How do I set up ufw to restrict access to allow only Linode's DNS servers and mirrors and one specific web server?
I have two Linodes, "Server" and "Client". I want to set up ufw rules for Client to:
- be able to browse "Server" and no other addresses
- only perform DNS lookups from Linode's resolvers
- only access Linode's mirrors to update software
I am running Debian 9.
UFW versus iptables
UFW is a simple front end to generate iptables firewall rules. For the complexity you are requesting, you will need to use iptables directly. Here is a script that you can use as an example (I have not tested it). It basically:
- Cleans out your old rules
- Sets default policies to drop
- Defines the server values for easy modification
- Sets up the most specific rules first
You will need to run this from the LISH Console, as it will block your SSH connection and that connection will drop.
You will also need to set this up to run at boot time.
The following article explains how to do that:
- https://www.cyberciti.biz/tips/how-do-i-run-firewall-script-as-soon-as-eth0-interface-brings-up.html
NOTE: if you follow their instructions, you will need to disable your network helper in your configuration profile as your changes will get overwritten on boot.
For more information see:
#!/bin/bash
# flush the old rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Define the server we want to be able to browse
SERVER="192.0.0.4"
MIRRORS="66.228.63.118 69.164.223.40 96.126.99.121 04.200.23.162"
RESOLVERS="173.255.244.5 173.230.145.5 173.230.147.5 173.230.155.5 173.255.212.5 173.255.219.5 173.255.241.5 173.255.243.5 74.207.241.5 74.207.242.5"
# accept connections back in that we have established
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# local processes sometimes need to send messages to each other using the loopback interface
iptables -A INPUT -i lo -m comment --comment "Allow incoming loopback connections" -j ACCEPT
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -m comment --comment "Do not allow interfaces other than the loop back to use 127.0.0.0/8" -j REJECT
iptables -A OUTPUT -o lo -m comment --comment "Allow outgoing loopback connections" -j ACCEPT
# leave this rule out if you do not want to be able to ping your server
iptables -A INPUT -p icmp -m comment --comment "Allow other servers to ping us as expected" -j ACCEPT
iptables -A OUTPUT -p icmp -m comment --comment "Allow us to ping other servers" -j ACCEPT
# Run through the list of resolvers and setup rules for each
for RESOLVER_IP in $RESOLVERS
do
iptables -A OUTPUT -p tcp -d $RESOLVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -d $RESOLVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
done
# likewise, setup rules for each mirror
for MIRROR_IP in $MIRRORS
do
iptables -A OUTPUT -p tcp -d "$MIRROR_IP" --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
done
iptables -A OUTPUT -p tcp -d "$SERVER" --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
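As an added example (not part of the reply above, and not tested by its author), here is the same policy expressed as an iptables-restore ruleset, which also answers the "run at boot" point: loading it with iptables-restore applies the whole filter table in one commit, and the iptables-persistent package on Debian 9 reloads /etc/iptables/rules.v4 at boot. The address lists are constructed placeholders; the valid_ipv4 check is included so a mistyped address is caught before it becomes a rule.

```shell
#!/bin/sh
# Added example, not from the original post: the same policy written as an
# iptables-restore ruleset. `iptables-restore < rules.v4` commits the whole
# table at once, and saving the output as /etc/iptables/rules.v4 lets the
# iptables-persistent package reload it at boot on Debian 9.
# The address lists below are constructed placeholders; use your own.
SERVER="192.0.0.4"
MIRRORS="66.228.63.118 69.164.223.40"
RESOLVERS="173.255.244.5 173.230.145.5"

# valid_ipv4 accepts only a dotted-quad with four octets in 0-255 and no
# leading zeros, so a mistyped entry is rejected before it is turned into
# a rule that silently matches the wrong host or nothing at all.
valid_ipv4() {
    case "$1" in *[!0-9.]*|.*|*.|*..*|"") return 1 ;; esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0) ;; 0*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# gen_rules prints the filter table in iptables-restore format. The DROP
# policies sit in the chain headers and the most specific rules follow,
# mirroring the order of the script in the reply.
gen_rules() {
    for ip in $SERVER $MIRRORS $RESOLVERS; do
        valid_ipv4 "$ip" || { printf 'gen_rules: bad address %s\n' "$ip" >&2; return 1; }
    done
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT' '-A OUTPUT -p icmp -j ACCEPT'
    for ip in $RESOLVERS; do
        printf '%s\n' "-A OUTPUT -p tcp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT"
        printf '%s\n' "-A OUTPUT -p udp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
    for ip in $MIRRORS; do
        printf '%s\n' "-A OUTPUT -p tcp -d $ip --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
    printf '%s\n' "-A OUTPUT -p tcp -d $SERVER --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Usage (from the LISH console, as in the reply):
#   gen_rules > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
```

Because the default policies are part of the committed table, a typo in any address aborts before anything is loaded, rather than leaving the box half-configured.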