
Thread: Creating a Firewall for Your Ubuntu Desktop

  1. #1
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,769
    Distro
    Ubuntu 10.04 Lucid Lynx

    Creating a Firewall for Your Ubuntu Desktop

    The following will discuss three different methods by which you may implement a decent host based firewall for your Ubuntu Desktop Installation. This guide is provided in light of the following thread : http://ubuntuforums.org/showthread.php?t=1871177

    Several users have expressed concern about being able to create the type of firewall that was mentioned in that discussion. So here we will elaborate on three different methods by which you may do so under Ubuntu. This demonstration was completed using Ubuntu 11.10 Oneiric Ocelot 32 bit; however, it should hold true for most versions of Ubuntu post 8.04 (pre-8.04 needs to use the iptables section, as the UFW syntax was different) on both 64 bit and 32 bit systems.

    The three methods we will be using are the following:

    - GUFW : This is the graphical user interface for Uncomplicated Firewall, the front end for iptables provided by default in Ubuntu
    - UFW : The CLI front end application for controlling iptables/netfilter, which is included by default in Ubuntu.
    - iptables : We will create an iptables script to create our firewall

    It is important to understand that each of these three methods accomplishes the same goal, and only one needs to be used, since they are all methods for interfacing with iptables/netfilter and kernel-level packet filtering. Each method will do exactly the same thing, and preference is needed only in what you feel more comfortable with. Personally, I find iptables more intuitive than the other two methods, so it is what I would use. However, you may find GUFW or UFW more convenient, which is why I am discussing all three methods. I will not be covering Firestarter; it is similar to GUFW, and it is outdated and not supported by default. Therefore, if you choose to use that it is entirely on you. It does not offer any functionality that the following methods do not.

    Without further ado, here we go.

    Method 1 : GUFW


    GUFW is not installed by default so if you wish to use it you must first install it from the repositories. You can do so by giving the following command in a terminal, or by downloading it from the Ubuntu Software Center.

    Code:
    sudo apt-get update && sudo apt-get install gufw
    Once it has finished installing you may open it up, either by entering the following in a terminal

    Code:
    gufw
    Or by running the Firewall Configuration application from the Dash (note: for non-Unity users this is located under Administration).



    Once you have executed GUFW you will be presented with a window that looks like this. Assuming that you do not currently have any firewall rules and UFW is disabled, your window should look identical to this one.



    Note : Before you can make any changes you must click on the lock in the lower right hand corner of the Window and enter your sudo password.


    The first order of business is to enable UFW if it is not already enabled. To do this click the slider tab next to Firewall Status; it should change to "On".

    Once we have done this we can begin configuring our firewall policies. We will notice under the slider we just adjusted there is both an Incoming and an Outgoing policy; we want to make sure that both are set to Deny. This will block all traffic going in and out of our machine. Don't worry, we're going to allow some outbound traffic next.

    The next thing we need to do is click on the little plus in the lower left hand corner of the Window. This will allow us to add new rules to our Firewall.

    For this guide we will be creating restrictive policies; in order for us to do that we must know exactly what ports we need access to. This is going to be a fairly basic system, and as such we are going to add rules to allow the following outbound traffic:

    DHCP Access - Port 67 and 68 UDP

    Web Access - Ports 80 and 443 Protocol TCP

    Email Access - Ports 25, 110 and 143 Protocol TCP

    DNS Access - Port 53 Protocol TCP and UDP (This is absolutely required)

    Bittorrent Access Through Transmission - Bittorrent is different in that it uses a multitude of unregistered ports to make connections. So we will use some of the added functionality of GUFW to give us this ability.

    note: you may need additional services; look up the ports your service uses. At the end of this post there will be a list of commonly used services and their default ports.

    Now that we've clicked the plus to create our new rule, we will be presented with a window that looks like this.



    The first thing we will do is allow traffic from our Transmission Application.

    We choose the action Allow, the direction Out, the type Application and the application is Transmission. Once those settings are correct we click "Add"

    Next we will click on the "Simple" tab in the Firewall : Add Rule window.

    We will then choose the rule Allow, Direction Out, Protocol TCP, and in the line following TCP we will add the TCP ports we want access to outbound, which will look like this: 25,53,80,110,443. Note that when we add an additional port we separate it from the last with a comma. Port ranges are indicated in this manner:

    Code:
    6667:7000
    This would indicate ports 6667 through 7000.

    Once we have added our TCP outbound ports we must also remember to add any UDP outbound ports we need, in this case we will add port 53 for DNS.

    We will choose the action Allow, direction is Out, Protocol is UDP and in the line beside UDP enter 53. Click on add and you are done.

    (OPTIONAL)

    If you wish to add more fine grained control you may do so in the advanced tab. For instance if you want to allow outbound SSH traffic only from your IP address to a specific IP address it would look like this.



    Once you have finished editing your rules as you want them, you are done and may close the Firewall: Add Rule window as well as GUFW.


    Method 2 : UFW

    In this section we will create the exact same rules we did above however we will do so by utilizing UFW instead of the Graphical front end for it.

    This section is done entirely from the command line. We will be creating the same policies as before, default drop inbound, default drop outbound, with rules allowing the services listed below.

    DHCP Access - Ports 67 and 68 UDP

    Web Access - Ports 80 and 443 Protocol TCP

    Email Access - Ports 25, 110 and 143 Protocol TCP

    DNS Access - Port 53 Protocol TCP and UDP (This is absolutely required)

    Bittorrent Access Through Transmission - Bittorrent is different in that it uses a multitude of unregistered ports to make connections.

    So now that we know where we're going we are going to fire up a terminal window and create the same rules using UFW at the CLI.

    First we want to enable UFW by doing the following

    Code:
    sudo ufw enable
    Then we want to set our default inbound and outbound policies by doing the following

    Code:
    sudo ufw default deny incoming && sudo ufw default deny outgoing
    Now we will add our outbound TCP rules

    Code:
    sudo ufw allow out 25,53,80,110,143,443/tcp
    Then our outbound UDP rules

    Code:
    sudo ufw allow out 53,67,68/udp
    And now our Transmission rule

    Code:
    sudo ufw allow out 51413/tcp
    sudo ufw allow out 51413/udp
    sudo ufw allow out 6969/tcp
    Restart your firewall for good measure.

    Code:
    sudo ufw disable && sudo ufw enable
    Then you're done.

    Method 3 : iptables


    This method, in my opinion, is the best, because it gives you the most control over your firewall. However, iptables may not be for the new user. For completeness' sake I will cover it here.


    Please note: iptables works best without UFW installed. So we will remove it now.
    Code:
    sudo apt-get remove ufw gufw
    Again in this section we will be enabling the same services as before.

    DHCP Access - Ports 67 and 68 UDP

    Web Access - Ports 80 and 443 Protocol TCP

    Email Access - Ports 25, 110 and 143 Protocol TCP

    DNS Access - Port 53 Protocol TCP and UDP (This is absolutely required)

    Bittorrent Access Through Transmission - Bittorrent is different in that it uses a multitude of unregistered ports to make connections.

    However, here I am going to walk you through the iptables script with the comments in the script, as opposed to step by step like the previous sections. You will want to create a file for your script; for this we will call it iptables.sh, but you can call it whatever you want. Below you will find the sample iptables script.

    Code:
    #!/bin/bash
    #Simple Firewall Script. Run it as root (sudo), it writes to /proc/sys and the kernel tables.
    
    
    #Setting up default kernel tunings here (don't worry too much about these right now, they are acceptable defaults)
    #DROP ICMP echo-requests sent to broadcast/multi-cast addresses.
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    #DROP source routed packets
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    #Enable TCP SYN cookies
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    #Do not ACCEPT ICMP redirects
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    #Don't send ICMP redirects
    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
    #Enable source spoofing protection
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    #Log impossible (martian) packets
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    
    #Flush all existing rules and delete user-defined chains, so the script can be run again
    #(without --delete-chain a second run fails at "iptables -N LOGNDROP" because the chain already exists)
    iptables --flush
    iptables --delete-chain
    
    #Allow traffic on loopback
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    
    #Creating default policies
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP #If we're not a router
    
    #Allow previously established connections to continue uninterrupted
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    
    #Allow outbound connections on the ports we previously decided.
    iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT #SMTP
    iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT #DNS
    iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT #HTTP
    iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT #POP
    iptables -A OUTPUT -p tcp --dport 143 -j ACCEPT #IMAP
    iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT #HTTPS
    iptables -A OUTPUT -p tcp --dport 51413 -j ACCEPT #BT
    iptables -A OUTPUT -p tcp --dport 6969 -j ACCEPT #BT tracker
    iptables -A OUTPUT -p udp --dport 67:68 -j ACCEPT #DHCP
    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT #DNS
    iptables -A OUTPUT -p udp --dport 51413 -j ACCEPT #BT
    
    #Set up logging for incoming traffic. The LOG target is rate limited so a port scan cannot fill the log.
    iptables -N LOGNDROP
    iptables -A INPUT -j LOGNDROP
    iptables -A LOGNDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT-DROP: "
    iptables -A LOGNDROP -j DROP
    
    #Save our firewall rules
    iptables-save > /etc/iptables.rules
    Now that we have our script created we may save it and execute it:

    Code:
    sudo chmod 755 iptables.sh
    sudo ./iptables.sh
    Making your rules persistent :

    If you want these rules to be restored on every reboot you can do the following.

    Code:
    sudo nano /etc/network/interfaces
    Assuming wlan0 is the interface you use to connect to the network add the following at the end of the block. Alternatively you can add it to any interface you want and the rules will be loaded when that interface is brought up. Keep in mind this does not change the nature of the rules, or how they are applied.

    Code:
    pre-up iptables-restore < /etc/iptables.rules
    Then save the file.

    This bit of information as well as other ways for making your iptables rules persistent can be found here : https://help.ubuntu.com/community/IptablesHowTo

    We're done.


    Common Ports and Services


    FTP - 21 TCP
    SSH - 22 TCP
    TELNET - 23 TCP
    SMTP - 25 TCP
    DNS - 53 TCP/UDP
    DHCP - 67, 68 UDP
    HTTP - 80 TCP
    POP3 - 110 TCP
    IMAP - 143 TCP
    HTTPS - 443 TCP
    VNC - 5900-6000 TCP
    IRC - 6667-7000 TCP
    Gmail SMTP TLS - 587 TCP
    Gmail SMTP SSL - 465 TCP
    Gmail POP SSL - 995 TCP
    Gmail IMAP SSL - 993 TCP

    More here : http://en.wikipedia.org/wiki/List_of...P_port_numbers

    Hopefully this was helpful to someone. This was done as a contribution to the Security for Newbies Wiki thingy which can be found here : http://ubuntuforums.org/showthread.php?t=1873643


    P.S : Sorry if the images load slowly my server has horrid bandwidth

    P.P.S : If this is in the wrong place feel free to move it, stick it delete it, throw it in a river, feed it to your dog, whatever's clever
    Last edited by Dangertux; November 16th, 2011 at 04:31 PM.
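
    The following is an added example and not code from the thread or from Dangertux. It expresses the Method 3 policy as an iptables-restore file generated from a small service table, instead of a sequence of iptables commands: iptables-restore loads the whole table in one step, the file is the same format the persistence step (`pre-up iptables-restore < /etc/iptables.rules`) reads, and the generated text can be reviewed before it is loaded. The service table, the `--ctstate NEW` and `INVALID` conntrack matches, the `-m comment` labels and the 5/min log rate limit are my assumptions, not part of the original script.

```shell
#!/bin/sh
# Added example (not from the thread): the Method 3 policy as an
# iptables-restore file built from a service table.
# Assumptions (mine): the service table, the NEW/INVALID conntrack matches,
# the "-m comment" labels and the 5/min log rate limit.

# Outbound services to allow: "<proto> <port|lo:hi> <label>", one per line.
ALLOW_OUT="tcp 25 SMTP
tcp 53 DNS
tcp 80 HTTP
tcp 110 POP3
tcp 143 IMAP
tcp 443 HTTPS
tcp 51413 BitTorrent
tcp 6969 BitTorrent-tracker
udp 53 DNS
udp 67:68 DHCP
udp 51413 BitTorrent"

# Emit a complete filter table in iptables-save format on stdout.
build_rules() {
    printf '%s\n' '*filter'
    # Chain policies; LOGNDROP is the user-defined chain from the post.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]' ':LOGNDROP - [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    # Replies to connections we opened, plus related traffic such as ICMP errors.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # One rule per table entry; only NEW connections need to match here.
    while read -r proto port label; do
        [ -n "$proto" ] || continue
        printf '%s -p %s -m %s --dport %s -m conntrack --ctstate NEW -m comment --comment "%s" -j ACCEPT\n' \
            '-A OUTPUT' "$proto" "$proto" "$port" "$label"
    done <<EOF
$ALLOW_OUT
EOF
    # Everything else inbound is logged (rate limited) and dropped.
    printf '%s\n' '-A INPUT -j LOGNDROP'
    printf '%s\n' '-A LOGNDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT-DROP: " --log-level 4'
    printf '%s\n' '-A LOGNDROP -j DROP'
    printf '%s\n' 'COMMIT'
}

# Exit 0 if outbound <proto> <port> is covered by the table (ranges included).
allowed_out() {
    want_proto="$1"; want_port="$2"
    while read -r proto port label; do
        [ "$proto" = "$want_proto" ] || continue
        lo="${port%%:*}"; hi="${port##*:}"
        if [ "$want_port" -ge "$lo" ] && [ "$want_port" -le "$hi" ]; then
            return 0
        fi
    done <<EOF
$ALLOW_OUT
EOF
    return 1
}

# Usage: sh build-rules.sh print > iptables.rules
#        sudo iptables-restore < iptables.rules
case "${1:-}" in
    print) build_rules ;;
esac
```

    Generate the file with `sh build-rules.sh print > iptables.rules`, read it over, then load it with `sudo iptables-restore < iptables.rules` (or copy it to /etc/iptables.rules for the pre-up hook). `allowed_out tcp 6970` answers the question "would this policy let that connection out?" without touching the live tables.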

  2. #2
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Creating a Firewall for Your Ubuntu Desktop

    So one or two things I wonder about:

    A number of email clients and services use POP or IMAP, and those will have different server-side ports than SMTP uses. I'm not sure off the top of my head if that's relevant, but it might be worth letting folks know that it might come up. The same steps will apply, just with the relevant port number(s) being added.

    The other thing is DHCP, which a lot of home routers are going to use. That I think uses 67 and 68, but I can't remember the protocol off the top of my head. I recall some of my own logs being full of DHCP denials in cases where I didn't allow it, and while I knew what it was I can see some cases where users might get nervous after seeing a log full of such denials.

    This is an excellent post.

  3. #3
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,769
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Creating a Firewall for Your Ubuntu Desktop

    Yeah if you're having issues with any of the above check the services list at the end. I wasn't using DHCP for the VM I did this in, so that's a good point. It's edited to reflect DHCP as well.

  4. #4
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Creating a Firewall for Your Ubuntu Desktop

    Quote Originally Posted by Dangertux:
    Yeah if you're having issues with any of the above check the services list at the end. I wasn't using DHCP for the VM I did this in, so that's a good point. It's edited to reflect DHCP as well.
    This is awesome! You rock.

    I tried method #1 and subsequently blocked absolutely all internet traffic. Whoops, I forgot to add port 53 UDP. Now it's working. If I can get it to work, then I'm going to call your guide idiot-proof.

  5. #5
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,769
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Creating a Firewall for Your Ubuntu Desktop

    Yeah, DNS is hugely important. Remember, if you are using a dynamic IP you need to enable DHCP (ports 67 and 68 UDP) or you will be very confused the next time you reset your network interface.

  6. #6
    Join Date
    Nov 2011
    Beans
    3

    Re: Creating a Firewall for Your Ubuntu Desktop

    Quote Originally Posted by Dangertux:
    Yeah, DNS is hugely important. Remember, if you are using a dynamic IP you need to enable DHCP (ports 67 and 68 UDP) or you will be very confused the next time you reset your network interface.

    Thank you for your help. Two quick questions though.

    1) Where did you get this information from? I have read the information found on https://help.ubuntu.com/community/UFW as well as the man pages. Is there any other place I can look in order to learn more?

    2) My knowledge of ports is somewhat lacking but what if someone attempts to hack into my computer using a common port, say port 80? This is not a port I can block, obviously, but is there any other way to protect myself other than blocking that IP address?

  7. #7
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,769
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Creating a Firewall for Your Ubuntu Desktop

    Quote Originally Posted by Bukie:
    Thank you for your help. Two quick questions though.

    1) Where did you get this information from? I have read the information found on https://help.ubuntu.com/community/UFW as well as the man pages. Is there any other place I can look in order to learn more?

    2) My knowledge of ports is somewhat lacking but what if someone attempts to hack into my computer using a common port, say port 80? This is not a port I can block, obviously, but is there any other way to protect myself other than blocking that IP address?
    Knowledge of the commands and the applications used can be obtained by reading the man(ual) pages for the application in question. For instance man iptables

    In terms of ports that need to be open, you can do your best to keep the service up to date with the latest security patches, and harden the configuration of the service (different for every service). In the case of a web server like Apache you could use something like ModSecurity, which is a web application firewall. You could also further confine a service through mandatory access controls such as AppArmor or SELinux.

    Hope this helps.

  8. #8
    Join Date
    Oct 2011
    Beans
    92

    Re: Creating a Firewall for Your Ubuntu Desktop

    Does your Transmission work with just these 51413/tcp 51413/tcp allow out rules added? I've added these as rules #1 and #2 before the deny all out/in final rules and Transmission just won't start downloading a torrent unless I turn UFW off.

  9. #9
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,769
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Creating a Firewall for Your Ubuntu Desktop

    The inbound rules should be the only ones affecting downloading the files themselves, and the connection should be considered established or related. As for 51413 being the default port for seeding, that is also correct. Yes, mine works fine.

  10. #10
    Join Date
    Oct 2011
    Beans
    92

    Re: Creating a Firewall for Your Ubuntu Desktop

    Quote Originally Posted by Dangertux:
    The inbound rules should be the only ones affecting downloading the files themselves, and the connection should be considered established or related. As for 51413 being the default port for seeding, that is also correct. Yes, mine works fine.
    That is strange then, since I have added

    Code:
    [ 1] 51413/tcp                  ALLOW IN    Anywhere
    [ 2] 51413/udp                  ALLOW IN    Anywhere
    [ 3] 51413/udp                  ALLOW OUT   Anywhere (out)
    [ 4] 51413/tcp                  ALLOW OUT   Anywhere (out)
    and yet transmission just does not start a torrent until the firewall is switched off and netstat shows:

    Code:
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      1435/sendmail: MTA:
    tcp        0      0 0.0.0.0:51413           0.0.0.0:*               LISTEN      2408/transmission-g
    tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      932/cupsd       
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1435/sendmail: MTA:
    tcp        0      1 192.168.0.2:42033       109.235.55.11:6969      SYN_SENT    2408/transmission-g
    tcp        0      1 192.168.0.2:55947       91.199.108.232:3310     SYN_SENT    2408/transmission-g
    tcp        0      1 192.168.0.2:32817       62.149.5.203:80         SYN_SENT    2408/transmission-g
    tcp        0      1 192.168.0.2:53229       122.224.5.45:2710       SYN_SENT    2408/transmission-g
    tcp        0      1 192.168.0.2:46606       82.94.217.189:6970      SYN_SENT    2408/transmission-g
    tcp        1      0 192.168.0.2:50260       216.137.57.143:80       CLOSE_WAIT  2156/gvfsd-http 
    tcp        1      0 192.168.0.2:43195       216.137.57.225:80       CLOSE_WAIT  2156/gvfsd-http 
    tcp        0      1 192.168.0.2:35167       194.54.80.150:6969      SYN_SENT    2408/transmission-g
    tcp        1      0 192.168.0.2:46195       216.137.57.102:80       CLOSE_WAIT  2156/gvfsd-http 
    tcp        0      1 192.168.0.2:55944       91.199.108.232:3310     SYN_SENT    2408/transmission-g
    tcp        0      1 192.168.0.2:42197       193.107.16.156:2710     SYN_SENT    2408/transmission-g
    tcp6       0      0 :::51413                :::*                    LISTEN      2408/transmission-g
    tcp6       0      0 ::1:631                 :::*                    LISTEN      932/cupsd
    Any idea why it wouldn't work for me to allow downloads? It seems to be listening on 51413 but maybe trying to do something else sending SYN on these other high ports?
    Last edited by Azrael84; November 8th, 2011 at 10:11 AM.
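
    The following is an added example, not part of the thread or of either poster's setup. With a deny-by-default outgoing policy a dropped SYN never receives a SYN-ACK, so the socket sits in SYN_SENT in netstat, which is what the listing above shows for the tracker connections. The script parses a `netstat -tpn` style listing and reports the destination proto/port pairs in SYN_SENT that an outbound allow list does not cover, i.e. the rules that are still missing. The allow list (the tutorial's ports plus the 51413 rules from the post) and the embedded snapshot (a constructed subset of the netstat lines quoted above) are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find outbound connections that a
# deny-by-default outgoing policy is silently dropping. A dropped SYN never
# gets a SYN-ACK, so netstat shows the socket stuck in SYN_SENT.
# Assumptions (mine): the allow list below is the tutorial's outbound ports
# plus the poster's 51413 rules; the snapshot is a constructed subset of the
# netstat lines quoted in the post.

ALLOWED_OUT="tcp/25 tcp/53 tcp/80 tcp/110 tcp/143 tcp/443 tcp/51413 tcp/6969 udp/53 udp/67 udp/68 udp/51413"

SNAPSHOT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:51413           0.0.0.0:*               LISTEN      2408/transmission-g
tcp        0      1 192.168.0.2:42033       109.235.55.11:6969      SYN_SENT    2408/transmission-g
tcp        0      1 192.168.0.2:55947       91.199.108.232:3310     SYN_SENT    2408/transmission-g
tcp        0      1 192.168.0.2:32817       62.149.5.203:80         SYN_SENT    2408/transmission-g
tcp        0      1 192.168.0.2:53229       122.224.5.45:2710       SYN_SENT    2408/transmission-g
tcp        0      1 192.168.0.2:46606       82.94.217.189:6970      SYN_SENT    2408/transmission-g
tcp        1      0 192.168.0.2:50260       216.137.57.143:80       CLOSE_WAIT  2156/gvfsd-http
tcp        0      1 192.168.0.2:35167       194.54.80.150:6969      SYN_SENT    2408/transmission-g
tcp        0      1 192.168.0.2:42197       193.107.16.156:2710     SYN_SENT    2408/transmission-g
tcp6       0      0 :::51413                :::*                    LISTEN      2408/transmission-g'

# Print "<proto>/<dport> <program>" for every SYN_SENT socket in a
# "netstat -tpn" style listing passed as $1.
syn_sent_targets() {
    printf '%s\n' "$1" | awk '$6 == "SYN_SENT" {
        proto = $1; sub(/6$/, "", proto)          # tcp6 -> tcp
        n = split($5, addr, ":"); port = addr[n]   # port is the last ":" field
        m = split($7, pp, "/"); prog = (m > 1) ? pp[2] : $7
        print proto "/" port, prog
    }'
}

# Exit 0 if "<proto>/<port>" is in ALLOWED_OUT.
is_allowed() {
    case " $ALLOWED_OUT " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# Print the distinct SYN_SENT targets the allow list does not cover.
blocked_targets() {
    syn_sent_targets "$1" | while read -r key prog; do
        is_allowed "$key" || printf '%s %s\n' "$key" "$prog"
    done | sort -u
}

# Usage: sh stuck-syn.sh demo   (check the embedded snapshot)
#        sh stuck-syn.sh live   (check this host; needs net-tools)
case "${1:-}" in
    demo) blocked_targets "$SNAPSHOT" ;;
    live) blocked_targets "$(netstat -tpn 2>/dev/null)" ;;
esac
```

    On the embedded snapshot it reports tcp/2710, tcp/3310 and tcp/6970 for transmission-g; 6969 and 80 are covered by the allow list and are not reported. Run it with `live` on a host (as root, otherwise `netstat -p` only names your own processes) to see which outbound rules a default-deny policy is still missing.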
