A host firewall provides a basic level of security for your server: it drops incoming traffic to every port except the ports or services you have explicitly allowed.
In this post I note the basic commands for working with the firewalls on Ubuntu (UFW) and CentOS (firewalld).
UFW on Ubuntu
UFW, or Uncomplicated Firewall, is a front end to iptables that simplifies configuring a host firewall. While iptables is a solid and flexible tool, it can be difficult for beginners to learn how to use it to configure a firewall properly.
If you're looking to get started securing your server and you're not sure which tool to use, UFW may be the right choice for you. This section shows how to set up a firewall with UFW on Ubuntu.
Note: If you are running Docker, be aware that Docker manipulates iptables directly and inserts its own chains ahead of UFW's, so ports published from a container (docker run -p) are reachable from outside regardless of the UFW rules you specify.
Installation
UFW is installed by default on Ubuntu. If it has been uninstalled for some reason, you can install it with:
sudo apt-get update && sudo apt-get upgrade
sudo apt-get install ufw
Check UFW Status and Rules
You can check the status of UFW at any time with sudo ufw status. It lists every rule and whether UFW is active; sudo ufw status verbose additionally shows the default policies, and sudo ufw status numbered prefixes each rule with the number you need to delete it:
sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
Entries without a protocol, such as 22 and 443 here, match both TCP and UDP.
Add, Deny and Delete Rules
Rules can be added in two ways: by port number or by service name. Service names are resolved through /etc/services, so ssh becomes 22/tcp; a bare port number with no protocol matches both TCP and UDP.
sudo ufw allow ssh
sudo ufw allow 22
Similarly, to deny traffic on a certain port, run:
sudo ufw deny {port}
Because the default incoming policy is deny, an explicit deny rule is mostly useful for blocking a specific source; rules are matched in order, so a deny meant to override an allow must come before it. To remove a rule, prefix the original rule with delete. If you no longer wish to allow HTTP traffic, run:
sudo ufw delete allow 80/tcp
You can also list the rules with sudo ufw status numbered and delete one by its number. Rules added before the firewall is enabled are stored, and ufw status keeps reporting Status: inactive until you enable UFW. Before you do, make sure a rule allowing your SSH port is in place: the default policy drops incoming traffic, so enabling over SSH without one locks you out (ufw enable warns about this and asks for confirmation). To enable UFW and enforce your rules:
sudo ufw enable
If you decide you don’t want to use UFW for whatever reason, you can disable it with this command:
sudo ufw disable
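The whole UFW procedure above as one script, added here as an example and not part of the original post: it sets the default policies, allows SSH only from an assumed management network (203.0.113.0/24, a documentation range) using ufw's rate limiting, opens 80 and 443, and refuses to enable the firewall unless an allow or limit rule for the SSH port appears in ufw show added, so you cannot lock yourself out. Run it as root; when ufw is not installed or you are not root it prints the commands instead of executing them.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): build a UFW policy for a web server in one
# pass and refuse to enable the firewall unless an SSH rule is present.
# Assumptions: MGMT_NET (203.0.113.0/24, a documentation range) and SSH_PORT are placeholders.
set -euo pipefail

MGMT_NET="${MGMT_NET:-203.0.113.0/24}"   # assumed admin network allowed to reach SSH
SSH_PORT="${SSH_PORT:-22}"

# Execute for real only as root with ufw installed; otherwise print the commands (dry run).
if [ "$(id -u)" -ne 0 ] || ! command -v ufw >/dev/null 2>&1; then
    UFW_DRY_RUN=1
fi

# Run a ufw command, or print it in dry-run mode.
ufw_cmd() {
    if [ "${UFW_DRY_RUN:-0}" = "1" ]; then
        printf 'ufw %s\n' "$*"
    else
        ufw "$@"
    fi
}

# Return 0 if the text of 'ufw show added' ($1) contains an allow or limit rule for port $2.
# Matches "ufw allow 22", "ufw allow 22/tcp" and "... to any port 22 proto tcp"; ignores deny rules.
ssh_rule_present() {
    local added="$1" port="$2"
    printf '%s\n' "$added" |
        grep -E "^ufw (allow|limit) (${port}(/tcp)?( |$)|.* port ${port}( |$))" >/dev/null
}

# Rules added while UFW is inactive are stored and enforced on 'ufw enable'.
apply_rules() {
    ufw_cmd --force reset                  # start from an empty rule set (also disables ufw)
    ufw_cmd default deny incoming          # anything not explicitly allowed is dropped
    ufw_cmd default allow outgoing
    # SSH only from the admin network; 'limit' blocks a source after 6 new connections in 30 s
    ufw_cmd limit from "$MGMT_NET" to any port "$SSH_PORT" proto tcp
    ufw_cmd allow 80/tcp
    ufw_cmd allow 443/tcp
}

# Lockout guard: never enable without a rule that lets our own SSH session back in.
enable_firewall() {
    if [ "${UFW_DRY_RUN:-0}" != "1" ] && ! ssh_rule_present "$(ufw show added)" "$SSH_PORT"; then
        echo "refusing to enable UFW: no allow/limit rule for SSH port $SSH_PORT" >&2
        return 1
    fi
    ufw_cmd --force enable     # --force skips the "may disrupt existing ssh connections" prompt
    ufw_cmd status verbose     # default policies plus the rule table
}

main() {
    apply_rules
    enable_firewall
}

main
```

The guard parses ufw show added rather than ufw status because the latter prints only "Status: inactive" before the firewall is enabled, which is exactly when the check matters.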
Firewalld on CentOS
CentOS ships with a firewall called firewalld, which is configured with the firewall-cmd tool. Our basic strategy is to lock down everything we do not have a good reason to keep open. Minimal and cloud images sometimes omit firewalld, so make sure it is installed and running first:
sudo yum install firewalld
sudo systemctl start firewalld
Add and Remove Services or Ports
firewalld uses the concept of "zones" to label how much you trust the other hosts on a network, so you can apply different rules depending on the zone. Commands that omit --zone act on the default zone, which is public unless you have changed it.
Start by adding exceptions to the firewall for approved ports. Without --permanent a change applies to the running firewall only and is lost on the next reload or restart; with --permanent it is saved but not enforced until you reload. To save an open port:
sudo firewall-cmd --permanent --add-port={port}/tcp
Then add exceptions for approved services, in particular SSH, which we need in order to retain remote administrative access to the server. An entry is removed again with --remove-port or --remove-service.
If you have not changed the port the SSH daemon listens on, you can enable the service by name:
sudo firewall-cmd --permanent --add-service=ssh
If you plan on running a conventional HTTP or HTTPS web server, you will need to enable the http or https service:
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
To see any additional services that you can enable by name, type:
sudo firewall-cmd --get-services
When you are finished, compare the saved configuration with the one currently enforced (the two differ until you reload; both commands act on the default zone unless you pass --zone):
sudo firewall-cmd --permanent --list-all
sudo firewall-cmd --list-ports
When you are ready to implement the changes, reload the firewall:
sudo firewall-cmd --reload
If everything still works as expected after testing, make sure firewalld is started at boot:
sudo systemctl enable firewalld
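The firewalld steps above as one script, added here as an example and not part of the original post: it saves the ssh, http and https services plus an assumed application port 8443/tcp to the public zone, reloads, and then compares the runtime and permanent lists so that any rule someone added without --permanent is reported before a reload or reboot silently drops it. The zone name and the port are placeholders; the script only applies changes when run as root on a host that has firewall-cmd.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): persist a firewalld zone policy, reload it,
# then flag runtime-only entries that would be lost on the next reload or reboot.
# Assumptions: ZONE=public and the extra application port 8443/tcp are placeholders.
set -euo pipefail

ZONE="${ZONE:-public}"
SERVICES=(ssh http https)          # services opened by name (see: firewall-cmd --get-services)
PORTS=(8443/tcp)                   # assumed application port with no predefined service

# Persist the policy: --permanent writes the saved config, --reload makes it the running one.
configure_zone() {
    local s p
    for s in "${SERVICES[@]}"; do
        firewall-cmd --permanent --zone="$ZONE" --add-service="$s"
    done
    for p in "${PORTS[@]}"; do
        firewall-cmd --permanent --zone="$ZONE" --add-port="$p"
    done
    firewall-cmd --reload
}

# Print every item in the runtime list ($1) that is missing from the permanent list ($2).
# Both arguments are the space-separated output of --list-services / --list-ports.
unpersisted() {
    local runtime="$1" permanent="$2" item
    for item in $runtime; do        # word splitting on spaces is intended here
        case " $permanent " in
            *" $item "*) ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# Report runtime-only services and ports for the zone: they vanish on reload or reboot.
check_drift() {
    local kind drift
    for kind in services ports; do
        drift=$(unpersisted "$(firewall-cmd --zone="$ZONE" --list-"$kind")" \
                            "$(firewall-cmd --permanent --zone="$ZONE" --list-"$kind")")
        if [ -n "$drift" ]; then
            printf 'runtime-only %s in zone %s (not saved): %s\n' "$kind" "$ZONE" "$drift"
        fi
    done
}

if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    configure_zone
    check_drift
else
    echo "firewall-cmd not found or not running as root; nothing applied" >&2
fi
```

Running check_drift on its own after any manual firewall-cmd session is a cheap way to catch an exception that was opened in a hurry without --permanent.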