
Ubuntu firewall configuration tool: ufw

ufw

ufw (Uncomplicated Firewall) is Ubuntu's default firewall configuration tool. It hides the awkward iptables syntax behind a much friendlier way of writing rules. It is normally installed by default; if it is missing, install it with:

apt install ufw

ufw's configuration lives under /etc/ufw/. The rules you add yourself end up in the two user files (user.rules and user6.rules; the one with the 6 in its name holds the IPv6 rules), which ufw rewrites on every change, so do not edit them by hand. The remaining files are the system defaults; before.rules and after.rules are where hand-written iptables fragments (for example NAT or masquerading) belong.

root@cc-server:/etc/ufw# ll
total 56
drwxr-xr-x 3 root root 4096 Aug 22 17:16 ./
drwxr-xr-x 91 root root 4096 Oct 12 11:04 ../
-rw-r----- 1 root root 915 Apr 15 2016 after6.rules
-rw-r----- 1 root root 1126 Aug 17 2017 after.init
-rw-r----- 1 root root 1004 Apr 15 2016 after.rules
drwxr-xr-x 2 root root 4096 Aug 22 17:17 applications.d/
-rw-r----- 1 root root 6451 Aug 18 2017 before6.rules
-rw-r----- 1 root root 1130 Aug 17 2017 before.init
-rw-r----- 1 root root 2667 Apr 15 2016 before.rules
-rw-r--r-- 1 root root 1391 Aug 16 2017 sysctl.conf
-rw-r--r-- 1 root root 312 Oct 12 10:32 ufw.conf
-rw-r----- 1 root root 2009 Sep 18 12:47 user6.rules
-rw-r----- 1 root root 2025 Sep 18 12:47 user.rules
root@cc-server:/etc/ufw#

Common commands

The commands below assume root privileges. As an ordinary user, either switch to root or prefix each command with sudo.

Enable the firewall

ufw enable

Disable the firewall

ufw disable

Open a port (port 22 as the example)

# without a protocol, ufw opens the port for both tcp and udp
ufw allow 22
# open a single protocol only
ufw allow 22/tcp

Block a port that was opened (port 22 as the example). If an allow rule with the same match already exists, ufw replaces it with the deny (it reports "Rule updated"); to remove the rule instead of flipping it, use delete below.

ufw deny 22

Delete a rule (port 22 as the example)

ufw delete deny 22
ufw delete allow 22

Show firewall status

ufw status

Show detailed firewall status (default policies, logging level, all rules)

ufw status verbose

Allow a specific IP address or subnet to reach a port

# allow host 192.168.0.2 to reach ssh (22/tcp) on any address of this host
ufw allow proto tcp from 192.168.0.2 to any port 22
# allow a whole subnet
ufw allow proto tcp from 192.168.0.0/24 to any port 22
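The commands above are the pieces; what matters in practice is the order in which they are applied, because enabling ufw with a default-deny policy before the SSH rule exists cuts off the session you are typing in. The script below is an added example, not code from the original post or from the ufw project. It assumes sshd listens on 22/tcp, that administrators connect from 192.168.0.0/24, and that 80/tcp and 443/tcp are the only public services; all three are my assumptions, not facts from the page. Without the --apply argument it only prints the plan.

```shell
#!/bin/sh
# Added example, not from the original post: bring an Ubuntu host to a
# default-deny firewall in the order that avoids locking yourself out of
# the SSH session used to run it. Assumptions (mine): sshd listens on
# 22/tcp, admins come from 192.168.0.0/24, and 80/443 are the only public
# services. Needs root. Without --apply it only prints the plan.
set -eu

MGMT_NET="${MGMT_NET:-192.168.0.0/24}"   # assumed management subnet
SSH_PORT="${SSH_PORT:-22}"               # assumed sshd port

# Execute a command, or print it when DRY_RUN=1 so the sequence can be
# reviewed before it touches the live rule set.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ufw_harden() {
    # 1. Known starting point: reset disables ufw and drops every rule;
    #    --force skips the interactive confirmation.
    run ufw --force reset
    # 2. Default policy first: drop unsolicited inbound, allow outbound.
    run ufw default deny incoming
    run ufw default allow outgoing
    # 3. Admin access BEFORE enable. limit = allow, but deny a source that
    #    opens 6 or more connections within 30 seconds (brute-force brake).
    run ufw limit proto tcp from "$MGMT_NET" to any port "$SSH_PORT" comment 'ssh from mgmt'
    # 4. Public services, protocol pinned so UDP is not opened by accident.
    run ufw allow 80/tcp comment 'http'
    run ufw allow 443/tcp comment 'https'
    # 5. Log blocked packets at level low so /var/log/ufw.log shows drops.
    run ufw logging low
    # 6. Only now turn it on; --force answers the "may disrupt ssh" prompt.
    run ufw --force enable
    run ufw status verbose
}

# Default to printing the plan; pass --apply to execute it on the host.
if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
else
    DRY_RUN=1
fi
ufw_harden
```

Review the printed plan first, then run it again with --apply. If IPV6=yes is set in /etc/default/ufw (the Ubuntu default), every rule is installed for IPv6 as well, which is why the same port shows up twice in ufw status.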

Run ufw --help to list ufw's basic commands, as shown below:

root@cc-server:/etc/ufw# ufw --help

Usage: ufw COMMAND

Commands:
enable enables the firewall
disable disables the firewall
default ARG set default policy
logging LEVEL set logging to LEVEL
allow ARGS add allow rule
deny ARGS add deny rule
reject ARGS add reject rule
limit ARGS add limit rule
delete RULE|NUM delete RULE
insert NUM RULE insert RULE at NUM
route RULE add route RULE
route delete RULE|NUM delete route RULE
route insert NUM RULE insert route RULE at NUM
reload reload firewall
reset reset firewall
status show firewall status
status numbered show firewall status as numbered list of RULES
status verbose show verbose firewall status
show ARG show firewall report
version display version information

Application profile commands:
app list list application profiles
app info PROFILE show information on PROFILE
app update PROFILE update PROFILE
app default ARG set default application policy

root@cc-server:/etc/ufw#
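Once the firewall is active, ufw status numbered is the view you audit from, because delete NUM and insert NUM in the listing above take the numbers it prints. The script below is an added example and is not from the original post or from ufw itself: it parses that output and lists inbound ALLOW rules open to Anywhere whose port is not on the expected-public list you pass in, so each can be removed with ufw delete NUM. The status listing it embeds is constructed for the example, not captured from a host.

```shell
#!/bin/sh
# Added example, not from the original post: find numbered ufw rules that
# ALLOW inbound traffic from Anywhere to a port not on an expected-public
# list, so they can be removed with `ufw delete NUM`. Reads the output of
# `ufw status numbered` on stdin. The sample below is constructed.
set -eu

# Usage: broad_allows "80/tcp 443/tcp" < status.txt
# Prints "NUM TO" per offending rule, highest number first: delete from the
# top down, because deleting rule 2 renumbers rule 3 to 2.
broad_allows() {
    sed 's/^\[ *\([0-9]*\)\]/\1/' | awk -v ok="${1:-}" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) public[a[i]] = 1 }
        $1 ~ /^[0-9]+$/ {
            num = $1; port = $2; to = port; from = ""; dir = "IN"
            if ($3 == "(v6)") to = port " (v6)"
            # ufw prints "ALLOW", "ALLOW IN", "ALLOW OUT" or "ALLOW FWD";
            # the From column follows the action.
            for (i = 3; i <= NF; i++) {
                if ($i == "ALLOW") {
                    if ($(i+1) == "IN" || $(i+1) == "OUT" || $(i+1) == "FWD") {
                        dir = $(i+1); from = $(i+2)
                    } else {
                        from = $(i+1)
                    }
                    break
                }
            }
            if (dir == "IN" && from == "Anywhere" && !(port in public))
                print num, to
        }' | sort -rn
}

# Constructed sample of `ufw status numbered` output (not from a real host).
SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    192.168.0.0/24             # ssh from mgmt
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 3306/tcp                   ALLOW IN    Anywhere
[ 4] 443/tcp                    ALLOW IN    Anywhere
[ 5] 6379                       ALLOW IN    10.0.0.5
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 3306/tcp (v6)              ALLOW IN    Anywhere (v6)
[10] 8080/tcp                   ALLOW IN    Anywhere'

# On a live host: ufw status numbered | broad_allows "80/tcp 443/tcp"
printf '%s\n' "$SAMPLE" | broad_allows "80/tcp 443/tcp"
```

On the sample this reports rules 10, 7 and 3 (8080/tcp and the IPv4 and IPv6 3306/tcp rules); rule 5 is not flagged because it is restricted to a single source.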

Detailed ufw usage

Run man ufw to see the full usage; an excerpt follows:

NAME
ufw - program for managing a netfilter firewall

DESCRIPTION
This program is for managing a Linux firewall and aims to provide an easy to use interface for the user.

USAGE
ufw [--dry-run] enable|disable|reload

ufw [--dry-run] default allow|deny|reject [incoming|outgoing|routed]

ufw [--dry-run] logging on|off|LEVEL

ufw [--dry-run] reset

ufw [--dry-run] status [verbose|numbered]

ufw [--dry-run] show REPORT

ufw [--dry-run] [delete] [insert NUM] allow|deny|reject|limit [in|out] [log|log-all] [ PORT[/PROTOCOL] | APPNAME ] [comment COMMENT]

ufw [--dry-run] [rule] [delete] [insert NUM] allow|deny|reject|limit [in|out [on INTERFACE]] [log|log-all] [proto PROTOCOL] [from ADDRESS [port PORT | app APPNAME ]] [to ADDRESS [port PORT | app APPNAME ]] [comment COMMENT]

ufw [--dry-run] route [delete] [insert NUM] allow|deny|reject|limit [in|out on INTERFACE] [log|log-all] [proto PROTOCOL] [from ADDRESS [port PORT | app APPNAME]] [to ADDRESS [port PORT | app APPNAME]] [comment COMMENT]

ufw [--dry-run] delete NUM

ufw [--dry-run] app list|info|default|update

OPTIONS
--version
show program's version number and exit

-h, --help
show help message and exit

--dry-run
don't modify anything, just show the changes

enable reloads firewall and enables firewall on boot.

disable
unloads firewall and disables firewall on boot

reload reloads firewall

default allow|deny|reject DIRECTION
change the default policy for traffic going DIRECTION, where DIRECTION is one of incoming, outgoing or routed. Note that existing rules will have to be migrated manually when changing the default policy. See RULE SYNTAX for more on deny and reject.

logging on|off|LEVEL
toggle logging. Logged packets use the LOG_KERN syslog facility. Systems configured for rsyslog support may also log to /var/log/ufw.log. Specifying a LEVEL turns logging on for the specified LEVEL. The default log
level is 'low'. See LOGGING for details.
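The logging paragraph above is the one most worth acting on: with logging at low, every packet dropped by the default policy lands in /var/log/ufw.log (or the kernel log) as a [UFW BLOCK] line carrying SRC=, DPT= and PROTO= fields. The script below is an added example, not from the original post or from ufw: it summarises such lines and flags sources that probe many distinct ports. The log lines it embeds are constructed and abbreviated (real entries carry more fields, such as MAC= and LEN=, which the parser ignores); the hostname cc-server is reused from the listings on this page.

```shell
#!/bin/sh
# Added example, not from the original post: summarise [UFW BLOCK] log
# lines and flag port-scan-like sources. Reads log lines on stdin; on a
# live host use `blocked_summary < /var/log/ufw.log` or
# `journalctl -k | scanners 5`. The embedded sample is constructed.
set -eu

# Prints "COUNT SRC DPT PROTO" for every blocked (src, port, proto)
# combination, most frequent first. Non-BLOCK lines are ignored.
blocked_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            src = dpt = proto = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            count[src " " dpt " " proto]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Prints "SRC PORTS" for sources blocked on at least $1 distinct destination
# ports (default 5): one host touching many closed ports is a scan, whereas
# many hits on one port is more likely a brute-force attempt.
scanners() {
    threshold="${1:-5}"
    awk -v t="$threshold" '
        /\[UFW BLOCK\]/ {
            src = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !((src, dpt) in seen)) {
                seen[src, dpt] = 1
                ports[src]++
            }
        }
        END { for (s in ports) if (ports[s] >= t) print s, ports[s] }' | sort -k2,2nr
}

# Constructed, abbreviated log sample (not captured from a real host).
SAMPLE_LOG='Oct 12 10:41:02 cc-server kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 SYN URGP=0
Oct 12 10:41:03 cc-server kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=23 SYN URGP=0
Oct 12 10:41:03 cc-server kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=3306 SYN URGP=0
Oct 12 10:41:04 cc-server kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51237 DPT=3389 SYN URGP=0
Oct 12 10:41:04 cc-server kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51238 DPT=8080 SYN URGP=0
Oct 12 10:41:05 cc-server kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=51239 DPT=161 LEN=40
Oct 12 10:42:10 cc-server kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Oct 12 10:42:11 cc-server kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN URGP=0
Oct 12 10:42:12 cc-server kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=22 SYN URGP=0
Oct 12 10:43:00 cc-server kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=55000 DPT=3306 SYN URGP=0
Oct 12 10:43:01 cc-server kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.168.0.2 DST=192.0.2.10 PROTO=TCP SPT=55001 DPT=22 SYN URGP=0'

printf '%s\n' "$SAMPLE_LOG" | blocked_summary
printf '%s\n' "$SAMPLE_LOG" | scanners 5
```

On the sample, blocked_summary puts 198.51.100.4 hitting 22/TCP three times at the top, and scanners 5 reports 203.0.113.7 with six distinct ports; the [UFW ALLOW] line is ignored by both. At logging level low ufw rate-limits the dropped-packet log entries, so counts are a floor, not an exact figure.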

References

Ubuntu official documentation:
https://help.ubuntu.com/lts/serverguide/firewall.html#ip-masquerading