Getting started with UFW (Uncomplicated Firewall) Ubuntu CLI

This is a quick reference guide about getting started with UFW (Uncomplicated Firewall) Ubuntu CLI

1. Check the status of the firewall

ufw status

root@FTP:~# ufw status
Status: inactive

IMPORTANT! Please see step 2 before enabling the firewall

root@FTP:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)

ufw status verbose gives more information about the firewall: the logging level, the default policies for incoming, outgoing and routed traffic, and the direction (IN/OUT) of each rule.

root@FTP:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)


2. Enabling ufw

2.1 CAUTION! Before enabling your firewall make sure that you have added a rule to allow SSH; the default incoming policy is deny, so enabling ufw on a remote machine without this rule will lock you out.

root@FTP:/etc/ufw# ufw  allow ssh
Rules updated
Rules updated (v6)

You can check this has been added in the following file: /etc/ufw/user.rules

nano /etc/ufw/user.rules

### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT

2.2 ufw enable

ufw enable
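As an added example (not code from the original post), a small POSIX sh guard around step 2: it refuses to enable ufw until the SSH rule from step 2.1 has been written to user.rules, and can re-check the running rule set afterwards. File paths default to the ones the guide shows and can be overridden with copies for testing.

```shell
#!/bin/sh
# Added example, not from the original post: only run "ufw enable" once the
# SSH allow rule from step 2.1 is in place, so enabling the firewall cannot
# lock you out of a remote session. Paths are arguments so the checks can be
# run against copies of the files.

# Return 0 when the given user.rules file carries the iptables rule that
# "ufw allow ssh" writes (the line shown in step 2.1).
ssh_rule_written() {
  grep -Eq -e '^-A ufw-user-input -p tcp --dport 22 -j ACCEPT' "${1:-/etc/ufw/user.rules}"
}

# Return 0 when "ufw status" output lists an ALLOW rule for SSH, either as
# 22/tcp (including the "(v6)" row) or as the OpenSSH application profile.
allows_ssh() {
  printf '%s\n' "$1" |
    grep -Eq '^(22(/tcp)?|OpenSSH)( \(v6\))?[[:space:]]+ALLOW'
}

# Enable only when the rule is present. "--force" skips the interactive
# prompt so the function is safe to call from a provisioning script.
safe_enable() {
  rules=${1:-/etc/ufw/user.rules}
  if ssh_rule_written "$rules"; then
    ufw --force enable
  else
    echo "refusing to enable: no SSH rule in $rules (run: ufw allow ssh)" >&2
    return 1
  fi
}

# Post-enable check: confirm the running rule set really allows SSH.
verify_running() {
  allows_ssh "$(ufw status)"
}
```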

3. Adding ufw rules

3.1 Basic ufw rule examples

The rules below allow traffic from any source to a specific service on the local server. Service names are resolved through /etc/services, which is why the status output lists port numbers; a bare port such as 3389 with no protocol is allowed for both TCP and UDP.

root@FTP:~# ufw allow http
Rule added
Rule added (v6)
root@FTP:~# ufw allow https
Rule added
Rule added (v6)
root@FTP:~# ufw allow ftp
Rule added
Rule added (v6)
root@FTP:~# ufw allow tftp
Rule added
Rule added (v6)
root@FTP:~# ufw allow snmp
Rule added
Rule added (v6)
root@FTP:~# ufw allow sftp
Rule added
Rule added (v6)
root@FTP:~# ufw allow smtp
Rule added
Rule added (v6)
root@FTP:~# ufw allow 3389
Rule added
Rule added (v6)

3.2 Check ufw rules

root@FTP:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
69/udp                     ALLOW       Anywhere
161                        ALLOW       Anywhere
115/tcp                    ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
3389                       ALLOW       Anywhere

3.3 Source and destination specific ufw rules

root@FTP:~# ufw allow from 10.0.125.0/24 to any
Rule added
root@FTP:~# ufw allow from 10.0.130.0/24 to any  port sftp
Rule added
root@FTP:~# ufw status
Anywhere                   ALLOW       10.0.125.0/24
115/tcp                    ALLOW       10.0.130.0/24

4. Delete ufw rules

root@FTP:~# ufw delete allow https
Rule deleted
Rule deleted (v6)
root@FTP:~#

If you are new to the world of Linux, an avid Linux enthusiast or a student why not try our 0.99p per month Linux VPS.

Simply click on the screen shot below to find out more or navigate to https://piggybank.cloud

Thank you for reading and please feel free to leave any feedback.

How to port forward IPv4 traffic using ufw on Ubuntu CLI

This is a detailed guide on how to port forward IP traffic on Ubuntu CLI.

Warning: Please make sure that you have out-of-band access to the device you are working on, as changing the ufw configuration could lock you out of the machine if you are working remotely.

Please note this guide also covers Masquerading private IP traffic outbound.

1. nano /etc/default/ufw

Enable packet forwarding by editing DEFAULT_FORWARD_POLICY="ACCEPT"

root@test:~# nano /etc/default/ufw
# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="ACCEPT"

2. nano /etc/ufw/sysctl.conf

Uncomment net/ipv4/ip_forward=1 (remove the # symbol)

# Uncomment this to allow this host to route packets between interfaces
net/ipv4/ip_forward=1
#net/ipv6/conf/default/forwarding=1
#net/ipv6/conf/all/forwarding=1

3. nano /etc/ufw/before.rules 

Add the following to /etc/ufw/before.rules 

This will need to be added to the top of the file – please see example below.

Make sure you specify the source subnet you want to NAT and the interface on which your public IP address is configured. In the example below the source is 10.0.125.0/24 and the public interface is eth1.

The port-forward part of this guide is the following line in that block:

-A PREROUTING -i eth1 -d 91.203.x.x -p tcp --dport 2200 -j DNAT --to-destination 10.0.125.10:22

This line rewrites the destination of TCP traffic arriving on eth1 for the public IP address and port 91.203.x.x:2200 to the private IP address and port 10.0.125.10:22.

# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Masquerade traffic from 10.0.125.0/24 as it leaves eth1 (the interface holding the public IP).
-A POSTROUTING -s 10.0.125.0/24 -o eth1 -j MASQUERADE
-A PREROUTING -i eth1 -d 91.203.x.x  -p tcp --dport 2200 -j  DNAT --to-destination 10.0.125.10:22
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT

IMPORTANT: I have added the whole file as a reference below, so you can see the positioning of the lines.

Example:

root@test:~# cat /etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Masquerade traffic from 10.0.125.0/24 as it leaves eth1 (the interface holding the public IP).
-A POSTROUTING -s 10.0.125.0/24 -o eth1 -j MASQUERADE
-A PREROUTING -i eth1 -d 91.203.x.x  -p tcp --dport 2200 -j  DNAT --to-destination 10.0.125.10:22
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines


# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

4. ufw disable && ufw enable

root@test:~# ufw disable && ufw enable
Firewall stopped and disabled on system startup
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
root@test:~#
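As an added example (not code from the original post), a POSIX sh helper that generates the nat block from steps 3 with explicit parameters, checks the two prerequisites from steps 1 and 2, and recognises the DNAT row in the iptables output from step 5. File paths are arguments so the checks can be run against copies; the iptables output used to exercise it is constructed from the sample above.

```shell
#!/bin/sh
# Added example, not from the original post: generate the nat-table block the
# guide adds to /etc/ufw/before.rules from explicit parameters, and check the
# prerequisites from steps 1 and 2. File paths are arguments so the checks
# can be run against copies; the defaults are the real files.

# Print the *nat block: masquerade SRC_SUBNET as it leaves PUB_IF, and DNAT
# tcp PUB_IP:PUB_PORT to DST_IP:DST_PORT.
nat_block() {
  src_subnet=$1 pub_if=$2 pub_ip=$3 pub_port=$4 dst_ip=$5 dst_port=$6
  cat <<EOF
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade $src_subnet as it leaves $pub_if (the interface holding the public IP)
-A POSTROUTING -s $src_subnet -o $pub_if -j MASQUERADE
# Port forward $pub_ip:$pub_port/tcp to $dst_ip:$dst_port
-A PREROUTING -i $pub_if -d $pub_ip -p tcp --dport $pub_port -j DNAT --to-destination $dst_ip:$dst_port
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
EOF
}

# Step 1: /etc/default/ufw must set the forward policy to ACCEPT.
forward_policy_ok() {
  grep -Eq '^DEFAULT_FORWARD_POLICY="ACCEPT"' "${1:-/etc/default/ufw}"
}

# Step 2: /etc/ufw/sysctl.conf must have net/ipv4/ip_forward=1 uncommented.
ip_forward_ok() {
  grep -Eq '^net/ipv4/ip_forward=1' "${1:-/etc/ufw/sysctl.conf}"
}

# Step 5: return 0 when "iptables -t nat -L -v" output contains a DNAT rule
# for packets arriving on PUB_IF (the pkts counter in that row shows hits).
dnat_present() {
  printf '%s\n' "$1" |
    grep -Eq "DNAT[[:space:]]+tcp[[:space:]]+--[[:space:]]+$2[[:space:]]"
}
```

With DEFAULT_FORWARD_POLICY=ACCEPT every forwarded packet is permitted; ufw 0.34 and later can keep that policy at DROP and allow only the forwarded flow with `ufw route allow` rules (see `man ufw`).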

5. Check that the configuration is correct

You can check the ufw policy using "iptables -t nat -L -v"

Check for DNAT (destination NAT)

root@test:~# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 196 packets, 10492 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    52 DNAT       tcp  --  eth1   any     anywhere             91-203-x-x

6. Troubleshoot using tcpdump

Make sure traffic is traversing the Ubuntu device where you have configured the Port Forward.

root@test:~# tcpdump -i eth1 -c 200 port 2200
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes


How to secure your FTP server using FTPS and VSFTPD on Linux CLI

This is a detailed guide on how to secure your FTP server using FTPS and VSFTPD on Linux Based Operating Systems.

1. Generate your certificate

1.1 Generate private RSA key

You can change the cipher used to encrypt the key file by replacing -aes256 with, for example, -aes128. The private key is used to generate the CSR and then the certificate.

openssl genrsa -aes256 -out SSL.key

1.2 Generate Certificate Signing Request or CSR

openssl req -new -key SSL.key -out certificate.csr

IMPORTANT: At this point you may want to send the CSR to a Certificate Authority who will create a certificate for you. If this is the case you can skip the rest of step 1 and move to step 2.

1.3 Remove the private key password from the private key

cp SSL.key SSL.key.orig
openssl rsa -in SSL.key.orig -out ssl.key

Compare the two files below. Note that they are named differently: SSL.key is the passphrase-protected original and ssl.key is the copy with the passphrase removed, which we use in the final step to create the certificate. VSFTPD cannot use a passphrase-protected key because nothing would supply the passphrase at start-up, so it has to be removed. Because ssl.key is now unencrypted, keep it readable by root only (chmod 600 ssl.key).

root@GNS3-Server:~# cat SSL.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,E35C0C8969A325B4AF35E737933BD2B6

root@GNS3-Server:~# cat ssl.key
-----BEGIN RSA PRIVATE KEY-----

1.4 Generate Certificate

openssl x509 -req -days 365 -in certificate.csr -signkey ssl.key -out mycertificate.crt

1.5 Copy the private key file and certificate to /etc/pki/tls/certs/

You may need to create the directory first (mkdir -p /etc/pki/tls/certs).

cp ssl.key /etc/pki/tls/certs/
cp mycertificate.crt /etc/pki/tls/certs

2. Configure VSFTP to use your certificate

2.1 Edit /etc/vsftpd.conf

nano /etc/vsftpd.conf

I have added the full file as an example.

root@GNS3-Server:~# cat /etc/vsftpd.conf
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
nopriv_user=vsftpd
virtual_use_local_privs=YES
guest_enable=YES
user_sub_token=$USER
local_root=/var/www/$USER
chroot_local_user=YES
hide_ids=YES
guest_username=vsftpd
ssl_enable=YES

allow_anon_ssl=YES

ssl_tlsv1=YES

ssl_sslv2=NO

ssl_sslv3=NO

rsa_cert_file=/etc/pki/tls/certs/mycertificate.crt

rsa_private_key_file=/etc/pki/tls/certs/ssl.key

ssl_ciphers=HIGH

require_ssl_reuse=NO


2.2 Restart VSFTPD

service vsftpd restart
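As an added example (not code from the original post), a POSIX sh pre-flight check for the two things that make this setup work or fail: the key handed to VSFTPD must not carry a passphrase (step 1.3), and vsftpd.conf must enable SSL, disable SSLv2/SSLv3 and point at key and certificate files that exist (step 2.1). Paths are arguments so it can be run against copies of the files.

```shell
#!/bin/sh
# Added example, not from the original post: verify the private key handed to
# VSFTPD has had its passphrase removed (step 1.3) and that the SSL settings in
# vsftpd.conf match the guide (step 2.1). Paths are arguments so the checks
# can run against copies.

# Return 0 when the PEM file is passphrase-protected: the traditional format
# shown in the guide carries "Proc-Type: 4,ENCRYPTED"; the PKCS#8 format uses
# an "ENCRYPTED PRIVATE KEY" header instead.
key_is_encrypted() {
  grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)$' "$1"
}

# Read a key=value setting from a vsftpd.conf copy (last occurrence wins).
conf_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Return 0 when SSL is on, SSLv2/SSLv3 are off, and the referenced key and
# certificate exist, with the key usable (not passphrase-protected).
vsftpd_ssl_ok() {
  conf=$1
  [ "$(conf_get "$conf" ssl_enable)" = YES ] || return 1
  [ "$(conf_get "$conf" ssl_sslv2)" = NO ] || return 1
  [ "$(conf_get "$conf" ssl_sslv3)" = NO ] || return 1
  key=$(conf_get "$conf" rsa_private_key_file)
  cert=$(conf_get "$conf" rsa_cert_file)
  [ -r "$key" ] && [ -r "$cert" ] || return 1
  key_is_encrypted "$key" && return 1
  return 0
}
```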

3. Test

Connect with an FTPS-capable client. Expect a certificate warning if the certificate is self-signed rather than issued by a certificate authority your client trusts.


How to generate a certificate signing request (CSR) to be signed by a Certificate Authority on Linux CLI

This is a quick reference guide on how to generate a certificate signing request (CSR) to be signed by a Certificate Authority on Linux based operating systems.

1. Generate your certificate

1.1 Generate private RSA key

You can change the cipher used to encrypt the key file by replacing -aes256 with, for example, -aes128. The private key is used to generate the CSR and then the certificate.

openssl genrsa -aes256 -out SSL.key

1.2 Generate Certificate Signing Request or CSR

You will need to ensure that the information below is accurate, especially if you are renewing an existing certificate:

Common name (the server FQDN, e.g. www.example.com, without any http:// prefix), organization name and location (country, state/province, city/town).

root@server:~# openssl req -new -key SSL.key -out certificate.csr
Enter pass phrase for SSL.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

2. Send this to a certificate authority of your choosing.

You will need to send the file that you created (in this case certificate.csr) to a certificate authority.

The certificate authority will sign this CSR which will generate the final SSL certificate.


The Journey Begins

Hello to you all & welcome to our blog; keep an eye out for the new posts we will be writing.

It's a place for us to write up our ideas, experiences and tutorials surrounding:

Networking,
Cloud Computing,
Linux,
Open source computing
& also to promote our own platform which is https://piggybank.cloud

First of all I'll start with a bit of background about us and what we do; it's a good idea for us to explain what Piggybank Cloud is and how it came about.

Who Are We?

We are 2 technology enthusiasts who currently work for a managed services provider as network & security engineers. We love what we do but also have a strong passion for anything Linux, anything open source and anything cloud computing.

We have spent a lot of our spare time in the past labbing up networking gear and following other people's community guides.

What is Piggybank Cloud

We always wanted to give something back to the community and also set something up of our own and offer a cloud service, so we set up Piggybank Cloud. The idea was a cheap, affordable cloud platform for people; we wanted to automate everything from setting users' resources to deploying firewalls and setting up IPsec tunnels.

So we came up with a portal and started adding to it. It started pretty basic, but as we got more into it ideas just kept flying.
We ended up with what we have now, which we intend to add more and more functionality to.

It gave us an opportunity to delve into software defined networking and use vendor REST APIs to provision network pieces, IPsec tunnels, NAT rules and more.
The good thing about REST APIs is that they are quick and simple: once you have the schema you are just passing data to a REST endpoint.

The good thing as well is that you can easily integrate these into your website and that’s what we did.

What's next?

So that's a bit of background on us and what we do. Keep your eyes peeled and we will get some more posts out; if you have any questions etc. leave us a comment. If you get the chance to have a look at our site please do, and any feedback would be much appreciated.

Until next time