In order to offer more than one service from a single IP address, Linux uses the notion of PORTS. For example, 80 is the well-known port for HTTP, 21 - FTP, 443 - ssh. Users connect to a service by specifying the server's IP address together with that service's port number. A firewall lets us open and close ports for specific IP addresses or for whole network subnets. This is useful when we want certain IP addresses to have access to our server while access from everywhere else stays restricted by default.
In Ubuntu, the firewall wrapper is named Uncomplicated Firewall, or "ufw" for short. It is installed by default but is not active. We can check the state of ufw with: "sudo ufw status". If we want to block all access to our machine we can use: "sudo ufw default deny incoming", while "sudo ufw default allow outgoing" allows packets to leave our machine. Keep in mind that these policies only take effect once the firewall is activated with: "sudo ufw enable". Next, we can explicitly block a service with "sudo ufw reject out ssh" and remove that rule again with "sudo ufw delete reject out ssh".
Hint: If we are unsure of what we have done, we can always type "sudo ufw reset" to empty the firewall rules. To deactivate the firewall, use "sudo ufw disable".
Since we are already connected over SSH, enabling the firewall with a default-deny incoming policy would cut our own connection. So first allow SSH on port 22/tcp by typing: sudo ufw allow 22/tcp, and only then run: sudo ufw enable.
We can also list the rules with their numbers: "sudo ufw status numbered", and delete a rule by its number with: "sudo ufw delete rule_number". To insert a rule at a particular position in the list (rules are evaluated in order), we use: "sudo ufw insert 1 your_rule".
Here are some commonly used service names: secure shell: ssh, mail: smtp, web server: http, https, SAMBA/file sharing: 139/tcp, 445/tcp. Less common service names are hard to remember, so here is a trick: ufw resolves service names from /etc/services. When a service is installed, it may ship its own application profile so that it can be opened in the firewall with a single rule. With "sudo ufw app list" we can see all installed application profiles, and "sudo ufw app info 'SSH'" shows which ports a given application profile allows.
Let's see the following examples of practical usage of the firewall (each line is a complete command):
# deny all incoming connections from 10.0.0.1 arriving on interface eth0
sudo ufw deny in on eth0 from 10.0.0.1
# block ssh access from a specific IP address
sudo ufw deny proto tcp from 10.0.0.1 to any port 22
# allow ssh access from a whole subnet
sudo ufw allow from 10.0.0.0/24 to any port 22
# allow ssh access only to the address 10.0.0.1 on this machine
sudo ufw allow proto tcp from any to 10.0.0.1 port 22
# deny outgoing SMTP traffic
sudo ufw deny out 25
# allow connections arriving on interface eth1 to MySQL
sudo ufw allow in on eth1 to any port 3306
If we want to filter by MAC address, we can add: -A ufw-before-input -m mac --mac-source 00:00:00:00:00:AA -j DROP to /etc/ufw/before.rules
(these are iptables rules that are read and applied before the rules managed by the ufw commands above)
To monitor what the firewall is doing we can use: sudo tail -f /var/log/ufw.log, but only if ufw logging is enabled (sudo ufw logging on).
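Tailing the log is more useful with a summary. The following is an added example (not from the original post) that counts [UFW BLOCK] entries per source address and per destination port, so repeated blocked attempts stand out and can be turned into a targeted deny rule; it assumes the standard key=value format that the kernel writes to /var/log/ufw.log, and the sample log lines are constructed.

```shell
#!/usr/bin/env bash
# Summarise [UFW BLOCK] entries from /var/log/ufw.log (needs: sudo ufw logging on).
# Usage: blocked_by_source < /var/log/ufw.log

# Constructed sample log lines (not real traffic), in the kernel/netfilter key=value format.
SAMPLE_UFW_LOG='Mar  4 10:00:01 srv kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.1 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  4 10:00:02 srv kernel: [ 1235.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.1 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  4 10:00:03 srv kernel: [ 1236.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=50000 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  4 10:00:04 srv kernel: [ 1237.000000] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# Blocked packets per source address, printed as "count address", highest count first.
blocked_by_source() {
  awk '/\[UFW BLOCK\]/ {
         for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
       }
       END { for (s in n) print n[s], s }' | sort -rn
}

# Blocked packets per destination protocol/port, e.g. "2 TCP/22", highest count first.
blocked_by_port() {
  awk '/\[UFW BLOCK\]/ {
         proto = ""; port = ""
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^PROTO=/) proto = substr($i, 7)
           if ($i ~ /^DPT=/)   port  = substr($i, 5)
         }
         if (port != "") n[proto "/" port]++
       }
       END { for (p in n) print n[p], p }' | sort -rn
}

# Sources with at least $1 blocked packets: candidates for an explicit "sudo ufw deny from <ip>" rule.
noisy_sources() {
  blocked_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone demo on the constructed sample; replace with: blocked_by_source < /var/log/ufw.log
printf '%s\n' "$SAMPLE_UFW_LOG" | blocked_by_source
printf '%s\n' "$SAMPLE_UFW_LOG" | blocked_by_port
```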
While experimenting with the firewall you can use an external network scanner such as Nmap (sudo apt install nmap) to check which ports are open on the machine.
More useful examples can be found with: man ufw
as well as on the Ubuntu firewall page: https://help.ubuntu.com/lts/serverguide/firewall.html