firewall: iptables vs ufw/gufw (Debian User list, via Linux Archive: http://www.linux-archive.org/debian-user/500199-firewall-iptables-vs-ufw-gufw.html)

Michael Friendly 03-11-2011 06:56 PM

firewall: iptables vs ufw/gufw
 
Hi
I have a new machine running Kubuntu 10.04 which was set up by an IT
person with firewalls in /etc/iptables that largely lock down my box,
e.g. some specified services (sftp/ssh) from a designated IP address
work, but I can't even ping my box from an scp-enabled IP address PC,
far less use sftp/ssh from home.

I find iptables rules daunting and can't depend on further support from
our IT, so I'm looking for an alternative that would be easier for me
to manage on my own. I've read descriptions of ufw and the GUI gufw,
which seem simpler to understand and use. ufw is presently installed
but not enabled.

I don't know how to transition from iptables to ufw:
- Do I have to disable iptables first?
- Do I have to install/enable the rules from iptables for ssh, samba,
etc. within ufw?


Any help/guidance would be appreciated. If there is a better forum for
this query, please let me know also.

--
Michael Friendly Email: friendly AT yorku DOT ca
Professor, Psychology Dept.
York University Voice: 416 736-5115 x66249 Fax: 416 736-5814
4700 Keele Street Web: http://www.datavis.ca
Toronto, ONT M3J 1P3 CANADA


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Archive: http://lists.debian.org/ildupp$gp3$1@dough.gmane.org

Andrei Popescu 03-12-2011 09:06 AM

firewall: iptables vs ufw/gufw
 
On Vi, 11 mar 11, 14:56:42, Michael Friendly wrote:
> Hi
> I have a new machine running kubuntu 10.04 which was setup by an IT
> person with firewalls in /etc/iptables that largely lock-down my
> box,
> e.g. some specified services (sftp/ssh) from a designated IP address
> work, but I can't even ping my box from an scp-enabled IP address
> PC,
> far less, use sftp/ssh from home.
>
> I find iptables rules daunting and can't depend on further support from
> our IT, so I'm looking for an alternative that would be easier for me
> to manage on my own. I've read descriptions of ufw and the GUI gufw,
> which seem simpler to understand and use. ufw is presently installed
> but not enabled.
>
> I don't know how to transition from iptables to ufw:
> - Do I have to disable iptables first

ufw is a frontend to iptables, so "disabling" iptables (whatever you
mean by that) will make ufw useless.

> - Do I have to install/enable the rules from iptables for ssh,
> samba, etc within ufw?
>
> Any help/guidance would be appreciated. If there is a better forum for
> this query, please let me know also.

First you need to find out exactly how the iptables rules are loaded.
Could be via /etc/rc.local, a dedicated script in /etc/init.d/, or
something else (is package iptables-persistent also in Ubuntu?). Do not
try to use ufw until you know exactly how the current iptables rules are
loaded and you know for sure you can disable them!

Next would be to try to understand what the rules do and reimplement the
functionality in ufw. By the time you are done you might not need ufw
anymore ;)

Now you can start changing the rules, but beware, you are likely to go
against your organisation's policy...

Have fun,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic

Tom H 03-12-2011 09:55 AM

firewall: iptables vs ufw/gufw
 
On Sat, Mar 12, 2011 at 5:06 AM, Andrei Popescu
<andreimpopescu@gmail.com> wrote:
> On Vi, 11 mar 11, 14:56:42, Michael Friendly wrote:
>>
>> - Do I have to install/enable the rules from iptables for ssh,
>> samba, etc within ufw?
>
> First you need to find out exactly how the iptables rules are loaded.
> Could be via /etc/rc.local a dedicated script in /etc/init.d/ or
> something else (is package iptables-persistent also in Ubuntu?). Do not
> try to use ufw until you know exactly how the current iptables rules are
> loaded and you know for sure you can disable them!

Check "/etc/network/if-pre-up.d/" and "/etc/network/if-up.d/" too.

And, if you're using Network Manager, there *may* be other directories
to look into.


Archive: http://lists.debian.org/AANLkTi=RxKAnDsaazw3Mz-c-N8TkpeTCcDNNCAZcas_R@mail.gmail.com
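
The following is an added example, not part of any post in this thread. It does the audit Andrei and Tom describe above: it walks the boot-time hook points they name (/etc/network/interfaces pre-up/up lines, /etc/rc.local, /etc/init.d scripts, if-pre-up.d and if-up.d) and prints every file and line that mentions iptables or iptables-restore, so you know exactly what loads the current rules before you enable ufw. The NetworkManager dispatcher directory is an assumption added here as one of the "other directories" Tom alludes to. An optional first argument selects an alternate root, so the function can be run against a mounted image or a constructed test tree.

```shell
#!/bin/sh
# Added example (not from the thread): find where a Debian/Ubuntu box loads
# its iptables rules at boot, before touching ufw. Walks the hook points the
# replies name and prints file:line for every mention of iptables. The
# NetworkManager path is an assumed common location, not one the thread gives.

find_iptables_loaders() {
    # Optional $1: alternate root (mounted image or test tree); empty = live system.
    root="${1:-}"
    found=0
    for path in \
        "$root/etc/network/interfaces" \
        "$root/etc/rc.local" \
        "$root/etc/network/if-pre-up.d" \
        "$root/etc/network/if-up.d" \
        "$root/etc/init.d" \
        "$root/etc/NetworkManager/dispatcher.d"
    do
        [ -e "$path" ] || continue
        # -r handles a single file or a whole hook directory; -H forces the
        # file name prefix; the plain "iptables" pattern also matches
        # iptables-restore and scripts called /etc/iptables.
        if grep -rnH 'iptables' "$path" 2>/dev/null; then
            found=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no boot-time iptables hooks found under '${root:-/}'" >&2
    fi
    return 0
}

# The rules the kernel currently holds, for checking what a hook actually
# installed and, later, that commenting it out emptied the tables (needs root).
current_rules() {
    iptables -L -n -v 2>/dev/null || echo "iptables -L needs root" >&2
}

find_iptables_loaders "${1:-}"
```

Run it once as-is to see the live hooks, then `current_rules` to compare the listing with what the scripts claim to install. A hit only in /etc/network/interfaces (a `pre-up` line, as Michael found) means the rules are tied to interface bring-up, so they come back on every reboot or network restart until that line is removed.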

Michael Friendly 03-13-2011 02:15 PM

firewall: iptables vs ufw/gufw
 
On 3/12/2011 5:55 AM, Tom H wrote:
> On Sat, Mar 12, 2011 at 5:06 AM, Andrei Popescu
> <andreimpopescu@gmail.com> wrote:
>> On Vi, 11 mar 11, 14:56:42, Michael Friendly wrote:
>>> - Do I have to install/enable the rules from iptables for ssh,
>>> samba, etc within ufw?
>>
>> First you need to find out exactly how the iptables rules are loaded.
>> Could be via /etc/rc.local a dedicated script in /etc/init.d/ or
>> something else (is package iptables-persistent also in Ubuntu?). Do not
>> try to use ufw until you know exactly how the current iptables rules are
>> loaded and you know for sure you can disable them!
>
> Check "/etc/network/if-pre-up.d/" and "/etc/network/if-up.d/" too.
>
> And, if you're using Network Manager, there *may* be other directories
> to look into.

OK, I found /etc/network/interfaces contains the line

pre-up /etc/iptables

and /etc/iptables contains the rules. But I'm not sure what to do now,
either with iptables or ufw. If ufw works via iptables, can I just
enable ufw now without danger? How can I enable myself to use ssh from
home?

For example, there is currently one rule allowing me to ssh from a PC in
my office

iptables -A INPUT -s 130.xxx.xxx.xx/32 -p tcp --destination-port 22 -j ACCEPT

I can mimic this for another PC (e.g., in my lab), but I'd like to be
able to use ssh from home, where I don't think I have a fixed IP address
from my service provider.







Archive: http://lists.debian.org/4D7CDF90.10006@yorku.ca

Andrei Popescu 03-13-2011 05:04 PM

firewall: iptables vs ufw/gufw
 
On Du, 13 mar 11, 11:15:28, Michael Friendly wrote:
>
> For example, there is currently one rule allowing me to ssh from a
> PC in my office
>
> iptables -A INPUT -s 130.xxx.xxx.xx/32 -p tcp --destination-port 22 -j ACCEPT
>
> I can mimic this for another PC (e.g., in my lab), but I'd like to
> be able to use ssh from home, where I don't think I have a fixed IP
> address from my service provider.

Is this the only reason you want to "tweak" the firewall? It might be
easier to set up a dynamic DNS address for home (there are several free
providers) and use a reverse SSH tunnel. Such a tunnel can be used for
more than just SSH ;)

Regards,
Andrei

Joe 03-13-2011 09:06 PM

firewall: iptables vs ufw/gufw
 
On 13/03/11 15:15, Michael Friendly wrote:
> On 3/12/2011 5:55 AM, Tom H wrote:
>> On Sat, Mar 12, 2011 at 5:06 AM, Andrei Popescu
>> <andreimpopescu@gmail.com> wrote:
>>> On Vi, 11 mar 11, 14:56:42, Michael Friendly wrote:
>>>> - Do I have to install/enable the rules from iptables for ssh,
>>>> samba, etc within ufw?
>>>
>>> First you need to find out exactly how the iptables rules are loaded.
>>> Could be via /etc/rc.local a dedicated script in /etc/init.d/ or
>>> something else (is package iptables-persistent also in Ubuntu?). Do not
>>> try to use ufw until you know exactly how the current iptables rules are
>>> loaded and you know for sure you can disable them!
>>
>> Check "/etc/network/if-pre-up.d/" and "/etc/network/if-up.d/" too.
>>
>> And, if you're using Network Manager, there *may* be other directories
>> to look into.


Please forgive me if you know this, but to me it appears that you may
not. Iptables effectively works by adding individual rules to the kernel
filtering tables using the 'iptables' command. This can be done at any
time, and there is no infrastructure to add a set of rules routinely at
start-up in Linux, so a number of ad-hoc methods exist to achieve that.


A list of 'iptables ...' commands contained in a shell script is a
common method, which seems to be how you are set up at the moment. The
commands 'iptables-save' and 'iptables-restore' can also be used to save
the existing kernel rule set to a file and restore it to active use.
Many firewall applications use this method. I use a pseudo-daemon, with
the usual start/stop/reload commands plus 'clear' to open the firewall,
and there are no doubt several other techniques in common use.



> OK, I found /etc/network/interfaces contains the line
>
> pre-up /etc/iptables


So if you comment this out, you have removed the current method of
adding iptables rules, and it should now be safe to use any other
technique. At any time, you can issue the command iptables -L which will
list the current state of the firewall. The listing is not in the same
format as the iptables rule commands, but it will show clearly when
rules have been added and when they haven't.


> and /etc/iptables contains the rules. But I'm not sure what to do now,
> either with iptables or ufw. If ufw works via iptables, can I just
> enable ufw now without danger? How can I enable myself to use ssh from
> home?
>
> For example, there is currently one rule allowing me to ssh from a PC in
> my office
>
> iptables -A INPUT -s 130.xxx.xxx.xx/32 -p tcp --destination-port 22 -j ACCEPT
>
> I can mimic this for another PC (e.g., in my lab), but I'd like to be
> able to use ssh from home, where I don't think I have a fixed IP address
> from my service provider.



Only you can judge your security needs, but I would not have thought
that restricting ssh to individual IP addresses was necessary. You
should be using keys to access ssh rather than passwords (look up how to
do this if you aren't). If as recommended you are using different keys
from different client machines, then each private key should never leave
its client machine (where it is stored encrypted with restrictive
permissions), with at least the same resulting security as restricting
the IP address. The private key is never sent across the Net, even
encrypted, it is only used in the client machine.


If you must use IP addresses, you can do as Andrei suggests or you might
consider using tcpwrappers (/etc/hosts.allow, /etc/hosts.deny) to
control access rather than iptables (you would still need an iptables
acceptance rule, but without an IP address). While the man pages show
hostnames, IP addresses and blocks may be used. If you have no choice
but to list a dynamic address, you can check the ISP's CIDR block and
allow that. It's not as secure as a single address, but it's better than
letting the whole world in. You can of course also use IP address blocks
in iptables rules.


--
Joe



Archive: http://lists.debian.org/4D7D3FF6.8010507@jretrading.com
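
The following is an added example, not part of any post in this thread. It covers the step Andrei and Joe leave to the reader: re-creating the existing rule set under ufw before the old pre-up hook is commented out. It takes one iptables INPUT rule of the kind Michael posted and emits the equivalent ufw command, handling a single host or a whole CIDR block as the source (Joe's suggestion for an ISP range), -d, -p, --dport/--destination-port, -i and the ACCEPT/DROP/REJECT targets. Anything else (for example -m state matches) is refused so it gets translated by hand rather than guessed. The addresses in the sample rules are constructed placeholders from the RFC 5737 documentation ranges, since the thread redacts the real office address.

```shell
#!/bin/sh
# Added example (not from the thread): translate one iptables INPUT rule into
# the equivalent ufw command, so the old rule set can be rebuilt under ufw
# rule by rule. Unsupported options return 2 instead of guessing.

iptables_to_ufw() {
    # $1 is a whole rule as a string; word-split it into positional parameters.
    # shellcheck disable=SC2086
    set -- $1
    chain=; src=any; dst=any; proto=; dport=; iface=; target=
    while [ $# -gt 0 ]; do
        case "$1" in
            iptables|/sbin/iptables) shift ;;
            -A) chain="$2"; shift 2 ;;
            -i|--in-interface) iface="$2"; shift 2 ;;
            -s|--source|--src) src="$2"; shift 2 ;;
            -d|--destination|--dst) dst="$2"; shift 2 ;;
            -p|--protocol) proto="$2"; shift 2 ;;
            --dport|--destination-port) dport="$2"; shift 2 ;;
            -j|--jump) target="$2"; shift 2 ;;
            *) echo "unsupported option, translate by hand: $1" >&2; return 2 ;;
        esac
    done
    [ "$chain" = INPUT ] || { echo "only INPUT rules are handled (got '$chain')" >&2; return 2; }
    case "$target" in
        ACCEPT) action=allow ;;
        DROP)   action=deny ;;
        REJECT) action=reject ;;
        *) echo "unsupported target '$target'" >&2; return 2 ;;
    esac
    # iptables prints single hosts as a.b.c.d/32; ufw takes the bare address.
    # Wider masks (an ISP's CIDR block) pass through unchanged.
    src="${src%/32}"; dst="${dst%/32}"
    cmd="ufw $action"
    if [ -n "$iface" ]; then cmd="$cmd in on $iface"; fi
    cmd="$cmd from $src to $dst"
    if [ -n "$dport" ]; then cmd="$cmd port $dport"; fi
    if [ -n "$proto" ]; then cmd="$cmd proto $proto"; fi
    echo "$cmd"
}

# Constructed sample rules (RFC 5737 documentation addresses as placeholders).
for rule in \
    'iptables -A INPUT -s 192.0.2.10/32 -p tcp --destination-port 22 -j ACCEPT' \
    'iptables -A INPUT -s 198.51.100.0/24 -p tcp --dport 22 -j ACCEPT' \
    'iptables -A INPUT -i eth0 -p udp --dport 137 -j DROP'
do
    iptables_to_ufw "$rule"
done
```

Feed it the lines of /etc/iptables one at a time and review what it refuses. Rules that accept loopback traffic or RELATED,ESTABLISHED connections do not need translating at all: ufw installs those itself in /etc/ufw/before.rules, and its default policy already denies other incoming traffic. Add the translated allow rules first, comment out the pre-up line, and only then run `ufw enable`, so the box is never left with both rule sets or with neither.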

