UBUNTU: UFW Installation and Configuration

  • Install:
sudo apt-get install gufw
  • Add the rules that allow port 44 (ssh) and ports 80 and 443 (web)
ufw allow 44/tcp
ufw allow 44/udp
ufw allow 80/tcp
ufw allow 80/udp
ufw allow 443/tcp
ufw allow 443/udp
  • Enable/disable logging
sudo ufw logging on
sudo ufw logging off
  • Set the default policy to deny everything
ufw default deny
  • Enable/disable UFW
ufw enable
ufw disable
  • Now we can list the rules
ufw status
ufw status numbered
ufw status verbose
  • RESULT:
Estado: activo

Hasta Acción Desde
----- ------ -----
[ 1] 44/tcp ALLOW IN Anywhere
[ 2] 44/udp ALLOW IN Anywhere
[ 3] 80/tcp ALLOW IN Anywhere
[ 4] 80/udp ALLOW IN Anywhere
[ 5] 443/tcp ALLOW IN Anywhere
[ 6] 443/udp ALLOW IN Anywhere
[ 7] 44/tcp (v6) ALLOW IN Anywhere (v6)
[ 8] 44/udp (v6) ALLOW IN Anywhere (v6)
[ 9] 80/tcp (v6) ALLOW IN Anywhere (v6)
[10] 80/udp (v6) ALLOW IN Anywhere (v6)
[11] 443/tcp (v6) ALLOW IN Anywhere (v6)
[12] 443/udp (v6) ALLOW IN Anywhere (v6)

COMMAND SUMMARY:

  • Enable/disable
ufw enable
ufw disable
  • Show status:
ufw status
ufw status numbered
ufw status verbose
  • Unblock an IP (find the rule number, then delete that rule)
ufw status numbered
ufw delete NUM
ufw delete 4
  • Remove the configuration and all rules
ufw reset
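The "unblock" workflow above (ufw status numbered, then ufw delete NUM) has one trap: ufw renumbers the remaining rules after every delete, so removing several rules by number has to go from the highest number downwards. The following script is an added example, not part of the original cheat sheet; it parses a constructed copy of the status output shown earlier, lists the matching rule numbers in that safe order and prints (without running) the corresponding delete commands.

```shell
#!/bin/sh
# Constructed sample of `ufw status numbered` output, mirroring the layout shown earlier on this page.
SAMPLE_STATUS='Estado: activo

Hasta Acción Desde
----- ------ -----
[ 1] 44/tcp ALLOW IN Anywhere
[ 2] 44/udp ALLOW IN Anywhere
[ 3] 80/tcp ALLOW IN Anywhere
[ 4] 80/udp ALLOW IN Anywhere
[ 5] 443/tcp ALLOW IN Anywhere
[ 6] 443/udp ALLOW IN Anywhere
[ 7] 44/tcp (v6) ALLOW IN Anywhere (v6)
[ 8] 44/udp (v6) ALLOW IN Anywhere (v6)
[ 9] 80/tcp (v6) ALLOW IN Anywhere (v6)
[10] 80/udp (v6) ALLOW IN Anywhere (v6)
[11] 443/tcp (v6) ALLOW IN Anywhere (v6)
[12] 443/udp (v6) ALLOW IN Anywhere (v6)'

# rule_numbers_for PORT[/PROTO]
# Reads `ufw status numbered` text on stdin and prints the numbers of the rules whose
# "To" column is that port (optionally restricted to one protocol), HIGHEST FIRST.
# ufw renumbers the remaining rules after each delete, so deleting from the highest
# number downwards keeps every later number valid.
rule_numbers_for() {
    awk -v want="$1" '
        /^\[ *[0-9]+]/ {
            num = $0; sub(/^\[ */, "", num); sub(/].*/, "", num)
            rest = $0; sub(/^\[ *[0-9]+] */, "", rest)
            split(rest, col, " ")              # col[1] is e.g. "80/udp"
            split(col[1], pp, "/")             # pp[1] is the bare port number
            if (col[1] == want || pp[1] == want) print num
        }' | sort -rn
}

# delete_commands_for PORT[/PROTO]
# Prints (does not run) the ufw commands that remove every matching rule, in a safe order.
# --force skips the interactive "Proceed with operation (y|n)?" prompt.
delete_commands_for() {
    printf '%s\n' "$SAMPLE_STATUS" | rule_numbers_for "$1" |
        while IFS= read -r n; do printf 'ufw --force delete %s\n' "$n"; done
}

delete_commands_for 80/udp
# After reviewing the output, it can be executed with: delete_commands_for 80/udp | sudo sh
```

Against a live system, replace the constructed sample with the real output of `sudo ufw status numbered`.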

RULE CREATION

  • Allow ports:
ufw allow {port}/{protocol}
ufw allow 22/tcp
  • Allow a service
ufw allow {service}
ufw allow ssh
  • Deny a service (outbound)
ufw deny out from any to any port {service}
ufw deny out from any to any port ssh
  • Allow an IP
ufw allow from {ip}
ufw allow from 192.168.1.5
  • Allow a subnet
ufw allow from {subnet}
ufw allow from 192.168.1.0/24
  • Allow an IP on a port and protocol
ufw allow from {ip} to any port {port} proto {protocol}
ufw allow from 192.168.0.4 to any port 22 proto tcp
  • Block an IP
ufw deny from {ip} to any
ufw deny from 192.168.1.5 to any
  • Block an IP, outbound only (OUT)
ufw deny out from any to {ip}
ufw deny out from any to 207.46.232.182
  • Block an IP on a port
ufw deny from {ip} to any port {port}
ufw deny from 202.54.1.5 to any port 80
  • Block an IP on a port and protocol
ufw deny proto {tcp|udp} from {ip} to any port {port}
ufw deny proto tcp from 202.54.1.1 to any port 22
  • Block a network
ufw deny proto tcp from {subnet} to any port 22
ufw deny proto tcp from 202.54.1.0/24 to any port 22
  • Disable PING (only the echo-request line controls ping replies; dropping destination-unreachable and time-exceeded as well, as shown below, also breaks path-MTU discovery and traceroute feedback)
nano /etc/ufw/before.rules
************************
Find:
************************
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
************************
REPLACE: ACCEPT WITH DROP
************************
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

ADDITIONAL COMMANDS

  • List the known services and their ports
less /etc/services
  • Show established connections and listening sockets
netstat -tua
netstat -tuan
netstat -plut
netstat -putona
netstat -lnp
  • Check whether a port is open
nmap -p 44 localhost
  • List the open ports
nmap -sT -O localhost
  • RESULT
Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-15 14:18 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00015s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
631/tcp open ipp
3306/tcp open mysql
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.8 - 4.9
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.39 seconds
  • To find out which program is responsible for a port
fuser -v 25/tcp
fuser -v 631/tcp