UFW configuration in Ubuntu Server 16.04 using the example of BigBlueButton
UFW (Uncomplicated Firewall) is an iptables interface designed to simplify the process of configuring a firewall. The iptables tool is reliable and flexible, but it will not be easy for a beginner to configure it himself. I'm just new to this business.
By default, the ACCEPT policy is enabled in iptables and it looks like this:
In our example, there are no restrictions. The default policy is ACCEPT.
')
INPUT - INCOMING CONNECTIONS.
OUTPUT - OUTGOING CONNECTIONS.
FORWARD - ROUTING (FOR EXAMPLE, IT IS NECESSARY TO PASS A ROUTE to the computer behind the gateway).
You can enable ufw with
And immediately after this command, the iptables policy will change.
Here is how it looks on BigBlueButton after turning on ufw:
The selected area is a place for user rules, they are written with commands:
For the port:
For a range of ports:
Deleting rules:
I post the procedure for setting up ufw using bbb as an example.
First, we look at which services which ports are listening:
We are interested in lines with xxx.xxx.xxx.x (xxx.xxx.xxx.x is the ip-address of your server), as this indicates that the service listens to the network card for incoming requests from all networks (0.0.0.0:*) . We are not interested in lines from 127.0.0.1 as it is an internal interface, as we are interested in lines from 0.0.0.0 in column 4 (bold), for example
as it says that port 80 is open for all server interfaces and accepts requests from all networks.
So, according to this we make the rules:
A whole series of rules for freeswitch:
for node service:
Next you need to see all the same documentation, in which we will see that you need to open the following ports:
This completes the basic ufw setting for the BigBlueButton 2.0 server.
I will add only what is desirable to either disable ssh or change the port, or allow this port only for a specific network, for example, for the network of your enterprise.
For example, your gateway has two network interfaces, one virtual (to users) 192.168.3.2, and another real 105.xxx.xxx.xxx (to the provider), but for the ufw rule, we take the real ip, or rather we specify the network that owns ip.
First, we change the port in the SSH server configuration file, you can use any text editor:
Then we delete the rule allowing port 22:
Create a rule allowing the connection to the new port only from the enterprise network:
Then reboot the ssh service:
And see the result
and in the ufw rules, see who has access to the port:
Dear readers, I ask you to write additions in the comments: Do you think everything is correctly described here, or is it necessary to add or remove something?
By default, the ACCEPT policy is enabled in iptables and it looks like this:
In our example, there are no restrictions. The default policy is ACCEPT.
')
INPUT - INCOMING CONNECTIONS.
OUTPUT - OUTGOING CONNECTIONS.
FORWARD - ROUTING (FOR EXAMPLE, IT IS NECESSARY TO PASS A ROUTE to the computer behind the gateway).
You can enable ufw with
sudo ufw enableAnd immediately after this command, the iptables policy will change.
Here is how it looks on BigBlueButton after turning on ufw:
Chain INPUT (policy DROP) target prot opt source destination ufw-before-logging-input all -- anywhere anywhere ufw-before-input all -- anywhere anywhere ufw-after-input all -- anywhere anywhere ufw-after-logging-input all -- anywhere anywhere ufw-reject-input all -- anywhere anywhere ufw-track-input all -- anywhere anywhere Chain FORWARD (policy DROP) target prot opt source destination ufw-before-logging-forward all -- anywhere anywhere ufw-before-forward all -- anywhere anywhere ufw-after-forward all -- anywhere anywhere ufw-after-logging-forward all -- anywhere anywhere ufw-reject-forward all -- anywhere anywhere ufw-track-forward all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination ufw-before-logging-output all -- anywhere anywhere ufw-before-output all -- anywhere anywhere ufw-after-output all -- anywhere anywhere ufw-after-logging-output all -- anywhere anywhere ufw-reject-output all -- anywhere anywhere ufw-track-output all -- anywhere anywhere Chain ufw-after-forward (1 references) target prot opt source destination Chain ufw-after-input (1 references) target prot opt source destination ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST Chain ufw-after-logging-forward (1 references) target prot opt source destination LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] " Chain ufw-after-logging-input (1 references) target prot opt source destination LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] " Chain ufw-after-logging-output (1 references) target prot opt source destination Chain ufw-after-output (1 references) target prot opt source destination Chain ufw-before-forward (1 references) target prot opt source destination ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere icmp destination-unreachable ACCEPT icmp -- anywhere anywhere icmp source-quench ACCEPT icmp -- anywhere anywhere icmp time-exceeded ACCEPT icmp -- anywhere anywhere icmp parameter-problem ACCEPT icmp -- anywhere anywhere icmp echo-request ufw-user-forward all -- anywhere anywhere Chain ufw-before-input (1 references) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED ufw-logging-deny all -- anywhere anywhere ctstate INVALID DROP all -- anywhere anywhere ctstate INVALID ACCEPT icmp -- anywhere anywhere icmp destination-unreachable ACCEPT icmp -- anywhere anywhere icmp source-quench ACCEPT icmp -- anywhere anywhere icmp time-exceeded ACCEPT icmp -- anywhere anywhere icmp parameter-problem ACCEPT icmp -- anywhere anywhere icmp echo-request ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc ufw-not-local all -- anywhere anywhere ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900 ufw-user-input all -- anywhere anywhere Chain ufw-before-logging-forward (1 references) target prot opt source destination Chain ufw-before-logging-input (1 references) target prot opt source destination Chain ufw-before-logging-output (1 references) target prot opt source destination Chain ufw-before-output (1 references) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED ufw-user-output all -- anywhere anywhere Chain ufw-logging-allow (0 references) target prot opt source destination LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] " Chain ufw-logging-deny (2 references) target prot opt source destination RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10 LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] " Chain ufw-not-local (1 references) target prot opt source destination RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10 DROP all -- anywhere anywhere Chain ufw-reject-forward (1 references) target prot opt source destination Chain ufw-reject-input (1 references) target prot opt source destination Chain ufw-reject-output (1 references) target prot opt source destination Chain ufw-skip-to-policy-forward (0 references) target prot opt source destination DROP all -- anywhere anywhere Chain ufw-skip-to-policy-input (7 references) target prot opt source destination DROP all -- anywhere anywhere Chain ufw-skip-to-policy-output (0 references) target prot opt source destination ACCEPT all -- anywhere anywhere Chain ufw-track-forward (1 references) target prot opt source destination Chain ufw-track-input (1 references) target prot opt source destination Chain ufw-track-output (1 references) target prot opt source destination ACCEPT tcp -- anywhere anywhere ctstate NEW ACCEPT udp -- anywhere anywhere ctstate NEW Chain ufw-user-forward (1 references) target prot opt source destination Chain ufw-user-input (1 references) target prot opt source destination <b>ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ACCEPT udp -- anywhere anywhere udp dpt:ssh ACCEPT tcp -- anywhere anywhere tcp dpt:1935 ACCEPT udp -- anywhere anywhere udp dpt:1935 ACCEPT udp -- anywhere anywhere multiport dports 16384:32768 ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT udp -- anywhere anywhere udp dpt:https ACCEPT tcp -- anywhere anywhere tcp dpt:http ACCEPT udp -- anywhere anywhere udp dpt:http ACCEPT tcp -- anywhere anywhere tcp dpt:5090 ACCEPT udp -- anywhere anywhere udp dpt:5090 ACCEPT tcp -- anywhere anywhere tcp dpt:sip ACCEPT udp -- anywhere anywhere udp dpt:sip ACCEPT tcp -- anywhere anywhere tcp dpt:5066 ACCEPT udp -- anywhere anywhere udp dpt:5066 ACCEPT tcp -- anywhere anywhere tcp dpt:tproxy ACCEPT udp -- anywhere anywhere udp dpt:8081 ACCEPT tcp -- anywhere anywhere tcp dpt:8082 ACCEPT udp -- anywhere anywhere udp dpt:8082 ACCEPT tcp -- anywhere anywhere tcp dpt:3000 ACCEPT udp -- anywhere anywhere udp dpt:3000 ACCEPT tcp -- anywhere anywhere tcp dpt:2855 ACCEPT udp -- anywhere anywhere udp dpt:2855 ACCEPT tcp -- anywhere anywhere tcp dpt:2856 ACCEPT udp -- anywhere anywhere udp dpt:2856</b> Chain ufw-user-limit (0 references) target prot opt source destination LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] " REJECT all -- anywhere anywhere reject-with icmp-port-unreachable Chain ufw-user-limit-accept (0 references) target prot opt source destination ACCEPT all -- anywhere anywhere Chain ufw-user-logging-forward (0 references) target prot opt source destination Chain ufw-user-logging-input (0 references) target prot opt source destination Chain ufw-user-logging-output (0 references) target prot opt source destination Chain ufw-user-output (1 references) target prot opt source destination The selected area is a place for user rules, they are written with commands:
For the port:
sudo ufw allow ssh (by port name)sudo ufw allow 22 (specify port number)sudo ufw allow 80/udp (specifically indicating the port number and tcp or udp protocol)For a range of ports:
sudo ufw allow 16384:32768/udp Deleting rules:
sudo ufw delete allow 80 I post the procedure for setting up ufw using bbb as an example.
First, we look at which services which ports are listening:
netstat -ntlp | grep LISTEN tcp 0 0 xxx.xxx.xxx.x:5090 0.0.0.0:* LISTEN 1258/freeswitch
tcp 0 0 127.0.0.1:8100 0.0.0.0:* LISTEN 1720/soffice.bin
tcp 0 0 xxx.xxx.xxx.x:5060 0.0.0.0:* LISTEN 1258/freeswitch
tcp 0 0 127.0.0.1:8101 0.0.0.0:* LISTEN 1766/soffice.bin
tcp 0 0 127.0.0.1:8102 0.0.0.0:* LISTEN 1811/soffice.bin
tcp 0 0 127.0.0.1:8103 0.0.0.0:* LISTEN 1856/soffice.bin
tcp 0 0 xxx.xxx.xxx.x:2855 0.0.0.0:* LISTEN 1258/freeswitch
tcp 0 0 127.0.0.1:8104 0.0.0.0:* LISTEN 1902/soffice.bin
tcp 0 0 xxx.xxx.xxx.x:2856 0.0.0.0:* LISTEN 1258/freeswitch
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 1186/mongod
tcp 0 0 xxx.xxx.xxx.x:5066 0.0.0.0:* LISTEN 1258/freeswitch
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 1227/redis-server 1
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1359/nginx -g daemo
tcp 0 0 xxx.xxx.xxx.x:8081 0.0.0.0:* LISTEN 1258/freeswitch
tcp 0 0 xxx.xxx.xxx.x:8082 0.0.0.0:* LISTEN 1258/freeswitch
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1176/sshd
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 1195/node
tcp6 0 0 ::1:5090 :::* LISTEN 1258/freeswitch
tcp6 0 0 ::1:5060 :::* LISTEN 1258/freeswitch
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 1341/java
tcp6 0 0 :::5070 :::* LISTEN 1461/java
tcp6 0 0 :::9999 :::* LISTEN 1461/java
tcp6 0 0 :::1935 :::* LISTEN 1461/java
tcp6 0 0 :::8080 :::* LISTEN 1341/java
tcp6 0 0 :::80 :::* LISTEN 1359/nginx -g daemo
tcp6 0 0 ::1:8081 :::* LISTEN 1258/freeswitch
tcp6 0 0 ::1:8082 :::* LISTEN 1258/freeswitch
tcp6 0 0 :::8021 :::* LISTEN 1258/freeswitch
tcp6 0 0 :::22 :::* LISTEN 1176/sshd
tcp6 0 0 :::5080 :::* LISTEN 1461/javaWe are interested in lines with xxx.xxx.xxx.x (xxx.xxx.xxx.x is the ip-address of your server), as this indicates that the service listens to the network card for incoming requests from all networks (0.0.0.0:*) . We are not interested in lines from 127.0.0.1 as it is an internal interface, as we are interested in lines from 0.0.0.0 in column 4 (bold), for example
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1359/nginx -g daemoas it says that port 80 is open for all server interfaces and accepts requests from all networks.
So, according to this we make the rules:
sudo ufw allow 22 for sshsudo ufw allow 80 for nginx or apache webserverA whole series of rules for freeswitch:
sudo ufw allow 5060 sudo ufw allow 5090 sudo ufw allow 2855 sudo ufw allow 2856 sudo ufw allow 5066 sudo ufw allow 8081 sudo ufw allow 8082 for node service:
sudo ufw allow 3000Next you need to see all the same documentation, in which we will see that you need to open the following ports:
sudo ufw allow 16384:32768/udp - for WebRTC to worksudo ufw allow 443sudo ufw allow 1935This completes the basic ufw setting for the BigBlueButton 2.0 server.
I will add only what is desirable to either disable ssh or change the port, or allow this port only for a specific network, for example, for the network of your enterprise.
For example, your gateway has two network interfaces, one virtual (to users) 192.168.3.2, and another real 105.xxx.xxx.xxx (to the provider), but for the ufw rule, we take the real ip, or rather we specify the network that owns ip.
First, we change the port in the SSH server configuration file, you can use any text editor:
vim /etc/ssh/sshd_config Then we delete the rule allowing port 22:
Sudo ufw delete allow 22 - sometimes called openssh.Create a rule allowing the connection to the new port only from the enterprise network:
sudo ufw allow from 105.../26 to any port 4321 Then reboot the ssh service:
/etc/init.d/ssh restart And see the result
netstat -ntlp | grep LISTEN tcp 0 0.0.0.0:4321 0.0.0.0:* listen 5676/sshd and in the ufw rules, see who has access to the port:
ufw status 4321 ALLOW 105.xxx.xxx.xxx/26 Dear readers, I ask you to write additions in the comments: Do you think everything is correctly described here, or is it necessary to add or remove something?
Source: https://habr.com/ru/post/420973/
All Articles