<h1>Ubuntu UFW configuration</h1>
<p>Ubuntu 18.04 LTS ships with UFW (Uncomplicated Firewall, a front end to iptables) already installed. If it is missing from your system, install it from a terminal with:</p>
<div class="cnblogs_Highlighter sh-gutter">
<div>
<div id="highlighter_602704" class="syntaxhighlighterjava">
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td class="gutter">
<div class="line number1 index0 alt2">1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2"><code class="java plain">sudo apt install ufw</code></div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<p><strong>Check UFW status</strong></p>
<div class="cnblogs_Highlighter sh-gutter">
<div>
<div id="highlighter_755749" class="syntaxhighlighterjava">
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td class="gutter">
<div class="line number1 index0 alt2">1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2"><code class="java plain">sudo ufw status verbose</code></div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<p>Whether UFW came with Ubuntu 18.04 or you have just installed it, it stays disabled until you enable it, so the output here is <span class="red-code">Status: inactive</span>. Nothing is filtered until you run <span class="red-code">sudo ufw enable</span>; before doing that, make sure the rules you need, above all the one for SSH, are already in place.</p>
<p><strong>UFW default policies</strong></p>
<p>The default policies are the base on which your own rules are built, and in the great majority of cases the initial UFW defaults are a good starting point.</p>
<p>By default UFW denies all incoming connections and allows all outgoing ones: unless you explicitly open a port, nobody can connect to the server, while applications and services running on it can still reach out. Bear in mind that "all incoming" includes SSH, so allow your SSH port before enabling the firewall; ufw warns about this when you enable it ("Command may disrupt existing ssh connections"), but it will still cut off your session if you confirm without such a rule.</p>
<p>The default policies are stored in <span class="red-code">/etc/default/ufw</span> (the keys DEFAULT_INPUT_POLICY, DEFAULT_OUTPUT_POLICY and DEFAULT_FORWARD_POLICY) and can be changed with the <span class="red-code">sudo ufw default</span> subcommand, which takes an action (allow, deny or reject) and a direction (incoming, outgoing or routed).</p>
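<p>The order of the first steps matters more than the commands themselves. The script below is an added example, not code from the original post: it prints (and, with <span class="red-code">--apply</span>, runs) the default-policy, SSH allow and enable commands in a safe order, reading the SSH port from the SSH_CONNECTION variable that sshd sets in every SSH session rather than assuming port 22. The rule-syntax check, the plan/apply split and the function names are this example's own conventions.</p>

```shell
#!/bin/sh
# Added example, not from the original post: build (and optionally run) the
# ordered ufw commands for a fresh server, allowing the SSH port *before*
# enabling the firewall so the enable step cannot cut off your own session.
# Assumption: the SSH port is read from $SSH_CONNECTION, which sshd sets to
# "client_ip client_port server_ip server_port"; without it, port 22 is used.

# Port this SSH session arrived on (4th field of SSH_CONNECTION), else 22.
ssh_port() {
    if [ -n "${SSH_CONNECTION:-}" ]; then
        printf '%s\n' "$SSH_CONNECTION" | awk '{ print $4 }'
    else
        echo 22
    fi
}

# Accept "80/tcp", "7100:7200/udp" or a service name such as "http"; reject
# anything else so a typo is caught before it reaches ufw.
valid_rule() {
    printf '%s' "$1" | grep -Eq '^([0-9]+(:[0-9]+)?/(tcp|udp)|[a-z][a-z0-9-]*)$'
}

# Print the commands in the order they must run. Extra arguments are further
# allow rules, e.g.  ufw_plan http 443/tcp
ufw_plan() {
    port=$(ssh_port)
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # SSH first: once "ufw enable" runs, anything not yet allowed is dropped,
    # including the connection you are typing in.
    echo "ufw allow ${port}/tcp"
    for r in "$@"; do
        valid_rule "$r" || { echo "rejected rule: $r" >&2; return 1; }
        echo "ufw allow $r"
    done
    echo "ufw --force enable"      # --force skips the interactive confirmation
    echo "ufw status verbose"
}

# Run the plan for real (needs sudo); each command is echoed before it runs.
ufw_apply() {
    ufw_plan "$@" >/dev/null || return 1   # validate everything before touching ufw
    ufw_plan "$@" | while IFS= read -r cmd; do
        echo "+ sudo $cmd"
        sudo $cmd || exit 1                # $cmd unquoted on purpose: word splitting
    done
}

case "${1:-}" in
    --apply) shift; ufw_apply "$@" ;;
    *)       ufw_plan "$@" ;;              # default: only show the plan
esac
```

Run it once without <span class="red-code">--apply</span> to review the plan, then again with the flag; a rejected rule aborts before any command runs.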
<h3>Open port 80 (HTTP)</h3>
<div class="cnblogs_Highlighter sh-gutter">
<div>
<div id="highlighter_172660" class="syntaxhighlighterjava">
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td class="gutter">
<div class="line number1 index0 alt2">1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2"><code class="java plain">sudo ufw allow http</code></div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<p>You can also give the port number 80 directly. The service-name form is looked up in /etc/services; with a bare number, omitting the <span class="red-code">/tcp</span> suffix opens the port for both TCP and UDP, so be explicit when only TCP is needed:</p>
<div class="cnblogs_Highlighter sh-gutter">
<div>
<div id="highlighter_264644" class="syntaxhighlighterjava">
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td class="gutter">
<div class="line number1 index0 alt2">1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2"><code class="java plain">sudo ufw allow </code><code class="java value">80</code><code class="java plain">/tcp</code></div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<h3>Open port 443 (HTTPS)</h3>
<div class="cnblogs_Highlighter sh-gutter">
<div>
<div id="highlighter_110045" class="syntaxhighlighterjava">
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td class="gutter">
<div class="line number1 index0 alt2">1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2"><code class="java plain">sudo ufw allow https</code></div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<p>Or by port number 443:</p>
<div class="cnblogs_Highlighter sh-gutter">
<div>
<div id="highlighter_196575" class="syntaxhighlighterjava">
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td class="gutter">
<div class="line number1 index0 alt2">1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2"><code class="java plain">sudo ufw allow </code><code class="java value">443</code><code class="java plain">/tcp</code></div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<h2>Allow a port range</h2>
<p>When you specify a port range, UFW requires the protocol (tcp or udp) to be named explicitly. For example, to open TCP and UDP ports 7100 through 7200 on the server:</p>
<div class="cnblogs_Highlighter sh-gutter">
<div>
<div id="highlighter_422844" class="syntaxhighlighterjava">
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td class="gutter">
<div class="line number1 index0 alt2">1</div>
<div class="line number2 index1 alt1">2</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2"><code class="java plain">sudo ufw allow </code><code class="java value">7100</code><code class="java plain">:</code><code class="java value">7200</code><code class="java plain">/tcp</code></div>
<div class="line number2 index1 alt1"><code class="java plain">sudo ufw allow </code><code class="java value">7100</code><code class="java plain">:</code><code class="java value">7200</code><code class="java plain">/udp</code></div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<h2>Allow a specific IP address</h2>
<p>A rule with only a source address lets that host reach every port on the server; add <span class="red-code">to any port N</span> to limit it to one port, as the subnet example that follows does:</p>
<div class="cnblogs_Highlighter sh-gutter">
<div>
<div id="highlighter_678211" class="syntaxhighlighterjava">
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td class="gutter">
<div class="line number1 index0 alt2">1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2"><code class="java plain">sudo ufw allow from </code><code class="java value">123.123</code><code class="java plain">.</code><code class="java value">123.123</code></div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<h2>Allow a subnet</h2>
<p>To let a whole subnet reach one port on the server, for example the hosts 192.168.1.1 through 192.168.1.254 (that is, 192.168.1.0/24) to MySQL on port 3306, run the command below. No protocol is given, so it opens 3306 for both TCP and UDP; MySQL only needs TCP, and appending <span class="red-code">proto tcp</span> to the rule narrows it accordingly:</p>
<div class="cnblogs_Highlighter sh-gutter">
<div>
<div id="highlighter_818256" class="syntaxhighlighterjava">
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td class="gutter">
<div class="line number1 index0 alt2">1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2"><code class="java plain">sudo ufw allow from </code><code class="java value">192.168</code><code class="java plain">.</code><code class="java value">1.0</code><code class="java plain">/</code><code class="java value">24</code> <code class="java plain">to any port </code><code class="java value">3306</code></div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<h2>Deny connections</h2>
<p>As noted above, the default policy for incoming traffic is already deny. Suppose you have opened ports 80 and 443 and the server is being attacked from 23.34.45.0/24; you can refuse every connection from that network with:</p>
<div class="cnblogs_Highlighter sh-gutter">
<div>
<div id="highlighter_292678" class="syntaxhighlighterjava">
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td class="gutter">
<div class="line number1 index0 alt2">1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2"><code class="java plain">sudo ufw deny from </code><code class="java value">23.34</code><code class="java plain">.</code><code class="java value">45.0</code><code class="java plain">/</code><code class="java value">24</code></div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<p>To refuse that network only on ports 80 and 443:</p>
<div class="cnblogs_Highlighter sh-gutter">
<div>
<div id="highlighter_650499" class="syntaxhighlighterjava">
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td class="gutter">
<div class="line number1 index0 alt2">1</div>
<div class="line number2 index1 alt1">2</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2"><code class="java plain">sudo ufw deny from </code><code class="java value">23.34</code><code class="java plain">.</code><code class="java value">45.0</code><code class="java plain">/</code><code class="java value">24</code> <code class="java plain">to any port </code><code class="java value">80</code></div>
<div class="line number2 index1 alt1"><code class="java plain">sudo ufw deny from </code><code class="java value">23.34</code><code class="java plain">.</code><code class="java value">45.0</code><code class="java plain">/</code><code class="java value">24</code> <code class="java plain">to any port </code><code class="java value">443</code></div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<p>Writing a deny rule is the same as writing an allow rule with <span class="red-code">allow</span> replaced by <span class="red-code">deny</span>. One caveat: UFW evaluates rules in the order shown by <span class="red-code">ufw status numbered</span> and stops at the first match, so a deny rule appended after the existing allows for 80 and 443 is never reached by traffic to those ports from that network. Place blocking rules above the allows with the <span class="red-code">ufw insert</span> subcommand (position 1) instead of appending them.</p>
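<p>To make the first-match behaviour concrete, here is an added example (not from the original post) that models ufw's rule walk in plain shell: rules are written in a three-field shorthand of this example's own, "action source port", and a packet is checked against them top to bottom, falling through to the deny-incoming default when nothing matches. It shows that the deny rule from this section, appended after the allows for 80 and 443, leaves port 80 open to that subnet, while the same rule inserted at position 1 closes it. The CIDR arithmetic and function names are this example's own, not ufw's.</p>

```shell
#!/bin/sh
# Added example, not from the original post: a small model of ufw's rule
# evaluation (top to bottom, first match wins, otherwise the default policy)
# showing why a deny rule appended after "allow 80/tcp" does not block port 80
# from the denied subnet, while the same rule inserted at position 1 does.
# The three-field rule format below ("action source port") is this example's
# own shorthand, not ufw syntax.

# Dotted quad -> 32-bit integer (subshell body so IFS stays local)
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# Is address $1 inside $2, where $2 is "a.b.c.d/n", a bare address, or "any"?
in_cidr() {
    [ "$2" = any ] && return 0
    case "$2" in
        */*) net=${2%/*}; prefix=${2#*/} ;;
        *)   net=$2;      prefix=32 ;;
    esac
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# decide RULES SRC_IP DST_PORT -> "allow" or "deny"
decide() {
    hit=$(printf '%s\n' "$1" | while read -r action src port; do
        [ -z "$action" ] && continue
        if in_cidr "$2" "$src" && { [ "$port" = any ] || [ "$port" = "$3" ]; }; then
            echo "$action"; break        # first matching rule decides
        fi
    done)
    echo "${hit:-deny}"                  # nothing matched: default "deny incoming"
}

# Rule order the post's sequence produces: 80 and 443 were allowed first, the
# subnet deny appended later with "sudo ufw deny from 23.34.45.0/24".
APPENDED='allow any 80
allow any 443
deny 23.34.45.0/24 any'

# The same rules after "sudo ufw insert 1 deny from 23.34.45.0/24".
INSERTED='deny 23.34.45.0/24 any
allow any 80
allow any 443'

for src in 23.34.45.7 198.51.100.4; do
    echo "appended: $src -> 80: $(decide "$APPENDED" "$src" 80)"
    echo "inserted: $src -> 80: $(decide "$INSERTED" "$src" 80)"
done
# appended: 23.34.45.7 -> 80: allow    (deny shadowed by the earlier allow)
# inserted: 23.34.45.7 -> 80: deny
# appended: 198.51.100.4 -> 80: allow
# inserted: 198.51.100.4 -> 80: allow
```

On a real host, check the order with <span class="red-code">sudo ufw status numbered</span> and move the deny to the top with <span class="red-code">sudo ufw insert 1 deny from 23.34.45.0/24</span>; the appended rule still blocks the subnet on ports that have no allow rule, which is why the shadowing is easy to miss.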
<h2>Delete UFW rules</h2>
<p>For newcomers the simplest way to delete a specific rule is by its number; first list the rules with their numbers:</p>
<div class="cnblogs_Highlighter sh-gutter">
<div>
<div id="highlighter_894392" class="syntaxhighlighterjava">
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td class="gutter">
<div class="line number1 index0 alt2">1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2"><code class="java plain">sudo ufw status numbered</code></div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<p>For example, to delete rule 4, in this listing the one opening port 8080, run the command below. UFW asks for confirmation before removing it and renumbers the remaining rules afterwards, so list them again before deleting another rule by number:</p>
<div class="cnblogs_Highlighter sh-gutter">
<div>
<div id="highlighter_207817" class="syntaxhighlighterjava">
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td class="gutter">
<div class="line number1 index0 alt2">1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2"><code class="java plain">sudo ufw delete </code><code class="java value">4</code></div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<p>Alternatively, delete a rule by repeating its specification after <span class="red-code">delete</span>; for example, to remove the rule that opened port 8069 (both the IPv4 and the IPv6 entry it created):</p>
<div class="cnblogs_Highlighter sh-gutter">
<div>
<div id="highlighter_851357" class="syntaxhighlighterjava">
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td class="gutter">
<div class="line number1 index0 alt2">1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2"><code class="java plain">sudo ufw delete allow </code><code class="java value">8069</code></div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
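<p>Deleting by number has a trap: after each deletion ufw renumbers what remains, so a list of numbers taken from one status listing is only valid for the first delete. The added example below (not from the original post) parses a constructed sample listing in the format of <span class="red-code">ufw status numbered</span>, finds every rule that opens a given port, and emits the delete commands highest number first so the numbers stay valid; the sample listing and the helper names are this example's own.</p>

```shell
#!/bin/sh
# Added example, not from the original post: find every rule number that
# opens a given port in "ufw status numbered" output and emit the delete
# commands highest-number-first, because ufw renumbers the remaining rules
# after each deletion. The status text below is constructed sample output in
# ufw's format, not captured from a real host.
SAMPLE_STATUS=$(cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080                       ALLOW IN    Anywhere
[ 4] 443/tcp                    ALLOW IN    Anywhere
[ 5] 8080/tcp                   ALLOW IN    203.0.113.0/24
[ 6] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 8] 8080 (v6)                  ALLOW IN    Anywhere (v6)
EOF
)

# rule_numbers_for_port STATUS_TEXT PORT -> numbers of the rules whose "To"
# column is PORT, PORT/tcp or PORT/udp (IPv4 and IPv6 entries alike).
rule_numbers_for_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
            to  = $0; sub(/^\[ *[0-9]+\] */, "", to); sub(/ .*/, "", to)
            if (to == port || to == port "/tcp" || to == port "/udp") print num
        }'
}

# delete_commands_for_port STATUS_TEXT PORT -> "ufw --force delete N" lines,
# highest N first so earlier deletions do not shift the numbers still to come.
# --force skips the per-rule confirmation prompt.
delete_commands_for_port() {
    rule_numbers_for_port "$1" "$2" | sort -rn | while read -r n; do
        echo "ufw --force delete $n"
    done
}

# Against the live firewall (needs sudo) the same plan would be:
#   delete_commands_for_port "$(sudo ufw status numbered)" 8080 | while read -r c; do sudo $c; done
delete_commands_for_port "$SAMPLE_STATUS" 8080
# ufw --force delete 8
# ufw --force delete 5
# ufw --force delete 3
```

When a single rule is to go and you know its exact specification, <span class="red-code">sudo ufw delete allow 8080</span> is simpler and removes the IPv4 and IPv6 entries together; the number-based plan is for rules whose specification you would rather read off the listing than retype.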
<h2>Disable UFW</h2>
<p>This unloads the firewall but keeps the rule set, so a later <span class="red-code">sudo ufw enable</span> brings the same rules back:</p>
<div class="cnblogs_Highlighter sh-gutter">
<div>
<div id="highlighter_195109" class="syntaxhighlighterjava">
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td class="gutter">
<div class="line number1 index0 alt2">1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2"><code class="java plain">sudo ufw disable</code></div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<h2>Reset UFW</h2>
<p>This disables the firewall and returns it to installation defaults: every rule is removed (ufw first backs up the existing rule files under /etc/ufw with a timestamp suffix) and the default policies are restored. It prompts for confirmation:</p>
<div class="cnblogs_Highlighter sh-gutter">
<div>
<div id="highlighter_636604" class="syntaxhighlighterjava">
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td class="gutter">
<div class="line number1 index0 alt2">1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2"><code class="java plain">sudo ufw reset</code></div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<p>Source: https://www.cnblogs.com/lsgxeva/p/11588882.html</p>