Ubuntu firewall management

by CITTA 2023. 2. 7.
  1. What is ufw?
  • ufw (Uncomplicated Firewall): Ubuntu's default host firewall front end, shipped since Ubuntu 8.04 LTS (not only since 18.04). It is a CLI that manages the kernel's netfilter firewall by generating iptables/ip6tables rules, so everything it does can be inspected with iptables.
## Enable ufw (disabled by default; enabling also makes it start at boot)
$ ufw enable

## Disable ufw
$ ufw disable

## Show status (add "verbose" to also see the default policies and logging level)
$ ufw status
Status: inactive

## Dump the raw iptables state. This is the whole netfilter ruleset, not only ufw's:
## the host below is a Kubernetes node running Weave Net and Docker, whose KUBE-*,
## WEAVE-* and DOCKER* chains sit in INPUT/FORWARD ahead of anything ufw adds.
## Traffic to Docker-published ports and Kubernetes services is DNAT'ed and forwarded
## rather than delivered to INPUT, so ufw's allow/deny rules do not filter it; on such
## hosts do not rely on `ufw deny` alone. ufw's own chains are absent here because the
## firewall is still inactive.
$ ufw show raw
IPV4 (raw):
Chain INPUT (policy ACCEPT 5 packets, 436 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   11975  2075326 KUBE-PROXY-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW /* kubernetes load balancer firewall */
  814690 133824307 KUBE-NODEPORTS  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes health check service ports */
   11975  2075326 KUBE-EXTERNAL-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW /* kubernetes externally-visible service portals */
  821641 135896207 KUBE-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 DROP       tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:6784 ADDRTYPE match src-type !LOCAL ! ctstate RELATED,ESTABLISHED /* Block non-local access to Weave Net control port */
    8411   706329 WEAVE-NPC-EGRESS  all  --  weave  *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      22     2660 WEAVE-NPC-EGRESS  all  --  weave  *       0.0.0.0/0            0.0.0.0/0            /* NOTE: this must go before '-j KUBE-FORWARD' */
      14     2880 WEAVE-NPC  all  --  *      weave   0.0.0.0/0            0.0.0.0/0            /* NOTE: this must go before '-j KUBE-FORWARD' */
       0        0 NFLOG      all  --  *      weave   0.0.0.0/0            0.0.0.0/0            state NEW nflog-group 86
       0        0 DROP       all  --  *      weave   0.0.0.0/0            0.0.0.0/0
       5      441 ACCEPT     all  --  weave  !weave  0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  *      weave   0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       0        0 KUBE-PROXY-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW /* kubernetes load balancer firewall */
       0        0 KUBE-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes forwarding rules */
       0        0 KUBE-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW /* kubernetes service portals */
       0        0 KUBE-EXTERNAL-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW /* kubernetes externally-visible service portals */
       0        0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       0        0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
...

## Inspect the rules file. Rules added with the ufw CLI are written here (IPv4; user6.rules
## holds the IPv6 copies). The RULES section is empty because nothing has been added yet.
## The ufw-user-limit chain is what `ufw limit` jumps to: it logs at most 3 times per
## minute and REJECTs the connection.
$ cat /etc/ufw/user.rules
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
COMMIT
  2. ufw usage examples
## Default policy: allow (applies to incoming; append "incoming" or "outgoing" to pick the direction)
$ ufw default allow

## Default policy: deny. "deny incoming" together with "allow outgoing" is the usual server baseline
$ ufw default deny

## Allow port 8080 (tcp and udp)
$ ufw allow 8080

## Allow tcp 8080 only
$ ufw allow 8080/tcp

## Allow udp 8080 only
$ ufw allow 8080/udp

## Deny port 22
$ ufw deny 22

## Delete a rule (remove the deny on 8080/tcp). "delete" takes the rule exactly as it was added
$ ufw delete deny 8080/tcp

## Allow the ssh service (the port is looked up in /etc/services)
$ ufw allow ssh

## Deny the ssh service
$ ufw deny ssh

## Allow everything from a specific IP address
$ ufw allow from 192.168.130.131

## Allow / deny a whole subnet (CIDR mask)
$ ufw allow from 192.168.130.0/24
$ ufw deny from 192.168.130.0/24

## Allow / deny a specific IP address to a specific port (add "proto tcp" to restrict the
## protocol; without it the rule matches tcp and udp). Rules are evaluated in the order
## they were added and the first match wins, so add specific rules before broad ones
$ ufw allow from 192.168.130.131 to any port 22
$ ufw deny from 192.168.130.131 to any port 22
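The commands above are building blocks; on a server they are normally applied as one ordered script with a default-deny inbound policy. The following shell script is an added example (not part of the original post): it prints the ufw commands for such a baseline and runs them only when APPLY=1, after checking that the SSH rule comes before `ufw enable`. The management subnet 192.168.130.0/24, the SSH and web ports, and the function names ufw_baseline_plan / ufw_baseline_check / ufw_baseline_apply are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: a "default deny inbound" ufw baseline
# for a host administered over SSH. The management subnet 192.168.130.0/24 and the
# web ports are assumptions for illustration; override them via the environment.
# Without APPLY=1 the script only prints the plan, so it is safe to run anywhere.

ADMIN_NET="${ADMIN_NET:-192.168.130.0/24}"   # assumed management subnet
SSH_PORT="${SSH_PORT:-22}"
WEB_PORTS="${WEB_PORTS:-80/tcp 443/tcp}"

# ufw_baseline_plan: print the ufw commands that make up the policy, in order.
ufw_baseline_plan() {
    echo "ufw --force reset"                 # start from a clean rule set (also disables ufw)
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # SSH only from the admin subnet, rate limited: `ufw limit` rejects a source
    # that opens 6 or more new connections within 30 seconds (the REJECT/LOG side
    # of this is the ufw-user-limit chain in /etc/ufw/user.rules).
    echo "ufw limit from $ADMIN_NET to any port $SSH_PORT proto tcp"
    for p in $WEB_PORTS; do
        echo "ufw allow $p"
    done
    echo "ufw logging low"
    echo "ufw --force enable"                # --force skips the interactive prompt
    echo "ufw status verbose"
}

# ufw_baseline_check: guard against the classic lockout. The SSH rule must be
# added before `ufw enable`; returns non-zero if the plan has it the other way.
ufw_baseline_check() {
    plan=$(ufw_baseline_plan)
    ssh_line=$(printf '%s\n' "$plan" | grep -n "port $SSH_PORT proto tcp" | cut -d: -f1)
    enable_line=$(printf '%s\n' "$plan" | grep -n "ufw --force enable" | cut -d: -f1)
    [ -n "$ssh_line" ] && [ -n "$enable_line" ] && [ "$ssh_line" -lt "$enable_line" ]
}

# ufw_baseline_apply: run the plan (needs root). Stops at the first failing command.
ufw_baseline_apply() {
    ufw_baseline_check || { echo "refusing to apply: SSH rule would not precede enable" >&2; return 1; }
    ufw_baseline_plan | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    ufw_baseline_apply
else
    ufw_baseline_plan
fi
```

Run it once without APPLY to review the plan, then `APPLY=1 sh baseline.sh` as root. `ufw limit` is a blunt per-source rate limit; it slows brute force but is not a substitute for key-only SSH authentication.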

## Allow / deny ping (inbound ping is allowed by default)
## ufw has no command-line switch for ping: ICMP is handled by the hand-written rules in
## /etc/ufw/before.rules (and before6.rules for ICMPv6), which run before the user rules.

## Allow ping (icmp): the stock before.rules already ACCEPTs echo-request
$ vi /etc/ufw/before.rules
...
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
...

## Deny ping (icmp): change only the echo-request line to DROP.
## Leave destination-unreachable, time-exceeded and parameter-problem on ACCEPT; dropping
## them breaks path-MTU discovery and traceroute without adding any security.
## The edit takes effect after a reload (ufw reload).
$ vi /etc/ufw/before.rules
...
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
...
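Editing before.rules by hand is easy to get wrong (touching the wrong line, or all four ICMP lines). The script below is an added example, not part of the original post: set_ping_policy rewrites only the inbound echo-request rule of a given rules file to ACCEPT or DROP, keeps a backup, and leaves the other ICMP types untouched; it edits the real /etc/ufw/before.rules and runs `ufw reload` only when APPLY=1. The function names, the APPLY and PING_ACTION variables and the .bak suffix are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: turn inbound ping off (or back on) by
# rewriting only the echo-request line of /etc/ufw/before.rules. The other ICMP
# types (destination-unreachable, time-exceeded, parameter-problem) stay on ACCEPT
# because path-MTU discovery and traceroute depend on them. The functions take the
# file path as an argument so they can be tried on a copy first; the real path is
# only used when APPLY=1.

RULES_FILE="${RULES_FILE:-/etc/ufw/before.rules}"

# ping_policy FILE: print the current action (ACCEPT/DROP) of the inbound echo-request rule.
ping_policy() {
    sed -n 's/^-A ufw-before-input -p icmp --icmp-type echo-request -j \([A-Z]*\).*/\1/p' "$1"
}

# count_icmp_accepts FILE: number of ufw-before-input ICMP rules that still ACCEPT.
count_icmp_accepts() {
    grep -c -- '^-A ufw-before-input -p icmp .* -j ACCEPT$' "$1" || true
}

# set_ping_policy FILE ACCEPT|DROP: rewrite only the inbound echo-request rule.
# Keeps a backup in FILE.bak and writes through the existing inode so the file's
# owner and mode are preserved.
set_ping_policy() {
    file="$1"; action="$2"
    case "$action" in
        ACCEPT|DROP) ;;
        *) echo "action must be ACCEPT or DROP, got '$action'" >&2; return 2 ;;
    esac
    [ -n "$(ping_policy "$file")" ] || { echo "no inbound echo-request rule in $file" >&2; return 1; }
    cp -p "$file" "$file.bak"
    sed "s/^\(-A ufw-before-input -p icmp --icmp-type echo-request -j \)[A-Z]*/\1$action/" "$file" > "$file.tmp" &&
        cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

if [ "${APPLY:-0}" = "1" ]; then
    # Real use, as root:  APPLY=1 PING_ACTION=DROP sh ping-policy.sh
    set_ping_policy "$RULES_FILE" "${PING_ACTION:-DROP}" && ufw reload
fi
```

Try it on a copy first (`cp /etc/ufw/before.rules /tmp/br && sh ping-policy.sh` then `ping_policy /tmp/br` after sourcing the script); IPv6 ping is a separate rule in /etc/ufw/before6.rules and is not touched by this script.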