
Thread: Creating a Firewall for Your Ubuntu Desktop


  1. #1
    Dangertux

    Creating a Firewall for Your Ubuntu Desktop

    The following discusses three different methods by which you can implement a decent host-based firewall for your Ubuntu desktop installation. This guide is provided in light of the following thread : http://ubuntuforums.org/showthread.php?t=1871177

    Several users have expressed concern about being able to create the type of firewall that was mentioned in that discussion, so here we will elaborate on three different methods by which you may do so under Ubuntu. This demonstration was completed using Ubuntu 11.10 Oneiric Ocelot 32-bit; however, it should hold true for most versions of Ubuntu after 8.04 (before 8.04 you need to use the iptables section, as the UFW syntax was different) on both 64-bit and 32-bit systems.

    The three methods we will be using are the following:

    - GUFW : The graphical user interface for Uncomplicated Firewall (UFW), the front end for iptables provided by default in Ubuntu
    - UFW : The CLI front end for controlling iptables/netfilter, which is included by default in Ubuntu.
    - iptables : We will write an iptables script that creates our firewall directly

    It is important to understand that each of these three methods accomplishes the same goal, and only one needs to be used: all of them are ways of interfacing with iptables/netfilter, the kernel-level packet filter, so each method produces exactly the same result and the choice comes down to what you feel more comfortable with. Personally, I find iptables more intuitive than the other two methods, so it is what I would use. However, you may find GUFW or UFW more convenient, which is why I am discussing all three. I will not be covering Firestarter; it is similar to GUFW, but it is outdated and no longer supported by default, so if you choose to use it that is entirely on you. It does not offer any functionality that the following methods do not.

    Without further ado, here we go.

    Method 1 : GUFW


    GUFW is not installed by default, so if you wish to use it you must first install it from the repositories. You can do so by giving the following command in a terminal, or by installing it from the Ubuntu Software Center.

    Code:
    sudo apt-get update && sudo apt-get install gufw
    Once it has finished installing you may open it, either by entering the following in a terminal

    Code:
    gufw
    Or by running the Firewall Configuration application from the Dash. (Note for non-Unity users: it is located under Administration.)



    Once you have launched GUFW you will be presented with a window like the one shown here; assuming you do not yet have any firewall rules and UFW is disabled, your window should look identical to it.



    Note : Before you can make any changes you must click on the lock in the lower right-hand corner of the window and enter your password (the same one you use with sudo).


    The first order of business is to enable UFW if it is not already enabled. To do this, click the slider next to Firewall Status; it should change to "On".

    Once we have done this we can begin configuring our firewall policies. Under the slider we just adjusted there is both an Incoming and an Outgoing policy; we want to make sure that both are set to Deny. This will block all traffic going in and out of our machine. Don't worry, we're going to allow some outbound traffic next.

    The next thing we need to do is click on the little plus in the lower left-hand corner of the window. This will allow us to add new rules to our firewall.

    For this guide we will be creating restrictive policies, and in order to do that we must know exactly which ports we need access to. This is going to be a fairly basic system, so we are going to add rules to allow the following outbound traffic:

    DHCP Access - Ports 67 and 68, protocol UDP

    Web Access - Ports 80 and 443, protocol TCP

    Email Access - Ports 25, 110 and 143, protocol TCP (if your mail provider uses the TLS/SSL ports 587, 465, 993 or 995 listed at the end of this post, allow those instead)

    DNS Access - Port 53, protocol TCP and UDP (this is absolutely required; without it nothing on the machine can resolve a name)

    BitTorrent Access Through Transmission - BitTorrent is different in that it uses a multitude of unregistered ports to make connections. So we will use some of the added functionality of GUFW, its application profiles, to give us this ability.

    note : you may need additional services; look up the ports your service uses. At the end of this post there is a list of commonly used services and their default ports.

    Now that we've clicked the plus to create our new rule, we will be presented with a window that looks like this.



    The first thing we will do is allow traffic from our Transmission application.

    We choose the action Allow, the direction Out, the type Application and the application Transmission. Once those settings are correct we click "Add".

    Next we will click on the "Simple" tab in the Firewall : Add Rule window.

    We will then choose the rule Allow, Direction Out, Protocol TCP, and in the field following TCP we will add the TCP ports we want access to outbound, which will look like this: 25,53,80,110,143,443. Note that each additional port is separated from the last with a comma. Port ranges are indicated in this manner:

    Code:
    6667:7000
    This would indicate ports 6667 through 7000.

    Once we have added our TCP outbound ports we must also remember to add any UDP outbound ports we need; in this case port 53 for DNS and ports 67 and 68 for DHCP.

    We will choose the action Allow, direction Out, Protocol UDP, and in the field beside UDP enter 53,67,68. Click on Add and you are done.

    (OPTIONAL)

    If you wish to add more fine-grained control you may do so in the Advanced tab. For instance, if you want to allow outbound SSH traffic only from your IP address to one specific IP address, it would look like this.



    Once you have finished editing your rules as you want them, you are done and may close the Firewall : Add Rule window as well as GUFW.


    Method 2 : UFW

    In this section we will create exactly the same rules we did above, however we will do so using UFW at the command line instead of its graphical front end.

    This section is done entirely from the command line. We will be creating the same policies as before: default drop inbound, default drop outbound, with rules allowing the services listed below.

    DHCP Access - Ports 67 and 68, protocol UDP

    Web Access - Ports 80 and 443, protocol TCP

    Email Access - Ports 25, 110 and 143, protocol TCP (substitute your provider's TLS/SSL ports from the table at the end if that is what it uses)

    DNS Access - Port 53, protocol TCP and UDP (this is absolutely required)

    BitTorrent Access Through Transmission - BitTorrent is different in that it uses a multitude of unregistered ports to make connections.

    So now that we know where we're going, fire up a terminal window and create the same rules using UFW at the CLI.

    First we want to enable UFW by doing the following

    Code:
    sudo ufw enable
    Then we want to set our default inbound and outbound policies by doing the following

    Code:
    sudo ufw default deny incoming && sudo ufw default deny outgoing
    Now we will add our outbound TCP rules (UFW accepts a comma-separated list of ports followed by the protocol)

    Code:
    sudo ufw allow out 25,53,80,110,143,443/tcp
    Then our outbound UDP rules

    Code:
    sudo ufw allow out 53,67,68/udp
    And now our Transmission rules. 51413 is Transmission's default peer port and 6969 is the conventional tracker port; peers that happen to listen on other ports will still be unreachable, which is the price of a default-deny outbound policy.

    Code:
    sudo ufw allow out 51413/tcp
    sudo ufw allow out 51413/udp
    sudo ufw allow out 6969/tcp
    Restart your firewall for good measure, then confirm the result with sudo ufw status verbose, which should show both default policies as deny and list the rules you just added.

    Code:
    sudo ufw disable && sudo ufw enable
    Then you're done.

    Method 3 : iptables


    This method, in my opinion, is the best, because it gives you the most control over your firewall. However, iptables may not be for the new user. For completeness' sake I will cover it here.


    Please note: iptables works best without UFW installed, because UFW loads its own rule set at boot and would interfere with the rules we write here. So we will remove it now.
    Code:
    sudo apt-get remove ufw gufw
    Again, in this section we will be enabling the same services as before.

    DHCP Access - Ports 67 and 68, protocol UDP

    Web Access - Ports 80 and 443, protocol TCP

    Email Access - Ports 25, 110 and 143, protocol TCP

    DNS Access - Port 53, protocol TCP and UDP (this is absolutely required)

    BitTorrent Access Through Transmission - BitTorrent is different in that it uses a multitude of unregistered ports to make connections.

    However, here I am going to walk you through the iptables script using the comments in the script, as opposed to step by step like the previous sections. You will want to create a file for your script; for this we will call it iptables.sh, but you can call it whatever you want. Keep in mind that iptables filters IPv4 only: if your machine has IPv6 connectivity, the same policy needs to be applied with ip6tables as well, otherwise IPv6 traffic bypasses everything below (UFW, by contrast, manages both). Below you will find the sample iptables script.

    Code:
    #!/bin/bash
    #Simple Firewall Script. Run it as root (sudo ./iptables.sh): the sysctl writes and iptables both require it.
    
    
    #Setting up default kernel tunings here (don't worry too much about these right now, they are acceptable defaults)
    #Note: these are NOT saved by iptables-save below; to keep them across reboots put the same settings in /etc/sysctl.conf
    #DROP ICMP echo-requests sent to broadcast/multicast addresses.
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    #DROP source routed packets
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    #Enable TCP SYN cookies
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    #Do not ACCEPT ICMP redirects
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    #Don't send ICMP redirects
    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
    #Enable source spoofing protection (reverse path filtering)
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    #Log impossible (martian) packets
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    
    #Flush all existing rules and delete any user-defined chains, so the script can be run again safely
    #(without --delete-chain, the "iptables -N LOGNDROP" below fails on a second run because the chain already exists)
    iptables --flush
    iptables --delete-chain
    
    #Allow traffic on loopback
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    
    #Creating default policies
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP #If we're not a router
    
    #Allow previously established connections to continue uninterrupted
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    
    #Allow outbound connections on the ports we previously decided.
    iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT #SMTP
    iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT #DNS
    iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT #HTTP
    iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT #POP3
    iptables -A OUTPUT -p tcp --dport 143 -j ACCEPT #IMAP
    iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT #HTTPS
    iptables -A OUTPUT -p tcp --dport 51413 -j ACCEPT #BT (Transmission's default peer port)
    iptables -A OUTPUT -p tcp --dport 6969 -j ACCEPT #BT tracker
    iptables -A OUTPUT -p udp --dport 67:68 -j ACCEPT #DHCP
    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT #DNS
    iptables -A OUTPUT -p udp --dport 51413 -j ACCEPT #BT
    
    #Set up logging for incoming traffic. The rate limit keeps a port scan from flooding the system log,
    #and the prefix makes the entries easy to grep for.
    iptables -N LOGNDROP
    iptables -A INPUT -j LOGNDROP
    iptables -A LOGNDROP -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP "
    iptables -A LOGNDROP -j DROP
    
    #Save our firewall rules so they can be restored later with iptables-restore
    iptables-save > /etc/iptables.rules
    Now that we have our script created we may save it, make it executable and run it as root

    Code:
    sudo chmod 755 iptables.sh
    sudo ./iptables.sh
    Making your rules persistent :

    If you want these rules to be restored on every reboot you can do the following.

    Code:
    sudo nano /etc/network/interfaces
    Assuming wlan0 is the interface you use to connect to the network, add the following line at the end of that interface's block. Alternatively you can add it to any interface you want, and the rules will be loaded when that interface is brought up. Keep in mind this does not change the nature of the rules or how they are applied; it only restores the saved rule set. Note that the kernel tunings at the top of the script are not part of /etc/iptables.rules, so to keep them across reboots put the same settings in /etc/sysctl.conf.

    Code:
    pre-up iptables-restore < /etc/iptables.rules
    Then save the file.

    This bit of information as well as other ways for making your iptables rules persistent can be found here : https://help.ubuntu.com/community/IptablesHowTo

    We're done.


    Common Ports and Services


    FTP - 21 TCP
    SSH - 22 TCP
    TELNET - 23 TCP
    SMTP - 25 TCP
    DNS - 53 TCP/UDP
    DHCP - 67, 68 UDP
    HTTP - 80 TCP
    POP3 - 110 TCP
    IMAP - 143 TCP
    HTTPS - 443 TCP
    VNC - 5900-6000 TCP
    IRC - 6667-7000 TCP
    Gmail SMTP (submission, TLS) - 587 TCP
    Gmail SMTP (SSL) - 465 TCP
    Gmail POP3 (SSL) - 995 TCP
    Gmail IMAP (SSL) - 993 TCP

    More here : http://en.wikipedia.org/wiki/List_of...P_port_numbers

    Hopefully this was helpful to someone. This was done as a contribution to the Security for Newbies Wiki thingy which can be found here : http://ubuntuforums.org/showthread.php?t=1873643


    P.S : Sorry if the images load slowly my server has horrid bandwidth

    P.P.S : If this is in the wrong place feel free to move it, stick it delete it, throw it in a river, feed it to your dog, whatever's clever
    Last edited by Dangertux; November 16th, 2011 at 04:31 PM.
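The iptables script and the persistence step above write /etc/iptables.rules but never show what that file looks like, nor how to check that a loaded rule set really allows every port on the services list. The following bash script is an added example, not code from the original post or from the iptables/Ubuntu projects: it renders the same desktop policy in the iptables-save format that iptables-restore reads, and it audits any iptables-save dump for the properties this guide depends on (default-deny policies, every required port allowed outbound, rate-limited logging). The port lists, the file name in the usage note and the SAMPLE_DUMP below are constructed for the example; it runs without root because it never calls iptables itself.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: render the desktop policy above
# in the format iptables-save writes and iptables-restore reads, then audit any such
# dump for what the tutorial relies on. Nothing touches the live firewall; no root needed.
set -u

DESKTOP_TCP_PORTS="25 53 80 110 143 443 51413 6969"   # outbound TCP, IMAP included (assumed list)
DESKTOP_UDP_PORTS="53 67 68 51413"                    # outbound UDP (assumed list)

# Emit the ruleset; "[0:0]" are packet/byte counters, ignored by iptables-restore.
render_rules() {
    local p
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGNDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j LOGNDROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for p in $DESKTOP_TCP_PORTS; do printf '%s\n' "-A OUTPUT -p tcp -m tcp --dport $p -j ACCEPT"; done
    for p in $DESKTOP_UDP_PORTS; do printf '%s\n' "-A OUTPUT -p udp -m udp --dport $p -j ACCEPT"; done
    cat <<'EOF'
-A LOGNDROP -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP "
-A LOGNDROP -j DROP
COMMIT
EOF
}

# Default policy of chain $1 in the dump on stdin: DROP, ACCEPT, or "-" for a user chain.
chain_policy() { awk -v c=":$1" '$1 == c { print $2; exit }'; }

# Ports the dump on stdin allows outbound for protocol $1 (tcp|udp), numerically
# sorted, space separated; a range such as 67:68 is expanded so it can be compared.
allowed_out_ports() {
    awk -v proto="$1" '
        $1 == "-A" && $2 == "OUTPUT" && $NF == "ACCEPT" {
            hasproto = 0; port = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p" && $(i + 1) == proto) hasproto = 1
                if ($i == "--dport") port = $(i + 1)
            }
            if (!hasproto || port == "") next
            if (split(port, r, ":") == 2) { for (k = r[1] + 0; k <= r[2] + 0; k++) print k } else print port
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Ports from the space-separated list $2 that the dump on stdin does not allow out for $1.
missing_out_ports() {
    local proto="$1" want="$2" have p missing=""
    have=" $(allowed_out_ports "$proto") "
    for p in $want; do case "$have" in *" $p "*) ;; *) missing="$missing $p" ;; esac; done
    printf '%s' "${missing# }"
}

# 1 if every LOG rule in the dump on stdin carries a rate limit, else 0. An unlimited
# LOG behind a default-deny INPUT lets a single port scan fill the system log.
log_is_rate_limited() { awk 'BEGIN { ok = 1 } /-j LOG( |$)/ && !/-m limit/ { ok = 0 } END { print ok }'; }

# Human-readable report over a dump on stdin.
audit_dump() {
    local d; d=$(cat)
    printf 'INPUT policy: %s\n' "$(printf '%s\n' "$d" | chain_policy INPUT)"
    printf 'OUTPUT policy: %s\n' "$(printf '%s\n' "$d" | chain_policy OUTPUT)"
    printf 'LOG rules rate limited: %s\n' "$(printf '%s\n' "$d" | log_is_rate_limited)"
    printf 'required TCP ports not allowed out: [%s]\n' "$(printf '%s\n' "$d" | missing_out_ports tcp "$DESKTOP_TCP_PORTS")"
    printf 'required UDP ports not allowed out: [%s]\n' "$(printf '%s\n' "$d" | missing_out_ports udp "$DESKTOP_UDP_PORTS")"
}

# Constructed sample, not captured from a real host: the dump the tutorial's script
# produces as first posted (no IMAP rule, unlimited LOG; loopback/conntrack lines omitted).
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGNDROP - [0:0]
-A INPUT -j LOGNDROP
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 51413 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6969 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 67:68 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 51413 -j ACCEPT
-A LOGNDROP -j LOG
-A LOGNDROP -j DROP
COMMIT'

printf '%s\n' "$SAMPLE_DUMP" | audit_dump   # reports 143 missing and LOG unlimited
render_rules | audit_dump                   # reports nothing missing
```

On a real host you would run `render_rules > /etc/iptables.rules` as root and then, on versions of iptables-restore that support it, `iptables-restore --test < /etc/iptables.rules` to parse the file without loading it; `sudo iptables-save | audit_dump` (after sourcing this file) reports on whatever rules are currently live. The audit only understands `-p`/`--dport` matches on OUTPUT, which is all the tutorial's policy uses; rules written with `--match multiport` or interface-specific matches would need the awk extended.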
