
madox-nola 04-22-2013 02:46 AM

ubuntu server firewall help
 
I am new to ubuntu server and linux and I want to set up a firewall. I tried to set up ufw and it locked me out from remote login.

I am new to linux.

I sudo ufw allow 80,443, my ssh xxxx port.

I also sudo ufw allow proto tcp from (my ip address)

and I locked myself out.

What did I do wrong?

Noway2 04-22-2013 08:21 AM

Honestly, the absolute best thing you can do is to use IPTables directly instead of UFW, Firestarter, or another front end. The syntax, though slightly cryptic at first, is rather simple. Here is a link to an introductory iptables tutorial, though there are plenty more to choose from.

In your case, I would recommend setting the default policy to accept, so that when the firewall rules get cleared, it defaults to allowing you access. Remember that, unlike Windows, Linux does not keep ports open by default, meaning a firewall is a secondary layer of security rather than a must have to prevent intrusion.

Iptables rules are pretty straightforward. For example, in your case something like the following would work:
Code:

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport (ssh) -j ACCEPT
-A INPUT -j DROP

This will allow only those three services you mention, and drop all others. Note that the order of the rules is important. If a rule match is made, checking will stop. Consequently, if you do something like place the drop rule first, no traffic will be allowed.

Lexus45 04-22-2013 12:21 PM

A good starting tutorial about iptables rules:
http://slackbook.org/html/security-host.html

But it's about pure iptables, not ufw. I recommend you use iptables.

madox-nola 04-23-2013 06:56 PM

locked myself out again
 
Quote:

Originally Posted by Noway2 (Post 4936469)
Honestly, the absolute best thing you can do is to use IPTables directly instead of UFW, Firestarter, or another front end. The syntax, though slightly cryptic at first, is rather simple. Here is a link to an introductory iptables tutorial, though there are plenty more to choose from.

In your case, I would recommend setting the default policy to accept, so that when the firewall rules get cleared, it defaults to allowing you access. Remember that, unlike Windows, Linux does not keep ports open by default, meaning a firewall is a secondary layer of security rather than a must have to prevent intrusion.

Iptables rules are pretty straightforward. For example, in your case something like the following would work:
Code:

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport (ssh) -j ACCEPT
-A INPUT -j DROP

This will allow only those three services you mention, and drop all others. Note that the order of the rules is important. If a rule match is made, checking will stop. Consequently, if you do something like place the drop rule first, no traffic will be allowed.

I tried the above iptables and thank you for the fast reply, but this locked myself out again.
???

Noway2 04-24-2013 07:32 AM

The above commands should not have locked you out by themselves, unless you're not listening for SSH on the port you think you are. Use netstat to double check what port(s) ssh is listening on.

Then, there are three things I would suggest.
  1. One, make sure that you put the ssh port number in the above commands, not (ssh) literally.
  2. Two, make sure your policy is set to accept:
    Code:

    iptables -P INPUT ACCEPT
  3. Three, be sure to flush the iptables filters at the onset of your activity as you may have conflicting garbage left over. This is done with:
    Code:

    iptables -F
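Putting the three suggestions and the earlier rule list together, here is an added example (mine, not from any post in this thread) that builds the ruleset in iptables-restore format with the policy left at ACCEPT, checks that the SSH port is a real number rather than the literal "(ssh)", and adds two rules the list above lacks: one for loopback and one for already-established connections, placed before the final DROP so replies to the box's own outbound traffic are not cut off. It assumes ss is available and that /etc/iptables/rules.v4 is where you want the saved rules (the iptables-persistent location on Ubuntu).

```shell
#!/bin/sh
# Added example, not from the thread. Builds and (optionally) applies an
# iptables ruleset for ports 80, 443 and the SSH port given as $1.
set -eu

# Emit the ruleset on stdout so it can be inspected before anything is applied.
build_rules() {
    ssh_port="$1"
    # Refuse anything that is not a plain port number: passing the literal
    # "(ssh)" is exactly the mistake called out above.
    case "$ssh_port" in
        ''|*[!0-9]*) echo "ssh port must be numeric, got: $ssh_port" >&2; return 1 ;;
    esac
    [ "$ssh_port" -ge 1 ] && [ "$ssh_port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Print the TCP port(s) sshd is actually listening on (run as root so -p can
# show process names; "netstat -tlnp" gives the same information).
sshd_ports() {
    ss -tlnp 2>/dev/null | awk '/sshd/ { sub(/.*:/, "", $4); print $4 }' | sort -u
}

# Apply the ruleset with a self-reverting safety net: if the new rules cut your
# session off, the background job flushes INPUT after 120 seconds. Run as root.
apply_rules() {
    build_rules "$1" > /tmp/rules.v4
    iptables-restore < /tmp/rules.v4
    ( sleep 120 && iptables -F INPUT ) &
    echo "applied; if you can still log in, run: kill $! ; iptables-save > /etc/iptables/rules.v4"
}
```

Run `sshd_ports` first and pass its output to `apply_rules`; the saved file is what iptables-restore should load at boot, otherwise the rules are gone after a reboot.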

madox-nola 04-25-2013 08:05 AM

Quote:

Originally Posted by Noway2 (Post 4937937)
The above commands should not have locked you out by themselves, unless you're not listening for SSH on the port you think you are. Use netstat to double check what port(s) ssh is listening on.

Then, there are three things I would suggest.
  1. One, make sure that you put the ssh port number in the above commands, not (ssh) literally.
  2. Two, make sure your policy is set to accept:
    Code:

    iptables -P INPUT ACCEPT
  3. Three, be sure to flush the iptables filters at the onset of your activity as you may have conflicting garbage left over. This is done with:
    Code:

    iptables -F

Looks like I am closer... I keyed in everything you have, I get the login prompt, but once I key in the login name it doesn't make it to the password.

Strange...

madox-nola 04-25-2013 08:07 AM

Quote:

Originally Posted by madox-nola (Post 4938615)
Looks like I am closer... I keyed in everything you have, I get the login prompt, but once I key in the login name it doesn't make it to the password.

Strange...

I just rebooted the server and now I am locked out.

Noway2 04-25-2013 08:30 AM

Quote:

Originally Posted by madox-nola (Post 4938617)
I just rebooted the server and now I am locked out.

Did you properly save the changes to your IPTables before you rebooted? When you make changes, unless you specifically take steps to save and restore them, e.g. use the iptables-save and iptables-restore commands, they won't be permanent. Consequently, if you have some rule in place that is causing your lockout, a reboot will restore this rule.

Normally, the restore script is called as part of the process of bringing up the network interface and some distributions, such as RH and Centos, incorporate the firewall into the system control.

unSpawn 04-27-2013 01:12 AM

Quote:

Originally Posted by madox-nola (Post 4938615)
I get the login prompt, but once I key in the login name it doesn't make it to the password.

Then you may conclude it's not a firewall issue. Problem is you need system access to check the system and daemon logs for errors...

madox-nola 04-27-2013 07:09 AM

Quote:

Originally Posted by Noway2 (Post 4938641)
Did you properly save the changes to your IPTables before you rebooted? When you make changes, unless you specifically take steps to save and restore them, e.g. use the iptables-save and iptables-restore commands, they won't be permanent. Consequently, if you have some rule in place that is causing your lockout, a reboot will restore this rule.

Normally, the restore script is called as part of the process of bringing up the network interface and some distributions, such as RH and Centos, incorporate the firewall into the system control.

I am still having the same problems... I did do an iptables-save and iptables-restore command...
