UBUNTU: UFW Installation and Configuration

  • Install:
    sudo apt-get install gufw
  • Add the rules that allow ports 44 (ssh), 80 and 443 (web):
    ufw allow 44/tcp
    ufw allow 44/udp
    ufw allow 80/tcp
    ufw allow 80/udp
    ufw allow 443/tcp
    ufw allow 443/udp
  • Turn logging on/off:
    sudo ufw logging on
    sudo ufw logging off
  • Set the default policy to deny everything:
    ufw default deny
  • Enable/disable UFW:
    ufw enable
    ufw disable
  • Apply all the rules you need.
  • Disable IPv6: open
    nano /etc/default/ufw
    and change
    IPV6=yes
    to
    IPV6=no
  • Reload:
    service ufw stop
    service ufw start
    service ufw status
  • Now we can check the rules:
    ufw status
    ufw status numbered
    ufw status verbose
  • RESULT:
    Estado: activo

     Hasta Acción Desde
     ----- ------ -----
    [ 1] 44/tcp ALLOW IN Anywhere
    [ 2] 44/udp ALLOW IN Anywhere
    [ 3] 80/tcp ALLOW IN Anywhere
    [ 4] 80/udp ALLOW IN Anywhere
    [ 5] 443/tcp ALLOW IN Anywhere
    [ 6] 443/udp ALLOW IN Anywhere
    [ 7] 44/tcp (v6) ALLOW IN Anywhere (v6)
    [ 8] 44/udp (v6) ALLOW IN Anywhere (v6)
    [ 9] 80/tcp (v6) ALLOW IN Anywhere (v6)
    [10] 80/udp (v6) ALLOW IN Anywhere (v6)
    [11] 443/tcp (v6) ALLOW IN Anywhere (v6)
    [12] 443/udp (v6) ALLOW IN Anywhere (v6)
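
A complete, repeatable version of the setup steps above, as an added shell example (it is not part of the original notes). It keeps the notes' custom SSH port 44 as an assumption (override it with SSH_PORT), opens only TCP because sshd, HTTP/1.1 and HTTPS never use the UDP rules the notes add (HTTP/3 over QUIC would be the one reason to add 443/udp), uses `ufw limit` for SSH so repeated connection attempts from one source are rate-limited, and sets the outgoing default explicitly. With UFW_DRY_RUN=1 it prints the commands instead of running them, so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not from the original notes: apply the notes' UFW policy
# in one idempotent step. SSH_PORT defaults to the notes' custom port 44
# (an assumption; override it). Set UFW_DRY_RUN=1 to print the commands
# instead of running them.
SSH_PORT="${SSH_PORT:-44}"

# Run ufw with sudo, or just echo the command line in dry-run mode.
ufw_cmd() {
    if [ -n "${UFW_DRY_RUN:-}" ]; then
        echo "ufw $*"
    else
        sudo ufw "$@"
    fi
}

# The policy, one ufw argument list per line. `limit` both allows the SSH
# port and rate-limits new connections from one source, so no separate
# `allow` is needed (an earlier `allow` would match first and bypass it).
# Only TCP is opened: sshd, HTTP/1.1 and HTTPS do not use UDP (add
# "allow 443/udp" only if you serve HTTP/3).
policy_rules() {
    cat <<EOF
default deny incoming
default allow outgoing
limit ${SSH_PORT}/tcp
allow 80/tcp
allow 443/tcp
logging on
EOF
}

# Apply every rule, then enable without the interactive prompt. ufw skips
# rules that already exist, so re-running the script is safe.
apply_policy() {
    policy_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into words is intended
        ufw_cmd $rule
    done
    ufw_cmd --force enable
}

# Usage: ./ufw-policy.sh apply   (or: UFW_DRY_RUN=1 ./ufw-policy.sh apply)
if [ "${1:-}" = "apply" ]; then
    apply_policy
fi
```

Run it once in dry-run mode, compare the printed commands with `ufw status numbered` on the host, and only then run it for real; because `ufw limit` replaces the plain `allow` for the SSH port, delete any existing `allow 44/tcp` rule first or the limit rule will never be reached.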

COMMAND SUMMARY:

  • Enable/disable:
    ufw enable
    ufw disable
  • Show status:
    ufw status
    ufw status numbered
    ufw status verbose
  • Unblock an IP (delete its rule by number):
    ufw status numbered
    ufw delete NUM
    ufw delete 4
  • Remove the configuration and all rules:
    ufw reset

CREATING RULES

  • Allow ports:
    ufw allow {port}/{protocol}
    ufw allow 22/tcp
  • Allow a service:
    ufw allow {service}
    ufw allow ssh
  • Deny a service (outbound):
    ufw deny out from any to any port {service}
    ufw deny out from any to any port ssh
  • Allow an IP:
    ufw allow from {ip}
    ufw allow from 192.168.1.5
  • Allow a subnet:
    ufw allow from {subnet}
    ufw allow from 192.168.1.0/24
  • Allow an IP with port and protocol:
    ufw allow proto {protocol} from {ip} to any port {port}
    ufw allow proto tcp from 192.168.0.4 to any port 22
  • Block an IP:
    ufw deny from {ip} to any
    ufw deny from 192.168.1.5 to any
  • Block an IP outbound only (OUT):
    ufw deny out from any to {ip}
    ufw deny out from any to 207.46.232.182
  • Block an IP on a port:
    ufw deny from {ip} to any port {port}
    ufw deny from 202.54.1.5 to any port 80
  • Block an IP on a port with protocol:
    ufw deny proto {tcp|udp} from {ip} to any port {port}
    ufw deny proto tcp from 202.54.1.1 to any port 22
  • Block a network:
    ufw deny proto tcp from {subnet} to any port 22
    ufw deny proto tcp from 202.54.1.0/24 to any port 22
  • Disable PING:
    nano /etc/ufw/before.rules
    ************************
    Find:
    ************************
    # ok icmp codes
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
    ************************
    REPLACE: ACCEPT WITH DROP
    ************************
    # ok icmp codes
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
    -A ufw-before-input -p icmp --icmp-type source-quench -j DROP
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
    -A ufw-before-input -p icmp --icmp-type echo-request -j DROP
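
A narrower version of the before.rules edit above, as an added shell example (not from the original notes). It switches only the echo-request line to DROP, because the other four ICMP types the notes also switch carry error reports the host depends on (destination-unreachable is what path MTU discovery uses; time-exceeded is what traceroute and TTL handling need), so dropping them produces silent connectivity failures rather than extra protection. The edit is made on a temporary copy and installed only if the file keeps its line count and exactly one echo-request DROP line; the sample rules file is constructed inline from the block quoted above.

```shell
#!/bin/sh
# Added example, not from the original notes: stop answering ping by editing
# only the echo-request line of a ufw before.rules file, leaving the other
# ICMP types (needed for PMTU discovery and error reporting) accepted.

# Rewrite "echo-request ... ACCEPT" to DROP in the given file (default:
# /etc/ufw/before.rules). Edits a temp copy and installs it only after
# a sanity check, so a bad sed expression can never truncate the file.
drop_echo_request() {
    rules="${1:-/etc/ufw/before.rules}"
    tmp=$(mktemp) || return 1
    sed -e 's/^\(-A ufw-before-input -p icmp --icmp-type echo-request -j \)ACCEPT$/\1DROP/' \
        "$rules" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Same number of lines, and exactly one echo-request DROP line.
    if [ "$(grep -c '' "$rules")" -ne "$(grep -c '' "$tmp")" ] ||
       [ "$(grep -c -- '--icmp-type echo-request -j DROP' "$tmp")" -ne 1 ]; then
        rm -f "$tmp"
        return 1
    fi
    # cat instead of mv keeps the original file's owner and mode.
    cat "$tmp" > "$rules" && rm -f "$tmp"
}

# How many ICMP types the file still accepts (the notes' replace-all edit
# would leave 0; this edit leaves 4).
accepted_icmp_count() {
    grep -c -- '-p icmp --icmp-type .* -j ACCEPT' "${1:-/etc/ufw/before.rules}"
}

# Constructed sample mirroring the "ok icmp codes" block from the notes;
# prints the path of a temp file holding it.
make_sample_rules() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
EOF
    echo "$f"
}

# Usage: sudo ./no-ping.sh apply [/etc/ufw/before.rules]; then: sudo ufw reload
if [ "${1:-}" = "apply" ]; then
    drop_echo_request "${2:-/etc/ufw/before.rules}"
fi
```

The change only takes effect after the rules are reloaded (`sudo ufw reload`, or the stop/start pair from the notes), and the same echo-request line exists in /etc/ufw/before6.rules for IPv6 if IPv6 is left enabled.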

ADDITIONAL COMMANDS

  • See the list of known services and their ports:
    less /etc/services
  • See established connections:
    netstat -tua
    netstat -tuan
    netstat -plut
    netstat -putona
    netstat -lnp
  • Check whether a port is open:
    nmap -p 44 localhost
  • See the open ports:
    nmap -sT -O localhost
  • RESULT:
    Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-15 14:18 CST
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.00015s latency).
    Not shown: 993 closed ports
    PORT STATE SERVICE
    25/tcp open smtp
    80/tcp open http
    139/tcp open netbios-ssn
    443/tcp open https
    445/tcp open microsoft-ds
    631/tcp open ipp
    3306/tcp open mysql
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.8 - 4.9
    Network Distance: 0 hops

    OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 2.39 seconds
  • If we want to know which program is responsible:
    fuser -v 25/tcp
    fuser -v 631/tcp
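
The nmap, netstat and fuser checks above answer "what is listening?"; the follow-up a defender wants is "which of those listeners has no firewall rule covering it?" (in the scan result above, smtp, netbios-ssn, microsoft-ds, ipp and mysql are all open while the notes only allow 44, 80 and 443). The following added shell example (not from the original notes) parses `ss -tulnH` output (`ss` is the replacement for the deprecated netstat on current Ubuntu) and compares the listening ports with the allowed list, ignoring loopback-only sockets because ufw allows traffic on lo. The sample ss output is constructed inline, and the allowed list 44/tcp 80/tcp 443/tcp mirrors the notes' rules.

```shell
#!/bin/sh
# Added example, not from the original notes: list listening TCP/UDP ports
# and flag those that no ufw allow rule covers. Reads `ss -tulnH` output
# (or any text in that format) on stdin so the parsing can be checked offline.

# Print "proto/port" for every listening socket that is not bound to
# loopback, de-duplicated and sorted. Input lines have the ss -tulnH layout:
# Netid State Recv-Q Send-Q Local:Port Peer:Port
listening_ports() {
    awk '$5 !~ /^(127\.|\[::1\])/ { addr = $5; sub(/.*:/, "", addr); print $1 "/" addr }' |
        sort -u
}

# Arguments: allowed entries as "port/proto" words (the form ufw uses).
# Stdin: listeners as "proto/port". Prints listeners with no allow rule.
unfirewalled() {
    allowed=" $* "
    while IFS= read -r entry; do
        proto=${entry%%/*}
        port=${entry#*/}
        case "$allowed" in
            *" $port/$proto "*) ;;          # covered by an allow rule
            *) echo "$entry" ;;
        esac
    done
}

# Constructed sample in ss -tulnH format: a web server on 80 (v4 and v6),
# sshd on the notes' port 44, MySQL exposed on all interfaces, CUPS on
# loopback only, and a DHCP client on udp/68.
sample_ss_output() {
    cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:44        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      511             [::]:80           [::]:*
tcp   LISTEN 0      80           0.0.0.0:3306      0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:631       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
EOF
}

# Usage on a real host: ./listen-check.sh live 44/tcp 80/tcp 443/tcp
if [ "${1:-}" = "live" ]; then
    shift
    ss -tulnH | listening_ports | unfirewalled "$@"
fi
```

A flagged entry is not necessarily reachable: with `default deny incoming` it is blocked, but it is still a service exposed on a non-loopback address that should either be bound to 127.0.0.1, stopped, or given a deliberate rule (`fuser -v 3306/tcp` from the notes shows which process owns it).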