Set Up a Firewall with UFW on Ubuntu 14.04

Introduction

UFW, or Uncomplicated Firewall, is an interface to iptables that is geared towards simplifying the process of configuring a firewall. While iptables is a solid and flexible tool, it can be difficult for beginners to learn how to use it to properly configure a firewall. If you’re looking to get started securing your network, and you’re not sure which tool to use, UFW may be the right choice for you.

This tutorial will show you how to set up a firewall with UFW on Ubuntu 14.04.

Prerequisites

Before you start using this tutorial, you should have a separate, non-root superuser account—a user with sudo privileges—set up on your Ubuntu server. You can learn how to do this by completing at least steps 1-3 in the Initial Server Setup with Ubuntu 14.04 tutorial.

UFW is installed by default on Ubuntu. If it has been uninstalled for some reason, you can install it with apt-get:

  • sudo apt-get install ufw

Using IPv6 with UFW

If your Ubuntu server has IPv6 enabled, ensure that UFW is configured to support IPv6 so that it will manage firewall rules for IPv6 in addition to IPv4. To do this, open the UFW configuration with your favorite editor. We’ll use nano:

  • sudo nano /etc/default/ufw

Then make sure the value of “IPV6” is equal to “yes”. It should look like this:

/etc/default/ufw excerpt
...
IPV6=yes
...

Save and quit. Hit Ctrl-X to exit the file, then Y to save the changes that you made, then ENTER to confirm the file name.

When UFW is enabled, it will be configured to write both IPv4 and IPv6 firewall rules.

This tutorial is written with IPv4 in mind, but will work fine for IPv6 as long as you enable it.

Check UFW Status and Rules

At any time, you can check the status of UFW with this command:

  • sudo ufw status verbose

By default, UFW is disabled, so you should see something like this:

Output:
Status: inactive

If UFW is active, the output will say that it’s active, and it will list any rules that are set. For example, if the firewall is set to allow SSH (port 22) connections from anywhere, the output might look something like this:

Continue reading Set Up a Firewall with UFW on Ubuntu 14.04

Iptables Essentials: Common Firewall Rules and Commands

Introduction

Iptables is the software firewall that is included with most Linux distributions by default. This cheat sheet-style guide provides a quick reference to iptables commands that create firewall rules useful in common, everyday scenarios. This includes iptables examples of allowing and blocking various services by port, network interface, and source IP address.

How To Use This Guide

  • If you are just getting started with configuring your iptables firewall, check out our introduction to iptables
  • Most of the rules that are described here assume that your iptables is set to DROP incoming traffic, through the default input policy, and you want to selectively allow traffic in
  • Use whichever subsequent sections are applicable to what you are trying to achieve. Most sections are not predicated on any other, so you can use the examples below independently
  • Use the Contents menu on the right side of this page (at wide page widths) or your browser’s find function to locate the sections you need
  • Copy and paste the command-line examples given, substituting the values in red with your own values

Keep in mind that the order of your rules matters. All of these iptables commands use the -A option to append the new rule to the end of a chain. If you want to put it somewhere else in the chain, you can use the -I option, which allows you to specify the position of the new rule (or simply place it at the beginning of the chain by not specifying a rule number).

Note: When working with firewalls, take care not to lock yourself out of your own server by blocking SSH traffic (port 22, by default). If you lose access due to your firewall settings, you may need to connect to it via the console to fix your access. Once you are connected via the console, you can change your firewall rules to allow SSH access (or allow all traffic). If your saved firewall rules allow SSH access, another method is to reboot your server.

Remember that you can check your current iptables ruleset with sudo iptables -S and sudo iptables -L.

Let’s take a look at the iptables commands!

Saving Rules

Iptables rules are ephemeral, which means they need to be manually saved for them to persist after a reboot.

Ubuntu

On Ubuntu, the easiest way to save iptables rules, so they will survive a reboot, is to use the iptables-persistent package. Install it with apt-get like this:

  • sudo apt-get install iptables-persistent

During the installation, you will be asked if you want to save your current firewall rules.

If you update your firewall rules and want to save the changes, run this command:

  • sudo invoke-rc.d iptables-persistent save

CentOS 6 and Older

On CentOS 6 and older—CentOS 7 uses FirewallD by default—you can use the iptables init script to save your iptables rules:

  • sudo service iptables save

This will save your current iptables rules to the /etc/sysconfig/iptables file.

Listing and Deleting Rules

If you want to learn how to list and delete iptables rules, check out this tutorial: How To List and Delete Iptables Firewall Rules.

Generally Useful Rules

This section includes a variety of iptables commands that will create rules that are generally useful on most servers.

Allow Loopback Connections

The loopback interface, also referred to as lo, is what a computer uses for network connections to itself. For example, if you run ping localhost or ping 127.0.0.1, your server will ping itself using the loopback. The loopback interface is also used if you configure your application server to connect to a database server with a “localhost” address. As such, you will want to be sure that your firewall is allowing these connections.
Continue reading Iptables Essentials: Common Firewall Rules and Commands

List and Delete Iptables Firewall Rules

Introduction

Iptables is a firewall that plays an essential role in network security for most Linux systems. While many iptables tutorials will teach you how to create firewall rules to secure your server, this one will focus on a different aspect of firewall management: listing and deleting rules.

In this tutorial, we will cover how to do the following iptables tasks:

  • List rules
  • Clear Packet and Byte Counters
  • Delete rules
  • Flush chains (delete all rules in a chain)
  • Flush all chains and tables, delete all chains, and accept all traffic

Note: When working with firewalls, take care not to lock yourself out of your own server by blocking SSH traffic (port 22, by default). If you lose access due to your firewall settings, you may need to connect to it via the console to fix your access. Once you are connected via the console, you can change your firewall rules to allow SSH access (or allow all traffic). If your saved firewall rules allow SSH access, another method is to reboot your server.

Prerequisites

Before you start using this tutorial, you should have a separate, non-root superuser account—a user with sudo privileges—set up on your server. If you need to set this up, follow the appropriate guide:

Let’s look at how to list rules first. There are two different ways to view your active iptables rules: in a table or as a list of rule specifications. Both methods provide roughly the same information in different formats.

List Rules by Specification

To list out all of the active iptables rules by specification, run the iptables command with the -S option:

  • sudo iptables -S

Example: Rule Specification Listing
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ICMP
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT

As you can see, the output looks just like the commands that were used to create the rules, without the preceding iptables command. This will also look similar to the iptables rules configuration files, if you’ve ever used iptables-persistent or iptables save.
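Added example, not code from the tutorial: a small Python parser for the -S listing format described above. It reads the rule specifications into per-chain lists, then walks INPUT for a new inbound TCP connection, following the jump into the user-defined TCP chain, so you can check whether SSH would still be accepted before applying a ruleset (the lock-out case in the note above). The sample rulesets are constructed from the listing above; parse_rules, tcp_fate and ssh_reachable are names chosen here, and the walk deliberately ignores interface- and source-specific rules.

```python
"""Parse `iptables -S` output and decide the fate of a new inbound TCP connection."""

# Constructed input: a shortened copy of the rule-specification listing above.
SAMPLE_RULES = """\
-P INPUT DROP
-N TCP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Constructed input: default-DROP policy with no SSH rule (the lock-out case).
LOCKOUT_RULES = "-P INPUT DROP\n-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n"

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
FLAGS = {"-p": "proto", "--dport": "dport", "-i": "iface", "-s": "src",
         "--ctstate": "ctstate", "-j": "target"}

def _rule_fields(spec):
    """Pick out the match options this audit understands from one rule spec."""
    rule = dict.fromkeys(FLAGS.values())
    for i, tok in enumerate(spec[:-1]):
        if tok in FLAGS:
            rule[FLAGS[tok]] = spec[i + 1]
    return rule

def parse_rules(text):
    """Return (policies, chains): the default policy of each built-in chain and
    an ordered list of parsed rules per chain, in the order iptables -S prints."""
    policies, chains = {}, {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2:
            continue
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
            chains.setdefault(tok[1], [])
        elif tok[0] == "-N":
            chains.setdefault(tok[1], [])
        elif tok[0] == "-A":
            chains.setdefault(tok[1], []).append(_rule_fields(tok[2:]))
    return policies, chains

def tcp_fate(policies, chains, port, chain="INPUT"):
    """Walk `chain` in order for a NEW TCP SYN to `port` arriving on an external
    interface, following jumps into user chains. Returns the first terminal
    verdict, or the built-in chain's policy when no rule matches."""
    for r in chains.get(chain, []):
        if r["proto"] not in (None, "tcp") or r["dport"] not in (None, str(port)):
            continue
        if r["iface"] or r["src"]:  # interface- or source-specific: not our packet
            continue
        if r["ctstate"] and "NEW" not in r["ctstate"].split(","):
            continue
        if r["target"] in TERMINAL:
            return r["target"]
        if r["target"] in chains:  # user chain: fall through if it gives no verdict
            verdict = tcp_fate(policies, chains, port, r["target"])
            if verdict is not None:
                return verdict
    return policies.get(chain)  # None for a user chain means implicit RETURN

def ssh_reachable(text, port=22):
    """True if the ruleset would accept a new SSH connection from outside."""
    policies, chains = parse_rules(text)
    return tcp_fate(policies, chains, port) == "ACCEPT"

if __name__ == "__main__":
    for name, rules in (("sample", SAMPLE_RULES), ("lockout", LOCKOUT_RULES)):
        print(f"{name}: ssh reachable = {ssh_reachable(rules)}")
```

On a live server, feed it the real listing with `sudo iptables -S` piped into a file and pass the file's text to ssh_reachable before you save rules with iptables-persistent.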

List Specific Chain

If you want to limit the output to a specific chain (INPUT, OUTPUT, TCP, etc.), you can specify the chain name directly after the -S option. For example, to show all of the rule specifications in the TCP chain, you would run this command:

  • sudo iptables -S TCP

Example: TCP Chain Rule Specification Listing
-N TCP
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT

Let’s take a look at the alternative way to view the active iptables rules, as a table of rules.

List Rules as Tables

Listing the iptables rules in the table view can be useful for comparing different rules against each other,

Continue reading List and Delete Iptables Firewall Rules

What is a Firewall and How Does It Work?

Introduction

A firewall is a system that provides network security by filtering incoming and outgoing network traffic based on a set of user-defined rules. In general, the purpose of a firewall is to reduce or eliminate the occurrence of unwanted network communications while allowing all legitimate communication to flow freely. In most server infrastructures, firewalls provide an essential layer of security that, combined with other measures, prevent attackers from accessing your servers in malicious ways.

This guide will discuss how firewalls work, with a focus on stateful software firewalls, such as iptables and FirewallD, as they relate to cloud servers. We’ll start with a brief explanation of TCP packets and the different types of firewalls. Then we’ll discuss a variety of topics that are relevant to stateful firewalls. Lastly, we will provide links to other tutorials that will help you set up a firewall on your own server.

TCP Network Packets

Before discussing the different types of firewalls, let’s take a quick look at what Transmission Control Protocol (TCP) network traffic looks like.

TCP network traffic moves around a network in packets, which are containers that consist of a packet header—this contains control information such as source and destination addresses, and packet sequence information—and the data (also known as a payload). While the control information in each packet helps to ensure that its associated data gets delivered properly, the elements it contains also provide firewalls a variety of ways to match packets against firewall rules.

It is important to note that successfully receiving incoming TCP packets requires the receiver to send outgoing acknowledgment packets back to the sender. The combination of the control information in the incoming and outgoing packets can be used to determine the connection state (e.g. new, established, related) between the sender and receiver.

Continue reading What is a Firewall and How Does It Work?

Migrate Iptables Firewall Rules to a New Server

Introduction

When migrating from one server to another, it is often desirable to migrate the iptables firewall rules as part of the process. This tutorial will show you how to easily copy your active iptables rule set from one server to another.

Prerequisites

This tutorial requires two servers. We will refer to the source server, which has the existing iptables rules, as Server A. The destination server, where the rules will be migrated to, will be referred to as Server B.

You will also need to have superuser, or sudo, access to both servers.

View Existing Iptables Rules

Before migrating your iptables rules, let’s see what they are set to. You can do that with this command on Server A:

  • sudo iptables -S

Example output:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 15.15.15.51/32 -j DROP

The example rules above will be used to demonstrate the firewall migration process.

Continue reading Migrate Iptables Firewall Rules to a New Server

Configure BIND as a Private Network DNS Server on Ubuntu 14.04

Introduction

An important part of managing server configuration and infrastructure includes maintaining an easy way to look up network interfaces and IP addresses by name, by setting up a proper Domain Name System (DNS). Using fully qualified domain names (FQDNs), instead of IP addresses, to specify network addresses eases the configuration of services and applications, and increases the maintainability of configuration files. Setting up your own DNS for your private network is a great way to improve the management of your servers.

In this tutorial, we will go over how to set up an internal DNS server, using the BIND name server software (BIND9) on Ubuntu 14.04, that can be used by your Virtual Private Servers (VPS) to resolve private host names and private IP addresses. This provides a central way to manage your internal hostnames and private IP addresses, which is indispensable when your environment expands to more than a few hosts.

The CentOS version of this tutorial can be found here.

Prerequisites

To complete this tutorial, you will need the following:

  • Some servers that are running in the same datacenter and have private networking enabled
  • A new VPS to serve as the Primary DNS server, ns1
  • Optional: A new VPS to serve as a Secondary DNS server, ns2
  • Root access to all of the above (steps 1-4 here)

If you are unfamiliar with DNS concepts, it is recommended that you read at least the first three parts of our Introduction to Managing DNS.

Example Hosts

For example purposes, we will assume the following:

  • We have two existing VPS called “host1” and “host2”
  • Both VPS exist in the nyc3 datacenter
  • Both VPS have private networking enabled (and are on the 10.128.0.0/16 subnet)
  • Both VPS are somehow related to our web application that runs on “example.com”

With these assumptions, we decide that it makes sense to use a naming scheme that uses “nyc3.example.com” to refer to our private subnet or zone. Therefore, host1‘s private Fully-Qualified Domain Name (FQDN) will be “host1.nyc3.example.com”. Refer to the following table for the relevant details:

Host    Role             Private FQDN              Private IP Address
host1   Generic Host 1   host1.nyc3.example.com    10.128.100.101
host2   Generic Host 2   host2.nyc3.example.com    10.128.200.102

Note: Your existing setup will be different, but the example names and IP addresses will be used to demonstrate how to configure a DNS server to provide a functioning internal DNS. You should be able to easily adapt this setup to your own environment by replacing the host names and private IP addresses with your own. It is not necessary to use the region name of the datacenter in your naming scheme, but we use it here to denote that these hosts belong to a particular datacenter’s private network. If you utilize multiple datacenters, you can set up an internal DNS within each respective datacenter.

Our Goal

Continue reading Configure BIND as a Private Network DNS Server on Ubuntu 14.04

Ubuntu Applications

Ubuntu comes with many pre-installed applications, but if you require more, the Ubuntu Software Centre provides an excellent way to browse the additional applications which are available in the software repositories.

You can read more about managing applications in the Official Ubuntu Documentation (see the section on Adding and Removing Software) and the SoftwareManagement page.

Software repositories

To search for applications in the software repositories, either use

To read more about repositories, what they are and what the different repositories in Ubuntu are used for, see the Repositories page.

Continue reading Ubuntu Applications

SwitchingToUbuntu

Introduction

Switching to Ubuntu can be a slow process. The whole process – from the day you start thinking about Ubuntu to the day you get rid of your old operating system – can take two or four years. This guide will discuss some of the issues you will face along the way. Other pages discuss issues faced specifically when migrating from Windows, Mac OS X, or another Linux distribution.

Switching to Ubuntu can be hard work at times, and not everyone makes it. But even if you don’t complete your switch, you’ll learn a lot from the attempt.

Strategies for approaching Ubuntu

The process of switching to Ubuntu pivots around install day – the day you put Ubuntu on your hard drive. The days and weeks following install day can be quite overwhelming, because everything’s new, nothing works how you expect, and all your instincts are telling you “I can do this in 3 clicks if you just give up and go back!” The trick to a successful switch is to push as much work as possible as far as possible away from install day. This section will discuss some popular strategies during the months and years before install day.

The apps-then-OS strategy

Switching to Ubuntu is best done in two stages. First, keep your old operating system and switch to applications that have Ubuntu equivalents. Then, switch your operating system and keep your new applications.

Most major Ubuntu programs are available for other operating systems, and learning them ahead of time will let you settle in much quicker after you switch. The official list of Ubuntu programs is available at packages.ubuntu.com, but it’s usually easier to search on the Internet.

The purchasing strategy

Ubuntu supports the vast majority of hardware available today, but Linux drivers still aren’t available for some uncommon hardware. When you buy new hardware, you should look online and in Ubuntu’s official list of supported hardware. Although Linux support might be added by the time you switch, it’s best not to rely on it.

The Ubuntu away-day strategy

It’s possible to run Ubuntu directly from a “live” CD, without installing it on your computer at all. It’s very useful to make yourself use this for a whole day before installing Ubuntu.

During your Ubuntu away-day, you should try customising your desktop, installing programs, surfing the web, and using all the hardware you have (like printers and scanners). Your live environment gets reset when you reset the computer, so this is a safe way to get you past the most immediate issues you’ll have when you switch.

Continue reading SwitchingToUbuntu

UbuntuReinstallation

Sometimes reinstalling is the quickest way to solve a problem, for example if an upgrade failed or if your graphics driver is broken. When reinstalling, you most likely want to preserve two things:

  1. /home folder with your files and settings

  2. Entries in boot menu (if you have multiple OS installed)

How To Reinstall Ubuntu

Since Hardy it is possible to reinstall Ubuntu without losing the content of the /home folder (the folder that contains program settings, internet bookmarks, emails and all your documents, music, videos and other user files). This can be done even if /home is not on a separate partition (which is the case by default if you did not manually separate it when installing Ubuntu originally). This tutorial can also be used to upgrade Ubuntu (eg 11.04 -> 12.04 from a 12.04 live-CD).

Before doing anything

This operation should not damage your documents but, for safety, back up your documents and settings (including /home hidden files) on an external disk or DVDs (eg via CloneZilla). Note: Some special application settings may be in system folders, eg LAMP, see below in the thread.

Run the Ubuntu installer

  1. Run the UbuntuInstaller

  2. Follow the prompts until the “Installation type” (or “Allocate disk space”) menu

  3. Choose the right option as described below:

Choose the right option

There are two possibilities – choose the one that fits what the installer is showing:

If an “Upgrade 1X.XX to 1Y.YY” option is available (like in the screenshot below), choose it.
https://i.stack.imgur.com/Su5Ay.png

Or, if the above option is not available, choose manual partitioning (the “Something else” option), then select the Ubuntu system partition and set its mount point as “/”. Be sure to keep the same format type and the same size, and untick the “Format” checkbox, or all data on “/” will be deleted! Also set other partitions (/boot, /home… see DiskSpace) if needed.

Then finish the installation process. (this may take several hours, like a normal install)

After reinstalling

After reinstalling, user accounts must be re-created with the same login and password.

Source: https://help.ubuntu.com/community/UbuntuReinstallation

Krita 2.9.8

The eighth bug-fix release of Krita 2.9! We’re still fixing bugs and adding improvements, but a lot of work has gone into the kickstarter goals and the Krita 3.0 porting work, too. Ubuntu Linux users can use the “krita-lod-unstable” packages from the Krita Lime repository to test-drive the first version of the animation support and the “LOD” performance improvements. Check the LOD option in the View menu, and many brushes and other features will perform much better on large images!

But for day to day work, please update to Krita 2.9.8! There are some important fixes to the Photoshop-style Layer Styles feature, to the OpenEXR, TIFF, PNG and JPEG import/export filters.

  • Improve performance when adding new layers. (A blank new layer doesn’t need to make Krita update
    the entire image)
  • Fix the pass-through icons so there’s dark and light variants and make some other icons smaller
  • BUG:353261: Make rotation terminology consistent in the rotate image and rotate layer plugin
  • BUG:353248: Prevent a crash when using some types of graphics tablets
  • BUG:352916: Fix a crash in the cage transform worker
  • Improve rendering speed when some layers are invisible
  • Fix a crash when using shape/vector layers
  • BUG:352734: Fix saving single-layer EXR files
  • BUG:352983: Load the layers in a multi-layer EXR file in the right order
  • BUG:352734: Support loading and saving EXR files that have both layers and top-level channels
  • BUG:310359: Fix loading and saving of L*a*b TIFF images
  • Add a Save Profile checkbox to the TIFF and JPG export filters: you can now save TIFF, JPG and PNG images without an embedded profile.
  • BUG:352845: Store the smoothing options only once
  • Fix Photoshop-style layer styles that use the random noise
  • Improve the performance of Photoshop-style Layer styles.

Download

Source: https://krita.org/item/krita-2-9-8/