LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 01-28-2013, 05:13 AM   #1
junkyhlm
Member
 
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37

Rep: Reputation: Disabled
How to block all port except specified on specific NIC in Ubuntu Server


I've been searching and reading on a solution to my problem. I would like to block all traffic except on specified port range (55556-55560) on specified NIC (eth0). And then block all traffic on the same port range on another NIC (eth1).

My setup.

I'm running a Ubuntu Server 12.04 system with two physical network interfaces (eth0 and eth1). eth0 is tunneled through a VPN tunnel on the tun0 interface and i've only got one application bound to that interface.

What i've now encountered is that other internet services like swsh and apache2 web server is also avaliable on the external ip of the tun0 interface and i don't want i to be.

The application running over the VPN tunnel runs on port range 55556-55560 and now i only want to allow these ports on the eth0 interface. The other interface (eth1) is behind a router so i don't want any port rules to be applied there.

The question

How do i accomplish this in the best manner. Is ufw the best solution and how do i config i correctly

Code:
sudo ufw allow 55556-55560 on eth0
returns a error. (Wrong number of arguments.)

And
Code:
sudo ufw allow all on eth1
returns the same thing
 
Old 01-28-2013, 06:22 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,414

Rep: Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966
an example in the manpage is:

Code:
ufw allow in on eth0 to any port 80 proto tcp
I'm not at all familiar with ufw, but you generally can't specfiicy a port range without a ptorocol, so try:

Code:
ufw allow in on eth0 to any port 55556-55560 proto tcp
 
Old 01-28-2013, 06:49 AM   #3
junkyhlm
Member
 
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by acid_kewpie View Post
an example in the manpage is:

Code:
ufw allow in on eth0 to any port 80 proto tcp
I'm not at all familiar with ufw, but you generally can't specfiicy a port range without a ptorocol, so try:

Code:
ufw allow in on eth0 to any port 55556-55560 proto tcp
That semms to be working.
Do you think it'll work if i set it like this:
Code:
ufw deny in on eth0 from any
ufw deny out on eth0 to any
ufw allow in on eth0 to any port 55556:55560 proto tcp
ufw allow out on eth0 from any port 55556:55560 proto tcp
Or will it conflict?

Last edited by junkyhlm; 01-28-2013 at 06:51 AM.
 
Old 01-28-2013, 07:00 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,414

Rep: Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966
firstly the order probably matters, it certainly does in iptables, so by denying fierst nothign will ever get through. But you shouldn't really need a default there, as there will be an overarching default policy, which you can see from "ufw status verbose" and if the policy is denying by default there, explicit rules are not required.
 
Old 01-28-2013, 07:03 AM   #5
junkyhlm
Member
 
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by acid_kewpie View Post
firstly the order probably matters, it certainly does in iptables, so by denying fierst nothign will ever get through. But you shouldn't really need a default there, as there will be an overarching default policy, which you can see from "ufw status verbose" and if the policy is denying by default there, explicit rules are not required.
Yeah but what I can conclude is that i cant set default on a single interface. Default is for the entire firewall. Or am I wrong?
 
Old 01-28-2013, 07:04 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,414

Rep: Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966Reputation: 1966
default would,. in iptables land, by on INPUT or OUTPUT, not nic specific, no.
 
Old 01-28-2013, 07:05 AM   #7
junkyhlm
Member
 
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by acid_kewpie View Post
default would,. in iptables land, by on INPUT or OUTPUT, not nic specific, no.
Yeah and i only want the default to be DENY on one of the two interfaces. So thats not an option for me
 
Old 01-28-2013, 07:36 AM   #8
junkyhlm
Member
 
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37

Original Poster
Rep: Reputation: Disabled
I've got it working!

With theese commands.
Code:
sudo ufw allow in on tun0 to any port 55556:55560 proto tcp
sudo ufw allow in on tun0 to any port 55556:55560 proto udp
sudo ufw allow out on tun0 to any port 55556:55560 proto udp
sudo ufw allow in out tun0 to any port 55556:55560 proto tcp
sudo ufw allow out on tun0 to any port 55556:55560 proto tcp
sudo ufw deny in on tun0 from any
sudo ufw deny out on tun0 to any
sudo ufw allow in on eth1 from any
sudo ufw allow out on eth1 to any
Firewall status:
Code:
holmen@filserver:~$ sudo ufw status
Status: aktiv

To                         Action      From
----                       ------      ----
55556:55560/tcp on tun0    ALLOW       Anywhere
55556:55560/udp on tun0    ALLOW       Anywhere
Anywhere on tun0           DENY        Anywhere
Anywhere on eth1           ALLOW       Anywhere
55556:55560/tcp on tun0    ALLOW       Anywhere (v6)
55556:55560/udp on tun0    ALLOW       Anywhere (v6)
Anywhere (v6) on tun0      DENY        Anywhere (v6)
Anywhere (v6) on eth1      ALLOW       Anywhere (v6)

55556:55560/udp            ALLOW OUT   Anywhere on tun0
55556:55560/tcp            ALLOW OUT   Anywhere on tun0
Anywhere                   DENY OUT    Anywhere on tun0
Anywhere                   ALLOW OUT   Anywhere on eth1
55556:55560/udp            ALLOW OUT   Anywhere (v6) on tun0
55556:55560/tcp            ALLOW OUT   Anywhere (v6) on tun0
Anywhere (v6)              DENY OUT    Anywhere (v6) on tun0
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on eth1
 
Old 01-28-2013, 07:42 AM   #9
junkyhlm
Member
 
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by junkyhlm View Post
I've got it working!

With theese commands.
Code:
sudo ufw allow in on tun0 to any port 55556:55560 proto tcp
sudo ufw allow in on tun0 to any port 55556:55560 proto udp
sudo ufw allow out on tun0 to any port 55556:55560 proto udp
sudo ufw allow in out tun0 to any port 55556:55560 proto tcp
sudo ufw allow out on tun0 to any port 55556:55560 proto tcp
sudo ufw deny in on tun0 from any
sudo ufw deny out on tun0 to any
sudo ufw allow in on eth1 from any
sudo ufw allow out on eth1 to any
Firewall status:
Code:
holmen@filserver:~$ sudo ufw status
Status: aktiv

To                         Action      From
----                       ------      ----
55556:55560/tcp on tun0    ALLOW       Anywhere
55556:55560/udp on tun0    ALLOW       Anywhere
Anywhere on tun0           DENY        Anywhere
Anywhere on eth1           ALLOW       Anywhere
55556:55560/tcp on tun0    ALLOW       Anywhere (v6)
55556:55560/udp on tun0    ALLOW       Anywhere (v6)
Anywhere (v6) on tun0      DENY        Anywhere (v6)
Anywhere (v6) on eth1      ALLOW       Anywhere (v6)

55556:55560/udp            ALLOW OUT   Anywhere on tun0
55556:55560/tcp            ALLOW OUT   Anywhere on tun0
Anywhere                   DENY OUT    Anywhere on tun0
Anywhere                   ALLOW OUT   Anywhere on eth1
55556:55560/udp            ALLOW OUT   Anywhere (v6) on tun0
55556:55560/tcp            ALLOW OUT   Anywhere (v6) on tun0
Anywhere (v6)              DENY OUT    Anywhere (v6) on tun0
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on eth1
Just kidding.. it blocks all traffic :/
 
  


Reply

Tags
firewall, ubuntu 12.04


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Try many way but not yet start squid server to block some specific website tanin007 Linux - Server 11 12-29-2011 01:54 AM
Can You Bind Virtualized Server to a Specific NIC? Jim Bengtson Linux - Virtualization and Cloud 9 11-10-2009 02:15 PM
Block port 22 for specific IP's lmcilwain Linux - Security 4 10-28-2007 06:41 AM
how do i bind a port to a specific nic? rsmccain Linux - Networking 2 04-24-2006 01:36 PM
Port 80 -- How to block from one specific domain? (RedHat 7.0) jcroft Linux - Security 1 02-17-2002 03:50 PM


All times are GMT -5. The time now is 07:19 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration