What is a firewall?
A firewall is software (or a dedicated device) that controls access to a network or host. It inspects incoming and outgoing traffic against a set of rules and accepts, rejects or drops each packet accordingly.
Firewalls are used in both personal and enterprise settings, and many devices come with one built-in, including Mac, Windows, and Linux computers. They are widely considered an essential component of network security.
Beyond blocking threats, firewalls perform an equally important logging function. They keep a record of accepted, rejected or dropped traffic, which administrators use to identify patterns, investigate incidents and maintain their rule sets.
The Linux kernel includes the Netfilter subsystem, which decides the fate of network traffic headed into or through the server. All modern Linux firewall solutions use it for packet filtering.
The packet filtering system would be of little use to administrators without a userspace interface to manage it. This is the job of iptables: when a packet reaches your server, it is handed to the Netfilter subsystem for acceptance, manipulation or rejection based on the rules supplied to it from userspace via iptables. (On current Ubuntu releases the iptables command is itself a compatibility front end to nftables, but the rule syntax shown in this article is unchanged.)
iptables is all you need to manage the firewall if you are familiar with it, but many front ends are available to make the task simpler.
UFW - Uncomplicated Firewall
The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user-friendly way to create an IPv4 or IPv6 host-based firewall.
ufw is disabled by default. From the ufw man page:
“ufw is not intended to provide complete firewall functionality via its command interface, but instead provides an easy way to add or remove simple rules. It is currently mainly used for host-based firewalls.”
Below are some examples of how to use UFW:
First, ufw needs to be enabled. If you are connected over SSH, add a rule allowing SSH (shown below) before enabling it, because the default policy for incoming traffic is deny. From a terminal prompt enter:
sudo ufw enable
To open a port (SSH in this example):
sudo ufw allow 22
Rules can also be inserted at a specific position; rules are evaluated in order, and the positions are the ones shown by ufw status numbered:
sudo ufw insert 1 allow 80
Similarly, to close an open port:
sudo ufw deny 22
Note that ufw stops at the first matching rule, so a deny appended after an existing allow for the same port will never be reached; delete the allow rule, or insert the deny at a position before it.
To remove a rule, use delete followed by the rule:
sudo ufw delete deny 22
It is also possible to allow access from a specific host. The example below allows SSH access from host 192.168.0.2 to any IP address on this host:
sudo ufw allow proto tcp from 192.168.0.2 to any port 22
Replace 192.168.0.2 with 192.168.0.0/24 to allow SSH access from the entire subnet.
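The commands above are easiest to get right as one ordered script. The following is an added example (not code from the original page or from the ufw project) that assembles a baseline host firewall from them: default-deny incoming, allow outgoing, SSH only from an administrative subnet, the web ports open, logging on, and enable last so an SSH session is not cut off part-way. The network 192.168.0.0/24, the port list and the function names are assumptions; the script prints the ufw commands it would run, and only executes them when invoked as root on a machine that has ufw:

```shell
#!/bin/sh
# Added example: a baseline host firewall assembled from the ufw commands above.
# Prints the commands in the order they must run; applies them only when run
# as root on a machine that has ufw installed.
set -eu

# validate_cidr A.B.C.D/N : exit 0 for a well-formed IPv4 CIDR, 1 otherwise
validate_cidr() {
  printf '%s\n' "$1" | awk -F'[./]' '
    $0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ { exit 1 }
    $1 > 255 || $2 > 255 || $3 > 255 || $4 > 255 || $5 > 32 { exit 1 }'
}

# ufw_baseline_rules ADMIN_NET [SSH_PORT] : one ufw command per line.
# Order matters: ufw is first-match, and the SSH allow comes before enable so
# that turning the firewall on over SSH does not lock the session out.
ufw_baseline_rules() {
  admin_net=$1
  ssh_port=${2:-22}
  validate_cidr "$admin_net" || { echo "bad admin CIDR: $admin_net" >&2; return 1; }
  case $ssh_port in
    ''|*[!0-9]*) echo "bad SSH port: $ssh_port" >&2; return 1 ;;
  esac
  [ "$ssh_port" -le 65535 ] || { echo "bad SSH port: $ssh_port" >&2; return 1; }
  cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow proto tcp from $admin_net to any port $ssh_port
ufw allow 80/tcp
ufw allow 443/tcp
ufw logging on
ufw --force enable
EOF
}

# apply_rules ADMIN_NET [SSH_PORT] : run the commands, or only print them when
# not root or when ufw is absent (safe to run on a workstation for review)
apply_rules() {
  cmds=$(ufw_baseline_rules "$@") || return 1
  if [ "$(id -u)" -eq 0 ] && command -v ufw >/dev/null 2>&1; then
    printf '%s\n' "$cmds" | while IFS= read -r cmd; do
      $cmd            # unquoted on purpose: split into ufw and its arguments
    done
  else
    printf '%s\n' "$cmds"
  fi
}

# Usage with the assumed administrative network (pass your own as $1 and $2):
ufw_baseline_rules "${1:-192.168.0.0/24}" "${2:-22}"
```

If you want to see the iptables rules the plan would produce before committing, run the printed lines with ufw --dry-run in place of ufw. The SSH rule is deliberately restricted to the admin subnet; if SSH must be reachable from anywhere, ufw limit 22/tcp is the usual compromise, since it rate-limits new connections per source instead of opening the port unconditionally.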
Adding the --dry-run option to a ufw command will output the resulting iptables rules without applying them. For example:
sudo ufw --dry-run allow http
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###
### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0
-A ufw-user-input -p tcp --dport 80 -j ACCEPT
### END RULES ###
-A ufw-user-input -j RETURN
-A ufw-user-output -j RETURN
-A ufw-user-forward -j RETURN
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT]: "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
Rules updated
UFW can be disabled by:
sudo ufw disable
To see the firewall status, enter:
sudo ufw status
And for more verbose status information use:
sudo ufw status verbose
To see the rules in numbered format (the numbers are used by insert and by delete):
sudo ufw status numbered
If the port you want to open or close is defined in /etc/services, you can use the service name instead of the port number. In the above examples, replace 22 with ssh. This has been a quick introduction to using ufw.
ufw Application Integration
Applications that open ports can include a ufw application profile, which details the ports needed for the application to function properly. The profiles are stored in /etc/ufw/applications.d and can be edited if the default ports have been changed.
To view which applications have installed a profile, enter the following in a terminal:
sudo ufw app list
Similar to allowing traffic to a port, using an application profile is accomplished by entering:
sudo ufw allow Samba
An extended syntax is also available:
sudo ufw allow from 192.168.0.0/24 to any app Samba
Replace Samba and 192.168.0.0/24 with the application profile you are using and the IP range for your network. To view details about which ports, protocols, etc., are defined for an application, enter:
sudo ufw app info Samba
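For an application that ships without a profile, the file format is simple enough to write by hand. The following is an added example, not from the original page or from any Ubuntu package: a hypothetical profile for a service called MyApp listening on 8080/tcp and 5000/udp, saved as /etc/ufw/applications.d/myapp (the name, ports and description are assumptions):

```ini
[MyApp]
title=MyApp service
description=Hypothetical web and telemetry service used as an example
ports=8080/tcp|5000/udp
```

Once the file is saved, sudo ufw app list shows MyApp, sudo ufw app info MyApp prints its ports, and sudo ufw allow MyApp (or the from ... to any app MyApp form above) uses them. The ports= value is a list of entries separated by |, each with comma-separated ports followed by the protocol, as in the Samba profile's 137,138/udp|139,445/tcp.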
Not all applications that require opening a network port come with ufw profiles, but if you have profiled an application and want the file to be included with the package, please file a bug against the package in Launchpad:
ubuntu-bug <package name>
What is IP Masquerading?
The purpose of IP Masquerading is to allow machines with private, non-routable IP addresses on your network to access the Internet through the machine doing the masquerading. Traffic from your private network destined for the Internet must be manipulated so that replies are routable back to the machine that made the request. To do this, the kernel must modify the source IP address of each packet so that replies are routed back to the gateway, rather than to the private address that made the request, which is impossible over the Internet. Linux uses connection tracking (conntrack) to keep track of which connections belong to which machines and to reroute each returning packet accordingly. Traffic leaving your private network is thus “masqueraded” as having originated from your Ubuntu gateway machine. This process is referred to in Microsoft documentation as Internet Connection Sharing.
What is ufw Masquerading?
IP Masquerading can be achieved using custom ufw rules. This is possible because the current back-end for ufw is iptables-restore, with the rules files located in /etc/ufw/*.rules.
These files are a good place to put legacy iptables rules used without ufw, and rules that are more network-gateway or bridge related.
The rules are split into two different files: rules that should be executed before ufw command-line rules (before.rules and before6.rules), and rules that are executed after them (after.rules and after6.rules).
First, packet forwarding needs to be enabled in ufw. Two configuration files need to be adjusted. In /etc/default/ufw change DEFAULT_FORWARD_POLICY to “ACCEPT”:
DEFAULT_FORWARD_POLICY="ACCEPT"
Then edit /etc/ufw/sysctl.conf and uncomment:
net/ipv4/ip_forward=1
Similarly, for IPv6 forwarding uncomment:
net/ipv6/conf/default/forwarding=1
Now add rules to the /etc/ufw/before.rules file. The default rules only configure the filter table; to enable masquerading, the nat table needs to be configured as well. Add the following to the top of the file, just after the header comments:
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
The comments are not strictly necessary, but documenting your configuration is good practice. Also, when modifying any of the rules files in /etc/ufw, make sure these lines are the last lines for each table you modify:
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
For each table, a corresponding COMMIT statement is required. In these examples only the nat and filter tables are shown, but you can also add rules for the raw and mangle tables.
Finally, disable and re-enable ufw to apply the changes:
sudo ufw disable && sudo ufw enable
IP Masquerading should now be enabled. You can also add any additional FORWARD rules to /etc/ufw/before.rules; it is recommended that these additional rules be added to the ufw-before-forward chain.
How does iptables Masquerading work?
iptables can also be used to enable Masquerading. Similar to ufw, the first step is to enable IPv4 packet forwarding by editing /etc/sysctl.conf and uncommenting the following line:
net.ipv4.ip_forward=1
If you wish to enable IPv6 forwarding also uncomment:
net.ipv6.conf.default.forwarding=1
Next, run the sysctl command to enable the new features in the configuration file:
sudo sysctl -p
IP Masquerading can now be accomplished with a single iptables rule, which may differ slightly based on your network configuration:
sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE
The above command assumes that your private address space is 192.168.0.0/16 and that your Internet-facing interface is ppp0. The syntax is broken down as follows:
- -t nat – the rule is to go into the nat table
- -A POSTROUTING – the rule is to be appended (-A) to the POSTROUTING chain
- -s 192.168.0.0/16 – the rule applies to traffic originating from the specified address space
- -o ppp0 – the rule applies to traffic scheduled to be routed through the specified network device
- -j MASQUERADE – traffic matching this rule is to “jump” (-j) to the MASQUERADE target to be manipulated as described above
Also, each chain in the filter table has a default policy of ACCEPT, but if you are building a firewall in addition to a gateway machine, you may have set the policies to DROP, in which case your masqueraded traffic needs to be allowed through the FORWARD chain for the above rule to work:
sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT
sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT
The above commands will allow all connections from your network to the Internet and all traffic related to those connections to return to the machine that initiated them.
If you want masquerading to be enabled on restart, which you probably do, edit /etc/rc.local and add the commands used above. For example, add the first command with no filtering:
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE
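Note that on current Ubuntu releases /etc/rc.local does not exist by default; the iptables-persistent package (which saves the rules to /etc/iptables/rules.v4 and restores them at boot) or the ufw before.rules method above is the more reliable way to make the rules survive a reboot.

As an added example covering both the /etc/ufw/before.rules fragment and the stand-alone iptables commands above (it is not code from the original page or from the ufw or iptables projects), the script below generates the masquerading rules for a given LAN network and Internet-facing interface, checks its arguments so that a stray value cannot turn into a wildcard rule or a shell injection when the output is piped into a shell, and verifies the fragment carries its COMMIT line. The LAN 192.168.0.0/24, the interface eth0 and the function names are assumptions; it uses the conntrack match in place of the older -m state match, and it prints rules for review rather than applying them:

```shell
#!/bin/sh
# Added example: generate the masquerading rules for a gateway, both as the
# /etc/ufw/before.rules fragment and as stand-alone iptables commands.
# Nothing is applied; the output is meant to be reviewed first.
set -eu

# check_args LAN_CIDR WAN_IF : refuse values that are not a plausible IPv4
# network and interface name (digits/dots plus /prefix; interface characters
# only), so a typo cannot become "masquerade everything" or a shell injection
check_args() {
  case $1 in
    */[0-9]|*/[0-9][0-9]) ;;
    *) echo "bad LAN CIDR: $1" >&2; return 1 ;;
  esac
  case ${1%/*} in
    ''|*[!0-9.]*) echo "bad LAN CIDR: $1" >&2; return 1 ;;
  esac
  case $2 in
    ''|*[!A-Za-z0-9_.:-]*) echo "bad interface name: $2" >&2; return 1 ;;
  esac
}

# ufw_nat_fragment LAN_CIDR WAN_IF : the *nat block to paste at the top of
# /etc/ufw/before.rules (after the header comments), COMMIT included
ufw_nat_fragment() {
  check_args "$1" "$2" || return 1
  cat <<EOF
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from $1 leaving through $2
-A POSTROUTING -s $1 -o $2 -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
EOF
}

# iptables_gateway_rules LAN_CIDR WAN_IF : the equivalent stand-alone commands.
# FORWARD defaults to DROP, LAN sources are only accepted when they do not
# arrive on the WAN interface (anti-spoofing), and only replies to LAN-initiated
# connections are allowed back in.
iptables_gateway_rules() {
  check_args "$1" "$2" || return 1
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $1 -o $2 -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -s $1 ! -i $2 -o $2 -j ACCEPT
iptables -A FORWARD -d $1 -i $2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# count_commits TEXT : number of COMMIT lines; every table in a rules file
# needs exactly one, so a fragment with zero would silently be ignored
count_commits() {
  printf '%s\n' "$1" | grep -c '^COMMIT$'
}

# Usage with the assumed LAN and interface (pass your own as $1 and $2):
ufw_nat_fragment "${1:-192.168.0.0/24}" "${2:-eth0}"
```

Write ufw_nat_fragment's output to a scratch file and check it against /etc/ufw/before.rules before pasting, then disable and re-enable ufw as described above. For the iptables variant, iptables_gateway_rules 192.168.0.0/24 eth0 | sudo sh applies the rules once you are satisfied with them, and netfilter-persistent save (from iptables-persistent) keeps them across reboots.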
What are firewall Logs?
Firewall logs are essential for recognizing attacks, troubleshooting your firewall rules, and noticing unusual activity on your network. You must include logging rules in your firewall for log entries to be generated, though, and logging rules must come before any applicable terminating rule (one whose target, such as ACCEPT, DROP or REJECT, decides the packet's fate; LOG itself is non-terminating, so evaluation continues with the next rule).
If you are using ufw, you can turn on logging by entering the following in a terminal:
sudo ufw logging on
To turn logging off in ufw, replace on with off in the above command; on is equivalent to the low level, and medium, high or full can be given instead for more detail. If you are using iptables instead of ufw, enter:
sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG --log-prefix "NEW_HTTP_CONN:"
A request on port 80 from the local machine, then, would generate a log entry in dmesg that looks like this:
[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0
The above log entry will also appear in /var/log/messages, /var/log/syslog and /var/log/kern.log. This behaviour can be modified by editing /etc/syslog.conf (or, on current Ubuntu releases, the rsyslog configuration in /etc/rsyslog.conf and /etc/rsyslog.d/) appropriately, or by installing and configuring ulogd and using the NFLOG target instead of LOG (NFLOG replaced the older ULOG target, which current kernels no longer provide). The ulogd daemon is a userspace server that listens for logging messages from the kernel specifically for firewalls and can log to any file you like, or even to a PostgreSQL or MySQL database. Making sense of your firewall logs can be made easier by using log-analysis tools such as logwatch, fwanalog, fwlogwatch, or lire.
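To make LOG lines like the one above actionable, here is an added example (not from the original page) that pulls the key=value fields out of kernel firewall log lines and reports sources whose TCP SYN packets hit several distinct destination ports, a simple port-sweep heuristic. The log lines are constructed: the first is the entry from the text, the next five imitate a sweep from 203.0.113.5 against a host at 192.0.2.10 (with one repeated port, to show that ports are counted once), and the last is ordinary HTTPS traffic from 198.51.100.7. The threshold of three ports and the function names are assumptions:

```shell
#!/bin/sh
# Added example: extract fields from kernel firewall LOG lines and flag sources
# whose SYN packets reached several distinct destination ports.
set -eu

# Constructed sample (not real traffic): line 1 is the entry from the text,
# lines 2-6 imitate a port sweep from 203.0.113.5, line 7 is ordinary HTTPS.
SAMPLE_LOG='[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0
[4304901.120000] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=41000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
[4304901.130000] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=41001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
[4304901.140000] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=41002 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
[4304901.150000] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=41003 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
[4304901.160000] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=5 DF PROTO=TCP SPT=41004 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
[4304950.000000] NEW_HTTPS_CONN: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=7731 DF PROTO=TCP SPT=50212 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0'

# fw_field LINE KEY : print the value of KEY=... from one log line ("" if absent)
fw_field() {
  printf '%s\n' "$1" | awk -v k="$2" '{
    for (i = 1; i <= NF; i++)
      if (index($i, k "=") == 1) { print substr($i, length(k) + 2); exit }
  }'
}

# sweep_report [THRESHOLD] : read log lines on stdin; print "SRC distinct_ports"
# for every source whose TCP SYN packets reached at least THRESHOLD ports
sweep_report() {
  awk -v t="${1:-3}" '
    /PROTO=TCP/ && / SYN / {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END { for (s in ports) if (ports[s] >= t) print s, ports[s] }
  ' | sort
}

# Usage on the constructed sample with the assumed threshold of three ports:
printf '%s\n' "$SAMPLE_LOG" | sweep_report 3
```

On a real system feed it the kernel log, for example journalctl -k | sweep_report 5 or the same over /var/log/kern.log; ufw's own [UFW BLOCK] entries and the custom NEW_HTTP_CONN: prefix are handled alike because only the key=value fields are used.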
If you have any questions about this topic, or need server administration services, feel free to contact us. Airzero Cloud will always be your strong firewall.
Email id: [email protected]
Author - Johnson Augustine
Cloud Architect, Ethical hacker
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/