Ubuntu Firewall (UFW) Operations Guide

Ubuntu ships with a firewall front end called ufw (Uncomplicated Firewall) installed by default. It is disabled by default; enabling it loads the iptables/nftables rules it generates.

If you prefer a GUI, have a look at Gufw.

Basic usage

Enable ufw: sudo ufw enable
If you are working on the machine over SSH, run sudo ufw allow ssh before enabling: the default policy is to deny all incoming and allow all outgoing traffic (sudo ufw default deny incoming / sudo ufw default allow outgoing), so enabling without an SSH rule locks you out. ufw prompts with a warning about this when you enable it.

Check ufw status: sudo ufw status verbose (also shows the default policies and the logging level)
You can also run sudo ufw show raw to see the underlying iptables chains and packet counters
The rule files live under /etc/ufw: before.rules and after.rules (before6.rules / after6.rules for IPv6) run before and after the rules you add on the command line, which ufw writes to user.rules / user6.rules

Disable ufw: sudo ufw disable

Allow a port: sudo ufw allow <port>[/<protocol>]
e.g. allow inbound traffic to port 53 over both tcp and udp: sudo ufw allow 53
allow tcp port 53 only: sudo ufw allow 53/tcp
allow udp port 53 only: sudo ufw allow 53/udp

Deny a port: sudo ufw deny <port>[/<protocol>]
e.g. deny access to port 53 over both tcp and udp: sudo ufw deny 53
deny tcp port 53 only: sudo ufw deny 53/tcp
deny udp port 53 only: sudo ufw deny 53/udp
(deny silently drops the packets; use reject instead of deny if the client should get an immediate refusal rather than a timeout)

Delete an existing rule: prefix the rule with delete

e.g. if ufw deny 80/tcp exists:
delete it with: sudo ufw delete deny 80/tcp
You can also allow and deny by service name; the names come from /etc/services

Allow a service: sudo ufw allow <service name>

e.g. allow ssh (resolves to 22/tcp via /etc/services): sudo ufw allow ssh

Deny a service: sudo ufw deny <service name>

e.g. deny ssh: sudo ufw deny ssh

Check status: sudo ufw status

Example (output of an older ufw; current versions print Status: active instead of Firewall loaded and write ports as 22/tcp rather than 22:tcp):

To                         Action  From
--                         ------  ----
22:tcp                     DENY    192.168.0.1
22:udp                     DENY    192.168.0.1
22:tcp                     DENY    192.168.0.7
22:udp                     DENY    192.168.0.7
22:tcp                     ALLOW   192.168.0.0/24
22:udp                     ALLOW   192.168.0.0/24

Enable logging: sudo ufw logging on (the same as logging low; the levels are off, low, medium, high and full, and anything above low gets noisy fast)
Disable logging: sudo ufw logging off

Advanced syntax

Allow everything from an IP: sudo ufw allow from <ip address>
e.g. allow all traffic from 207.46.232.182: sudo ufw allow from 207.46.232.182
Allow a whole subnet: sudo ufw allow from 192.168.1.0/24

Allow an IP to reach a specific port: sudo ufw allow from <source> to <destination> port <port number>

e.g. allow 192.168.0.4 to reach port 22: sudo ufw allow from 192.168.0.4 to any port 22

Allow an IP to reach a specific port and protocol: sudo ufw allow from <source> to <destination> port <port number> proto <protocol name>

e.g. allow 192.168.0.4 to reach tcp/22: sudo ufw allow from 192.168.0.4 to any port 22 proto tcp

Ping: ufw accepts ICMP echo requests by default. These rules live in /etc/ufw/before.rules, which is processed before anything you add with the ufw command, so a plain ufw deny cannot switch ping off. To refuse ping, edit that file and delete the following lines:

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

Or change "ACCEPT" to "DROP". If the goal is only to hide from ping, change just the echo-request line: destination-unreachable, time-exceeded and parameter-problem are needed for path MTU discovery and traceroute to keep working. IPv6 has its own copy of these rules (ipv6-icmp) in /etc/ufw/before6.rules. Run sudo ufw reload after saving:

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

Deny an IP: sudo ufw deny from <ip address>

e.g. block 207.46.232.182: sudo ufw deny from 207.46.232.182

Deny an IP for a specific port: sudo ufw deny from <ip address> to <destination> port <port number>

e.g. block 192.168.0.1 from port 22: sudo ufw deny from 192.168.0.1 to any port 22

Show status with rule numbers: sudo ufw status numbered
Delete the rule with a given number: sudo ufw delete 1
Insert a rule at a given position: sudo ufw insert 1 allow from <ip address> (rules are matched top to bottom, so position decides precedence)

Advanced example
Scenario: you want to block 192.168.0.7 and 192.168.0.1 from port 22 but let the rest of 192.168.0.x reach tcp/22:

sudo ufw deny from 192.168.0.1 to any port 22
sudo ufw deny from 192.168.0.7 to any port 22
sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp

The important thing is to add the denies before the allow: ufw evaluates rules in order and the first match wins, so an allow for the whole /24 placed first would shadow the denies for the two hosts and they would never be consulted.

Check the order with sudo ufw status; for this scenario the output should look like the following:

sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     DENY    192.168.0.1
22:udp                     DENY    192.168.0.1
22:tcp                     DENY    192.168.0.7
22:udp                     DENY    192.168.0.7
22:tcp                     ALLOW   192.168.0.0/24

A variant: you now also want to block 192.168.0.3 from port 22, just like 192.168.0.1 and 192.168.0.7. One way is to delete the subnet allow, add the deny, then re-add the allow. Note that between the delete and the re-add the rest of the subnet has no SSH access; the simpler alternative is sudo ufw insert 1 deny from 192.168.0.3 to any port 22, which places the deny ahead of the allow without removing anything.

sudo ufw delete allow from 192.168.0.0/24 to any port 22

sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     DENY    192.168.0.1
22:udp                     DENY    192.168.0.1
22:tcp                     DENY    192.168.0.7
22:udp                     DENY    192.168.0.7

sudo ufw deny from 192.168.0.3 to any port 22
sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp
sudo ufw status


Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     DENY    192.168.0.1
22:udp                     DENY    192.168.0.1
22:tcp                     DENY    192.168.0.7
22:udp                     DENY    192.168.0.7
22:tcp                     DENY    192.168.0.3
22:udp                     DENY    192.168.0.3
22:tcp                     ALLOW   192.168.0.0/24
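The scenario above as a repeatable script, added here as an example (this is not code from the original page or part of ufw). It assumes ufw is installed and that the script runs as root; the DRY_RUN switch, the variable names and the is_ipv4 helper are this example's own conventions, not ufw features. It goes a little beyond the page's commands: every deny is inserted at position 1, so the result no longer depends on the order in which you typed them, and the address check stops a typo from becoming a firewall rule.

```sh
#!/bin/sh
# ssh_allowlist.sh: the SSH scenario above as a repeatable script.
# Added example for this guide, not part of ufw. Assumes ufw is installed and
# the script runs as root. DRY_RUN, the variable names and is_ipv4 are choices
# made here, not ufw features.
set -eu

SSH_PORT="${SSH_PORT:-22}"
ALLOW_NET="${ALLOW_NET:-192.168.0.0/24}"
# Hosts inside ALLOW_NET that must still be refused (space-separated).
DENY_HOSTS="${DENY_HOSTS:-192.168.0.1 192.168.0.7 192.168.0.3}"

# run_ufw: run ufw, or with DRY_RUN=1 only print the command, so the rule
# order can be reviewed before touching a box you are logged into remotely.
run_ufw() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "ufw $*"
    else
        ufw "$@"
    fi
}

# is_ipv4 ADDR[/PREFIX]: accept only a dotted quad with an optional /0-/32,
# so a typo or a stray "to any" never reaches the firewall.
is_ipv4() {
    case "$1" in
        */*) addr="${1%%/*}"; prefix="/${1#*/}" ;;
        *)   addr="$1";       prefix="" ;;
    esac
    case "$prefix" in
        ""|/[0-9]|/[12][0-9]|/3[0-2]) ;;
        *) return 1 ;;
    esac
    case "$addr" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0
    rest="$addr."
    while [ -n "$rest" ]; do
        octet="${rest%%.*}"
        rest="${rest#*.}"
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# apply_rules: default policies, one allow for the subnet, then every deny
# inserted at position 1 so it is evaluated before the allow whatever order
# the commands ran in (first match wins). ufw skips rules that already exist,
# so running this twice is harmless.
apply_rules() {
    for h in $DENY_HOSTS $ALLOW_NET; do
        is_ipv4 "$h" || { echo "refusing bad address: $h" >&2; return 1; }
    done
    run_ufw default deny incoming
    run_ufw default allow outgoing
    run_ufw allow from "$ALLOW_NET" to any port "$SSH_PORT" proto tcp
    for h in $DENY_HOSTS; do
        run_ufw insert 1 deny from "$h" to any port "$SSH_PORT" proto tcp
    done
    # --force answers the "may disrupt existing ssh connections" prompt.
    run_ufw --force enable
}

# Review first:  DRY_RUN=1 sh ssh_allowlist.sh apply
# Then apply:    sudo sh ssh_allowlist.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it once with DRY_RUN=1 and read the printed command list before applying; with insert 1 the denies end up above the allow in sudo ufw status numbered regardless of the order in the DENY_HOSTS list.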

Log entries

Blocked packets are logged by the kernel, so entries show up in /var/log/ufw.log as well as in syslog / journalctl -k. Example (the addresses are placeholders; 444.333.222.111 is not a valid IPv4 address):

Feb  4 23:33:37 hostname kernel: [ 3529.289825] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=444.333.222.111 DST=111.222.333.444 LEN=103 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=36427 LEN=83
Date and time

Hostname: the host that logged the event

Uptime: the kernel timestamp in square brackets, seconds since boot

Logged event: the ufw tag, e.g. [UFW BLOCK]; depending on the logging level you will also see [UFW ALLOW] and [UFW AUDIT] entries

IN: the interface the packet arrived on (eth0 here)

OUT: the interface it would have left on; empty for inbound packets stopped at this host

MAC: destination MAC, source MAC and EtherType concatenated (6 + 6 + 2 bytes, hence 14 colon-separated bytes), not just the destination address

SRC: source IP

DST: destination IP

LEN: total length of the IP packet in bytes; the second LEN at the end of a UDP entry is the UDP length (header plus payload)

TOS: the IPv4 Type of Service byte (carrying DSCP/ECN in current usage)

PREC: the precedence bits of that same TOS byte

TTL: time to live, the remaining hop count rather than a duration; a rough indicator of how far away the sender is

ID: the IPv4 identification field, used to match fragments of the same datagram; it has nothing to do with ufw

DF: the don't-fragment flag is set

PROTO: transport protocol, e.g. TCP, UDP or ICMP

SPT: source port

DPT: destination port

The remaining fields appear only for TCP packets (the UDP example above has none of them):

WINDOW: the TCP receive window advertised by the sender, not the packet size

RES: the reserved bits of the TCP header, normally 0x00

SYN (and ACK, FIN, RST when present): the TCP flags that are set; a blocked SYN is a refused connection attempt, which is what most [UFW BLOCK] entries are

URGP: the value of the TCP urgent pointer, 0 unless the URG flag is set; irrelevant when reading firewall logs
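The field glossary above becomes useful once you can aggregate the entries. The following POSIX shell/awk report is an added example, not code from the original page or from ufw: it assumes the kernel log format shown above (KEY=VALUE fields after the [UFW ...] tag), the sample lines are constructed with documentation addresses, and report_blocks / scan_suspects are names chosen here.

```sh
#!/bin/sh
# ufw_block_report.sh: summarise [UFW BLOCK] entries per source address.
# Added example for this guide, not part of ufw or the original page. It assumes
# the kernel log format shown above (KEY=VALUE fields after the [UFW ...] tag);
# report_blocks, scan_suspects and the sample lines are this example's own.
set -eu

# report_blocks: read log lines on stdin and print, per source IP,
#   <blocked packets> <source ip> <distinct destination ports> <protocols>
# busiest source first. Lines without the [UFW BLOCK] tag are skipped, so the
# whole of /var/log/syslog can be fed in unfiltered.
report_blocks() {
    awk '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
            }
            if (src == "") next
            count[src]++
            # ICMP entries carry no DPT; only count real ports.
            if (dpt != "" && !((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
            if (proto != "" && index(protos[src], proto) == 0) protos[src] = protos[src] proto ","
        }
        END {
            for (s in count)
                printf "%d %s %d %s\n", count[s], s, ports[s], substr(protos[s], 1, length(protos[s]) - 1)
        }
    ' | sort -k1,1nr -k2,2
}

# scan_suspects N: sources whose blocked packets hit at least N distinct
# destination ports, a cheap first indicator of a port scan.
scan_suspects() {
    report_blocks | awk -v n="$1" '$3 >= n { print $2 }'
}

# Constructed sample (documentation addresses, not captured traffic): one host
# probing three ports, two stray UDP/53 replies, and one unrelated sshd line.
SAMPLE_LOG='Feb  4 23:33:37 host kernel: [ 3529.289825] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  4 23:33:38 host kernel: [ 3530.101010] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  4 23:33:39 host kernel: [ 3531.202020] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  4 23:33:40 host kernel: [ 3532.303030] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.4 DST=192.0.2.10 LEN=103 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=36427 LEN=83
Feb  4 23:33:41 host kernel: [ 3533.404040] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.4 DST=192.0.2.10 LEN=103 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=36427 LEN=83
Feb  4 23:33:42 host sshd[1234]: Accepted publickey for alice from 192.0.2.5 port 50000 ssh2'

# Usage: sudo sh ufw_block_report.sh /var/log/ufw.log
# With no argument the constructed sample above is reported instead.
if [ $# -eq 0 ]; then
    printf '%s\n' "$SAMPLE_LOG" | report_blocks
else
    report_blocks < "$1"
fi
```

On the sample this prints "3 198.51.100.9 3 TCP" above "2 203.0.113.4 1 UDP", and scan_suspects 3 names only 198.51.100.9. The UDP/53 lines with a high destination port are the classic late DNS reply to a query whose state has already expired, which is why a default-deny host logs a steady trickle of them; they are noise, while a single source touching many ports is what deserves a follow-up.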

See man ufw for more.