Configuring ufw on Ubuntu 18.04 to harden the system

I. Installation:

sudo apt-get install ufw

Ubuntu usually ships with ufw already installed.

II. Viewing the ufw rules:

sudo ufw status

Output:

状态: 激活

至                          动作          来自
-                          --          --
20,21,22,80,888,8888/tcp   ALLOW       Anywhere                                  
666/tcp                    ALLOW       Anywhere                  
666/udp                    ALLOW       Anywhere                  
2333/tcp                   ALLOW       Anywhere                  
2333/udp                   ALLOW       Anywhere                  
20,21,22,80,888,8888/tcp (v6) ALLOW       Anywhere (v6)             
39000:40000/tcp (v6)       ALLOW       Anywhere (v6)             
888/tcp (v6)               ALLOW       Anywhere (v6)             
666/tcp (v6)               ALLOW       Anywhere (v6)             
666/udp (v6)               ALLOW       Anywhere (v6)             
2333/tcp (v6)              ALLOW       Anywhere (v6)             
2333/udp (v6)              ALLOW       Anywhere (v6)

III. Configuring ufw:

Because I only need to connect to the server over SSH and to reach Jupyter Notebook remotely, only ports 22 and 2333 need to stay open; every other port gets removed.

Show the ufw rules together with their rule numbers:

sudo ufw status numbered

Output:

状态: 激活

     至                          动作          来自
     -                          --          --
[ 1] 20,21,22,80,888,8888/tcp   ALLOW IN    Anywhere                  
[ 2] 666/tcp                    ALLOW IN    Anywhere                  
[ 3] 666/udp                    ALLOW IN    Anywhere                  
[ 4] 2333/tcp                   ALLOW IN    Anywhere                  
[ 5] 2333/udp                   ALLOW IN    Anywhere                  
[ 6] 20,21,22,80,888,8888/tcp (v6) ALLOW IN    Anywhere (v6)             
[ 7] 39000:40000/tcp (v6)       ALLOW IN    Anywhere (v6)             
[ 8] 888/tcp (v6)               ALLOW IN    Anywhere (v6)             
[ 9] 666/tcp (v6)               ALLOW IN    Anywhere (v6)             
[10] 666/udp (v6)               ALLOW IN    Anywhere (v6)             
[11] 2333/tcp (v6)              ALLOW IN    Anywhere (v6)             
[12] 2333/udp (v6)              ALLOW IN    Anywhere (v6)
  • Delete a rule by its number:
sudo ufw delete <rule-number>

Repeat until the list looks like this:

状态: 激活

     至                          动作          来自
     -                          --          --
[ 1] 20,21,22,80,888,8888/tcp   ALLOW IN    Anywhere                  
[ 2] 2333/tcp                   ALLOW IN    Anywhere                  
[ 3] 2333/udp                   ALLOW IN    Anywhere                  
[ 4] 2333/tcp (v6)              ALLOW IN    Anywhere (v6)             
[ 5] 2333/udp (v6)              ALLOW IN    Anywhere (v6)
  • Delete by rule specification:
sudo ufw delete allow <port>
  • A rule that lists several ports on one line cannot have a single port removed from it, so we first add a separate rule for port 22 and only then delete rule [1].

1. Add port 22

sudo ufw allow 22/tcp
sudo ufw status

Output:

状态: 激活

至                          动作          来自
-                          --          --
20,21,22,80,888,8888/tcp   ALLOW       Anywhere                  
2333/tcp                   ALLOW       Anywhere                  
2333/udp                   ALLOW       Anywhere                  
22/tcp                     ALLOW       Anywhere                  
2333/tcp (v6)              ALLOW       Anywhere (v6)             
2333/udp (v6)              ALLOW       Anywhere (v6)             
22/tcp (v6)                ALLOW       Anywhere (v6)

2. Delete rule [1]

sudo ufw delete 1

Check the current rules:

sudo ufw status

Output:

状态: 激活

至                          动作          来自
-                          --          --
2333/tcp                   ALLOW       Anywhere                  
2333/udp                   ALLOW       Anywhere                  
22/tcp                     ALLOW       Anywhere                  
2333/tcp (v6)              ALLOW       Anywhere (v6)             
2333/udp (v6)              ALLOW       Anywhere (v6)             
22/tcp (v6)                ALLOW       Anywhere (v6)

Configuration complete!

Notes:

  1. Because I am working on the server over an SSH connection, rule [1] cannot simply be deleted first; doing so would drop the connection.
  2. To reset all firewall rules, use sudo ufw reset
  3. All UFW rule files live under /etc/ufw/
  4. To open a range of ports, use sudo ufw allow 6000:6007/tcp
  5. By default, UFW allows all outgoing connections and denies all incoming connections
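As an added example (not part of the original post), the following Python script turns the clean-up procedure above into a pre-flight check: it parses the table printed by `sudo ufw status numbered`, decides which ALLOW rules open ports outside an allow list, and emits the `ufw delete` commands highest number first, because ufw renumbers the remaining rules after every deletion. It refuses to produce a plan that would leave port 22/tcp without a surviving IPv4 allow rule, which is exactly the lockout described in note 1. The two sample tables are constructed from the post's own output; the second one assumes that after `ufw allow 22/tcp` ufw appends the new IPv4 rule after the existing IPv4 rules and the IPv6 rule after the IPv6 rules, as the post's later output shows.

```python
"""Audit `ufw status numbered` output and plan rule deletions without
locking yourself out. Example code, not from the original post."""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# One row of `ufw status numbered`, e.g.
#   [ 6] 20,21,22,80,888,8888/tcp (v6) ALLOW IN    Anywhere (v6)
RULE_RE = re.compile(
    r"^\[\s*(?P<num>\d+)\]\s+(?P<to>\S+(?:\s\(v6\))?)\s+"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)(?:\s+(?P<direction>IN|OUT))?\s+(?P<src>.+)$"
)

@dataclass
class Rule:
    num: int
    ports: Set[str]   # normalised "port/proto" tokens, e.g. {"22/tcp"}
    v6: bool
    action: str
    src: str

def parse_to(to: str) -> Tuple[Set[str], bool]:
    """Expand the 'To' column into port/proto tokens; a bare port means tcp and udp."""
    v6 = to.endswith(" (v6)")
    spec = to[:-5] if v6 else to
    if "/" in spec:
        ports, proto = spec.rsplit("/", 1)
        protos = [proto]
    else:
        ports, protos = spec, ["tcp", "udp"]
    return {f"{p}/{pr}" for p in ports.split(",") for pr in protos}, v6

def parse_status(text: str) -> List[Rule]:
    """Keep only numbered rule rows; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            ports, v6 = parse_to(m["to"])
            rules.append(Rule(int(m["num"]), ports, v6, m["action"], m["src"].strip()))
    return rules

def plan_deletions(rules: List[Rule], keep: Set[str], admin_port: str = "22/tcp") -> List[int]:
    """Rule numbers to delete, highest first, so that only ALLOW rules whose
    ports are all in `keep` survive. A multi-port rule is deleted whole when
    any of its ports is outside `keep`, since ufw cannot strip one port from it.
    Raises if the plan would leave no IPv4 allow rule for `admin_port`."""
    doomed = {r.num for r in rules if r.action == "ALLOW" and not r.ports <= keep}
    survivors = [r for r in rules if r.num not in doomed]
    if not any(admin_port in r.ports and not r.v6 for r in survivors):
        raise ValueError(f"plan would remove the only IPv4 allow for {admin_port}; "
                         f"run 'sudo ufw allow {admin_port}' first")
    return sorted(doomed, reverse=True)

def delete_commands(rules: List[Rule], keep: Set[str], admin_port: str = "22/tcp") -> List[str]:
    return [f"sudo ufw delete {n}" for n in plan_deletions(rules, keep, admin_port)]

KEEP = {"22/tcp", "2333/tcp", "2333/udp"}

# Constructed sample: the post's `ufw status numbered` output before any change.
STATUS_BEFORE = """状态: 激活

     至                          动作          来自
     -                          --          --
[ 1] 20,21,22,80,888,8888/tcp   ALLOW IN    Anywhere
[ 2] 666/tcp                    ALLOW IN    Anywhere
[ 3] 666/udp                    ALLOW IN    Anywhere
[ 4] 2333/tcp                   ALLOW IN    Anywhere
[ 5] 2333/udp                   ALLOW IN    Anywhere
[ 6] 20,21,22,80,888,8888/tcp (v6) ALLOW IN    Anywhere (v6)
[ 7] 39000:40000/tcp (v6)       ALLOW IN    Anywhere (v6)
[ 8] 888/tcp (v6)               ALLOW IN    Anywhere (v6)
[ 9] 666/tcp (v6)               ALLOW IN    Anywhere (v6)
[10] 666/udp (v6)               ALLOW IN    Anywhere (v6)
[11] 2333/tcp (v6)              ALLOW IN    Anywhere (v6)
[12] 2333/udp (v6)              ALLOW IN    Anywhere (v6)
"""

# Constructed sample (assumption): the same table after `sudo ufw allow 22/tcp`.
STATUS_AFTER_ALLOW_22 = """[ 1] 20,21,22,80,888,8888/tcp   ALLOW IN    Anywhere
[ 2] 666/tcp                    ALLOW IN    Anywhere
[ 3] 666/udp                    ALLOW IN    Anywhere
[ 4] 2333/tcp                   ALLOW IN    Anywhere
[ 5] 2333/udp                   ALLOW IN    Anywhere
[ 6] 22/tcp                     ALLOW IN    Anywhere
[ 7] 20,21,22,80,888,8888/tcp (v6) ALLOW IN    Anywhere (v6)
[ 8] 39000:40000/tcp (v6)       ALLOW IN    Anywhere (v6)
[ 9] 888/tcp (v6)               ALLOW IN    Anywhere (v6)
[10] 666/tcp (v6)               ALLOW IN    Anywhere (v6)
[11] 666/udp (v6)               ALLOW IN    Anywhere (v6)
[12] 2333/tcp (v6)              ALLOW IN    Anywhere (v6)
[13] 2333/udp (v6)              ALLOW IN    Anywhere (v6)
[14] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
"""

if __name__ == "__main__":
    try:
        plan_deletions(parse_status(STATUS_BEFORE), KEEP)
    except ValueError as err:
        print("refused:", err)
    for cmd in delete_commands(parse_status(STATUS_AFTER_ALLOW_22), KEEP):
        print(cmd)
```

On a live host, feed the script the real table (`sudo ufw status numbered`) instead of the constructed samples and review the printed commands before running them; deleting from the highest number downward means each printed number is still valid when its turn comes.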