- Mastering Linux Security and Hardening
- Donald A. Tevault
- 2025-02-24 18:55:04
Hands-on lab for basic ufw usage
You'll need to complete this lab on a clean snapshot of your Ubuntu virtual machine. Let's get started:
1. Shut down your Ubuntu virtual machine and restore the snapshot to get rid of all of the iptables stuff that you just did. (Or, if you prefer, just start with a fresh virtual machine.)
2. When you've restarted the virtual machine, verify that the iptables rules are now gone:

        sudo iptables -L

3. View the status of ufw. Open port 22/TCP and then enable ufw. Then, view the results:

        sudo ufw status
        sudo ufw allow 22/tcp
        sudo ufw enable
        sudo ufw status
        sudo iptables -L
        sudo ip6tables -L

4. This time, open port 53 for both TCP and UDP:

        sudo ufw allow 53
        sudo iptables -L
        sudo ip6tables -L
        sudo ufw status

5. cd into the /etc/ufw directory. Familiarize yourself with the contents of the files that are there.
6. Open the /etc/ufw/before.rules file in your favorite text editor. At the bottom of the file, below the COMMIT line, add the following code snippet (each rule goes on a single line):

        # Mangle table added by Donnie
        *mangle
        :PREROUTING ACCEPT [0:0]
        -A PREROUTING -m conntrack --ctstate INVALID -j DROP
        -A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
        COMMIT

7. Repeat step 6 for the /etc/ufw/before6.rules file.
8. Reload the firewall by using the following command:

        sudo ufw reload

9. Observe the rules by using the following command:

        sudo iptables -L
        sudo iptables -t mangle -L
        sudo ip6tables -L
        sudo ip6tables -t mangle -L

10. Take a quick look at the ufw status:

        sudo ufw status
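As an added check that is not part of the book's lab, the following POSIX shell script validates the block you appended to before.rules (or before6.rules) before you run `sudo ufw reload`: it confirms the block opens with `*mangle`, closes with its own COMMIT, and that no rule was wrapped across two lines, which would make the reload fail. The `validate_mangle_block` and `write_sample` functions and the sample file contents are constructed for this example.

```shell
#!/bin/sh
# validate_mangle_block FILE -> returns 0 when the appended *mangle block looks
# loadable by "ufw reload", 1 otherwise. The block must open with "*mangle",
# contain at least one "-A" rule, close with its own COMMIT, and every rule must
# end in its jump target on the same line: a rule wrapped across two lines
# (a common paste error from a printed page) makes iptables-restore reject it.
validate_mangle_block() {
    awk '
        /^\*mangle$/            { in_mangle = 1; next }
        in_mangle && /^COMMIT$/ { closed = 1; in_mangle = 0; next }
        in_mangle && /^-A /     {
            rules++
            if ($0 !~ /-j [A-Z]+$/) bad++   # line ends in an option: wrapped
        }
        END { ok = (closed && rules > 0 && bad == 0); exit ok ? 0 : 1 }
    ' "$1"
}

# write_sample FILE MODE: writes a constructed tail of before.rules to FILE.
# MODE "good" keeps each rule on one line; "wrapped" splits the second rule
# after "--ctstate", the way it appears when copied from a printed page.
write_sample() {
    if [ "$2" = wrapped ]; then
        rule_end='--ctstate
NEW -j DROP'
    else
        rule_end='--ctstate NEW -j DROP'
    fi
    {
        printf '%s\n' 'COMMIT'   # the COMMIT that already closes the *filter table
        printf '%s\n' '# Mangle table added for the lab' '*mangle'
        printf '%s\n' ':PREROUTING ACCEPT [0:0]'
        printf '%s\n' '-A PREROUTING -m conntrack --ctstate INVALID -j DROP'
        printf '%s\n' "-A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack $rule_end"
        printf '%s\n' 'COMMIT'
    } > "$1"
}

# Demo: check a good and a wrapped constructed sample, then the real file if readable.
for mode in good wrapped; do
    f=$(mktemp)
    write_sample "$f" "$mode"
    if validate_mangle_block "$f"; then echo "$mode sample: OK"; else echo "$mode sample: NOT loadable"; fi
    rm -f "$f"
done
[ -r /etc/ufw/before.rules ] && validate_mangle_block /etc/ufw/before.rules && echo "/etc/ufw/before.rules: mangle block OK"
```

Run it as root after step 6 to check the edited file; the real-file check is skipped when before.rules is not readable.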
That's the end of the lab – congratulations!
As cool as ufw is, it still uses the old-school iptables technology as its core engine. Is there something more modern that we can use instead? You bet, and we'll look at that in the next chapter.