ufw
ufw (Uncomplicated Firewall) is the default firewall configuration tool on Ubuntu. It hides the complexity of iptables behind a friendly interface for writing rules. It is normally installed by default; if it is missing, install it with:
apt install ufw
ufw keeps its configuration under /etc/ufw/. The rules you add yourself end up in the two user rule files, user.rules and user6.rules (the one with the 6 holds the IPv6 rules); the remaining files are the system defaults. Manage rules through the ufw command rather than by editing these files, because ufw rewrites them whenever a rule is added or deleted.
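As an added example (not part of the original article), the script below reads a user.rules file and lists the inbound ports that are open to the whole Internet. It relies only on the "### tuple ###" summary line ufw writes above each rule; the field order assumed (action, protocol, destination port, destination, source port, source, direction) is an internal ufw format, so compare it against your own file before trusting the result. The sample file content is constructed for the example.

```sh
#!/bin/sh
# Added example: list the ports that user rules in /etc/ufw/user.rules open to
# everyone. Only the "### tuple ###" summary lines are read; the iptables lines
# under them are what netfilter actually loads. Field layout assumed here:
#   ### tuple ### ACTION PROTO DPORT DST SPORT SRC DIRECTION[_IFACE] [comment=HEX]
# This is an internal ufw format, so verify it against your own file.

world_open_ports() {
    # Reads a user.rules or user6.rules file on stdin and prints "DPORT/PROTO"
    # for every inbound allow or limit rule whose source is the whole Internet.
    awk '
        $1 == "###" && $2 == "tuple" && $3 == "###" {
            action = $4; proto = $5; dport = $6; src = $9; dir = $10
            if ((action == "allow" || action == "limit") &&
                (src == "0.0.0.0/0" || src == "::/0") &&
                dir ~ /^in/)
                print dport "/" proto
        }'
}

# Constructed sample in the layout of a user.rules file (not copied from any
# system): SSH scoped to one subnet, HTTP open to the world for both protocols,
# MySQL explicitly denied. Only the HTTP rule should be reported.
SAMPLE_USER_RULES='*filter
:ufw-user-input - [0:0]
### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 192.168.0.0/24 in
-A ufw-user-input -p tcp --dport 22 -s 192.168.0.0/24 -j ACCEPT

### tuple ### allow any 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT
-A ufw-user-input -p udp --dport 80 -j ACCEPT

### tuple ### deny tcp 3306 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 3306 -j DROP

### END RULES ###
COMMIT'

# Audit the sample; on a real host run: world_open_ports < /etc/ufw/user.rules
printf '%s\n' "$SAMPLE_USER_RULES" | world_open_ports
```

Run it against /etc/ufw/user6.rules as well, since an IPv6 rule with source ::/0 is just as exposed as an IPv4 one.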
Common commands
The commands below require root privileges. As a normal user, switch to root or prefix each command with sudo.
Enable the firewall (on a remote host, make sure a rule allowing your SSH session exists first, because the default incoming policy is deny and you will otherwise be locked out)
ufw enable
Disable the firewall
ufw disable
Open a port (port 22 as the example)
# opens both TCP and UDP by default
ufw allow 22
# open a single protocol only
ufw allow 22/tcp
Block an already-open port (port 22 as the example). This turns the allow rule into an explicit deny rule. Because ufw's default incoming policy is already deny, deleting the allow rule (next item) is usually the cleaner way to close a port; an explicit deny rule is mainly needed when the default incoming policy has been changed to allow.
ufw deny 22
Delete a rule (port 22 as the example)
ufw delete deny 22
ufw delete allow 22
Show the firewall status
ufw status
Show detailed firewall status (default policies, logging level, and rules)
ufw status verbose
Allow a specific IP or a subnet to reach a port
# allow host 192.168.0.2 to reach SSH on any address of this host
ufw allow proto tcp from 192.168.0.2 to any port 22
# allow a whole subnet
ufw allow proto tcp from 192.168.0.0/24 to any port 22
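The commands above are usually combined into a short bootstrap, and rules are most reliably removed by number once several exist. The script below is an added example, not code from the original article or from the ufw project: it applies a default-deny baseline with SSH scoped to an admin subnet, enables the firewall last so the SSH rule is in place before the policy takes effect, and parses "ufw status numbered" output to delete every rule for a port by number, highest first (deleting a rule renumbers the ones below it). It defaults to a dry run that prints each command; set DRY_RUN=0 and run as root to apply. The "--force" option suppresses ufw's confirmation prompts; the status output is constructed for the example, and rules written with an application profile name (for example "OpenSSH") are not matched by the port lookup.

```sh
#!/bin/sh
# Added example: default-deny baseline plus deletion by rule number.
# DRY_RUN=1 (the default) prints each ufw command instead of running it;
# set DRY_RUN=0 and run as root to apply the changes.

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Baseline: deny everything inbound, allow outbound, admit SSH only from the
# admin network, and enable last so the SSH rule exists before default-deny
# applies (enabling first over SSH locks you out).
ufw_baseline() {
    admin_net=$1
    run ufw default deny incoming
    run ufw default allow outgoing
    run ufw allow proto tcp from "$admin_net" to any port 22
    run ufw --force enable
}

# Rule numbers for a port, parsed from "ufw status numbered" output passed as
# $2, highest first. Matches the "To" column as PORT or PORT/PROTO only.
rules_for_port() {
    port=$1
    printf '%s\n' "$2" |
        sed -n 's/^\[ *\([0-9][0-9]*\)\] */\1 /p' |
        awk -v port="$port" '$2 ~ ("^" port "(/|$)") { print $1 }' |
        sort -rn
}

# Delete from the highest number down so earlier deletions do not shift the
# numbers of rules still to be deleted.
delete_rules_for_port() {
    for n in $(rules_for_port "$1" "$2"); do
        run ufw --force delete "$n"
    done
}

# Constructed "ufw status numbered" output (not taken from a real host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.0.0/24
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 22                         DENY IN     Anywhere
[ 4] 443/tcp                    ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

ufw_baseline 192.168.0.0/24
delete_rules_for_port 22 "$SAMPLE_STATUS"
```

On a live host, feed the real output in with: delete_rules_for_port 22 "$(ufw status numbered)".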
Running ufw --help prints a summary of the basic commands.
Detailed ufw usage
Running man ufw shows the detailed usage below:
NAME
ufw - program for managing a netfilter firewall
DESCRIPTION
This program is for managing a Linux firewall and aims to provide an easy to use interface for the user.
USAGE
ufw [--dry-run] enable|disable|reload
ufw [--dry-run] default allow|deny|reject [incoming|outgoing|routed]
ufw [--dry-run] logging on|off|LEVEL
ufw [--dry-run] reset
ufw [--dry-run] status [verbose|numbered]
ufw [--dry-run] show REPORT
ufw [--dry-run] [delete] [insert NUM] allow|deny|reject|limit [in|out] [log|log-all] [ PORT[/PROTOCOL] | APPNAME ] [comment COMMENT]
ufw [--dry-run] [rule] [delete] [insert NUM] allow|deny|reject|limit [in|out [on INTERFACE]] [log|log-all] [proto PROTOCOL] [from ADDRESS [port PORT | app APPNAME ]] [to ADDRESS [port PORT | app APPNAME ]] [comment COMMENT]
ufw [--dry-run] route [delete] [insert NUM] allow|deny|reject|limit [in|out on INTERFACE] [log|log-all] [proto PROTOCOL] [from ADDRESS [port PORT | app APPNAME]] [to ADDRESS [port PORT | app APPNAME]] [comment COMMENT]
ufw [--dry-run] delete NUM
ufw [--dry-run] app list|info|default|update
OPTIONS
--version
show program's version number and exit
-h, --help
show help message and exit
--dry-run
don't modify anything, just show the changes
enable reloads firewall and enables firewall on boot.
disable
unloads firewall and disables firewall on boot
reload reloads firewall
default allow|deny|reject DIRECTION
change the default policy for traffic going DIRECTION, where DIRECTION is one of incoming, outgoing or routed. Note that existing rules will have to be migrated manually when changing the default policy. See RULE SYNTAX for more on deny and reject.
logging on|off|LEVEL
toggle logging. Logged packets use the LOG_KERN syslog facility. Systems configured for rsyslog support may also log to /var/log/ufw.log. Specifying a LEVEL turns logging on for the specified LEVEL. The default log level is 'low'. See LOGGING for details.
References
Ubuntu official documentation:
https://help.ubuntu.com/lts/serverguide/firewall.html#ip-masquerading