0%

ubuntu防火墙配置工具ufw

Posted on Edited on In

ufw

ufw(Uncomplicated Firewall)是ubuntu默认的防火墙配置工具,其屏蔽了iptables的复杂操作方式,提供了非常友好的方式去配置规则。 一般情况下都会是默认安装的,若没有安装则可以输入如下命令进行安装:

1
apt install ufw

ufw的配置在/etc/ufw/路径下,自己配置的规则基本都是在user的两个文件中(有数字6的待变ipv6的相关规则),其他的都是系统默认的一下规则。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
root@cc-server:/etc/ufw# ll
total 56
drwxr-xr-x  3 root root 4096 Aug 22 17:16 ./
drwxr-xr-x 91 root root 4096 Oct 12 11:04 ../
-rw-r-----  1 root root  915 Apr 15  2016 after6.rules
-rw-r-----  1 root root 1126 Aug 17  2017 after.init
-rw-r-----  1 root root 1004 Apr 15  2016 after.rules
drwxr-xr-x  2 root root 4096 Aug 22 17:17 applications.d/
-rw-r-----  1 root root 6451 Aug 18  2017 before6.rules
-rw-r-----  1 root root 1130 Aug 17  2017 before.init
-rw-r-----  1 root root 2667 Apr 15  2016 before.rules
-rw-r--r--  1 root root 1391 Aug 16  2017 sysctl.conf
-rw-r--r--  1 root root  312 Oct 12 10:32 ufw.conf
-rw-r-----  1 root root 2009 Sep 18 12:47 user6.rules
-rw-r-----  1 root root 2025 Sep 18 12:47 user.rules
root@cc-server:/etc/ufw#

常用命令

下面的命令使用前提是用户拥有root权限。如果是普通用户,则需要切换root用户或者获取root权限(在命令前加sudo)。

开启防火墙

1
ufw enable

关闭防火墙

1
ufw disable

开放端口(以22端口为例)

1
2
3
4
//默认开放tcp和udp协议
ufw allow 22
//只开放单个协议
ufw allow 22/tcp

关闭已开放的端口(以22端口为例)

1
ufw deny 22

删除安全规则(以22端口为例)

1
2
ufw delete deny 22
ufw delete allow 22

查看防火墙状态

1
ufw status

查看防火墙详细信息

1
ufw status verbose

运行一个特殊的ip或一个网段有权限访问一个端口

1
2
3
4
//允许192.168.0.2主机进行ssh访问,以访问此主机上的任何IP地址
ufw allow proto tcp from 192.168.0.2 to any port 22
//允许一个网段
ufw allow proto tcp from 192.168.0.0/24 to any port 22

在命令行中输入命令 ufw –help 即可查看ufw的基本命令,如下所示:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
root@cc-server:/etc/ufw# ufw --help

Usage: ufw COMMAND

Commands:
 enable                          enables the firewall
 disable                         disables the firewall
 default ARG                     set default policy
 logging LEVEL                   set logging to LEVEL
 allow ARGS                      add allow rule
 deny ARGS                       add deny rule
 reject ARGS                     add reject rule
 limit ARGS                      add limit rule
 delete RULE|NUM                 delete RULE
 insert NUM RULE                 insert RULE at NUM
 route RULE                      add route RULE
 route delete RULE|NUM           delete route RULE
 route insert NUM RULE           insert route RULE at NUM
 reload                          reload firewall
 reset                           reset firewall
 status                          show firewall status
 status numbered                 show firewall status as numbered list of RULES
 status verbose                  show verbose firewall status
 show ARG                        show firewall report
 version                         display version information

Application profile commands:
 app list                        list application profiles
 app info PROFILE                show information on PROFILE
 app update PROFILE              update PROFILE
 app default ARG                 set default application policy

root@cc-server:/etc/ufw#

ufw详细使用规则

在命令行输入 man ufw 即可查看到如下的详细ufw的使用方式:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
NAME
       ufw - program for managing a netfilter firewall

DESCRIPTION
       This program is for managing a Linux firewall and aims to provide an easy to use interface for the user.

USAGE
       ufw [--dry-run] enable|disable|reload

       ufw [--dry-run] default allow|deny|reject [incoming|outgoing|routed]

       ufw [--dry-run] logging on|off|LEVEL

       ufw [--dry-run] reset

       ufw [--dry-run] status [verbose|numbered]

       ufw [--dry-run] show REPORT

       ufw [--dry-run] [delete] [insert NUM] allow|deny|reject|limit [in|out] [log|log-all] [ PORT[/PROTOCOL] | APPNAME ] [comment COMMENT]

       ufw [--dry-run] [rule] [delete] [insert NUM] allow|deny|reject|limit [in|out [on INTERFACE]] [log|log-all] [proto PROTOCOL] [from ADDRESS [port PORT | app APPNAME ]] [to ADDRESS [port PORT | app APPNAME ]] [comment COMMENT]

       ufw [--dry-run] route [delete] [insert NUM] allow|deny|reject|limit [in|out on INTERFACE] [log|log-all] [proto PROTOCOL] [from ADDRESS [port PORT | app APPNAME]] [to ADDRESS [port PORT | app APPNAME]] [comment COMMENT]

       ufw [--dry-run] delete NUM

       ufw [--dry-run] app list|info|default|update

OPTIONS
       --version
              show program's version number and exit

       -h, --help
              show help message and exit

       --dry-run
              don't modify anything, just show the changes

       enable reloads firewall and enables firewall on boot.

       disable
              unloads firewall and disables firewall on boot

       reload reloads firewall

       default allow|deny|reject DIRECTION
              change the default policy for traffic going DIRECTION, where DIRECTION is one of incoming, outgoing or routed. Note that existing rules will have to be migrated manually when changing the default policy. See RULE SYN‐
              TAX for more on deny and reject.

       logging on|off|LEVEL
              toggle logging. Logged packets use the LOG_KERN syslog facility. Systems configured for rsyslog support may also log to /var/log/ufw.log. Specifying a LEVEL turns logging on for the specified LEVEL.  The  default  log
              level is 'low'.  See LOGGING for details.

参考资料

ubantu官方文档:
https://help.ubuntu.com/lts/serverguide/firewall.html#ip-masquerading