Two Ways to Set Up a Firewall in Linux
Firewall Configuration
On Ubuntu Linux, you can use ufw or iptables for firewall configuration. Here are the commands and some pitfalls I encountered along the way. 🤣
UFW
- View firewall settings
sudo ufw status
- Add firewall rules
# allow ssh
sudo ufw allow ssh
# allow specific ip to specific port
sudo ufw allow from 123.123.123.123 to any port 22/tcp
- List firewall rules with numbers. Example:
sudo ufw status numbered
root@localhost:~# sudo ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 80/tcp ALLOW IN Anywhere
[ 2] 443/tcp ALLOW IN Anywhere
[ 3] 22/tcp ALLOW IN 123.123.123.123
[ 4] 22/tcp ALLOW IN 123.123.123.124
[ 5] 443/tcp (v6) ALLOW IN Anywhere (v6)
[ 6] 80/tcp (v6) ALLOW IN Anywhere (v6)
- Delete a specific rule
sudo ufw delete [number]
- Reload rules
sudo ufw reload
- Enable/disable rules
sudo ufw enable
sudo ufw disable
IPTABLES
If you add a rule for port 22 using ufw, you can verify it with the following commands. Ultimately, though, you should check sudo iptables -L INPUT -n --line-number
to make sure the rule is actually present in the INPUT chain, since ufw only generates iptables rules and does not filter anything itself.
- View rules for port 22
If you added a rule for port 22 using ufw, you can verify it with:
sudo iptables -L -n | grep :22
ACCEPT tcp -- 123.123.123.123 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 123.123.123.124 0.0.0.0/0 tcp dpt:22
- View input rules
sudo iptables -L INPUT -n --line-number
- Machine 1
root@localhost:~# sudo iptables -L INPUT -n --line-number
Chain INPUT (policy DROP)
num target prot opt source destination
1 ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
2 ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
3 ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
4 ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0
5 ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0
6 ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0
7 ACCEPT tcp -- 123.123.123.123 0.0.0.0/0 tcp dpt:22
8 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
- Machine 2
root@localhost:~# sudo iptables -L INPUT -n --line-number
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 123.123.123.123 0.0.0.0/0 tcp dpt:22
2 ACCEPT tcp -- 123.123.123.124 0.0.0.0/0 tcp dpt:22
3 f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
...
- Add input rule
sudo iptables -A INPUT -p tcp -s 123.123.123.123 --dport 22 -j ACCEPT
- Delete input rule
sudo iptables -D INPUT <line-number>
Practical Insights
This post originated because another team at our company experienced a hack due to lack of firewall settings and weak password complexity. To enhance information security, I decided to restrict access to port 22 to a whitelist of IPs. However, I encountered some pitfalls due to unfamiliarity with the commands.
Generally, adding a firewall whitelist should suffice. If you’re not an internal staff member, you shouldn’t be able to access the specific IPs (feel free to share better methods 😆).
On Machine 1, after setting up ufw using:
sudo ufw allow from [IP] to any port 22/tcp
I verified with
sudo iptables -L -n | grep :22
that my IP address was displayed. Therefore, on Machine 1, I could log in using the specific IP, enhancing machine security. However, applying the same method on Machine 2 resulted in issues where I couldn’t log in with my IP (hacker didn’t log in, but I couldn’t either XD).
The main reason was that Machine 2 didn’t apply the ufw rules to iptables. Therefore, no matter how I set up ufw, it didn’t work (or you might need to reinstall ufw).
My final solution was to add the whitelist directly with iptables, ensuring it was written to iptables:
sudo iptables -A INPUT -p tcp -s 123.123.123.123 --dport 22 -j ACCEPT
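As an added example (not part of the original post), here is a small POSIX shell check that inspects the iptables INPUT listing the way the post does by hand: it reports whether the ufw-*-input chains are hooked into INPUT at all (the Machine 2 pitfall) and whether a given IP has an SSH ACCEPT rule that is evaluated before any DROP that would also match it. The two sample listings are constructed to mirror the post's output, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample mirroring the post's Machine 1 listing: ufw chains are
# hooked into INPUT, and an explicit ACCEPT sits above a catch-all DROP.
SAMPLE_M1='Chain INPUT (policy DROP)
num target prot opt source destination
1 ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
2 ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
7 ACCEPT tcp -- 123.123.123.123 0.0.0.0/0 tcp dpt:22
8 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22'

# Constructed sample mirroring Machine 2: no ufw-* chains at all, so anything
# configured through ufw never reaches the packet filter.
SAMPLE_M2='Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 123.123.123.123 0.0.0.0/0 tcp dpt:22
2 f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22'

# ufw_hooked LISTING: succeeds when INPUT jumps to the ufw-*-input chains.
ufw_hooked() {
    printf '%s\n' "$1" | awk '$2 ~ /^ufw-.*-input$/ { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# ssh_allowed_from LISTING IP: succeeds when an ACCEPT for tcp dpt:22 from IP
# appears before any DROP that would also match it (iptables stops at the
# first matching rule, so rule order decides the outcome).
ssh_allowed_from() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $3 == "tcp" && $0 ~ / dpt:22( |$)/ {
            if ($2 == "ACCEPT" && $5 == ip) { ok = 1; exit }
            if ($2 == "DROP" && ($5 == "0.0.0.0/0" || $5 == ip)) { exit }
        }
        END { if (ok) exit 0; exit 1 }'
}

# live_check IP: run both checks against the running firewall (needs root).
# Returns 0 if IP can reach port 22, 1 if not, 2 if iptables could not be read.
live_check() {
    listing=$(iptables -L INPUT -n --line-numbers) || return 2
    if ! ufw_hooked "$listing"; then
        echo "warning: no ufw-*-input chains in INPUT; ufw rules are not applied" >&2
    fi
    ssh_allowed_from "$listing" "$1"
}
```

Run live_check with your own address before closing the session you are connected from; a warning from the first check is exactly the situation the post hit on Machine 2.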