edit /etc/crontab and add this line at the end:

```
# Program for each boot
@reboot root ufw enable
```
Set the logging level:

```
ufw logging [on|medium|low]
```

See the logging status with `ufw status verbose`:

```
Status: active
Logging: on (medium)
```
The rules files created by ufw are located in /var/lib/ufw:

```
user.rules
user6.rules
```

These files can be exported to another Red Hat machine provided that the /etc/ufw folders of the two machines are identical.
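To verify the "identical /etc/ufw" precondition before copying the rules files, here is an added example (not from the TemplateVM wiki) that compares two directory trees by a sorted list of SHA-256 digests and prints the differing files as a diff. The function names and the miniature sample tree are assumptions of this example; sha256sum from coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the TemplateVM wiki: check that two /etc/ufw
# trees really are identical (same files, same contents) before moving
# user.rules / user6.rules from one machine to another. Paths are
# arguments so the check also works on a mounted or staged copy.
# Usage: ufw_dirs_identical /etc/ufw /mnt/other/etc/ufw

# Print "sha256  ./relative/path" for every regular file under DIR, sorted,
# so that two trees can be compared line by line.
ufw_tree_digest() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" "$f"
    done)
}

# Exit 0 if both trees match, 1 otherwise (differences are printed as a diff).
ufw_dirs_identical() {
    ta=$(mktemp)
    tb=$(mktemp)
    ufw_tree_digest "$1" > "$ta"
    ufw_tree_digest "$2" > "$tb"
    if diff -u "$ta" "$tb"; then rc=0; else rc=1; fi
    rm -f "$ta" "$tb"
    return $rc
}

# Constructed miniature /etc/ufw tree for demonstration (contents made up).
make_sample_etc_ufw() {
    d=$(mktemp -d)
    printf 'ENABLED=yes\nLOGLEVEL=low\n' > "$d/ufw.conf"
    printf '# constructed\n-A ufw-before-input -p icmp --icmp-type echo-request -j DROP\n' > "$d/before.rules"
    mkdir "$d/applications.d"
    printf '[NTP2]\ntitle=NTP2\ndescription=Network Time Protocol\nports=123/udp\n' > "$d/applications.d/ufw-custom"
    echo "$d"
}
```

A single differing byte in before.rules or in a custom profile is enough to make the exported user.rules behave differently on the second machine, which is why the comparison covers the whole tree and not only the two rules files.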