Firewall

The following will discuss three different methods by which you may implement a decent host
based firewall for your Ubuntu Desktop Installation. This demonstration was completed using
Ubuntu 11.10 Oneiric Ocelot 32 bit, however it should hold true for most versions of Ubuntu
post 8.04 (pre 8.04 needs to use the iptables section as the UFW syntax was different) on both 64
bit and 32 bit systems.
The three methods we will be using will be the following
GUFW : This is the graphical user interface for Uncomplicated Firewall, the front end
for iptables provided by default in Ubuntu
UFW : The CLI front end application for controlling iptables/netfilter, which is included
by default in Ubuntu.
iptables : We will create an iptables script to create our firewall
It is important to understand that each of these three methods accomplish the same goal, and only
one needs to be used because they are all methods for interfacing with iptables/netfilter, and
kernel level packet filtering. Each method will do exactly the same and preference is needed only
in what you feel more comfortable with. Personally, I find iptables more intuitive than the other
two methods, so it is what I would use. However you may find GUFW or UFW more
convenient: that is why I am discussing all three methods. I will not be covering Firestarter, it is
similar to GUFW, and it is outdated and not supported by default. Therefore, if you choose to use
Firestarter it is entirely on you. It does not offer any functionality that the following methods do
not.
Without further ado, here we go.
Method 1 : GUFW
GUFW is not installed by default so if you wish to use it you must first install it from the
repositories. You can do so by giving the following command in a terminal, or by downloading it
from the Ubuntu Software Center.
sudo apt-get update && sudo apt-get install gufw
Once it has finished installing you may open it up, either by entering the following in a terminal
gufw
Or by running the Firewall Configuration application from the Dash. (Note for Non-Unity Users:
this is located in Administration)
photo gufw
Once you have executed GUFW you will be presented with a Window that looks like this,
assuming that you do not have any firewall rules currently, and UFW is disabled your window
should look identical to this one.
photo new gufw
Note : Before you can make any changes you must click on the lock in the lower right hand
corner of the Window and enter your sudo password.
photo lock gufw
The first order of business is to enable UFW if it is not already enabled. To do this click the
slider tab next to Firewall Status, it should change to "On".
Once we have done this we can begin configuring our firewall policies. We will notice under the
slider we just adjusted there is both an Incoming and and Outgoing policy, we want to make sure
that both are set to Deny. This will block all traffic going in and out of our machine, don't worry
we're going to allow some outbound traffic next.
The next thing we need to do is click on the little plus in the lower left hand corner of the
Window. This will allow us to add new rules to our Firewall.
photo plus gufw
For this guide we will be creating restrictive policies. In order for us to do that we must know
exactly what ports we need access to. This is going to be a fairly basic system and as such we are
going to add rules to allow the following outbound traffic:
DHCP Access - Port 67 and 68 UDP
Web Access - Ports 80 and 443 Protocol TCP
Email Access - Ports 25 and 110 , 143 Protocol TCP
DNS Access - Port 53 Protocol TCP and UDP (This is absolutely required)
Bittorrent Access Through Transmission - Bittorrent is different in that it uses a mulitude of
unregistered ports to make connections. So we will use some of the added functionality of
GUFW to give us this ability.
note : you may need additional services, look up the ports your services use. At the end of this
post there will be a list of commonly used services and their default ports for reference.
Now that we've clicked the plus to create our new rule, we will be presented with a window that
looks like this.
photo new rule gufw
The first thing we will do is allow traffic from our Transmission Application.
We choose the action Allow, the direction Out, the type Application and the application is
Transmission. Once those settings are correct we click "Add".
Next we will click on the "Simple" tab in the Firewall : Add Rule window.
We will then choose the rule Allow, Direction Out, Protocol TCP, and in the line following
TCP we will add the TCP ports we want access to outbound, which will look like this:
25,53,80,110,443. Note when we add an additional port we seperate it from the last with a
comma. Port ranges are indicated in this manner.
6667:7000
This would indicate ports 6667 through 7000.
Once we have added our TCP outbound ports we must also remember to add any UDP outbound
ports we need, in this case we will add port 53 for DNS.
We will choose the action Allow, direction is Out, Protocol is UDP and in the line beside UDP
enter 53. Click on add and you are done.
(OPTIONAL)
If you wish to add more fine grained control you may do so in the advanced tab. For instance if
you want to allow outbound SSH traffic only from your IP address to a specific IP address it
would look like this.
photo gufw ssh
Once you have finished editing your rules as you want them, you are done and may close the
Firewall: Add Rule window as well as GUFW.
Method 2 : UFW
In this section we will create the exact same rules we did above however we will do so by
utilizing UFW instead of the Graphical front end for it.
This section is done entirely from the command line. We will be creating the same policies as
before, default drop inbound, default drop outbound, with rules allowing the services listed
below.
DHCP Access - Ports 67 and 68 UDP
Web Access - Ports 80 and 443 Protocol TCP
Email Access - Ports 25 and 110 , 143 Protocol TCP
DNS Access - Port 53 Protocol TCP and UDP (This is absolutely required)
Bittorrent Access Through Transmission - Bittorrent is different in that it uses a mulitude of
unregistered ports to make connections.
So now that we know where we're going we are going to fire up a terminal window and create
the same rules using UFW at the CLI.
First we want to enable UFW by doing the following
sudo ufw enable
Then we want to enable our default inbound and outbound policies by doing the following
sudo ufw default deny incoming && sudo ufw default deny outgoing
Now we will add our outbound TCP rules
sudo ufw allow out 25,53,80,110,443/tcp
Then our outbound UDP rules
sudo ufw allow out 53,67,68/udp
And now our Transmission rules
sudo ufw allow out 51413/tcp
sudo ufw allow out 51413/udp
sudo ufw allow out 6969/tcp
Restart your firewall for good measure.
sudo ufw disable && sudo ufw enable
Then you're done.
Method 3 : iptables
This method in my opinion is the best because it gives you the most control over your firewall.
However iptables may not be for the new user. For completeness sake I will cover it here.
Please note: iptables works best without UFW installed. So we will remove it now.
sudo apt-get remove ufw gufw
Again in this section we will be enabling the same services as before.
DHCP Access - Ports 67 and 68 UDP
Web Access - Ports 80 and 443 Protocol TCP
Email Access - Ports 25 and 110 , 143 Protocol TCP
DNS Access - Port 53 Protocol TCP and UDP (This is absolutely required)
Bittorrent Access Through Transmission - Bittorrent is different in that it uses a mulitude of
unregistered ports to make connections.
However, here I am going to walk you through the iptables script with the comments in the
script, as opposed to step by step like the previous sections. You will want to create a file for
your script, for this we will call it iptables.sh , but you can call it whatever you want. Below you
will find the sample iptables script.
#!/bin/bash
#Simple Firewall Script.


#Setting up default kernel tunings here (don't worry too much about the
se right now, they are acceptable defaults) #DROP ICMP echo-
requests sent to broadcast/multi-cast addresses.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#DROP source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#Enable TCP SYN cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Do not ACCEPT ICMP redirect
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#Don't send ICMP redirect
echo 0 >/proc/sys/net/ipv4/conf/all/send_redirects
#Enable source spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#Log impossible (martian) packets
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians


#Flush all existing chains
iptables flush
The most basic set of rules
If you're a simple desktop user who only uses his computer for the most ordinary things, then
this is the basic rule set:
1. immediately install security updates when you're notified;
2. do not install antivirus, as you *really* don't need it in Linux;unless you share files with
Windows
3. enable the firewall (sudo ufw enable) without further tweaks;
4. stick to the official repo's as much as possible, and only deviate from them when strictly
necessary and with much caution;
5. keep Java (both openJDK and Oracle Java) disabled by default in your browser, and only
enable it when needed;
6. use Wine with caution;
7. and most important of all: use your common sense. The biggest security threat is generally
found between keyboard and chair.

If you have higher security needs, then read on.



#Allow traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


#Creating default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP #If we're not a router


#Allow previously established connections to continue uninterupted
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


#Allow outbound connections on the ports we previously decided.
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT #SMTP
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT #DNS
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT #HTTP
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT #POP
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT #HTTPS
iptables -A OUTPUT -p tcp --dport 51413 -j ACCEPT #BT
iptables -A OUTPUT -p tcp --dport 6969 -j ACCEPT #BT tracker
iptables -A OUTPUT -p UDP --dport 67:68 -j ACCEPT #DHCP
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT #DNS
iptables -A OUTPUT -p udp --dport 51413 -j ACCEPT #BT


#Set up logging for incoming traffic.
iptables -N LOGNDROP
iptables -A INPUT -j LOGNDROP
iptables -A LOGNDROP -j LOG
iptables -A LOGNDROP -j DROP


#Save our firewall rules
iptables-save > /etc/iptables.rules


Now that we have our script created we may save it and execute it
sudo chmod 755 iptables.sh
sudo ./iptables.sh
Making your rules persistent :
If you want these rules to be restored on every reboot you can do the following.
sudo nano /etc/network/interfaces
Assuming wlan0 is the interface you use to connect to the network add the following at the end
of the block. Alternatively you can add it to any interface you want and the rules will be loaded
when that interface is brought up. Keep in mind this does not change the nature of the rules, or
how they are applied.
pre-up iptables-restore < /etc/iptables.rules
Then save the file.
This bit of information as well as other ways for making your iptables rules persistent can be
found here : IptablesHowTo
We're done.
Common Ports and Services
FTP - 21 TCP
SSH - 22 TCP
TELNET - 23 TCP
SMTP - 25 TCP
DNS - 53 TCP/UDP
DHCP - 67 , 68 DHCP
HTTP - 80 TCP
POP3 - 110 TCP
IMAP - 143 TCP
HTTPS - 443 TCP
VNC - 5900-6000
IRC - 6667-7000
Gmail SMTP TLS: 587
Gmail SMTP SSL: 465
Gmail POP SSL: 995
Gmail IMAP SSL: 993