Ubuntu ships with a firewall front end called ufw (Uncomplicated Firewall). It is installed by default but disabled by default.
If you prefer a GUI, have a look at Gufw.
Basic usage
Enable ufw: sudo ufw enable
Check ufw status: sudo ufw status verbose
You can also run sudo ufw show raw to see the details.
The .rules files under **/etc/ufw** can also be inspected directly.
Disable ufw: sudo ufw disable
Allow a specific rule: sudo ufw allow <port>/<optional: protocol>
e.g. allow inbound tcp and udp packets to port 53: sudo ufw allow 53
e.g. allow inbound tcp packets to port 53: sudo ufw allow 53/tcp
e.g. allow inbound udp packets to port 53: sudo ufw allow 53/udp
Deny a specific rule: sudo ufw deny <port>/<optional: protocol>
e.g. deny access to tcp and udp port 53: sudo ufw deny 53
e.g. deny access to tcp port 53: sudo ufw deny 53/tcp
e.g. deny access to udp port 53: sudo ufw deny 53/udp
Delete an existing rule:
e.g. if the rule ufw deny 80/tcp exists,
delete it with: sudo ufw delete deny 80/tcp
You can also allow and deny by service name; the names come from **/etc/services**.
Allow access to a service: sudo ufw allow <service name>
e.g. allow access to ssh: sudo ufw allow ssh
Deny access to a service: sudo ufw deny <service name>
e.g. deny access to ssh: sudo ufw deny ssh
Check the status: sudo ufw status
e.g.:
    To          Action    From
    --          ------    ----
    22:tcp      DENY      192.168.0.1
    22:udp      DENY      192.168.0.1
    22:tcp      DENY      192.168.0.7
    22:udp      DENY      192.168.0.7
    22:tcp      ALLOW     192.168.0.0/24
    22:udp      ALLOW     192.168.0.0/24
Turn logging on: sudo ufw logging on
Turn logging off: sudo ufw logging off
Advanced syntax
Allow access from a specific IP: sudo ufw allow from <ip address>
e.g. allow packets from 207.46.232.182: sudo ufw allow from 207.46.232.182
Allow access from a subnet: sudo ufw allow from 192.168.1.0/24
Allow a specific IP to reach a specific port: sudo ufw allow from <target> to <destination> port <port number>
e.g. allow 192.168.0.4 to reach port 22: sudo ufw allow from 192.168.0.4 to any port 22
Allow a specific IP, port and protocol: sudo ufw allow from <target> to <destination> port <port number> proto <protocol name>
e.g. allow 192.168.0.4 to reach tcp port 22: sudo ufw allow from 192.168.0.4 to any port 22 proto tcp
Ping: by default ufw allows ping requests. To block ping, edit /etc/ufw/before.rules and delete the following lines:
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
or change "ACCEPT" to "DROP":
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
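The same edit, scripted, as an added example that is not part of the original page: it retargets only the echo-request rule (the one that answers ping) and leaves the other ICMP types on ACCEPT, since those carry error reports rather than ping. The rules text is a constructed copy of the fragment above, and the function names are this example's own.

```shell
#!/bin/sh
# Constructed copy of the ICMP fragment of /etc/ufw/before.rules (not read from a real host).
SAMPLE_BEFORE_RULES='# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT'

# icmp_action RULES TYPE -> prints the -j target of the ufw-before-input rule for that ICMP type
icmp_action() {
  printf '%s\n' "$1" | awk -v t="$2" '
    $1 == "-A" && $2 == "ufw-before-input" && index($0, "--icmp-type " t " ") {
      for (i = 1; i < NF; i++) if ($i == "-j") { print $(i + 1); exit }
    }'
}

# set_icmp_action RULES TYPE ACTION -> prints RULES with only that one rule retargeted
set_icmp_action() {
  case $3 in
    ACCEPT|DROP) ;;
    *) echo "unsupported target: $3" >&2; return 1 ;;
  esac
  printf '%s\n' "$1" | awk -v t="$2" -v a="$3" '
    $1 == "-A" && $2 == "ufw-before-input" && index($0, "--icmp-type " t " ") {
      for (i = 1; i < NF; i++) if ($i == "-j") $(i + 1) = a
    }
    { print }'
}

# Block ping only: echo-request becomes DROP, the other ICMP types stay ACCEPT.
NEW_RULES=$(set_icmp_action "$SAMPLE_BEFORE_RULES" echo-request DROP)
printf '%s\n' "$NEW_RULES"
```

Applied to the real /etc/ufw/before.rules, the change takes effect after sudo ufw reload.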
Deny access from a specific IP: sudo ufw deny from <ip address>
e.g. deny access from 207.46.232.182: sudo ufw deny from 207.46.232.182
Deny a specific IP from reaching a specific port: sudo ufw deny from <ip address> to <destination> port <port number>
e.g. deny 192.168.0.1 access to port 22: sudo ufw deny from 192.168.0.1 to any port 22
Show ufw status with rule numbers: sudo ufw status numbered
Delete a rule by its number: sudo ufw delete 1
Insert a rule at a given position: sudo ufw insert 1 allow from <ip address>
Advanced example
Scenario: you want to block 192.168.0.7 and 192.168.0.1 from reaching port 22, but allow the other 192.168.0.x addresses to reach tcp:22.
sudo ufw deny from 192.168.0.1 to any port 22
sudo ufw deny from 192.168.0.7 to any port 22
sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp
The important point here is the order: deny first, then allow.
To check the order of your rules, look at the status; for this scenario the output below is what you want for the rules to work properly:
sudo ufw status
Firewall loaded
    To          Action    From
    --          ------    ----
    22:tcp      DENY      192.168.0.1
    22:udp      DENY      192.168.0.1
    22:tcp      DENY      192.168.0.7
    22:udp      DENY      192.168.0.7
    22:tcp      ALLOW     192.168.0.0/24
Now change the scenario: you also want to block 192.168.0.3 from reaching port 22, like 192.168.0.1 and 192.168.0.7 above.
sudo ufw delete allow from 192.168.0.0/24 to any port 22 proto tcp
sudo ufw status
Firewall loaded
    To          Action    From
    --          ------    ----
    22:tcp      DENY      192.168.0.1
    22:udp      DENY      192.168.0.1
    22:tcp      DENY      192.168.0.7
    22:udp      DENY      192.168.0.7
sudo ufw deny from 192.168.0.3 to any port 22
sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp
sudo ufw status
Firewall loaded
    To          Action    From
    --          ------    ----
    22:tcp      DENY      192.168.0.1
    22:udp      DENY      192.168.0.1
    22:tcp      DENY      192.168.0.7
    22:udp      DENY      192.168.0.7
    22:tcp      DENY      192.168.0.3
    22:udp      DENY      192.168.0.3
    22:tcp      ALLOW     192.168.0.0/24
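The same change without deleting and re-adding the allow rule, as an added example that is not from the original page: it reads the index of the subnet allow from sudo ufw status numbered (a constructed sample below) and builds a sudo ufw insert command that places the new host deny ahead of it, so the deny is matched first. The function names are this example's own.

```shell
#!/bin/sh
# Constructed sample of `sudo ufw status numbered` output (not captured from a real host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     DENY IN     192.168.0.1
[ 2] 22/tcp                     DENY IN     192.168.0.7
[ 3] 22/tcp                     ALLOW IN    192.168.0.0/24
[ 4] 80/tcp                     ALLOW IN    Anywhere'

# rule_index STATUS TO ACTION FROM -> prints the [N] index of the first matching rule, or nothing
rule_index() {
  printf '%s\n' "$1" | awk -v to="$2" -v act="$3" -v from="$4" '
    /^\[ *[0-9]+\]/ {
      n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n)      # the number inside [ ]
      line = $0; sub(/^\[ *[0-9]+\] */, "", line)
      split(line, f, /  +/)                                # columns are separated by 2+ spaces
      if (f[1] == to && f[2] == act && f[3] == from) { print n; exit }
    }'
}

# deny_before_allow STATUS HOST SUBNET PORTSPEC -> the ufw command that keeps the host deny
# ahead of the subnet allow (ufw evaluates rules in order, so the deny must come first)
deny_before_allow() {
  port=${4%%/*}
  case $4 in */*) proto=" proto ${4#*/}" ;; *) proto="" ;; esac
  idx=$(rule_index "$1" "$4" "ALLOW IN" "$3")
  if [ -n "$idx" ]; then
    printf 'sudo ufw insert %s deny from %s to any port %s%s\n' "$idx" "$2" "$port" "$proto"
  else
    # no subnet allow rule yet: a plain deny is appended and precedes any allow added later
    printf 'sudo ufw deny from %s to any port %s%s\n' "$2" "$port" "$proto"
  fi
}

deny_before_allow "$SAMPLE_STATUS" 192.168.0.3 192.168.0.0/24 22/tcp
```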
Log entries
Feb 4 23:33:37 hostname kernel: [ 3529.289825] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=444.333.222.111 DST=111.222.333.444 LEN=103 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=36427 LEN=83
Date
Hostname: the server's hostname
Uptime: time since the system booted
Logged Event: the event, e.g. [UFW BLOCK]
IN: inbound (incoming) traffic
OUT: outbound (outgoing) traffic
MAC: destination MAC address
SRC: source IP
DST: destination IP
LEN: packet length
TOS
I believe this refers to the TOS field of the IPv4 header. See TCP Processing of the IPv4 Precedence Field for more information.
PREC
I believe this refers to the Precedence field of the IPv4 header.
TTL: time to live of the packet
ID
Not sure what this one is, but it's not really important for reading logs. It might be ufw's internal ID system, it might be the operating system's ID.
PROTO: protocol type, e.g. TCP or UDP
SPT: source port
DPT: destination port
WINDOW: packet (window) size
RES
This bit is reserved for future use & is always set to 0. Basically it's irrelevant for log reading purposes.
SYN URGP: three-way handshake...
SYN indicates that this connection requires a three-way handshake, which is typical of TCP connections. URGP indicates whether the urgent pointer field is relevant. 0 means it's not. Doesn't really matter for firewall log reading.
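A small parser for entries in this format, as an added example that is not part of the original page: it pulls single fields out of a line and summarises [UFW BLOCK] events by source and by destination port, which is the first thing to look at when reviewing these logs. The log lines are constructed samples in the format shown above (documentation addresses only), and the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample log lines in the format shown above (not captured from a real host).
SAMPLE_LOG='Feb  4 23:33:37 host kernel: [ 3529.289825] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Feb  4 23:33:39 host kernel: [ 3531.100211] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Feb  4 23:33:41 host kernel: [ 3533.204567] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=198.51.100.9 DST=192.0.2.10 LEN=103 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=53 DPT=36427 LEN=83
Feb  4 23:33:42 host kernel: [ 3534.300000] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=192.168.0.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# ufw_field LINE KEY -> value of the first KEY=value token (so LEN is the IP length, not the UDP one)
ufw_field() {
  printf '%s\n' "$1" | awk -v key="$2" '{
    for (i = 1; i <= NF; i++)
      if (index($i, key "=") == 1) { print substr($i, length(key) + 2); exit }
  }'
}

# blocked_sources LOG -> "count SRC" lines for [UFW BLOCK] events only, most frequent first
blocked_sources() {
  printf '%s\n' "$1" | awk '
    /\[UFW BLOCK\]/ { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++ }
    END { for (s in n) print n[s], s }' | sort -rn
}

# blocked_dports LOG SRC -> space-separated destination ports that SRC was blocked from reaching
blocked_dports() {
  printf '%s\n' "$1" | awk -v src="$2" '
    /\[UFW BLOCK\]/ && index($0, " SRC=" src " ") {
      for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) out = out (length(out) ? " " : "") substr($i, 5)
    }
    END { print out }'
}

blocked_sources "$SAMPLE_LOG"
```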
For more, see man ufw.