Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game. |
| Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
 |
01-28-2013, 05:13 AM
|
#1
|
|
Member
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37
Rep: 
|
How to block all port except specified on specific NIC in Ubuntu Server
I've been searching and reading on a solution to my problem. I would like to block all traffic except on specified port range (55556-55560) on specified NIC (eth0). And then block all traffic on the same port range on another NIC (eth1).
My setup.
I'm running a Ubuntu Server 12.04 system with two physical network interfaces (eth0 and eth1). eth0 is tunneled through a VPN tunnel on the tun0 interface and i've only got one application bound to that interface.
What i've now encountered is that other internet services like swsh and apache2 web server is also avaliable on the external ip of the tun0 interface and i don't want i to be.
The application running over the VPN tunnel runs on port range 55556-55560 and now i only want to allow these ports on the eth0 interface. The other interface (eth1) is behind a router so i don't want any port rules to be applied there.
The question
How do i accomplish this in the best manner. Is ufw the best solution and how do i config i correctly
Code:
sudo ufw allow 55556-55560 on eth0
returns a error. (Wrong number of arguments.)
And
Code:
sudo ufw allow all on eth1
returns the same thing |
|
|
|
|
01-28-2013, 06:22 AM
|
#2
|
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
an example in the manpage is:
Code:
ufw allow in on eth0 to any port 80 proto tcp
I'm not at all familiar with ufw, but you generally can't specfiicy a port range without a ptorocol, so try:
Code:
ufw allow in on eth0 to any port 55556-55560 proto tcp
|
|
|
|
|
01-28-2013, 06:49 AM
|
#3
|
|
Member
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37
Original Poster
Rep:
|
Quote:
Originally Posted by acid_kewpie
an example in the manpage is:
Code:
ufw allow in on eth0 to any port 80 proto tcp
I'm not at all familiar with ufw, but you generally can't specfiicy a port range without a ptorocol, so try:
Code:
ufw allow in on eth0 to any port 55556-55560 proto tcp
|
That semms to be working.
Do you think it'll work if i set it like this:
Code:
ufw deny in on eth0 from any
ufw deny out on eth0 to any
ufw allow in on eth0 to any port 55556:55560 proto tcp
ufw allow out on eth0 from any port 55556:55560 proto tcp
Or will it conflict?
Last edited by junkyhlm; 01-28-2013 at 06:51 AM.
|
|
|
|
|
01-28-2013, 07:00 AM
|
#4
|
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
firstly the order probably matters, it certainly does in iptables, so by denying fierst nothign will ever get through. But you shouldn't really need a default there, as there will be an overarching default policy, which you can see from "ufw status verbose" and if the policy is denying by default there, explicit rules are not required.
|
|
|
|
|
01-28-2013, 07:03 AM
|
#5
|
|
Member
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37
Original Poster
Rep:
|
Quote:
Originally Posted by acid_kewpie
firstly the order probably matters, it certainly does in iptables, so by denying fierst nothign will ever get through. But you shouldn't really need a default there, as there will be an overarching default policy, which you can see from "ufw status verbose" and if the policy is denying by default there, explicit rules are not required.
|
Yeah but what I can conclude is that i cant set default on a single interface. Default is for the entire firewall. Or am I wrong? |
|
|
|
|
01-28-2013, 07:04 AM
|
#6
|
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
default would,. in iptables land, by on INPUT or OUTPUT, not nic specific, no.
|
|
|
|
|
01-28-2013, 07:05 AM
|
#7
|
|
Member
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37
Original Poster
Rep:
|
Quote:
Originally Posted by acid_kewpie
default would,. in iptables land, by on INPUT or OUTPUT, not nic specific, no.
|
Yeah and i only want the default to be DENY on one of the two interfaces. So thats not an option for me |
|
|
|
|
01-28-2013, 07:36 AM
|
#8
|
|
Member
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37
Original Poster
Rep:
|
I've got it working!
With theese commands.
Code:
sudo ufw allow in on tun0 to any port 55556:55560 proto tcp
sudo ufw allow in on tun0 to any port 55556:55560 proto udp
sudo ufw allow out on tun0 to any port 55556:55560 proto udp
sudo ufw allow in out tun0 to any port 55556:55560 proto tcp
sudo ufw allow out on tun0 to any port 55556:55560 proto tcp
sudo ufw deny in on tun0 from any
sudo ufw deny out on tun0 to any
sudo ufw allow in on eth1 from any
sudo ufw allow out on eth1 to any
Firewall status:
Code:
holmen@filserver:~$ sudo ufw status
Status: aktiv
To Action From
---- ------ ----
55556:55560/tcp on tun0 ALLOW Anywhere
55556:55560/udp on tun0 ALLOW Anywhere
Anywhere on tun0 DENY Anywhere
Anywhere on eth1 ALLOW Anywhere
55556:55560/tcp on tun0 ALLOW Anywhere (v6)
55556:55560/udp on tun0 ALLOW Anywhere (v6)
Anywhere (v6) on tun0 DENY Anywhere (v6)
Anywhere (v6) on eth1 ALLOW Anywhere (v6)
55556:55560/udp ALLOW OUT Anywhere on tun0
55556:55560/tcp ALLOW OUT Anywhere on tun0
Anywhere DENY OUT Anywhere on tun0
Anywhere ALLOW OUT Anywhere on eth1
55556:55560/udp ALLOW OUT Anywhere (v6) on tun0
55556:55560/tcp ALLOW OUT Anywhere (v6) on tun0
Anywhere (v6) DENY OUT Anywhere (v6) on tun0
Anywhere (v6) ALLOW OUT Anywhere (v6) on eth1
|
|
|
|
|
01-28-2013, 07:42 AM
|
#9
|
|
Member
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37
Original Poster
Rep:
|
Quote:
Originally Posted by junkyhlm
I've got it working!
With theese commands.
Code:
sudo ufw allow in on tun0 to any port 55556:55560 proto tcp
sudo ufw allow in on tun0 to any port 55556:55560 proto udp
sudo ufw allow out on tun0 to any port 55556:55560 proto udp
sudo ufw allow in out tun0 to any port 55556:55560 proto tcp
sudo ufw allow out on tun0 to any port 55556:55560 proto tcp
sudo ufw deny in on tun0 from any
sudo ufw deny out on tun0 to any
sudo ufw allow in on eth1 from any
sudo ufw allow out on eth1 to any
Firewall status:
Code:
holmen@filserver:~$ sudo ufw status
Status: aktiv
To Action From
---- ------ ----
55556:55560/tcp on tun0 ALLOW Anywhere
55556:55560/udp on tun0 ALLOW Anywhere
Anywhere on tun0 DENY Anywhere
Anywhere on eth1 ALLOW Anywhere
55556:55560/tcp on tun0 ALLOW Anywhere (v6)
55556:55560/udp on tun0 ALLOW Anywhere (v6)
Anywhere (v6) on tun0 DENY Anywhere (v6)
Anywhere (v6) on eth1 ALLOW Anywhere (v6)
55556:55560/udp ALLOW OUT Anywhere on tun0
55556:55560/tcp ALLOW OUT Anywhere on tun0
Anywhere DENY OUT Anywhere on tun0
Anywhere ALLOW OUT Anywhere on eth1
55556:55560/udp ALLOW OUT Anywhere (v6) on tun0
55556:55560/tcp ALLOW OUT Anywhere (v6) on tun0
Anywhere (v6) DENY OUT Anywhere (v6) on tun0
Anywhere (v6) ALLOW OUT Anywhere (v6) on eth1
|
Just kidding.. it blocks all traffic :/ |
|
|
|
All times are GMT -5. The time now is 07:06 AM.
|
|
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
|
 Latest Threads
LQ News
|
|
