The firewall on the Ubuntu server had not been turned on. With it off, every service that happens to be listening is reachable from the network, so I decided to enable it. The specific steps are as follows:
1. Check firewall status
Obtain root privileges (or prefix each ufw command with sudo), then check the current state:
ufw status verbose
Status: inactive
2. First allow ssh
The purpose of this is to prevent yourself from being locked out: the moment the firewall is enabled, the default policy rejects incoming connections, including the one you are typing in. If sshd listens on another port, replace 22 with your actual ssh port (check the Port directive in /etc/ssh/sshd_config). Restricting the rule to TCP is slightly tighter than opening both protocols:
ufw allow 22/tcp
Rules updated
Rules updated (v6)
3. Turn on the firewall
Only after the ssh rule is in place should you enable the firewall:
ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Keep the current session open and confirm in a second terminal that a new ssh login still works before logging out.
4. Add rules
Add rules as needed, based on the ports your server actually listens on. To list listening sockets together with the owning process, use ss (netstat lives in the net-tools package, which recent Ubuntu releases do not install by default); add -u to see UDP listeners as well:
ss -tulnp
Add a firewall rule (xxx represents the port number; append /tcp or /udp to limit it to one protocol):
ufw allow xxx
Delete an existing firewall rule (alternatively, list rules with ufw status numbered and delete by number with ufw delete N):
ufw delete allow xxx
Deny access to a port:
ufw deny xxx
Default policy for incoming traffic (ufw applies "default deny" to incoming connections; outgoing traffic stays allowed unless you change it with ufw default deny outgoing):
ufw default deny incoming
5. Fix the problem of Docker opening ports through the firewall
If the server runs Docker containers, the firewall can appear to be configured but have no effect on published ports. For example, access to port 80 has been denied with ufw, yet a remote curl to a container published on port 80 still succeeds. The reason is that Docker inserts its own iptables rules: a published port is DNATed to the container and the traffic passes through the FORWARD chain, where Docker's rules come first, so ufw's INPUT rules never see it. Any port Docker maps with -p is therefore reachable regardless of ufw.
One way to solve this is to stop Docker from managing iptables at all in the Docker configuration file. Note the trade-off below before doing so:
1) Modify the docker configuration file
Modify /etc/docker/daemon.json (if it doesn’t exist, create a new one):
vi /etc/docker/daemon.json
Add the following:
{
"iptables": false
}
2) Restart docker:
systemctl restart docker
When you test again, the ufw deny rule is honoured. The caveat: with "iptables": false Docker also stops adding the NAT (masquerade) rules that give containers outbound connectivity and the forwarding rules between containers, so container networking will break unless you add those rules yourself. For most setups the better option is to keep Docker's iptables management and instead add filtering rules to the DOCKER-USER chain, which Docker evaluates before its own rules and never rewrites. Whichever approach you choose, re-run the curl test from outside the host to confirm the published port is really closed.
6. Stop the host from answering ping
To make the host a little less visible to scans, you can stop it from answering ICMP echo requests. This is not a strong protection (port scans still find the host) and it breaks ping-based monitoring, so decide whether you need it. It has to be set separately for IPv4 and IPv6, and in both files only the echo-request line should change; the other ICMP and ICMPv6 types listed there (destination-unreachable, time-exceeded, and for IPv6 neighbour discovery) must stay ACCEPT or connectivity will suffer:
1) ipv4 settings
edit file:
vi /etc/ufw/before.rules
Find the line for echo-request under "ok icmp codes for INPUT" (it ends in ACCEPT) and change the last word to DROP, so that it reads:
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
After the modification is completed, save and exit;
2) Modify ipv6 settings
edit file:
vi /etc/ufw/before6.rules
Similarly, find the echo-request line (it ends in ACCEPT) and change the last word to DROP, so that it reads:
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j DROP
Save and exit;
3) Reload the firewall
ufw reload
ufw reload re-reads before.rules and before6.rules, so no restart is needed. If you test again from another machine, ping no longer gets a reply. At this point the basic firewall settings are complete.
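The following script is an added example, not part of the original post: it wraps steps 2 to 6 in shell functions so the ordering that matters for safety (allow ssh, then enable) is enforced by the code rather than by memory, and so the Docker and ICMP settings can be checked on a copy of the files before anything is applied. The function names (ssh_port_from_config, docker_iptables_disabled, drop_icmp_echo, ufw_plan, apply_plan) are hypothetical helpers for this example; the file paths default to the standard Ubuntu locations, and the ssh port parser assumes sshd_config does not use an Include directive. The ufw commands it emits (ufw default deny incoming, ufw limit, ufw allow, ufw --force enable) are real ufw syntax; ufw limit rate-limits new connections to the ssh port, which the post does not use but is a common hardening step.

```shell
#!/bin/sh
# Added example (not from the original post). Hypothetical helper names;
# file paths default to the Ubuntu locations used in the post.

# Print the ssh port from an sshd_config. sshd uses the first uncommented
# "Port N" it reads, so duplicates after it are ignored. Falls back to 22.
# Assumes no "Include" directive (check /etc/ssh/sshd_config.d/ by hand).
ssh_port_from_config() {
    f="${1:-/etc/ssh/sshd_config}"
    port=$(awk 'tolower($1)=="port" && $2 ~ /^[0-9]+$/ {print $2; exit}' "$f" 2>/dev/null || true)
    echo "${port:-22}"
}

# Succeed (exit 0) only if daemon.json disables Docker's iptables management,
# i.e. the step-5 setting is in place.
docker_iptables_disabled() {
    f="${1:-/etc/docker/daemon.json}"
    [ -r "$f" ] && grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false' "$f"
}

# Flip only the echo-request line of a before.rules / before6.rules file from
# ACCEPT to DROP. Other ICMP and ICMPv6 types are left untouched on purpose:
# dropping destination-unreachable breaks path MTU discovery and dropping
# IPv6 neighbour discovery breaks IPv6 entirely.
drop_icmp_echo() {
    sed -i -E 's/^(-A ufw6?-before-input -p icmp(v6)? --icmp(v6)?-type echo-request -j )ACCEPT$/\1DROP/' "$1"
}

# Emit the ufw commands in the safe order: default policies, ssh first
# (rate-limited against brute force), extra tcp ports, then enable.
# --force skips the interactive "may disrupt existing ssh connections" prompt.
ufw_plan() {
    ssh_port="$1"; shift
    printf 'ufw default deny incoming\n'
    printf 'ufw default allow outgoing\n'
    printf 'ufw limit %s/tcp\n' "$ssh_port"
    for p in "$@"; do
        printf 'ufw allow %s/tcp\n' "$p"
    done
    printf 'ufw --force enable\n'
}

# Run the plan. Requires root; warns if Docker is present and still manages
# iptables itself, because then published container ports bypass ufw (step 5).
apply_plan() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    if [ -r /etc/docker/daemon.json ] && ! docker_iptables_disabled; then
        echo "warning: Docker manages iptables; published ports will bypass ufw" >&2
    fi
    ufw_plan "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
}

# Usage: sh ufw-setup.sh --apply 80 443   (ssh port is read from sshd_config)
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_plan "$(ssh_port_from_config)" "$@"
fi
```

Without --apply the script only defines the functions, so it can be sourced and each check run on a copy of the real file first; drop_icmp_echo in particular is worth running on a copy of before6.rules and diffing before touching the live file.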
Here is my game example, you can try it: