LinuxQuestions.org > Linux - Networking > How to block all port except specified on specific NIC in Ubuntu Server
(http://www.linuxquestions.org/questions/linux-networking-3/how-to-block-all-port-except-specified-on-specific-nic-in-ubuntu-server-4175447520/)

junkyhlm 01-28-2013 05:13 AM

How to block all port except specified on specific NIC in Ubuntu Server
 
I've been searching and reading for a solution to my problem. I would like to block all traffic except on a specified port range (55556-55560) on a specified NIC (eth0), and then block all traffic on the same port range on another NIC (eth1).

My setup:

I'm running an Ubuntu Server 12.04 system with two physical network interfaces (eth0 and eth1). eth0 is tunneled through a VPN tunnel on the tun0 interface, and I've only got one application bound to that interface.

What I've now encountered is that other internet services like ssh and the apache2 web server are also available on the external IP of the tun0 interface, and I don't want them to be.

The application running over the VPN tunnel runs on port range 55556-55560, and now I only want to allow these ports on the eth0 interface. The other interface (eth1) is behind a router, so I don't want any port rules to be applied there.

The question

How do I accomplish this in the best manner? Is ufw the best solution, and how do I configure it correctly?

Code:

sudo ufw allow 55556-55560 on eth0
returns an error (Wrong number of arguments).

And
Code:

sudo ufw allow all on eth1
returns the same thing.

acid_kewpie 01-28-2013 06:22 AM

an example in the manpage is:

Code:

ufw allow in on eth0 to any port 80 proto tcp
I'm not at all familiar with ufw, but you generally can't specify a port range without a protocol, so try:

Code:

ufw allow in on eth0 to any port 55556-55560 proto tcp

junkyhlm 01-28-2013 06:49 AM

Quote:

Originally Posted by acid_kewpie (Post 4878963)
an example in the manpage is:

Code:

ufw allow in on eth0 to any port 80 proto tcp
I'm not at all familiar with ufw, but you generally can't specify a port range without a protocol, so try:

Code:

ufw allow in on eth0 to any port 55556-55560 proto tcp

That seems to be working.
Do you think it'll work if I set it like this:
Code:

ufw deny in on eth0 from any
ufw deny out on eth0 to any
ufw allow in on eth0 to any port 55556:55560 proto tcp
ufw allow out on eth0 from any port 55556:55560 proto tcp

Or will it conflict?

acid_kewpie 01-28-2013 07:00 AM

Firstly, the order probably matters; it certainly does in iptables, so by denying first nothing will ever get through. But you shouldn't really need a default there, as there will be an overarching default policy, which you can see from "ufw status verbose", and if the policy is denying by default there, explicit rules are not required.

junkyhlm 01-28-2013 07:03 AM

Quote:

Originally Posted by acid_kewpie (Post 4878981)
Firstly, the order probably matters; it certainly does in iptables, so by denying first nothing will ever get through. But you shouldn't really need a default there, as there will be an overarching default policy, which you can see from "ufw status verbose", and if the policy is denying by default there, explicit rules are not required.

Yeah, but what I can conclude is that I can't set a default on a single interface. The default is for the entire firewall. Or am I wrong?

acid_kewpie 01-28-2013 07:04 AM

The default would, in iptables land, be on INPUT or OUTPUT, not NIC specific, no.

junkyhlm 01-28-2013 07:05 AM

Quote:

Originally Posted by acid_kewpie (Post 4878984)
The default would, in iptables land, be on INPUT or OUTPUT, not NIC specific, no.

Yeah, and I only want the default to be DENY on one of the two interfaces. So that's not an option for me.
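
The two points raised above (rule order decides the outcome, and ufw's default policy is per direction rather than per interface, so a per-interface "default deny" has to be emulated with an interface-scoped deny rule placed after the specific allows) can be checked without touching a live firewall. The following is an added example, not code from the thread or from ufw itself: a small first-match model of ufw's user rules. It assumes tun0 for both orderings, the "to any port" form of the rules, ufw's stock defaults (deny incoming, allow outgoing), and ufw's behaviour of accepting RELATED/ESTABLISHED traffic before user rules; addresses and other ufw features are not modelled.

```python
"""First-match model of ufw user rules (added example, not part of the thread).

Mimics three ufw behaviours the discussion turns on:
  * rules are evaluated top to bottom and the first match wins,
  * the default policy (deny incoming / allow outgoing on a stock install)
    applies per direction, never per interface,
  * replies belonging to established connections are accepted before user
    rules (ufw's before.rules), so an interface-wide deny placed last does
    not break return traffic of connections the allow rules admitted.
Only the 'to any' / 'from any' rule forms used in the thread are handled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: str              # "in" or "out"
    iface: Optional[str]        # from "on <iface>", None = any interface
    proto: Optional[str]        # "tcp" / "udp", None = any protocol
    ports: Optional[range]      # destination port range, None = any port


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" or "out"
    iface: str                  # interface the packet enters or leaves on
    proto: str
    dport: int                  # destination port
    established: bool = False   # conntrack already knows this connection


DEFAULT_POLICY = {"in": "deny", "out": "allow"}   # ufw's stock defaults


def parse_rule(cmd: str) -> Rule:
    """Parse 'ufw allow|deny in|out on IF to any [port A:B] [proto P]'."""
    toks = cmd.split()
    while toks and toks[0] in ("sudo", "ufw"):
        toks.pop(0)
    if len(toks) < 2 or toks[0] not in ("allow", "deny") or toks[1] not in ("in", "out"):
        raise ValueError(f"unsupported rule: {cmd!r}")
    action, direction = toks[0], toks[1]
    iface = proto = ports = None
    i = 2
    while i + 1 < len(toks):
        key, val = toks[i], toks[i + 1]
        if key == "on":
            iface = val
        elif key in ("to", "from"):
            if val != "any":
                raise ValueError("only 'to any' / 'from any' are modelled")
        elif key == "port":
            lo, _, hi = val.partition(":")      # ufw writes ranges as lo:hi
            ports = range(int(lo), int(hi or lo) + 1)
        elif key == "proto":
            proto = val
        else:
            raise ValueError(f"unsupported token {key!r} in {cmd!r}")
        i += 2
    if i != len(toks):
        raise ValueError(f"dangling token {toks[i]!r} in {cmd!r}")
    if ports is not None and len(ports) > 1 and proto is None:
        raise ValueError("ufw needs 'proto tcp' or 'proto udp' for a port range")
    return Rule(action, direction, iface, proto, ports)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return 'allow' or 'deny' for pkt under rules, first match wins."""
    if pkt.established:
        return "allow"      # RELATED,ESTABLISHED accept precedes user rules
    for r in rules:
        if r.direction != pkt.direction:
            continue
        if r.iface is not None and r.iface != pkt.iface:
            continue
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.ports is not None and pkt.dport not in r.ports:
            continue
        return r.action
    return DEFAULT_POLICY[pkt.direction]   # global per-direction default


# Interface-wide deny placed first: the later allows can never match.
DENY_FIRST = [parse_rule(c) for c in (
    "ufw deny in on tun0 from any",
    "ufw deny out on tun0 to any",
    "ufw allow in on tun0 to any port 55556:55560 proto tcp",
    "ufw allow out on tun0 to any port 55556:55560 proto tcp",
)]

# Specific allows first, interface-wide deny last, explicit allows on eth1
# (inbound on eth1 would otherwise fall through to the global deny default).
ALLOW_FIRST = [parse_rule(c) for c in (
    "sudo ufw allow in on tun0 to any port 55556:55560 proto tcp",
    "sudo ufw allow in on tun0 to any port 55556:55560 proto udp",
    "sudo ufw allow out on tun0 to any port 55556:55560 proto udp",
    "sudo ufw allow out on tun0 to any port 55556:55560 proto tcp",
    "sudo ufw deny in on tun0 from any",
    "sudo ufw deny out on tun0 to any",
    "sudo ufw allow in on eth1 from any",
    "sudo ufw allow out on eth1 to any",
)]

# Constructed sample traffic, one packet per case worth checking.
SAMPLE: Dict[str, Packet] = {
    "app in tun0 tcp/55557": Packet("in", "tun0", "tcp", 55557),
    "ssh in tun0 tcp/22": Packet("in", "tun0", "tcp", 22),
    "ssh in eth1 tcp/22": Packet("in", "eth1", "tcp", 22),
    "app out tun0 udp/55560": Packet("out", "tun0", "udp", 55560),
    "https out tun0 tcp/443": Packet("out", "tun0", "tcp", 443),
    "reply out tun0 (established)": Packet("out", "tun0", "tcp", 40000, True),
}


def compare(rules: List[Rule]) -> Dict[str, str]:
    """Decision for every sample packet under the given ordering."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, rules in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        print(f"== {label} ==")
        for name, verdict in compare(rules).items():
            print(f"  {name:32} {verdict}")
```

Running it shows the deny-first ordering rejecting even the application ports on tun0, while the allow-first ordering admits only 55556-55560 on tun0, denies everything else on that interface, and leaves eth1 open; the parser also rejects a port range given without a protocol, which is the error the first reply pointed at.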

junkyhlm 01-28-2013 07:36 AM

I've got it working!

With these commands.
Code:

sudo ufw allow in on tun0 to any port 55556:55560 proto tcp
sudo ufw allow in on tun0 to any port 55556:55560 proto udp
sudo ufw allow out on tun0 to any port 55556:55560 proto udp
sudo ufw allow in out tun0 to any port 55556:55560 proto tcp
sudo ufw allow out on tun0 to any port 55556:55560 proto tcp
sudo ufw deny in on tun0 from any
sudo ufw deny out on tun0 to any
sudo ufw allow in on eth1 from any
sudo ufw allow out on eth1 to any

Firewall status:
Code:

holmen@filserver:~$ sudo ufw status
Status: aktiv

To                        Action      From
----                      ------      ----
55556:55560/tcp on tun0    ALLOW      Anywhere
55556:55560/udp on tun0    ALLOW      Anywhere
Anywhere on tun0          DENY        Anywhere
Anywhere on eth1          ALLOW      Anywhere
55556:55560/tcp on tun0    ALLOW      Anywhere (v6)
55556:55560/udp on tun0    ALLOW      Anywhere (v6)
Anywhere (v6) on tun0      DENY        Anywhere (v6)
Anywhere (v6) on eth1      ALLOW      Anywhere (v6)

55556:55560/udp            ALLOW OUT  Anywhere on tun0
55556:55560/tcp            ALLOW OUT  Anywhere on tun0
Anywhere                  DENY OUT    Anywhere on tun0
Anywhere                  ALLOW OUT  Anywhere on eth1
55556:55560/udp            ALLOW OUT  Anywhere (v6) on tun0
55556:55560/tcp            ALLOW OUT  Anywhere (v6) on tun0
Anywhere (v6)              DENY OUT    Anywhere (v6) on tun0
Anywhere (v6)              ALLOW OUT  Anywhere (v6) on eth1


junkyhlm 01-28-2013 07:42 AM

Quote:

Originally Posted by junkyhlm (Post 4879002)
I've got it working!

With these commands.
Code:

sudo ufw allow in on tun0 to any port 55556:55560 proto tcp
sudo ufw allow in on tun0 to any port 55556:55560 proto udp
sudo ufw allow out on tun0 to any port 55556:55560 proto udp
sudo ufw allow in out tun0 to any port 55556:55560 proto tcp
sudo ufw allow out on tun0 to any port 55556:55560 proto tcp
sudo ufw deny in on tun0 from any
sudo ufw deny out on tun0 to any
sudo ufw allow in on eth1 from any
sudo ufw allow out on eth1 to any

Firewall status:
Code:

holmen@filserver:~$ sudo ufw status
Status: aktiv

To                        Action      From
----                      ------      ----
55556:55560/tcp on tun0    ALLOW      Anywhere
55556:55560/udp on tun0    ALLOW      Anywhere
Anywhere on tun0          DENY        Anywhere
Anywhere on eth1          ALLOW      Anywhere
55556:55560/tcp on tun0    ALLOW      Anywhere (v6)
55556:55560/udp on tun0    ALLOW      Anywhere (v6)
Anywhere (v6) on tun0      DENY        Anywhere (v6)
Anywhere (v6) on eth1      ALLOW      Anywhere (v6)

55556:55560/udp            ALLOW OUT  Anywhere on tun0
55556:55560/tcp            ALLOW OUT  Anywhere on tun0
Anywhere                  DENY OUT    Anywhere on tun0
Anywhere                  ALLOW OUT  Anywhere on eth1
55556:55560/udp            ALLOW OUT  Anywhere (v6) on tun0
55556:55560/tcp            ALLOW OUT  Anywhere (v6) on tun0
Anywhere (v6)              DENY OUT    Anywhere (v6) on tun0
Anywhere (v6)              ALLOW OUT  Anywhere (v6) on eth1


Just kidding.. it blocks all traffic :/

