Koot
How to use UFW: a simple firewall for Linux systems

# Introduction

UFW (Uncomplicated Firewall) is a tool for Linux that makes managing the system's default iptables firewall easier. Compared with the default firewall, UFW's command-line operations are more concise and convenient, so even someone new to Linux can memorise them fairly easily.

# Installation

```
$ apt-get install ufw //Debian, Ubuntu
$ yum install ufw //CentOS
```

# Uninstallation

```
$ apt-get remove ufw //Debian, Ubuntu
$ yum remove ufw //CentOS
```

# Basic configuration

UFW is disabled by default after installation and has to be turned on manually.

```
$ ufw enable //enable the firewall
$ ufw disable //disable the firewall
$ ufw reload //reload the firewall rules
$ ufw reset //reset the firewall; this clears all current rules
$ ufw status //show the firewall's current state and rules
$ ufw version //show the installed UFW version
$ ufw logging <on|off> //turn UFW logging on or off
$ cat /var/log/ufw.log //view the UFW log
```

# Advanced configuration

# Adding specific rules

```
$ ufw default <allow|deny> outgoing //default policy for outgoing connections; [allow] is recommended
$ ufw default <allow|deny> incoming //default policy for incoming connections; on a remote server, if you set this to [deny], it is strongly recommended to allow the remote-access port at the same time
$ ufw <allow|deny> <port|service name> //e.g. ufw allow <22|ssh>; common ports are 22 (ssh), 80 (http) and 443 (https). Appending tcp or udp to the port restricts the rule to that protocol only, e.g. ufw allow 22/tcp
$ ufw deny from <IP address> to any //block all traffic from the given IP address
```
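The advice above about the incoming policy (allow the remote-access port before the default becomes deny) is easy to get wrong by hand on a remote box. The POSIX shell script below is an added example and not part of the original post: it checks the current `ufw status` output for an SSH allow rule and only then emits the default-policy commands. It assumes the column layout of `ufw status` shown in its constructed sample, and the `OpenSSH` name is the Ubuntu application profile, which the post itself does not mention.

```shell
#!/bin/sh
# Added example (not from the original post): a lock-out guard for a
# remote server. Before the default incoming policy is switched to deny,
# it confirms that "ufw status" already lists an allow rule for the SSH
# port and, if not, plans that allow rule first.
# The status text is passed in as a string so the logic can be exercised
# offline against the constructed sample below.

SSH_PORT="${SSH_PORT:-22}"

# Constructed sample of "ufw status" output with no SSH rule present.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere'

# has_allow_rule STATUS_TEXT PORT
# Succeeds when STATUS_TEXT contains an inbound ALLOW rule for PORT (with
# or without /tcp) or for the OpenSSH application profile. "ALLOW IN" from
# "ufw status verbose" is accepted; "ALLOW OUT" lines are ignored.
has_allow_rule() {
    printf '%s\n' "$1" | grep -v 'ALLOW OUT' |
        grep -Eq "^(${2}(/tcp)?|OpenSSH)[[:space:]]+ALLOW( IN)?[[:space:]]"
}

# plan_lockdown STATUS_TEXT PORT
# Prints the ufw commands to run, one per line, in a safe order: allow SSH
# first if it is missing, then the default policies recommended in the post.
plan_lockdown() {
    if ! has_allow_rule "$1" "$2"; then
        echo "ufw allow ${2}/tcp"
    fi
    echo "ufw default allow outgoing"
    echo "ufw default deny incoming"
}

# Stand-alone use: with no argument the plan for the sample is printed;
# with --apply (as root) the live status is read and each command is run.
if [ "${1:-}" = "--apply" ]; then
    plan_lockdown "$(ufw status)" "$SSH_PORT" | while read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
else
    plan_lockdown "$SAMPLE_STATUS" "$SSH_PORT"
fi
```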

# Deleting specific rules

```
$ ufw delete <rule> //e.g. ufw delete allow 443/tcp
```

UFW's rule file is located at /etc/ufw/before.rules. Open it for editing; in this file, allow and deny are expressed as [ACCEPT] and [DROP] respectively.

```
$ nano /etc/ufw/before.rules
```

The meaning of some of its entries is explained below.

Allow inbound and outbound connections on the loopback interface (the first rule covers inbound, the second outbound); default [ACCEPT].

```
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
```

Fast-path packets that belong to an already established connection (inbound, outbound and forwarded, respectively); default [ACCEPT].

```
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
```

Drop malformed (INVALID) packets; default [DROP]. The first rule hands the packet to UFW's logging chain (as the comment says, it is logged at log level medium and higher), and the second rule drops it.

```
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
```

Whether to allow inbound ping; default [ACCEPT] (the excerpt below has every ICMP type set to DROP, which blocks incoming ping).

```
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
```

Whether to allow ICMP forwarding; default [ACCEPT].

```
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
```

Allow DHCP (automatic assignment of IP addresses and other parameters on the local network); default [ACCEPT].

```
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
```

The following entries should be left unchanged.

```
# ufw-not-local
-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
```

After editing, save the file (Ctrl+X in nano, then confirm) and reload the firewall:

```
$ ufw reload
```

(End)

2019-03-03