ShopingServer Wiki, Tutorials and Articles About Technology and Gadgets (https://wiki.shopingserver.com). Feed retrieved Wed, 02 Sep 2020 02:37:14 +0000.

Ubuntu: Start / Stop / Restart Iptables Firewall Service
https://wiki.shopingserver.com/ubuntu-stat-stop-restart-iptables-firewall-service/ (Sat, 06 Jan 2018 09:23:32 +0000)

I am a new Ubuntu Linux version 12.04 LTS user. How do I stop or start the iptables based firewall service on Ubuntu Linux using bash command line options?

 

You can type the following commands to start / stop the firewall service on an Ubuntu based server or desktop.

a] ufw command – This command is used for managing a Linux firewall and aims to provide an easy to use interface for the user.

b] iptables command – This command is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel.

Find status of firewall

Log in as root, either by opening the Terminal or over an ssh session, and type the following command:

$ sudo ufw status

 

Sample outputs:

Status: inactive

Ubuntu stop iptables service command

Type the following command to unload the firewall and disable it on boot:

$ sudo ufw disable

Ubuntu start iptables service command

Type the following command to reload the firewall and enable it on boot:

$ sudo ufw enable

Ubuntu reload / restart iptables service command

Type the following command to reload the firewall:

$ sudo ufw reload

Alternative method to enable/disable firewall on Ubuntu and other Linux distros

If you are not using ufw command and/or ufw is not installed, try the following generic methods:

Get IPv4 iptables status

$ sudo iptables -L -n -v

Get IPv6 ip6tables status

$ sudo ip6tables -L -n -v

Save IPv4 iptables firewall

Use the iptables-save command to save current firewall rules:

$ sudo iptables-save > $HOME/firewall.txt

Save IPv6 ip6tables firewall

$ sudo ip6tables-save > $HOME/firewall-6.txt

Restore IPv4 iptables firewall

Use the iptables-restore command to restore firewall rules:

$ sudo iptables-restore < $HOME/firewall.txt

Restore IPv6 ip6tables firewall

$ sudo ip6tables-restore < $HOME/firewall-6.txt

Putting it all together

To stop the IPv4 iptables firewall, save the current rules, flush and delete every chain in the filter, nat and mangle tables, and set the built-in chain policies to ACCEPT. Flush with -F before deleting chains with -X: a user-defined chain cannot be deleted while a rule still refers to it, so without the filter-table flush the ufw chains stay in place. Enter:

sudo iptables-save > $HOME/firewall.txt

sudo iptables -F

sudo iptables -X

sudo iptables -t nat -F

sudo iptables -t nat -X

sudo iptables -t mangle -F

sudo iptables -t mangle -X

sudo iptables -P INPUT ACCEPT

sudo iptables -P FORWARD ACCEPT

sudo iptables -P OUTPUT ACCEPT

To stop the IPv6 ip6tables firewall, enter:

sudo ip6tables-save > $HOME/firewall-6.txt

sudo ip6tables -F

sudo ip6tables -X

sudo ip6tables -t mangle -F

sudo ip6tables -t mangle -X

sudo ip6tables -P INPUT ACCEPT

sudo ip6tables -P FORWARD ACCEPT

sudo ip6tables -P OUTPUT ACCEPT

Where,

-F : Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.

-X : Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted.

-P chainNameHere ACCEPT : Set the policy for the chain to the given target.

-L : List rules.

-v : Verbose output.

-n : Numeric output. IP addresses and port numbers will be printed in numeric format.
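The save / flush / delete / policy sequence from "Putting it all together", as an added example written for this page (not code from the original article): the steps are wrapped in functions so they always run in the right order, and a third function reads an iptables-save dump and reports whether the rule set is really wide open. Function names, backup paths and the three sample dumps are assumptions; open_all_tables and restore_tables change the live firewall and need root.

```shell
#!/bin/sh
# Added example (not from the article): the save / flush / delete / policy
# sequence as functions, plus a check that reads an iptables-save dump and
# reports whether the rule set is really wide open.  Function names, backup
# paths and the sample dumps below are assumptions; open_all_tables and
# restore_tables change the live firewall and need root.

# open_all_tables CMD BACKUP [TABLES]: CMD is iptables or ip6tables.  Saves the
# live rule set to BACKUP, then for each table flushes the rules (-F) and only
# then deletes user-defined chains (-X): a chain cannot be removed while a
# rule still jumps to it.  Finally sets the built-in filter policies to ACCEPT.
open_all_tables() {
    cmd="$1"; backup="$2"; tables="${3:-filter nat mangle}"
    "${cmd}-save" > "$backup" || return 1
    for table in $tables; do
        "$cmd" -t "$table" -F || return 1
        "$cmd" -t "$table" -X || return 1
    done
    for chain in INPUT FORWARD OUTPUT; do
        "$cmd" -P "$chain" ACCEPT || return 1
    done
}

# restore_tables CMD BACKUP: put the saved rule set back (the "start" step).
restore_tables() {
    "${1}-restore" < "$2"
}

# firewall_state: reads an iptables-save dump on stdin.  Prints "open" when
# every built-in chain has policy ACCEPT and no table holds a single -A rule,
# otherwise "filtering".  Run as:  iptables-save | firewall_state
firewall_state() {
    awk '
        /^:(INPUT|FORWARD|OUTPUT|PREROUTING|POSTROUTING) / { if ($2 != "ACCEPT") blocked = 1 }
        /^-A / { rules++ }
        END { if (blocked || rules) print "filtering"; else print "open" }
    '
}

# Constructed sample dumps (not captured from a real host).
# 1. What you should see after open_all_tables has run.
OPEN_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# 2. A ufw-managed host: DROP policies and a jump into a ufw chain.
UFW_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ufw-before-input - [0:0]
-A INPUT -j ufw-before-input
-A ufw-before-input -i lo -j ACCEPT
COMMIT'

# 3. Policies reset but rules never flushed (for example -X run without -F,
# which fails while INPUT still jumps to the chain): packets still hit the
# leftover rules, so this is not "open".
HALF_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ufw-before-input - [0:0]
-A INPUT -j ufw-before-input
COMMIT'
```

On a real host, `sudo iptables-save | firewall_state` after `open_all_tables iptables "$HOME/firewall.txt"` should print `open`; for IPv6 pass `ip6tables` and, as the article does, only `"filter mangle"` as the table list. Run `firewall_state` again after `restore_tables` to confirm the rules came back.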

Recommended readings

Debian / Ubuntu Linux: Install and Configure Shoreline Firewall (Shorewall)

Man pages, IPv4 firewall: iptables(8), ufw(8), iptables-save(8), iptables-restore(8)

Man pages, IPv6 firewall: ip6tables(8)

 

 

How To: Ubuntu Linux Firewall Open Port Command
https://wiki.shopingserver.com/ubuntu-linux-firewall-open-port-command/ (Fri, 05 Jan 2018 14:53:37 +0000)

How do I open port 80 and 443 on a Ubuntu Linux LTS version 14.04 server?

 

Ubuntu Linux server comes with a firewall configuration tool called ufw (Uncomplicated Firewall); it is the default tool. ufw makes it easy to configure host based firewall settings: it manages the Linux (iptables) firewall and aims to provide an easy to use interface for the user. For example:

You can open/close ports.

Block an IPv4/IPv6 address.

Delete existing firewall rules.

Turn on or off firewall logs.

And more.

How do I see the current status of my firewall?

Type the following command:

sudo ufw status verbose

 

Sample outputs:

Fig.01: Check the status of UFW on a Ubuntu Linux

How do I open tcp port # 22?

To allow incoming tcp packets on port 22, enter:

sudo ufw allow 22/tcp

 

Verify it:

sudo ufw status verbose

How do I open tcp port # 80 and 443?

The service specific syntax is as follows to open http and https service ports:

sudo ufw allow http

sudo ufw allow https

 

OR

sudo ufw allow 80/tcp

sudo ufw allow 443/tcp

How do I open tcp and udp port # 53?

To allow incoming tcp and udp packets on port 53, enter:

sudo ufw allow 53

 

Verify it:

sudo ufw status verbose

Advanced examples

To allow IP address 192.168.1.10 to access port 22 for all protocols, enter:

sudo ufw allow from 192.168.1.10 to any port 22

 

To open port 443 on 74.86.26.69 (an SSL/TLS web server such as nginx, Apache or lighttpd) to everyone, enter:

sudo ufw allow from any to 74.86.26.69 port 443 proto tcp

 

To allow subnet 192.168.1.0/24 to reach the Samba services, enter:

sudo ufw allow from 192.168.1.0/24 to any app Samba

 

You can find service info as follows:

sudo ufw app list

 

Sample outputs:

Available applications:

Nginx Full

Nginx HTTP

Nginx HTTPS

Squid

To get information on the Squid profile/app, run:

sudo ufw app info Squid

 

Sample outputs:

Profile: Squid

Title: Squid proxy cache

Description: Internet object cache (WWW proxy cache)

 

Ports:

2048,3128,3130,3401,4827/tcp

See the ufw command man page for more info.

This entry is 6 of 6 in the Uncomplicated Firewall (UFW) series. Keep reading the rest of the series:

How to install UFW firewall on Ubuntu 16.04 LTS server

How to open ssh port using ufw on Ubuntu/Debian Linux

How to configure ufw to forward port 80/443 to internal server hosted on LAN

How to block an IP address with ufw on Ubuntu Linux server

How to limit SSH (TCP port 22) connections with ufw on Ubuntu Linux

How To: Ubuntu Linux Firewall Open Port Command Using UFW

 

 

How to list all iptables rules with line numbers on Linux
https://wiki.shopingserver.com/list-iptables-rules-line-numbers-linux/ (Fri, 05 Jan 2018 12:29:46 +0000)

I recently added NAT rules on my RHEL 6.x system. How do I see the rules, including line numbers, that I just added in Linux?

 

Yes, you can easily view your rules using the following commands on Linux:

iptables command – IPv4 netfilter admin tool.

ip6tables command – IPv6 netfilter admin tool.

Viewing all iptables rules in Linux

The syntax is:

iptables --list

iptables -L

iptables --table NameHere --list

iptables -t NameHere -L -n -v --line-numbers

Examples

Type the following command as root user:

# iptables -L

Sample outputs:

target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere
ufw-track-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
ufw-reject-output  all  --  anywhere             anywhere
ufw-track-output  all  --  anywhere             anywhere
...

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK]"
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination

HOW TO SEE NAT RULES:

By default the filter table is used. To see NAT rules, enter:

# iptables -t nat -L

 

Other table options:

# iptables -t filter -L

# iptables -t raw -L

# iptables -t security -L

# iptables -t mangle -L

# iptables -t nat -L

HOW TO SEE NAT RULES WITH LINE NUMBERS:

Pass the --line-numbers option:

# iptables -t nat -L --line-numbers -n

 

Sample outputs:

Chain PREROUTING (policy ACCEPT 28M packets, 1661M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       tcp  --  eth0   *       10.10.29.68          0.0.0.0/0            tcp dpt:3306 to:10.0.3.19:3306
2        0     0 DNAT       tcp  --  eth0   *       10.10.29.68          0.0.0.0/0            tcp dpt:11211 to:10.0.3.20:11211
3        0     0 DNAT       udp  --  eth0   *       10.10.29.68          0.0.0.0/0            udp dpt:11211 to:10.0.3.20:11211

Chain INPUT (policy ACCEPT 18M packets, 1030M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 23M packets, 1408M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 33M packets, 1979M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    38927 2336K MASQUERADE  all  --  *      *       10.0.3.0/24         !10.0.3.0/24
2        0     0 MASQUERADE  all  --  *      *       10.0.3.0/24         !10.0.3.0/24

HOW TO SEE NAT RULES WITH COUNTERS (BYTES AND PACKETS)

Pass the -v option to iptables command:

# iptables -t nat -L -n -v

 

Sample outputs:

Fig.01: Linux viewing all iptables NAT, DNAT, MASQUERADE rules

Say hello to ip6tables

ip6tables is the administration tool for IPv6 packet filtering and NAT. To see the IPv6 tables, enter:

# ip6tables -L -n -v

 

Chain INPUT (policy DROP 239 packets, 16202 bytes)

pkts bytes target     prot opt in     out     source               destination

136K   30M ufw6-before-logging-input  all      *      *       ::/0                 ::/0

136K   30M ufw6-before-input  all      *      *       ::/0                 ::/0

241 16360 ufw6-after-input  all      *      *       ::/0                 ::/0

239 16202 ufw6-after-logging-input  all      *      *       ::/0                 ::/0

239 16202 ufw6-reject-input  all      *      *       ::/0                 ::/0

239 16202 ufw6-track-input  all      *      *       ::/0                 ::/0

 

Chain FORWARD (policy DROP 483 packets, 32628 bytes)

pkts bytes target     prot opt in     out     source               destination

483 32628 ufw6-before-logging-forward  all      *      *       ::/0                 ::/0

483 32628 ufw6-before-forward  all      *      *       ::/0                 ::/0

483 32628 ufw6-after-forward  all      *      *       ::/0                 ::/0

483 32628 ufw6-after-logging-forward  all      *      *       ::/0                 ::/0

483 32628 ufw6-reject-forward  all      *      *       ::/0                 ::/0

483 32628 ufw6-track-forward  all      *      *       ::/0                 ::/0

 

Chain OUTPUT (policy ACCEPT 122 packets, 8555 bytes)

pkts bytes target     prot opt in     out     source               destination

136K   30M ufw6-before-logging-output  all      *      *       ::/0                 ::/0

136K   30M ufw6-before-output  all      *      *       ::/0                 ::/0

183 14107 ufw6-after-output  all      *      *       ::/0                 ::/0

183 14107 ufw6-after-logging-output  all      *      *       ::/0                 ::/0

183 14107 ufw6-reject-output  all      *      *       ::/0                 ::/0

183 14107 ufw6-track-output  all      *      *       ::/0                 ::/0

 

Chain ufw6-after-forward (1 references)

pkts bytes target     prot opt in     out     source               destination

 

...

pkts bytes target     prot opt in     out     source               destination

19  1520 ACCEPT     tcp      *      *       ::/0                 ::/0                 ctstate NEW

42  4032 ACCEPT     udp      *      *       ::/0                 ::/0                 ctstate NEW

 

Chain ufw6-user-forward (1 references)

pkts bytes target     prot opt in     out     source               destination

 

Chain ufw6-user-input (1 references)

pkts bytes target     prot opt in     out     source               destination

 

Chain ufw6-user-limit (0 references)

pkts bytes target     prot opt in     out     source               destination

0     0 LOG        all      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK]"

0     0 REJECT     all      *      *       ::/0                 ::/0                 reject-with icmp6-port-unreachable

 

Chain ufw6-user-limit-accept (0 references)

pkts bytes target     prot opt in     out     source               destination

0     0 ACCEPT     all      *      *       ::/0                 ::/0

 

Chain ufw6-user-logging-forward (0 references)

pkts bytes target     prot opt in     out     source               destination

 

Chain ufw6-user-logging-input (0 references)

pkts bytes target     prot opt in     out     source               destination

 

Chain ufw6-user-logging-output (0 references)

pkts bytes target     prot opt in     out     source               destination

 

Chain ufw6-user-output (1 references)

pkts bytes target     prot opt in     out     source               destination

 

To see nat rules and line-numbers, enter:

# ip6tables -L -n -v -t nat --line-numbers
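An added example, not from the original article: the numbers that --line-numbers prints are simply each rule's 1-based position in its chain, and the same numbers are what "iptables -D CHAIN N" deletes. The functions below recover those numbers from an iptables-save dump, which lists rules in kernel order with every match spelled out, and flag rules that repeat an earlier one (such as the two identical MASQUERADE entries in the POSTROUTING listing above, the usual leftover of a NAT script run twice). The dump is constructed from the article's listing, not captured live; function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): maps the numbers printed by
# "iptables -L --line-numbers" back to the exact rule text, working on the
# iptables-save(8) format rather than on -L output.  SAMPLE_NAT is constructed
# from the article's NAT listing; function names are assumptions.

SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 10.10.29.68/32 -i eth0 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 10.0.3.19:3306
-A PREROUTING -s 10.10.29.68/32 -i eth0 -p tcp -m tcp --dport 11211 -j DNAT --to-destination 10.0.3.20:11211
-A PREROUTING -s 10.10.29.68/32 -i eth0 -p udp -m udp --dport 11211 -j DNAT --to-destination 10.0.3.20:11211
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
COMMIT'

# numbered_rules CHAIN: read a dump on stdin, print "N<TAB>rule" for each rule
# appended to CHAIN.  N is the number -L --line-numbers shows for that rule,
# and the number "-D CHAIN N" removes.
numbered_rules() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            n++
            print n "\t" substr($0, length("-A " chain) + 2)
        }'
}

# duplicate_rule_numbers CHAIN: print the number of every rule in CHAIN whose
# text is identical to an earlier rule, i.e. the ones safe to delete first.
duplicate_rule_numbers() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            n++
            spec = substr($0, length("-A " chain) + 2)
            if (spec in seen) print n; else seen[spec] = n
        }'
}

# live_numbered_rules TABLE CHAIN: the same against the running kernel (root).
live_numbered_rules() {
    iptables-save -t "$1" | numbered_rules "$2"
}
```

On a real host run `sudo iptables-save -t nat | numbered_rules POSTROUTING` (or `live_numbered_rules nat POSTROUTING`). Delete one rule at a time and re-list between deletions: after `iptables -t nat -D POSTROUTING 2` the rule that was number 3 becomes number 2.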

 

 

How To Setup OpenVPN Server In 5 Minutes on Ubuntu Server
https://wiki.shopingserver.com/setup-openvpn-server-5-minutes-ubuntu-server/ (Thu, 04 Jan 2018 08:27:21 +0000)

I am a new Ubuntu Linux server user. How do I set up an OpenVPN Server on an Ubuntu Linux version 14.04 or 16.04 LTS server to shield my browsing activity from bad guys on public Wi-Fi, and more?

 

OpenVPN is a full-featured SSL VPN (virtual private network). It implements an OSI layer 2 or 3 secure network extension using the SSL/TLS protocol. It is open source software distributed under the GNU GPL. A VPN lets you connect securely across an insecure public network such as the Wi-Fi at an airport or hotel. A VPN is also required to reach your corporate, enterprise or home server resources. You can bypass geo-blocked sites and increase your privacy and safety online.

This tutorial provides step-by-step instructions for configuring an OpenVPN “road warrior” server on Ubuntu Linux v14.04/16.04 LTS version including ufw/iptables firewall configuration. The steps are as follows:

Find and note down your public IP address

Download openvpn-install.sh script

Run openvpn-install.sh to install OpenVPN server

Connect to the OpenVPN server using an iOS/Android/Linux/Windows client

Verify your connectivity

Find your public IP address

Use any one of the following commands to find your public IPv4 address. If your interface name is eth0 or eth1, enter:

$ ip addr show eth0

 

OR

$ ip addr show eth1

 

Or use the host command or dig command as follows:

$ host myip.opendns.com resolver1.opendns.com

 

OR

$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com

 

Sample outputs:

Fig.01: Find out your public IPv4 address using the CLI

 

Note down the public IP address, 139.59.1.155 in this example; it is the public IP address of your OpenVPN server.

Download openvpn-install.sh script

Type the following command:

$ wget https://git.io/vpn -O openvpn-install.sh

 

Sample outputs:

--2016-06-27 07:30:25--  https://git.io/vpn
Resolving git.io (git.io)... 23.23.173.104, 54.243.161.116, 23.23.111.66
Connecting to git.io (git.io)|23.23.173.104|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2016-06-27 07:30:26--  https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.github.com (raw.github.com)... 151.101.100.133
Connecting to raw.github.com (raw.github.com)|151.101.100.133|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2016-06-27 07:30:27--  https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.100.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.100.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13340 (13K) [text/plain]
Saving to: 'openvpn-install.sh'

openvpn-install.sh            100%[==============================================>]  13.03K  80.9KB/s    in 0.2s

2016-06-27 07:30:28 (80.9 KB/s) - 'openvpn-install.sh' saved [13340/13340]

Run openvpn-install.sh to install OpenVPN server

Type the following command:

$ sudo bash openvpn-install.sh

 

When prompted, set the IP address to 139.59.1.155 and the port to 1194. Use Google or OpenDNS DNS servers with the VPN. Next, type a client name (such as iPhone, Nexus6, LinuxRouter, etc.). Finally, press the [Enter] key to install and set up OpenVPN on your system:

Fig.02: Setting up OpenVPN server on an Ubuntu Linux server v16.04 LTS

 

The script will now generate keys, DH parameters and more, as follows:

Okay, that was all I needed. We are ready to setup your OpenVPN server now
Press any key to continue...
Get:1 http://security.ubuntu.com
...
--2016-06-27 17:10:38--  https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz
Resolving github.com (github.com)... 192.30.252.120
Connecting to github.com (github.com)|192.30.252.120|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-cloud.s3.amazonaws.com/releases/4519663/9dab10e8-7b6a-11e5-91af-0660987e9192.tgz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ%2F20160627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20160627T114040Z&X-Amz-Expires=300&X-Amz-Signature=717ae4f606d1999b4c7c164ae06d163c494197f04aafffa9f760a8e0bf136136&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.0.1.tgz&response-content-type=application%2Foctet-stream [following]
--2016-06-27 17:10:40--  https://github-cloud.s3.amazonaws.com/releases/4519663/9dab10e8-7b6a-11e5-91af-0660987e9192.tgz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ%2F20160627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20160627T114040Z&X-Amz-Expires=300&X-Amz-Signature=717ae4f606d1999b4c7c164ae06d163c494197f04aafffa9f760a8e0bf136136&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.0.1.tgz&response-content-type=application%2Foctet-stream
Resolving github-cloud.s3.amazonaws.com (github-cloud.s3.amazonaws.com)... 54.231.72.3
Connecting to github-cloud.s3.amazonaws.com (github-cloud.s3.amazonaws.com)|54.231.72.3|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 40960 (40K) [application/octet-stream]
Saving to: '/root/EasyRSA-3.0.1.tgz'

/root/EasyRSA-3.0.1.tgz       100%[================================================>]  40.00K  38.8KB/s   in 1.0s

2016-06-27 17:10:43 (38.8 KB/s) - '/root/EasyRSA-3.0.1.tgz' saved [40960/40960]

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
Generating a 2048 bit RSA private key
........+++
.............................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/ca.key.BjRh5frdDd'

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
....+.....+.....................................................+..........................................
..
...........................................+........................+...........+.....................+...++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

Generating a 2048 bit RSA private key
........................................................................+++
..................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.9ieuluTC2R'

Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Jun 25 11:55:48 2026 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Generating a 2048 bit RSA private key
.........+++
.........+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/iphone.key.lokNfOiobc'

Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'iphone'
Certificate is to be certified until Jun 25 11:55:48 2026 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

244

Looks like your server is behind a NAT!

If your server is NATed (e.g. LowEndSpirit), I need to know the external IP
If that's not the case, just ignore this and leave the next field blank
External IP:

That is all. Your OpenVPN server has been configured and is ready to use. You can see the firewall rules the script added in the /etc/rc.local file:

$ cat /etc/rc.local

 

Sample outputs:

iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT

iptables -I INPUT -p udp --dport 1194 -j ACCEPT

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 139.59.1.155

You can view the OpenVPN server config file generated by the script as follows (do not edit this file by hand):

$ sudo more /etc/openvpn/server.conf

$ sudo vi /etc/openvpn/server.conf

 

Sample outputs:

port 1194

proto udp

dev tun

sndbuf 0

rcvbuf 0

ca ca.crt

cert server.crt

key server.key

dh dh.pem

tls-auth ta.key 0

topology subnet

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 8.8.8.8"

push "dhcp-option DNS 8.8.4.4"

keepalive 10 120

cipher AES-128-CBC

comp-lzo

user nobody

group nogroup

persist-key

persist-tun

status openvpn-status.log

verb 3

crl-verify crl.pem
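The server.conf above is generated for you, but it is worth reading before handing out client files. The following added example (not part of the article or of the openvpn-install script) reads an OpenVPN server config from standard input and reports which of the hardening-related options visible above are present: tls-auth, crl-verify (which is what makes the script's "revoke" option take effect), the user/group/persist-* privilege drop, and it flags comp-lzo, which current OpenVPN releases deprecate, and a non-AEAD cipher. The embedded sample is a constructed copy of the config above; the function names and the /etc/openvpn/server.conf default path are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or the openvpn-install project): reads an
# OpenVPN server config on stdin and reports which hardening-related options
# are present.  Function names are assumptions; SAMPLE_CONF is a constructed
# copy of the config shown in the article.

SAMPLE_CONF='port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem'

# conf_value OPTION: print the first value given for OPTION (empty if absent).
# Lines starting with # or ; are comments in openvpn(8) and are skipped.
conf_value() {
    awk -v opt="$1" '$1 !~ /^[#;]/ && $1 == opt { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# conf_has OPTION: exit 0 if OPTION appears uncommented, 1 otherwise.
conf_has() {
    awk -v opt="$1" '$1 !~ /^[#;]/ && $1 == opt { found = 1; exit } END { exit !found }'
}

# audit_conf: read a config on stdin and print one "ok ..." or "warn ..." line
# per check.  tls-auth keeps packets without the shared HMAC key off the TLS
# stack, crl-verify makes certificate revocation take effect, and
# user/group/persist-* drop root after start-up.
audit_conf() {
    conf=$(cat)
    for opt in tls-auth crl-verify user group persist-key persist-tun; do
        if printf '%s\n' "$conf" | conf_has "$opt"; then
            echo "ok $opt"
        else
            echo "warn $opt is missing"
        fi
    done
    # Compression is deprecated in current OpenVPN releases; remove it from the
    # server and from every client file together, or the two sides disagree.
    if printf '%s\n' "$conf" | conf_has comp-lzo; then
        echo "warn comp-lzo is set (deprecated); remove it on server and clients"
    else
        echo "ok no compression"
    fi
    cipher=$(printf '%s\n' "$conf" | conf_value cipher)
    case "$cipher" in
        *-GCM) echo "ok cipher $cipher" ;;
        *)     echo "warn cipher $cipher is not an AEAD mode; prefer AES-256-GCM when clients support it" ;;
    esac
}

# audit_file [PATH]: convenience wrapper for the live config (read needs root).
audit_file() {
    audit_conf < "${1:-/etc/openvpn/server.conf}"
}
```

Run `sudo sh -c '. ./audit.sh; audit_file'` (or pipe `sudo cat /etc/openvpn/server.conf | audit_conf`) on the server; for the config shown above the output is all "ok" except the two "warn" lines for comp-lzo and the CBC cipher. Change cipher and compression on the server and in every .ovpn file at the same time, otherwise existing clients stop connecting.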

How do I start/stop/restart OpenVPN server on Ubuntu Linux 16.04 LTS?

Type the following command to stop the OpenVPN service:

$ sudo systemctl stop openvpn@server

Type the following command to start the OpenVPN service:

$ sudo systemctl start openvpn@server

Type the following command to restart the OpenVPN service:

$ sudo systemctl restart openvpn@server

How do I start/stop/restart OpenVPN server on Ubuntu Linux 14.04 LTS?

Type the following command to stop the OpenVPN service:

$ sudo /etc/init.d/openvpn stop

Type the following command to start the OpenVPN service:

$ sudo /etc/init.d/openvpn start

Type the following command to restart the OpenVPN service:

$ sudo /etc/init.d/openvpn restart

{Optional} How to configure and use the ufw firewall rules for the OpenVPN server

The default rules added to the /etc/rc.local file should work out of the box. However, if you have complicated firewall settings or prefer ufw to control all firewall settings on your Ubuntu Linux server, try the following. First, edit the /etc/rc.local file with a text editor and comment out all firewall rules added by the script. Then type the following ufw commands to open port 1194 (OpenVPN) and port 22 (ssh):

$ sudo ufw allow 1194/udp

$ sudo ufw allow 22/tcp

 

Edit the file /etc/ufw/before.rules, enter:

$ sudo vi /etc/ufw/before.rules

 

At top of the file add the following rules:

# START OPENVPN RULES by vg

# NAT table rules

*nat

:POSTROUTING ACCEPT [0:0]

#****************************************[README]*****************************************************#

# Allow traffic from OpenVPN client to 139.59.1.155. Replace 139.59.1.155 with your actual IP address*#

#****************************************[README]*****************************************************#

-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 139.59.1.155

COMMIT

# END OPENVPN RULES by vg

Next, scroll down and find the comment that reads as follows:

# ok icmp code for FORWARD

Append the following rules:

#OpenVPN Forward by vg

-A ufw-before-forward -m state --state RELATED,ESTABLISHED -j ACCEPT

-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT

-A ufw-before-forward -i tun+ -j ACCEPT

-A ufw-before-forward -i tap+ -j ACCEPT

#OpenVPN END by vg

Save and close the file. Next edit the /etc/ufw/sysctl.conf file, enter:

$ sudo vi /etc/ufw/sysctl.conf

 

Find and uncomment the following line to allow this host to route packets between interfaces:

net/ipv4/ip_forward=1

 

Save and close the file. Enable ufw or reload if already running:

$ sudo ufw enable

 

OR

$ sudo ufw reload

 

Verify new firewall rules:

$ sudo ufw status

$ sudo iptables -t nat -L -n -v

$ sudo iptables -L FORWARD -n -v

$ sudo iptables -L ufw-before-forward -n -v
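Two of the edits above are easy to get subtly wrong: the *nat table added to /etc/ufw/before.rules must be closed by its own COMMIT before the *filter table starts, otherwise the file is not valid iptables-restore input and ufw will not load it, and net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf must be uncommented, otherwise clients connect but no traffic is routed for them. The following added example, not from the article, checks both from the files' contents so you can run it before "ufw reload"; the sample fragments are constructed, and the paths, subnet, public IP and function names are taken from the text above or are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): checks that the *nat block in
# /etc/ufw/before.rules and the ip_forward line in /etc/ufw/sysctl.conf are
# present and well-formed.  Samples are constructed; paths are assumptions.

# Constructed fragment of /etc/ufw/before.rules, as the article has you write it.
BEFORE_RULES_OK='# START OPENVPN RULES by vg
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 139.59.1.155
COMMIT
# END OPENVPN RULES by vg
*filter
:ufw-before-input - [0:0]
-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
COMMIT'

# The same fragment with the nat table COMMIT forgotten: the SNAT rule is
# never committed and iptables-restore rejects the file.
BEFORE_RULES_NO_COMMIT='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 139.59.1.155
*filter
-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
COMMIT'

SYSCTL_FORWARD_ON='net/ipv4/ip_forward=1'
SYSCTL_FORWARD_OFF='#net/ipv4/ip_forward=1'

# nat_block_ok VPN_NET PUBLIC_IP: reads a before.rules file on stdin.  Succeeds
# only when a *nat table is opened, holds the POSTROUTING SNAT rule for
# VPN_NET -> PUBLIC_IP, and is closed by COMMIT before the next table starts.
nat_block_ok() {
    awk -v net="$1" -v ip="$2" '
        /^\*/ { in_nat = ($0 == "*nat"); next }
        in_nat && $1 == "-A" && $2 == "POSTROUTING" && $0 ~ ("-s " net " ") && $0 ~ ("--to-source " ip "$") { rule = 1 }
        in_nat && $1 == "COMMIT" && rule { committed = 1 }
        END { exit !(rule && committed) }
    '
}

# ip_forward_enabled: reads a ufw sysctl.conf on stdin; succeeds if the
# ip_forward=1 line is present and not commented out (both / and . separators).
ip_forward_enabled() {
    grep -Eq '^[[:space:]]*net[/.]ipv4[/.]ip_forward[[:space:]]*=[[:space:]]*1'
}

# check_openvpn_ufw [BEFORE_RULES] [SYSCTL]: run both checks on the live files.
check_openvpn_ufw() {
    rules="${1:-/etc/ufw/before.rules}"; sysctl="${2:-/etc/ufw/sysctl.conf}"
    status=0
    if nat_block_ok 10.8.0.0/24 139.59.1.155 < "$rules"; then
        echo "ok: complete *nat block with the SNAT rule in $rules"
    else
        echo "FAIL: no *nat ... COMMIT block with the SNAT rule in $rules"; status=1
    fi
    if ip_forward_enabled < "$sysctl"; then
        echo "ok: ip_forward enabled in $sysctl"
    else
        echo "FAIL: net/ipv4/ip_forward=1 missing or commented out in $sysctl"; status=1
    fi
    return $status
}
```

Run `sudo sh -c '. ./check.sh; check_openvpn_ufw'` before `sudo ufw reload`; replace 139.59.1.155 with your own public IP, as the README block in the rules says. A non-zero exit means one of the two edits is still missing.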

Client configuration

On the server you will find a client configuration file called ~/iphone.ovpn. Copy this file to your local desktop using scp and give it to your OpenVPN client to connect:

$ scp vivek@139.59.1.155:~/iphone.ovpn .

 

Next, you need to download OpenVPN client as per your operating system:

Download the OpenVPN client for Apple iOS version 6.x or above and install it.

Download OpenVPN client for Android and install it.

Download OpenVPN client for Apple MacOS (OS X) and install it.

Download OpenVPN client for Windows 8/10 and install it.

MacOS/OS X OpenVPN client configuration

Just double click the iphone.ovpn file and it will open in your Tunnelblick client; click “Only me” to install it.

Fig.03: MacOS / OS X openvpn client configuration

 

Once installed, click the Connect button and you will be online. Use the following command on the MacOS client to verify that your public IP changed to the VPN server IP:

$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com

 

You can ping the OpenVPN server's private IP:

$ ping 10.8.0.1

Linux OpenVPN client configuration

First, install the openvpn client:

$ sudo yum install openvpn

 

OR

$ sudo apt install openvpn

 

Next, copy iphone.ovpn as follows:

$ sudo cp iphone.ovpn /etc/openvpn/client.conf

 

Test connectivity from the CLI:

$ sudo openvpn --client --config /etc/openvpn/client.conf

 

Your Linux system will connect automatically when the computer restarts, using the /etc/init.d/openvpn script:

$ sudo /etc/init.d/openvpn start

 

For a systemd based system, use the following command:

$ sudo systemctl start openvpn@client

 

Test the connectivity:

$ ping 10.8.0.1 #Ping to OpenVPN server gateway

$ ip route #Make sure routing setup

$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com #Make sure your public IP set to OpenVPN server

FreeBSD OpenVPN client configuration

First, install the openvpn client:

$ sudo pkg install openvpn

 

Next, copy iphone.ovpn as follows:

$ sudo mkdir -p /usr/local/etc/openvpn/

$ sudo cp iphone.ovpn /usr/local/etc/openvpn/client.conf

 

Edit /etc/rc.conf and add the following:

openvpn_enable="YES"

openvpn_configfile="/usr/local/etc/openvpn/client.conf"

Start the OpenVPN service:

$ sudo /usr/local/etc/rc.d/openvpn start

 

Verify it:

$ ping 10.8.0.1 #Ping to OpenVPN server gateway

$ netstat -nr #Make sure routing setup

$ drill myip.opendns.com @resolver1.opendns.com #Make sure your public IP set to OpenVPN server

How do I add a new client?

For demo purposes I added a new device called iphone. Let us add one more device called googlephone by running the script again:

$ sudo bash openvpn-install.sh

 

Sample outputs:

Looks like OpenVPN is already installed

 

What do you want to do?

1) Add a cert for a new user

2) Revoke existing user cert

3) Remove OpenVPN

4) Exit

Select an option [1-4]:

Select option 1 and type googlephone as a client name:

Tell me a name for the client cert

Please, use one word only, no special characters

Client name: googlephone

Generating a 2048 bit RSA private key
.........+++
................................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/googlephone.key.FNaDMaP56c'

Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'googlephone'
Certificate is to be certified until Sep 25 07:31:46 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Client googlephone added, certs available at ~/googlephone.ovpn

Now you can use googlephone.ovpn with a Google Android phone. You can add as many users as you want using this method.

How do I delete/revoke existing user certificate?

Run the script:

$ sudo bash openvpn-install.sh

 

Sample outputs:

Looks like OpenVPN is already installed

 

What do you want to do?

1) Add a cert for a new user

2) Revoke existing user cert

3) Remove OpenVPN

4) Exit

Select an option [1-4]:

Type option 2 and you will see a list of all the existing client certificates; select the one you want to revoke:

Select the existing client certificate you want to revoke

1) iphone6

2) googlephone

3) delllaptop

4) macbook

Select one client [1-4]: 2

Sample outputs when I revoked the googlephone certificate:

Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf

Revoking Certificate 09.

Data Base Updated

Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf

 

An updated CRL has been created.

CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

 

 

Certificate for client googlephone revoked
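The installer keeps its CA database next to the CRL it just wrote, in pki/index.txt, so the state of every client certificate can be checked there after a revoke. The following shell functions are an added example, not part of the article or of the openvpn-install.sh script: they read that OpenSSL-style index (one tab-separated line per certificate: status V/R/E, expiry, revocation date, serial, filename, subject DN). The path below is the one the article's server uses; the index lines in sample_index are constructed sample data so the functions can run offline.

```bash
#!/bin/bash
# Added example (not from the original article): summarise the easy-rsa
# certificate database to see which client certs remain valid after a revoke.
# easy-rsa/OpenSSL keep the CA index at pki/index.txt, one tab-separated
# line per certificate:
#   status  expiry  revocation-date  serial  filename  subject-DN
# where status is V (valid), R (revoked) or E (expired).
PKI_INDEX="${PKI_INDEX:-/etc/openvpn/easy-rsa/pki/index.txt}"

# list_certs STATUS [INDEX_FILE] -> prints the CN of every cert with that status
list_certs() {
    local want="$1" index="${2:-$PKI_INDEX}"
    awk -F'\t' -v want="$want" '
        $1 == want {
            dn = $6
            sub(/.*\/CN=/, "", dn)   # keep only the common name
            print dn
        }' "$index"
}

# revoked_serials [INDEX_FILE] -> serials that must appear in crl.pem
revoked_serials() {
    awk -F'\t' '$1 == "R" { print $4 }' "${1:-$PKI_INDEX}"
}

# Constructed sample index (tab-separated), mirroring the article's clients;
# googlephone (serial 09) has just been revoked, the revocation date is made up.
sample_index() {
    printf 'V\t270925073146Z\t\t07\tunknown\t/CN=iphone6\n'
    printf 'R\t270925073146Z\t171027101500Z\t09\tunknown\t/CN=googlephone\n'
    printf 'V\t270925073146Z\t\t0A\tunknown\t/CN=delllaptop\n'
    printf 'V\t270925073146Z\t\t0B\tunknown\t/CN=macbook\n'
}

# Run with --demo to see the functions applied to the sample index.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); sample_index > "$tmp"
    echo "valid:";   list_certs V "$tmp"
    echo "revoked:"; list_certs R "$tmp"
    rm -f "$tmp"
fi
```

On a live server run `sudo bash script.sh --demo` to try it, or call `list_certs R` with no file argument to read the real index. A revoked entry in index.txt only takes effect on the VPN once the server is pointed at the regenerated crl.pem, which is what the installer's "An updated CRL has been created" step does.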


And there you have it, OpenVPN server installed in five minutes to increase your privacy.

Linux Iptables Delete postrouting Rule Command
https://wiki.shopingserver.com/linux-iptables-delete-postrouting-rule-command/ (Thu, 04 Jan 2018)

I am a new Linux server sysadmin. I need to delete a POSTROUTING rule. How do I delete a postrouting rule on a Linux server?

 

You need to use the iptables and ip6tables commands. These commands are used to set up, maintain, and inspect the tables of IPv4 and IPv6 packet filter rules in the Linux kernel. Let us see how to use the iptables command to delete a postrouting rule on a Linux system. You must be the root user to run this command.

Step #1: List postrouting rules

The syntax is as follows:

# iptables -t nat -v -L POSTROUTING -n --line-numbers

OR

# iptables -t nat -v -L -n --line-numbers

 

Sample outputs:

Fig.01: Linux iptables list nat rules command

 

Where,

-t nat : Select the nat table.

-v : Verbose output.

-L : List all rules in the selected chain, i.e. show all rules in the nat table.

-n : Numeric output. IP addresses and port numbers will be printed in numeric format.

--line-numbers : When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain. You need the line numbers to delete nat rules by position.

Step #2: Delete postrouting nat rule (version 1)

The syntax is:

iptables -t nat -D POSTROUTING {number-here}

 

To delete rule # 5 i.e. the following rule:

5       40  3360 SNAT       all  --  *      *       10.8.0.0/24          0.0.0.0/0            to:202.54.1.5

Type the following command:

# iptables -t nat -D POSTROUTING 5

OR

# iptables -t nat --delete POSTROUTING 5

 

Verify it, enter:

# iptables -t nat -v -L POSTROUTING -n --line-numbers

 

Sample outputs:

Chain POSTROUTING (policy ACCEPT 94 packets, 6392 bytes)

num   pkts bytes target     prot opt in     out     source               destination

1       10   762 MASQUERADE  all  --  *      eth1    10.8.0.0/24          0.0.0.0/0

2        0     0 MASQUERADE  all  --  *      eth1    10.8.0.0/24          0.0.0.0/0

3        0     0 MASQUERADE  all  --  *      eth1    10.0.0.0/8           0.0.0.0/0

4        0     0 MASQUERADE  all  --  *      eth1    10.0.0.0/8           0.0.0.0/0

Another syntax to remove specific postrouting rules from iptables (version 2)

Say, you execute the following postrouting command:

# iptables -t nat -A POSTROUTING -o eth1 -s 10.8.0.0/24 -j MASQUERADE

 

To delete it, run the same command but replace "-A" with "-D":

iptables -t nat -D POSTROUTING -o eth1 -s 10.8.0.0/24 -j MASQUERADE

 

Likewise, for a rule that was inserted with "-I", run the same command but replace "-I" with "-D". For example:

# iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -j SNAT --to 202.54.1.5

Becomes:

# iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -j SNAT --to 202.54.1.5

OR

# iptables -t nat --delete POSTROUTING -s 10.8.0.0/24 -j SNAT --to 202.54.1.5

 

The -D or --delete option deletes one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (version 1) or as a rule specification to match (version 2), as described above.
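Deleting by number has one trap: every `-D POSTROUTING N` renumbers the rules below it, so deleting rules 2 and then 3 from a single listing actually removes the original rules 2 and 4. The functions below are an added example, not part of the article: they take the output of the listing command from Step 1 on stdin, find the rule numbers whose text contains a given substring, and emit the corresponding delete commands highest number first so the numbers stay valid. The listing in sample_listing is constructed to match the shape of the article's output.

```bash
#!/bin/bash
# Added example, not from the original article: pick POSTROUTING rules by a
# substring of their listing line and produce "iptables -t nat -D POSTROUTING N"
# commands in DESCENDING order, so deleting several rules by number works.
# Input is the text of:  iptables -t nat -v -L POSTROUTING -n --line-numbers

# match_rule_numbers SUBSTRING < listing -> matching rule numbers, highest first
match_rule_numbers() {
    local needle="$1"
    # rule lines start with the rule number; header lines do not
    awk -v pat="$needle" '/^[0-9]+[[:space:]]/ && index($0, pat) { print $1 }' \
        | sort -rn
}

# delete_commands SUBSTRING < listing -> one delete command per matching rule
delete_commands() {
    match_rule_numbers "$1" | while read -r num; do
        echo "iptables -t nat -D POSTROUTING $num"
    done
}

# Constructed sample listing in the same layout as the article's output.
sample_listing() {
cat <<'EOF'
Chain POSTROUTING (policy ACCEPT 94 packets, 6392 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       10   762 MASQUERADE  all  --  *      eth1    10.8.0.0/24          0.0.0.0/0
2        0     0 MASQUERADE  all  --  *      eth1    10.8.0.0/24          0.0.0.0/0
3        0     0 MASQUERADE  all  --  *      eth1    10.0.0.0/8           0.0.0.0/0
4        0     0 MASQUERADE  all  --  *      eth1    10.0.0.0/8           0.0.0.0/0
5       40  3360 SNAT        all  --  *      *       10.8.0.0/24          0.0.0.0/0            to:202.54.1.5
EOF
}

# On a live box (as root), review the output first, then pipe it to sh:
#   iptables -t nat -v -L POSTROUTING -n --line-numbers | delete_commands '10.8.0.0/24'
if [ "${1:-}" = "--demo" ]; then
    sample_listing | delete_commands '10.8.0.0/24'
fi
```

Because the delete commands are printed rather than executed, you can inspect them before running them, which also avoids removing a rule whose number shifted between the listing and the delete.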

 

 

How to setup a UFW firewall on Ubuntu 16.04 LTS server
https://wiki.shopingserver.com/setup-ufw-firewall-ubuntu-16-04-lts-server/ (Thu, 04 Jan 2018)

How do I set up a firewall with UFW (uncomplicated firewall) on an Ubuntu Linux 16.04 LTS server to restrict traffic to my personal web server that hosts pictures and blogs for my family members?

 

UFW is an acronym for uncomplicated firewall. It is used for managing a Linux firewall and aims to provide an easy to use interface for the user. In this tutorial you will learn how to use UFW, a frontend to iptables, to manage the firewall on an Ubuntu Linux 16.04 LTS server.

Installing UFW

UFW is included with Ubuntu but not with Debian Linux. Type the following apt-get command to install UFW in Debian Linux server:

$ sudo apt-get update

$ sudo apt-get install ufw

 

Sample outputs:

Fig.01: Installing UFW firewall on Debian or Ubuntu Linux

How do I view status of ufw?

By default ufw is in the inactive state, i.e. no firewall rules are configured and all traffic is allowed. To see the status, enter:

$ sudo ufw status

 

Sample outputs:

Status: inactive

Setting up default policy

By default, when ufw is activated it blocks all incoming traffic to the firewall/server; only outgoing traffic is allowed. You can view UFW's defaults by typing the following command:

$ grep  DEFAULT_  /etc/default/ufw

 

Sample outputs:

DEFAULT_INPUT_POLICY="DROP"

DEFAULT_OUTPUT_POLICY="ACCEPT"

DEFAULT_FORWARD_POLICY="DROP"

DEFAULT_APPLICATION_POLICY="SKIP"

The default policy works well for both servers and laptops/workstations, as you only need to open a limited number of incoming ports. It is a good policy because it closes all ports on the server/firewall and you then open only the ports you need, one by one. You can run the following commands to set the policy to block all incoming connections and allow only outgoing connections from the server/firewall:

$ sudo ufw default allow outgoing

$ sudo ufw default deny incoming

Writing your first firewall rule to allow connection to ssh (tcp port 22)

Type the following command to allow SSH connections to your server:

$ sudo ufw allow ssh

 

OR

$ sudo ufw allow 22/tcp

 

If you are running ssh on port 2020, enter:

$ sudo ufw allow 2020/tcp

 

The following rule allows access to tcp ssh port 22 only on 10.8.0.1 (i.e. your ssh server is listening on 10.8.0.1 port 22) from anywhere:

$ sudo ufw allow proto tcp from any to 10.8.0.1 port 22

 

The following rule allows access to tcp ssh port 22 only on 10.8.0.1 (i.e. your ssh server is listening on 10.8.0.1 port 22) from the IP address 10.8.0.2 only:

$ sudo ufw allow proto tcp from 10.8.0.2 to 10.8.0.1 port 22

How do I add a comment for the rule?

Append comment followed by the quoted text to any rule:

$ sudo ufw {rule} comment 'my cool comment here'

Open port 53 and write a comment about the rule too:

$ sudo ufw allow 53 comment 'open tcp and udp port 53 for dns'

Another example:

$ sudo ufw allow proto tcp from any to any port 80,443 comment 'my cool web app ports'

OR

$ sudo ufw allow proto tcp from any to 10.8.0.1 port 22 comment 'SSHD port 22 for private lan'

Enable the UFW based firewall

Now you have the default policy set and the ssh port allowed. It is safe to enable the firewall; enter:

$ sudo ufw enable

 

Sample outputs:

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y

Firewall is active and enabled on system startup

Once enabled, the firewall runs after reboots too.
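The order of the three steps above (default policy, ssh rule, then enable) is what keeps you from locking yourself out, and the ssh rule is only right if it names the port sshd actually listens on. The script below is an added example, not part of the tutorial: it reads the Port directive(s) from sshd_config, emits the baseline ufw commands in that order with a limit rule for each ssh port, and enables the firewall with the real `--force` flag so no interactive prompt is needed. SSHD_CONFIG and DRY_RUN are this script's own variables, not ufw options; the sshd_config in sample_sshd_config is constructed so the script can be exercised offline.

```bash
#!/bin/bash
# Added example, not part of the original tutorial: apply the baseline from
# the sections above (default deny incoming / allow outgoing, then ssh, then
# enable) without hard-coding port 22. With DRY_RUN=1 (the default here) the
# ufw commands are printed instead of executed.
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
DRY_RUN="${DRY_RUN:-1}"

# ssh_ports [FILE] -> the active "Port N" values from sshd_config, 22 if none
ssh_ports() {
    local f="${1:-$SSHD_CONFIG}" ports
    # commented-out "# Port 22" lines have "#" as the first field and are skipped
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$f" 2>/dev/null || true)
    printf '%s\n' "${ports:-22}"
}

# baseline_commands [SSHD_CONFIG] -> the ordered ufw command list, one per line
baseline_commands() {
    local p
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    for p in $(ssh_ports "$1"); do
        # limit: allow, but reject a source opening 6+ new connections in 30 s
        echo "ufw limit ${p}/tcp"
    done
    echo "ufw --force enable"   # --force skips the y/n prompt about ssh sessions
}

# run ARGV... -> echo the command and execute it unless DRY_RUN=1
run() {
    echo "+ $*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

apply_baseline() {
    local line
    baseline_commands "$1" | while read -r line; do
        # word-splitting $line is intentional: each line is a plain argv list
        run $line
    done
}

# Constructed sample sshd_config: sshd moved to 2020, the default line commented out.
sample_sshd_config() {
    printf '# Port 22\nPort 2020\nListenAddress 0.0.0.0\nPermitRootLogin no\n'
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); sample_sshd_config > "$tmp"
    apply_baseline "$tmp"
    rm -f "$tmp"
fi
```

Run it with `--demo` to see the command list for the sample config; on a real server run it as root with `DRY_RUN=0` once the printed list looks right. Reading the port from sshd_config is what makes the "if you are running ssh on port 2020" case above happen automatically instead of being remembered by hand.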

Disable the UFW based firewall

If you need to stop the firewall and disable on system startup, enter:

$ sudo ufw disable

 

Sample outputs:

Firewall stopped and disabled on system startup

How do I check the status of my rules?

Use the status command:

$ sudo ufw status

$ sudo ufw status verbose

 

Sample outputs:

Status: active

Logging: on (low)

Default: deny (incoming), allow (outgoing), deny (routed)

New profiles: skip

 

 

To                         Action      From

--                         ------      ----

192.168.1.10 443/tcp       ALLOW       Anywhere

192.168.1.10 22/tcp        ALLOW       Anywhere

Adding more rules (open ports and allow IPs)

The syntax is as follows to open tcp ports 80 and 443:

$ sudo ufw allow 80/tcp

$ sudo ufw allow 443/tcp

 

Open UDP/1194 (OpenVPN) server:

$ sudo ufw allow 1194/udp

 

Open port 25 (smtpd/email server):

$ sudo ufw allow 25

Allowing port ranges

You can allow port ranges too say, tcp and udp 3000 to 5000:

$ sudo ufw allow 3000:5000/tcp

$ sudo ufw allow 3000:5000/udp

 

To allow all connections from the IP address 1.2.3.4, enter:

$ sudo ufw allow from 1.2.3.4

 

To allow connections from the IP address 1.2.3.4 to our port 22 only, enter:

$ sudo ufw allow from 1.2.3.4 to any port 22 proto tcp

 

OR (dest 222.222.222.222 port 22)

$ sudo ufw allow from 1.2.3.4 to 222.222.222.222 port 22 proto tcp

How to allow incoming HTTPS traffic (open port 443)

$ sudo ufw allow https comment 'Allow all to access Nginx server'

## allow only from 139.1.1.1 ##

$ sudo ufw allow from 139.1.1.1 to any port 443

## allow only from 203.11.11.2/29 ##

$ sudo ufw allow from 203.11.11.2/29 to any port 443

How to allow incoming HTTP traffic (open port 80)

$ sudo ufw allow http comment 'Allow all to access Apache server'

## allow only from 139.1.1.1 ##

$ sudo ufw allow from 139.1.1.1 to any port 80

## allow only from 203.11.11.2/29 ##

$ sudo ufw allow from 203.11.11.2/29 to any port 80

How to allow incoming MySQL/MariaDB traffic (open port 3306)

Allow access to MySQL/MariaDB port 3306 from selected subnet only (see MySQL/MariaDB remote access tutorial):

$ sudo ufw allow from 192.168.1.0/24 to any port 3306

 

Allow access to MySQL/MariaDB port 3306 from the Apache server (202.54.1.1) only:

$ sudo ufw allow from 202.54.1.1 to any port 3306

How to allow incoming PostgreSQL traffic (open port 5432)

Allow access to PostgreSQL port 5432 from selected subnet only (see PostgreSQL remote access tutorial):

$ sudo ufw allow from 192.168.1.0/24 to any port 5432

 

Allow access to PostgreSQL port 5432 from the Apache server (202.54.1.1) only:

$ sudo ufw allow from 202.54.1.1 to any port 5432

How to allow incoming SMTPD/Postfix/Sendmail (mail server) traffic (open port 25)

$ sudo ufw allow 25

$ sudo ufw allow smtp

How to allow incoming IMAP/IMAPS

$ sudo ufw allow 143

$ sudo ufw allow 993

How to allow incoming POP3/POP3S

$ sudo ufw allow 110

$ sudo ufw allow 995

Denying access to port or connections (close ports and block IPs)

The syntax is as follows to deny access to tcp port 443 (i.e. silently drop traffic to port 443):

$ sudo ufw deny 443/tcp

 

To deny all connections from the IP address 1.2.3.4, enter:

$ sudo ufw deny from 1.2.3.4

To deny all connections from the IP subnet 123.45.67.89/24, enter:

$ sudo ufw deny from 123.45.67.89/24

To deny access from 1.2.3.4 (say, an attacker's IP) to port 22:

$ sudo ufw deny from 1.2.3.4 to any port 22 proto tcp

Rejecting access to port or connections (reject and let user know they are blocked by firewall)

The deny syntax silently drops traffic. If you want to let the sender know that traffic is being denied, rather than silently ignoring it, use the reject syntax:

$ sudo ufw reject in smtp

$ sudo ufw reject out smtp

$ sudo ufw reject 1194 comment 'No more vpn traffic'

$ sudo ufw reject 23 comment 'Unencrypted port not allowed'

 

If somebody tries to connect to port 23 they will get a reject message as follows:

telnet: Unable to connect to remote host: Connection refused

Deleting the UFW firewall rules

Now you know how to add, deny, and list firewall rules. It is time to delete unwanted rules. There are two ways to delete rules. The first syntax is:

$ sudo ufw delete {rule-here}

 

For example, to delete the HTTPS (tcp port 443) rule:

$ sudo ufw delete allow 443

 

If you no longer wish to allow smtpd/email (port 25) traffic, execute:

$ sudo ufw delete allow 25

 

The second option is to list all of the current rules in a numbered list format:

$ sudo ufw status numbered

 

Sample outputs:

Status: active

 

To                         Action      From

--                         ------      ----

[ 1] 10.8.0.1 22/tcp            ALLOW IN    Anywhere

[ 2] Anywhere                   DENY IN     123.45.67.0/24

[ 3] 22/tcp                     DENY IN     1.2.3.4

To delete the 2nd rule (ufw deny from 123.45.67.89/24), type the command:

$ sudo ufw delete 2

 

Sample outputs:

Deleting:

deny from 123.45.67.0/24

Proceed with operation (y|n)? y

Rule deleted

How do I reset the firewall?

To reset ufw rules to their factory default settings and leave the firewall inactive, run:

$ sudo ufw reset

 

Sample outputs:

Resetting all rules to installed defaults. This may disrupt existing ssh

connections. Proceed with operation (y|n)? y

Backing up 'user6.rules' to '/etc/ufw/user6.rules.20160801_121710'

Backing up 'after.rules' to '/etc/ufw/after.rules.20160801_121710'

Backing up 'before.rules' to '/etc/ufw/before.rules.20160801_121710'

Backing up 'after6.rules' to '/etc/ufw/after6.rules.20160801_121710'

Backing up 'user.rules' to '/etc/ufw/user.rules.20160801_121710'

Backing up 'before6.rules' to '/etc/ufw/before6.rules.20160801_121710'

How do I reload the firewall?

The syntax is as follows to reload firewall:

$ sudo ufw reload

 

When you edit a UFW configuration file by hand, you need to run the reload command afterwards. For example, to edit /etc/ufw/before.rules, enter:

$ sudo nano /etc/ufw/before.rules

 

OR

$ sudo vi /etc/ufw/before.rules

 

To allow all traffic from eth0 to eth0 (add after the line that reads "# End required lines"), enter:

# allow all on eth0

-A ufw-before-input -i eth0 -j ACCEPT

-A ufw-before-output -o eth0 -j ACCEPT

Save and close the file. Reload the firewall:

$ sudo ufw reload

How do I see the firewall logs?

By default all UFW entries are logged into /var/log/ufw.log file:

$ sudo more /var/log/ufw.log

$ sudo tail -f /var/log/ufw.log

 

Sample outputs:

Aug  1 12:09:48 server2 kernel: [15727.245115] [UFW BLOCK] IN=br1 OUT= MAC=00:25:90:4f:b0:6f:44:d3:ca:5f:89:40:08:00 SRC=62.210.181.123 DST=75.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=20343 DF PROTO=TCP SPT=2328 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0

Aug  1 12:09:58 server2 kernel: [15737.485726] [UFW BLOCK] IN=br1 OUT= MAC=00:25:90:4f:b0:6f:44:d3:ca:5f:89:40:08:00 SRC=187.134.225.91 DST=75.xxx.yyy.zzz  LEN=46 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=54704 DPT=53413 LEN=26

Aug  1 12:09:58 server2 kernel: [15737.486102] [UFW BLOCK] IN=br1 OUT= MAC=00:25:90:4f:b0:6f:44:d3:ca:5f:89:40:08:00 SRC=187.134.225.91 DST=75.xxx.yyy.zzz  LEN=151 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=54704 DPT=53413 LEN=131

 

You can search log file with grep command:

$ sudo grep something /var/log/ufw.log

$ sudo grep '187.134.225.91' /var/log/ufw.log
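Grepping for one address works once you know which address to look for. As an added example, not part of the tutorial, the functions below aggregate the [UFW BLOCK] lines by source address, protocol and destination port, so a port scan or a burst against a single service stands out from the log. The parser only relies on the key=value fields shown in the sample output above; sample_log reuses those three real lines plus one constructed non-BLOCK line to show that other entries are ignored.

```bash
#!/bin/bash
# Added example (not from the tutorial): summarise [UFW BLOCK] entries from
# /var/log/ufw.log. Each kernel line carries SRC=, PROTO= and DPT= fields;
# lines without the [UFW BLOCK] tag (e.g. [UFW AUDIT]) are skipped.

# ufw_block_summary < logfile -> "COUNT SRC PROTO DPT", most frequent first
ufw_block_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            src = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }' | sort -rn -k1,1
}

# top_blocked_sources [N] < logfile -> the N source addresses blocked most often
top_blocked_sources() {
    awk '/\[UFW BLOCK\]/ { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) print substr($i, 5) }' \
        | sort | uniq -c | sort -rn | head -n "${1:-5}" | awk '{ print $2 }'
}

# The first three lines are the tutorial's sample output; the last one is a
# constructed non-BLOCK entry that the parser must ignore.
sample_log() {
cat <<'EOF'
Aug  1 12:09:48 server2 kernel: [15727.245115] [UFW BLOCK] IN=br1 OUT= MAC=00:25:90:4f:b0:6f:44:d3:ca:5f:89:40:08:00 SRC=62.210.181.123 DST=75.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=20343 DF PROTO=TCP SPT=2328 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Aug  1 12:09:58 server2 kernel: [15737.485726] [UFW BLOCK] IN=br1 OUT= MAC=00:25:90:4f:b0:6f:44:d3:ca:5f:89:40:08:00 SRC=187.134.225.91 DST=75.xxx.yyy.zzz LEN=46 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=54704 DPT=53413 LEN=26
Aug  1 12:09:58 server2 kernel: [15737.486102] [UFW BLOCK] IN=br1 OUT= MAC=00:25:90:4f:b0:6f:44:d3:ca:5f:89:40:08:00 SRC=187.134.225.91 DST=75.xxx.yyy.zzz LEN=151 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=54704 DPT=53413 LEN=131
Aug  1 12:10:03 server2 kernel: [15742.000000] [UFW AUDIT] IN=br1 OUT= SRC=10.8.0.2 DST=10.8.0.1 PROTO=TCP DPT=22
EOF
}

# Usage on a live system:  sudo cat /var/log/ufw.log | ufw_block_summary | head
if [ "${1:-}" = "--demo" ]; then
    sample_log | ufw_block_summary
fi
```

Feeding the real log through `ufw_block_summary` gives you the candidates for the `ufw deny from` rules shown earlier, and `top_blocked_sources 3` is a quick check of whether blocks are spread out (background noise) or dominated by a few addresses.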

How do I see ufw reports?

The added report displays the list of rules as they were added on the command-line:

$ sudo ufw show added

 

Sample outputs:

Added user rules (see 'ufw status' for running firewall):

ufw allow 22

ufw reject 23

The raw report shows the complete firewall, while the others show a subset of what is in the raw report:

$ sudo ufw show raw

$ sudo ufw show raw | more

 

The listening report displays the ports on the live system that are in the listening state for tcp and the open state for udp, along with the address of the interface and the executable listening on the port. An '*' is used in place of the interface address when the executable is bound to all interfaces on that port. Following this information is a list of rules which may affect connections on this port. The rules are listed in the order they are evaluated by the kernel, and the first match wins. Please note that the default policy is not listed, and tcp6 and udp6 are shown only if IPv6 is enabled:

$ sudo ufw show listening

$ sudo ufw show listening | more

tcp:

22 10.86.115.66 (sshd)

[ 1] allow 22

 

22 10.8.0.1 (sshd)

[ 1] allow 22

 

443 75.xxx.yyy.zzz (openvpn)

udp:

123 10.8.0.1 (ntpd)

123 75.xxx.yyy.zzz (ntpd)

123 10.86.115.66 (ntpd)

123 * (ntpd)

udp6:

123 * (ntpd)

Other possible reports are:

$ sudo ufw show builtins

$ sudo ufw show before-rules

$ sudo ufw show user-rules

$ sudo ufw show after-rules

$ sudo ufw show logging-rules

 

How to limit SSH (TCP port 22) connections with ufw on Ubuntu Linux
https://wiki.shopingserver.com/limit-ssh-tcp-port-22-connections-ufw-ubuntu-linux/ (Thu, 04 Jan 2018)

How do I limit ssh connection attempts using UFW (Uncomplicated Firewall) on an Ubuntu or Debian Linux server?

 

UFW means Uncomplicated Firewall. It is the default firewall front-end on Ubuntu and can be installed on other Linux distros such as Arch Linux, Debian and more. It is nothing but a front-end for managing a Netfilter firewall. It provides a command line interface and aims to be uncomplicated and easy to use.

Rate limiting with ufw

You can add a limit rule. Currently only IPv4 is supported. With this syntax you can deny connections from an IP address that has attempted to initiate 6 or more connections in the last 30 seconds. This option is very useful for services such as sshd.

Syntax

The syntax is pretty simple:

## ufw limit ssh various usage ##

ufw limit ssh

ufw limit ssh/tcp

ufw limit ssh comment 'Rate limit for openssh server'

#### if sshd is running on tcp port 2022 ####

ufw limit 2022/tcp comment 'SSH port rate limit'

The above rules are useful for protecting against brute-force login attacks. When a limit rule is used, ufw will normally allow the connection but will deny connections if an IP address attempts to initiate six or more connections within thirty seconds. Once set up, you can verify it with the following commands:

$ sudo ufw limit ssh/tcp comment 'Rate limit for openssh server'

$ sudo ufw status

 

Sample outputs:

Status: active

 

To                         Action      From

--                         ------      ----

22/tcp                     LIMIT       Anywhere                   # Rate limit for openssh server

22/tcp (v6)                LIMIT       Anywhere (v6)              # Rate limit for openssh server

The actual rules are as follows in iptables:

-A ufw-user-input -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource

-A ufw-user-input -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 --name DEFAULT --mask 255.255.255.255 --rsource -j ufw-user-limit

-A ufw-user-input -p tcp -m tcp --dport 22 -j ufw-user-limit-accept

Please note that the new ssh rule will then replace the previous ssh rule.
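To make the three iptables rules above concrete, here is an added example (not part of the article, and not the kernel's code) that models their decision for a sequence of new connections from one source address: each new SYN is first recorded (the --set rule), then the --update rule matches when the address has 6 or more recorded hits within the last 30 seconds and sends the packet to ufw-user-limit, which logs and rejects it; anything else falls through to ufw-user-limit-accept. The model assumes timestamps arrive in non-decreasing order and, unlike the real xt_recent module, does not cap the per-address history (the module keeps a bounded list of recent packets per address); the timestamps in sample_attempts are constructed, not captured.

```bash
#!/bin/bash
# Added example, not from the original article: simulate what
#   -m recent --set / --update --seconds 30 --hitcount 6
# decide for a series of new connection attempts from ONE source.
# Input: one timestamp (seconds) per line, non-decreasing.

# limit_decisions WINDOW_SECONDS HITCOUNT < timestamps
#   -> one "TIMESTAMP ACCEPT|REJECT" line per attempt
limit_decisions() {
    awk -v window="$1" -v hits="$2" '
        {
            t = $1
            n++; seen[n] = t                        # --set: record this hit first
            recent = 0                              # hits within the window, this one included
            for (i = n; i >= 1 && t - seen[i] <= window; i--) recent++
            # --update matches at hitcount or more -> jump to ufw-user-limit (LOG + REJECT)
            print t, (recent >= hits ? "REJECT" : "ACCEPT")
        }'
}

# rejected_count WINDOW_SECONDS HITCOUNT < timestamps -> number of rejected attempts
rejected_count() {
    limit_decisions "$1" "$2" | awk '$2 == "REJECT" { c++ } END { print c + 0 }'
}

# Constructed burst: eight attempts within 14 seconds, then one more 40 s later.
sample_attempts() {
    printf '%s\n' 0 2 4 6 8 10 12 14 54
}

if [ "${1:-}" = "--demo" ]; then
    sample_attempts | limit_decisions 30 6
fi
```

Running the demo shows the sixth attempt (t=10) and everything after it inside the window being rejected, while the attempt at t=54 is accepted again because the earlier hits have aged out of the 30 second window. That is also why the rule protects against password guessing without blocking a legitimate admin who mistypes a password once or twice.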

How to configure ufw to forward port 80/443 to internal server hosted on LAN
https://wiki.shopingserver.com/configure-ufw-forward-port-80-443-internal-server-hosted-lan/ (Thu, 04 Jan 2018)

I am using UFW to protect my network. How do I forward TCP HTTP ports 80 and 443 to an internal server hosted at 192.168.1.100:80 and 192.168.1.100:443 using UFW on an Ubuntu Linux server?

 

UFW is an acronym for uncomplicated firewall. It is used for managing a Linux firewall and aims to provide an easy to use interface for the user. In this tutorial, you will learn how to forward incoming traffic to your server running ufw on port 80/443 to port 80/443 on another internal server hosted in your LAN/VLAN.

Our sample setup

Let us say you want to forward requests going to {80,443} to a server listening on 192.168.1.100:{80,443}:

Fig.01: How to configure ufw to redirect http traffic to another IP:port

 

All requests for 202.54.1.1 port 80 and 443 must be redirected to another, internal server.

DNAT

If you have a server on your internal network that you want to make available externally, you can use the -j DNAT target of the PREROUTING chain in the nat table to specify a destination IP address and port to which incoming packets requesting a connection to your internal service are forwarded. The syntax is:

 

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d {PUBLIC_IP} --dport 80 -j DNAT --to {INTERNAL_IP}:80

OR

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d {PUBLIC_IP} --dport 443 -j DNAT --to {INTERNAL_IP}:443

Postrouting and IP Masquerading

To allow LAN nodes with private IP addresses to communicate with external public networks, configure the firewall for IP masquerading, which masks requests from LAN nodes with the IP address of the firewall’s external device such as eth0. The syntax is:

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

 

OR

/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE

How to configure ufw to setup a port forward

You need to edit /etc/ufw/before.rules file, enter:

$ sudo vi /etc/ufw/before.rules

 

Next, configure ufw to redirect http traffic to another (LAN) IP:port. At the top of the file, add:

*nat

:PREROUTING ACCEPT [0:0]

# forward 202.54.1.1  port 80 to 192.168.1.100:80

# forward 202.54.1.1  port 443 to 192.168.1.100:443

-A PREROUTING -i eth0 -d 202.54.1.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:80

-A PREROUTING -i eth0 -d 202.54.1.1 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.100:443

# setup routing

-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE

COMMIT

Save and close the file. Edit /etc/sysctl.conf:

$ sudo vi /etc/sysctl.conf

 

Set/edit as follows:

net.ipv4.ip_forward=1

Save and close the file. Reload changes:

$ sudo sysctl -p

 

Finally, restart the firewall to enable routing:

$ sudo systemctl restart ufw

 

Make sure ports 80 and 443 are allowed, otherwise ufw will block the requests that are redirected to the internal 192.168.1.100:{80,443}:

$ sudo ufw allow proto tcp from any to 202.54.1.1 port 80

$ sudo ufw allow proto tcp from any to 202.54.1.1 port 443

 

Verify new settings:

$ sudo ufw status

$ sudo iptables -t nat -L -n -v

 

Finally, make sure your domain has a DNS A record pointing to 202.54.1.1.
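Two things outside the *nat block decide whether the redirect actually works: net.ipv4.ip_forward must be 1 (the sysctl step above), and the DNAT'ed packets traverse the FORWARD chain, whose ufw default is DEFAULT_FORWARD_POLICY="DROP" (see the UFW tutorial's defaults earlier on this page), so they need either that policy set to ACCEPT or explicit forward rules (newer ufw releases provide `ufw route allow` for this). The script below is an added example, not part of the tutorial: it generates the *nat block for any list of port forwards using the tutorial's addresses, and checks those two prerequisites. The /etc/default/ufw contents in sample_ufw_defaults are constructed; PUBLIC_IP, WAN_IF and LAN_NET are this script's own variables.

```bash
#!/bin/bash
# Added example (not from the original tutorial): build the *nat section for
# /etc/ufw/before.rules from "PUBLIC_PORT:INTERNAL_IP:INTERNAL_PORT" entries
# and check the forwarding prerequisites that silently break DNAT if missing.
PUBLIC_IP="${PUBLIC_IP:-202.54.1.1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# nat_block FORWARD... -> text of the *nat ... COMMIT block
nat_block() {
    local fwd pport rest iip iport
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    for fwd in "$@"; do
        pport="${fwd%%:*}"; rest="${fwd#*:}"
        iip="${rest%%:*}";  iport="${rest#*:}"
        echo "# forward $PUBLIC_IP port $pport to $iip:$iport"
        echo "-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport $pport -j DNAT --to-destination $iip:$iport"
    done
    echo "# masquerade LAN traffic leaving through $WAN_IF"
    echo "-A POSTROUTING -s $LAN_NET ! -d $LAN_NET -j MASQUERADE"
    echo "COMMIT"
}

# forward_policy FILE -> value of DEFAULT_FORWARD_POLICY in an /etc/default/ufw file
forward_policy() {
    sed -n 's/^DEFAULT_FORWARD_POLICY="\{0,1\}\([A-Za-z]*\)"\{0,1\}.*$/\1/p' "$1"
}

# forwarding_ready IP_FORWARD_VALUE UFW_DEFAULTS_FILE -> exit 0 when DNAT can work
# IP_FORWARD_VALUE is the content of /proc/sys/net/ipv4/ip_forward (0 or 1)
forwarding_ready() {
    local ipfwd="$1" policy
    policy=$(forward_policy "$2")
    if [ "$ipfwd" != "1" ]; then
        echo "net.ipv4.ip_forward=$ipfwd: the kernel will not route the DNATed packets"
        return 1
    fi
    if [ "$policy" != "ACCEPT" ]; then
        echo "DEFAULT_FORWARD_POLICY=${policy:-unset}: the FORWARD chain drops redirected traffic unless explicit forward (ufw route) rules allow it"
        return 1
    fi
    echo "forwarding prerequisites ok"
}

# Constructed /etc/default/ufw excerpt with the stock forward policy.
sample_ufw_defaults() {
    printf 'IPV6=yes\nDEFAULT_INPUT_POLICY="DROP"\nDEFAULT_OUTPUT_POLICY="ACCEPT"\nDEFAULT_FORWARD_POLICY="DROP"\n'
}

if [ "${1:-}" = "--demo" ]; then
    nat_block 80:192.168.1.100:80 443:192.168.1.100:443
    # on a live box: forwarding_ready "$(cat /proc/sys/net/ipv4/ip_forward)" /etc/default/ufw
fi
```

Paste the generated block at the top of /etc/ufw/before.rules exactly as the tutorial shows, and run the check with the real sysctl value and /etc/default/ufw before restarting ufw; a failing check explains the common "rule is there but nothing reaches the internal host" symptom.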

How to open ssh port using ufw on Ubuntu/Debian Linux
https://wiki.shopingserver.com/open-ssh-port-using-ufw-ubuntu-debian-linux/ (Thu, 04 Jan 2018)

How do I allow incoming SSH connections from a specific IP address or subnet on an Ubuntu or Debian Linux server using ufw?

 

UFW is an acronym for uncomplicated firewall. It is used for managing a Linux firewall and aims to provide an easy to use interface for the user. In this tutorial, you will learn how to use UFW, a frontend to iptables, to open incoming SSH connections on an Ubuntu Linux 16.04 LTS or Debian Linux server.

Fig.01: Allow Incoming SSH from Specific IP Address or Subnet

Open incoming SSH port for all

The syntax is:

$ sudo ufw allow ssh

 

OR

$ sudo ufw allow 22/tcp

 

OR (add the comment)

$ sudo ufw allow 22/tcp comment 'Open port ssh tcp port 22'

 

If you are running ssh on TCP port # 2222, enter:

$ sudo ufw allow 2222/tcp

How to allow incoming SSH from specific IP address

The syntax is:

$ sudo ufw allow from {IP_ADDRESS_HERE} to any port 22

 

To allow incoming SSH connections from the IP address 202.54.1.1, enter:

$ sudo ufw allow from 202.54.1.1 to any port 22

How to allow incoming SSH from specific subnets

The syntax is:

$ sudo ufw allow from {IP_SUB/net} to any port 22

 

OR

$ sudo ufw allow from {IP_SUB/net} to any port 22 proto tcp

 

OR

$ sudo ufw allow from {IP_SUB/net} to {ssh-server-ip-address} port 22 proto tcp

 

To allow incoming SSH connections from the subnet 202.54.1.1/29, enter:

$ sudo ufw allow from 202.54.1.1/29 to any port 22

 

To allow incoming SSH connections from the subnet 10.8.0.0/24 to 10.8.0.1 on tcp port 22, enter:

$ sudo ufw allow from 10.8.0.0/24 to 10.8.0.1 port 22 proto tcp

Limit incoming SSH port for all

Open incoming SSH but deny connections from an IP address that has attempted to initiate 6 or more connections in the last 30 seconds. The syntax is:

$ sudo ufw limit ssh

 

OR

$ sudo ufw limit 22/tcp

How to check the status of ufw

The syntax is:

$ sudo ufw status

 

Sample outputs:

Status: active

 

To                         Action      From

—                         ——      —-

22                         ALLOW       Anywhere

72.14.190.12 443/tcp       ALLOW       Anywhere

72.14.190.12 80/tcp        ALLOW       Anywhere

If ufw is not enabled, the output will be:

$ sudo ufw status

Status: inactive

To turn UFW on with the default set of rules, including the open SSH port, enter:

$ sudo ufw enable

$ sudo ufw status verbose

 

How to use or specify multiple IP addresses in iptables source or destination on Linux
https://wiki.shopingserver.com/use-specify-multiple-ip-addresses-iptables-source-destination-linux/ (Wed, 03 Jan 2018)

I need to specify multiple IP addresses in iptables from a Linux script. How do I create a rule that uses multiple source or destination IP addresses?

 

You can set multiple source (-s or --source) or destination (-d or --destination) IP addresses using the following easy to use syntax. This tutorial shows you how to use multiple IP addresses in the source or destination with iptables on Linux.

How to add multiple sources in a single iptables command

The syntax is:

iptables -A INPUT -s ip1,ip2,ip3 -j ACCEPT

iptables -A INPUT -s ip1,ip2,ip3 -j DROP

iptables -I INPUT -s ip1,ip2,ip3 -d ip2 -j DROP

 

To accept 192.168.1.5 and 192.168.2.6, run:

iptables -A INPUT -s 192.168.1.5,192.168.2.6 -d 192.168.1.254 -j ACCEPT

 

Another example:

iptables -A INPUT -s 192.168.1.5,192.168.2.6 -d 192.168.1.254 -p tcp --dport 443 -j ACCEPT

 

In this example DROP packets for port 80 for two ip address:

iptables -A INPUT -s 192.168.1.5,192.168.2.6 -d 192.168.1.254 -p tcp --dport 80 -j DROP

 

In this example, forward traffic to an internal host for two source IP addresses (DNAT lives in the PREROUTING chain of the nat table, hence -t nat):

source="139.59.1.155,23.239.7.187"

dest="104.20.187.5"

port="443"

redirect="10.105.28.43:443"

iptables -t nat -A PREROUTING -s "${source}" -d "${dest}" -p tcp --dport "${port}" -j DNAT --to-destination "${redirect}"

 

It is possible to drop given IP address using a new chain as follows:

#!/bin/bash

# Block every address listed in $_input (one per line; "#" comment lines and

# blank lines are skipped) via a dedicated chain that the built-in chains jump to.

_input="/root/block.ip.address.list.txt"

IPT=/sbin/iptables

$IPT -N droplist

egrep -v '^#|^$' "$_input" | while IFS= read -r ip

do

    $IPT -A droplist -i eth1 -s "$ip" -j LOG --log-prefix "myBad IP BlockList "

    $IPT -A droplist -i eth1 -s "$ip" -j DROP

done

# Drop it

$IPT -I INPUT -j droplist

$IPT -I OUTPUT -j droplist

$IPT -I FORWARD -j droplist
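The loop above trusts every non-comment line of the list file. Because each line becomes an iptables argument, a stray word or a malformed address either aborts the script half-way (leaving the chain partly built) or, worse, produces a rule that does not match what you intended. The script below is an added example, not part of the article: it is a generalisation of that loop that validates each entry as an IPv4 address or CIDR prefix, strips trailing comments, drops duplicates, and prints the resulting iptables commands with DRY_RUN=1 (a variable of this script, not an iptables option) so the rule set can be reviewed before it is applied. The block list in sample_blocklist is constructed.

```bash
#!/bin/bash
# Added example (not from the original article): a validating version of the
# block-list loop. Only well-formed IPv4 addresses / CIDR prefixes reach
# iptables; everything else is reported on stderr and skipped.
IPT="${IPT:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"
CHAIN="${CHAIN:-droplist}"

# is_ipv4_cidr STRING -> 0 if STRING is a.b.c.d or a.b.c.d/nn (octets 0-255, nn 0-32)
is_ipv4_cidr() {
    local s="$1" addr prefix o
    case "$s" in
        */*) addr="${s%/*}"; prefix="${s#*/}" ;;
        *)   addr="$s"; prefix=32 ;;
    esac
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;            # prefix must be all digits
    esac
    [ "$prefix" -le 32 ] || return 1
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$addr" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# valid_entries FILE -> unique valid entries in file order; bad lines go to stderr
valid_entries() {
    local line
    grep -Ev '^[[:space:]]*(#|$)' "$1" | tr -d '\r' | while IFS= read -r line; do
        line="${line%%#*}"                                   # trailing comment
        line="$(echo "$line" | tr -d '[:space:]')"
        if is_ipv4_cidr "$line"; then
            echo "$line"
        else
            echo "skipping invalid block-list entry: '$line'" >&2
        fi
    done | awk '!seen[$0]++'                                 # dedupe, keep first
}

# run ARGV... -> print the command, execute it unless DRY_RUN=1
run() { echo "+ $*"; [ "$DRY_RUN" = "1" ] || "$@"; }

# block_from_list FILE -> build CHAIN from the list and hook it into INPUT/FORWARD
block_from_list() {
    local ip
    run "$IPT" -N "$CHAIN"
    for ip in $(valid_entries "$1"); do
        run "$IPT" -A "$CHAIN" -s "$ip" -j LOG --log-prefix "blocklist: "
        run "$IPT" -A "$CHAIN" -s "$ip" -j DROP
    done
    run "$IPT" -I INPUT -j "$CHAIN"
    run "$IPT" -I FORWARD -j "$CHAIN"
}

# Constructed sample list: a comment, a trailing comment, a duplicate, two bad entries.
sample_blocklist() {
cat <<'EOF'
# known scanners
203.0.113.7
198.51.100.0/24   # whole range
203.0.113.7
203.0.113.999
10.0.0.1/40
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); sample_blocklist > "$tmp"
    block_from_list "$tmp"
    rm -f "$tmp"
fi
```

Running the demo prints seven iptables commands for the two valid entries and two "skipping" messages on stderr; on a real host, set DRY_RUN=0 (as root) once the printed commands are what you expect. Note that the chain is only hooked into INPUT and FORWARD here, since a source-address block list is about inbound traffic.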

How to add multiple destination in a single iptables command

The syntax is:

iptables -A INPUT -d ip1,ip2,ip3 -j ACCEPT

iptables -A INPUT -d ip1,ip2,ip3 -j DROP

iptables -I INPUT -d ip1,ip2,ip3 -s ip2 -j DROP

 

Some examples:

iptables -A INPUT -d 192.168.1.5,192.168.1.6 -j ACCEPT

iptables -A INPUT -d 192.168.1.5,192.168.1.6 -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -d 192.168.1.5,192.168.1.6 -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT

 

To view added rule run:

iptables -t filter -L INPUT -n -v

 

Sample outputs:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source               destination

5632 6156K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

1    80 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

553  128K INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

553  128K INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0

553  128K INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0

0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID

551  128K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       192.168.1.5          tcp dpt:22

0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       192.168.1.6          tcp dpt:22

0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.5          tcp dpt:22

0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.6          tcp dpt:22

0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.5

0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.6

0     0 ACCEPT     tcp  --  *      *       192.168.1.5          192.168.1.254        tcp dpt:443

0     0 ACCEPT     tcp  --  *      *       192.168.2.6          192.168.1.254        tcp dpt:443

A note about user-defined chains

It is possible to create a new user-defined chain as follows:

iptables -N ALLOWED

iptables -A ALLOWED -d 127.0.0.0/8 -j RETURN

iptables -A ALLOWED -d 192.168.1.0/24 -j RETURN

iptables -A ALLOWED -d 205.54.1.5 -j RETURN

iptables -A INPUT -j ALLOWED

 

See iptables man page for more info:

$ man iptables

 

 
