LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-22-2013, 02:46 AM   #1
madox-nola
LQ Newbie
 
Registered: Apr 2013
Location: Metairie LA
Distribution: ubuntu
Posts: 5

Rep: Reputation: Disabled
ubuntu server firewall help


I am new to Ubuntu Server and Linux and I want to set up a firewall. I tried to set up ufw and it locked me out from remote login.

I am new to Linux.

I did sudo ufw allow 80,443 and my ssh xxxx port.

I also did sudo ufw allow proto tcp from (my ip address)

and I locked myself out.

What did I do wrong?
 
Old 04-22-2013, 08:21 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
Honestly, the absolute best thing you can do is to use IPTables directly instead of UFW, Firestarter, or another front end. The syntax, though slightly cryptic at first, is rather simple. Here is a link to an introductory iptables tutorial, though there are plenty more to choose from.

In your case, I would recommend setting the default policy to accept, so that when the firewall rules get cleared, it defaults to allowing you access. Remember that, unlike Windows, Linux does not keep ports open by default, meaning a firewall is a secondary layer of security rather than a must have to prevent intrusion.

Iptables rules are pretty straightforward. For example, in your case something like the following would work:
Code:
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport (ssh) -j ACCEPT
-A INPUT -j DROP
This will allow only those three services you mention, and drop all others. Note that the order of the rules is important. If a rule match is made, checking will stop. Consequently, if you do something like place the drop rule first, no traffic will be allowed.
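As an added example (editor's code, not rules posted by Noway2 or anyone else in this thread), the following shell functions emit a complete ruleset in iptables-restore format with the ordering the post describes, and check a ruleset for the "DROP placed before the SSH ACCEPT" mistake the post warns about. The SSH port and web ports are arguments; 2222 in the usage note is an assumed placeholder for the real sshd port.

```shell
# Added example, not code from this thread: build an ordered iptables ruleset
# and verify that a new SSH connection would still be accepted by it.

# gen_rules SSH_PORT [PORT...]: print a ruleset that `iptables-restore` accepts.
gen_rules() {
    ssh_port="$1"; shift
    printf '%s\n' '*filter'
    # Default policy ACCEPT, as the thread recommends: an `iptables -F` then
    # leaves you reachable instead of locked out.
    printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback and replies to connections this host opened must be accepted
    # before the final DROP, or DNS and apt replies are silently discarded.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # One ACCEPT per published service, SSH first: the first matching rule wins.
    for p in "$ssh_port" "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}

# ssh_reachable SSH_PORT < RULESET: exit 0 if a new TCP connection to SSH_PORT
# would be accepted, 1 if the catch-all DROP (or a DROP policy) gets it first.
ssh_reachable() {
    port="$1"; policy=ACCEPT; blocked=0; found=0
    while IFS= read -r line; do
        case "$line" in
            ":INPUT "*)
                policy=${line#:INPUT }; policy=${policy%% *} ;;
            "-A INPUT -j DROP")
                # A catch-all DROP: every rule appended after it is unreachable.
                if [ "$found" -eq 0 ]; then blocked=1; fi ;;
            "-A INPUT "*"--dport $port "*"-j ACCEPT")
                if [ "$blocked" -eq 0 ]; then found=1; fi ;;
        esac
    done
    if [ "$found" -eq 1 ]; then return 0; fi
    # No explicit ACCEPT was reached: only the chain policy can let it in.
    if [ "$blocked" -eq 0 ] && [ "$policy" = ACCEPT ]; then return 0; fi
    return 1
}

# Usage (2222 is an assumed sshd port):
#   gen_rules 2222 80 443 | ssh_reachable 2222 && gen_rules 2222 80 443 | iptables-restore
```

The check is deliberately narrow: it only recognises the literal `-A INPUT -j DROP` catch-all and a `--dport` ACCEPT for one port, which is exactly the shape of the ruleset in the post. Run the generated text through `ssh_reachable` before handing it to `iptables-restore`, and the ordering mistake is caught on the console rather than discovered by a dead SSH session.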
 
Old 04-22-2013, 12:21 PM   #3
Lexus45
Member
 
Registered: Jan 2010
Location: Kurgan, Russia
Distribution: Slackware, Ubuntu
Posts: 339
Blog Entries: 3

Rep: Reputation: 47
A good starting tutorial about iptables rules:
http://slackbook.org/html/security-host.html

But it's about pure iptables, not ufw. I recommend that you use iptables.
 
Old 04-23-2013, 06:56 PM   #4
madox-nola
LQ Newbie
 
Registered: Apr 2013
Location: Metairie LA
Distribution: ubuntu
Posts: 5

Original Poster
Rep: Reputation: Disabled
locked myself out again

Quote:
Originally Posted by Noway2 View Post
Honestly, the absolute best thing you can do is to use IPTables directly instead of UFW, Firestarter, or another front end. The syntax, though slightly cryptic at first, is rather simple. Here is a link to an introductory iptables tutorial, though there are plenty more to choose from.

In your case, I would recommend setting the default policy to accept, so that when the firewall rules get cleared, it defaults to allowing you access. Remember that, unlike Windows, Linux does not keep ports open by default, meaning a firewall is a secondary layer of security rather than a must have to prevent intrusion.

Iptables rules are pretty straightforward. For example, in your case something like the following would work:
Code:
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport (ssh) -j ACCEPT
-A INPUT -j DROP
This will allow only those three services you mention, and drop all others. Note that the order of the rules is important. If a rule match is made, checking will stop. Consequently, if you do something like place the drop rule first, no traffic will be allowed.
I tried the above iptables rules, and thank you for the fast reply, but this locked me out again.
???
 
Old 04-24-2013, 07:32 AM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
The above commands should not have locked you out by themselves, unless you're not listening for SSH on the port you think you are. Use netstat to double check what port(s) ssh is listening on.

Then, there are three things I would suggest.
  1. One, make sure that you put the ssh port number in the above commands, not (ssh) literally.
  2. Two, make sure your policy is set to accept:
    Code:
    iptables -P INPUT ACCEPT
  3. Three, be sure to flush the iptables filters at the onset of your activity as you may have conflicting garbage left over. This is done with:
    Code:
    iptables -F
 
Old 04-25-2013, 08:05 AM   #6
madox-nola
LQ Newbie
 
Registered: Apr 2013
Location: Metairie LA
Distribution: ubuntu
Posts: 5

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Noway2 View Post
The above commands should not have locked you out by themselves, unless you're not listening for SSH on the port you think you are. Use netstat to double check what port(s) ssh is listening on.

Then, there are three things I would suggest.
  1. One, make sure that you put the ssh port number in the above commands, not (ssh) literally.
  2. Two, make sure your policy is set to accept:
    Code:
    iptables -P INPUT ACCEPT
  3. Three, be sure to flush the iptables filters at the onset of your activity as you may have conflicting garbage left over. This is done with:
    Code:
    iptables -F
Looks like I am closer... I keyed in everything you have, I get the login prompt, but once I key in the login name it doesn't make it to the password.

Strange...
 
Old 04-25-2013, 08:07 AM   #7
madox-nola
LQ Newbie
 
Registered: Apr 2013
Location: Metairie LA
Distribution: ubuntu
Posts: 5

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by madox-nola View Post
Looks like I am closer... I keyed in everything you have, I get the login prompt, but once I key in the login name it doesn't make it to the password.

Strange...
I just rebooted the server and now I am locked out.
 
Old 04-25-2013, 08:30 AM   #8
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
Quote:
Originally Posted by madox-nola View Post
I just rebooted the server and now I am locked out.
Did you properly save the changes to your IPTables before you rebooted? When you make changes, unless you specifically take steps to save and restore them, e.g. use the iptables-save and iptables-restore commands, they won't be permanent. Consequently, if you have some rule in place that is causing your lockout, a reboot will restore this rule.

Normally, the restore script is called as part of the process of bringing up the network interface and some distributions, such as RH and Centos, incorporate the firewall into the system control.
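As an added example (editor's code, not a script posted in this thread), the functions below string together the steps Noway2 gives in posts #5 and #8: confirm which port sshd actually listens on (ss or netstat), snapshot the live rules with iptables-save, load the new set with iptables-restore, and put the snapshot back automatically unless the change is confirmed from a second SSH session, at which point the live rules are written to the file that is restored at boot. The save, restore and listen commands are variables so the logic can be exercised without root; the snapshot path and the rules file path are assumptions (on Ubuntu, /etc/iptables/rules.v4 is what the iptables-persistent package loads at boot).

```shell
# Added example, not code from this thread: apply a firewall ruleset with an
# automatic rollback, then persist it for reboot once SSH access is confirmed.

IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}
LISTEN_CMD=${LISTEN_CMD:-ss -Hltn}               # `netstat -ltn` has the same columns
SNAPSHOT=${SNAPSHOT:-/run/iptables.snapshot}     # assumed path for the pre-change rules
RULES_FILE=${RULES_FILE:-/etc/iptables/rules.v4} # assumed path, read by iptables-persistent
GRACE=${GRACE:-120}                              # seconds before automatic rollback

# port_listening PORT: succeed if some TCP socket is in LISTEN state on PORT.
# Column 4 of both `ss -Hltn` and `netstat -ltn` output is the local addr:port.
port_listening() {
    $LISTEN_CMD | {
        while read -r _state _rq _sq local _rest; do
            if [ "${local##*:}" = "$1" ]; then exit 0; fi
        done
        exit 1
    }
}

# apply_with_rollback SSH_PORT NEW_RULES: refuse to touch the firewall if
# nothing listens on SSH_PORT (the "(ssh) literally" / wrong-port mistake),
# save the live rules, load NEW_RULES (a full *filter block replaces the table,
# so no separate `iptables -F` is needed), then arm a rollback timer.
apply_with_rollback() {
    if ! port_listening "$1"; then
        echo "nothing listening on tcp/$1; not touching the firewall" >&2
        return 1
    fi
    $IPT_SAVE > "$SNAPSHOT" || return 1
    $IPT_RESTORE < "$2" || return 1
    # If confirm_rules is never run, this restores the pre-change rules.
    ( sleep "$GRACE"; $IPT_RESTORE < "$SNAPSHOT" ) &
    echo "$!" > "$SNAPSHOT.timer"
}

# confirm_rules: run from a NEW ssh session once you know you can still log in.
# Disarms the timer and writes the live rules where they are loaded at boot,
# which is the step that was missing when a reboot brought the lockout back.
confirm_rules() {
    if [ -f "$SNAPSHOT.timer" ]; then
        kill "$(cat "$SNAPSHOT.timer")" 2>/dev/null || true
        rm -f "$SNAPSHOT.timer"
    fi
    $IPT_SAVE > "$RULES_FILE"
}

# Usage as root (2222 is an assumed sshd port, new.rules an assumed file):
#   apply_with_rollback 2222 /root/new.rules
#   ... open a second SSH session and, from there:
#   confirm_rules
```

The rollback timer is the piece that turns "locked myself out again" into a two-minute wait: the first session applies the rules, a second session proves SSH still works, and only then are the rules made permanent. If the second session never connects, the timer restores the snapshot and the first session is usable again.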
 
Old 04-27-2013, 01:12 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731
Quote:
Originally Posted by madox-nola View Post
I get the login prompt, but once I key in the login name it doesn't make it to the password.
Then you may conclude it's not a firewall issue. Problem is you need system access to check the system and daemon logs for errors...
 
1 members found this post helpful.
Old 04-27-2013, 07:09 AM   #10
madox-nola
LQ Newbie
 
Registered: Apr 2013
Location: Metairie LA
Distribution: ubuntu
Posts: 5

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Noway2 View Post
Did you properly save the changes to your IPTables before you rebooted? When you make changes, unless you specifically take steps to save and restore them, e.g. use the iptables-save and iptables-restore commands, they won't be permanent. Consequently, if you have some rule in place that is causing your lockout, a reboot will restore this rule.

Normally, the restore script is called as part of the process of bringing up the network interface and some distributions, such as RH and Centos, incorporate the firewall into the system control.
I am still having the same problems... I did do an iptables-save and iptables-restore command...
 