Debian firewall setup
UFW, or Uncomplicated Firewall, is an interface to iptables that is geared towards simplifying the process of configuring a firewall. While iptables is a solid and flexible tool, it can be difficult for beginners to learn how to use it to properly configure a firewall. If you’re looking to get started securing your network and are not sure which tool to use, UFW may be the right choice for you.
This tutorial will show you how to set up a firewall with UFW on Debian 10.
To follow this tutorial, you will need one Debian 10 server with a sudo non-root user, which you can set up by following Steps 1-3 in the Initial Server Setup with Debian 10 tutorial.
Debian does not install UFW by default. If you followed the entire Initial Server Setup tutorial, you will have installed and enabled UFW. If not, install it now using apt:
sudo apt install ufw
We will set up UFW and enable it in the following steps.
This tutorial is written with IPv4 in mind, but will work for IPv6 as long as you enable it. If your Debian server has IPv6 enabled, you will want to ensure that UFW is configured to support IPv6; this will ensure that UFW will manage firewall rules for IPv6 in addition to IPv4. To configure this, open the UFW configuration file /etc/default/ufw with nano or your favorite editor:
sudo nano /etc/default/ufw
Then make sure the value of IPV6 is yes. It should look like this:
IPV6=yes
Save and close the file. Now when UFW is enabled, it will be configured to write both IPv4 and IPv6 firewall rules. Before enabling UFW, however, you will want to ensure that your firewall is configured to allow you to connect via SSH. Let’s start with setting the default policies.
If you’re just getting started with your firewall, the first rules to define are your default policies. These rules handle traffic that does not explicitly match any other rules. By default, UFW is set to deny all incoming connections and allow all outgoing connections. This means anyone trying to reach your server would not be able to connect, while any application within the server would be able to reach the outside world.
Let’s set your UFW rules back to the defaults so we can be sure that you’ll be able to follow along with this tutorial. To set the defaults used by UFW, use these commands:
sudo ufw default deny incoming
sudo ufw default allow outgoing
These commands set the defaults to deny incoming and allow outgoing connections. These firewall defaults alone might suffice for a personal computer, but servers typically need to respond to incoming requests from outside users. We’ll look into that next.
If we enabled our UFW firewall now, it would deny all incoming connections. This means that we will need to create rules that explicitly allow legitimate incoming connections — SSH or HTTP connections, for example — if we want our server to respond to those types of requests. If you’re using a cloud server, you will probably want to allow incoming SSH connections so you can connect to and manage your server.
To configure your server to allow incoming SSH connections, you can use this command:
sudo ufw allow ssh
This will create firewall rules that will allow all connections on port 22, which is the port that the SSH daemon listens on by default. UFW knows what port allow ssh means because it’s listed as a service in the /etc/services file.
However, we can actually write the equivalent rule by specifying the port instead of the service name. For example, this command produces the same result as the one above:
sudo ufw allow 22
If you configured your SSH daemon to use a different port, you will have to specify the appropriate port. For example, if your SSH server is listening on port 2222, you can use this command to allow connections on that port:
sudo ufw allow 2222
Now that your firewall is configured to allow incoming SSH connections, you can enable it.
To enable UFW, use this command:
sudo ufw enable
You will receive a warning that says the command may disrupt existing SSH connections. We already set up a firewall rule that allows SSH connections, so it should be fine to continue. Respond to the prompt with y and hit ENTER.
The firewall is now active. Run the sudo ufw status verbose command to see the rules that you have set. The rest of this tutorial covers how to use UFW in more detail, including allowing and denying different types of connections.
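As an added example that is not part of the original tutorial, here is a small POSIX sh provisioning script that carries out the steps above in the order that cannot lock a remote session out: default policies first, then the SSH allow rule, and only then ufw enable. It also folds in the IPV6=yes check on /etc/default/ufw from earlier. The variable names DRY_RUN, RUN_BOOTSTRAP, SSH_PORT and UFW_DEFAULTS and the function names are this example's own, not anything from UFW or the tutorial; ufw --force enable is the real UFW switch that answers the confirmation prompt non-interactively, and the script assumes it is run as root when not in dry-run mode.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Applies the bootstrap steps
# in the order that cannot lock out a remote session: default policies first,
# then the SSH allow rule, and only then "ufw enable".
#
# Usage (variable names are this script's own assumptions):
#   DRY_RUN=1 RUN_BOOTSTRAP=1 sh bootstrap-ufw.sh      # print the commands only
#   RUN_BOOTSTRAP=1 sh bootstrap-ufw.sh                # as root: apply them

SSH_PORT="${SSH_PORT:-22}"                    # set SSH_PORT=2222 for a non-default sshd port
UFW_DEFAULTS="${UFW_DEFAULTS:-/etc/default/ufw}"

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# True when the given /etc/default/ufw contains an exact IPV6=yes line.
ufw_ipv6_enabled() {
    grep -q '^IPV6=yes$' "$1"
}

# Rewrite the IPV6= line to IPV6=yes in place (GNU sed -i, as on Debian).
ufw_enable_ipv6() {
    run sed -i 's/^IPV6=.*/IPV6=yes/' "$1"
}

# Accept only an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The tutorial's bootstrap sequence for the given SSH port.
bootstrap_firewall() {
    port="$1"
    valid_port "$port" || { echo "invalid SSH port: $port" >&2; return 1; }
    run ufw default deny incoming
    run ufw default allow outgoing
    if [ "$port" = "22" ]; then
        run ufw allow ssh                      # "ssh" resolves to 22 via /etc/services
    else
        run ufw allow "$port/tcp"              # sshd only speaks TCP, so limit the rule to it
    fi
    # --force answers the "may disrupt existing ssh connections" prompt with yes;
    # the SSH rule written just above is exactly what makes that safe.
    run ufw --force enable
}

if [ -n "${RUN_BOOTSTRAP:-}" ]; then
    ufw_ipv6_enabled "$UFW_DEFAULTS" || ufw_enable_ipv6 "$UFW_DEFAULTS"
    bootstrap_firewall "$SSH_PORT"
fi
```

Run it once with DRY_RUN=1 to review the exact command sequence before letting it touch the live firewall; the port check rejects anything that is not a number in 1..65535 so a typo in SSH_PORT fails before any rule is written.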
At this point, you should allow all of the other connections that your server needs to function properly. The connections that you should allow depend on your specific needs. Luckily, you already know how to write rules that allow connections based on a service name or port; we already did this for SSH on port 22. You can also do this for:
HTTP on port 80, which is what unencrypted web servers use. To allow this type of traffic, you would type sudo ufw allow http or sudo ufw allow 80.
HTTPS on port 443, which is what encrypted web servers use. To allow this type of traffic, you would type sudo ufw allow https or sudo ufw allow 443.
There are other ways to allow connections, however, aside from specifying a port or known service. We will discuss those next.
You can specify port ranges with UFW. For example, some applications use multiple ports instead of a single port.
For example, to allow X11 connections, which use ports 6000-6007, use these commands:
sudo ufw allow 6000:6007/tcp
sudo ufw allow 6000:6007/udp
When specifying port ranges with UFW, you must specify the protocol (tcp or udp) that the rules should apply to. We haven’t mentioned this before because not specifying the protocol automatically allows both protocols, which is OK in most cases.
When working with UFW, you can also specify IP addresses. For example, if you want to allow connections from a specific IP address, such as a work or home IP address of 203.0.113.4, you need to specify from and then the IP address:
sudo ufw allow from 203.0.113.4
You can also specify a specific port that the IP address is allowed to connect to by adding to any port followed by the port number. For example, if you want to allow 203.0.113.4 to connect to port 22 (SSH), use this command:
sudo ufw allow from 203.0.113.4 to any port 22
If you want to allow a subnet of IP addresses, you can do so using CIDR notation to specify a netmask. For example, if you want to allow all of the IP addresses ranging from 203.0.113.1 to 203.0.113.254 you can use this command:
sudo ufw allow from 203.0.113.0/24
Likewise, you may also specify the destination port that the subnet 203.0.113.0/24 is allowed to connect to. Again, we’ll use port 22 (SSH) as an example:
sudo ufw allow from 203.0.113.0/24 to any port 22
If you want to create a firewall rule that only applies to a specific network interface, you can do so by specifying allow in on, followed by the name of the network interface.
You may want to look up your network interfaces before continuing. To do so, use this command:
ip addr
Output
2: eth0: mtu 1500 qdisc pfifo_fast state
. . .
3: eth1: mtu 1500 qdisc noop state DOWN group default
. . .
The interface names appear right after the numbers at the start of each line (eth0 and eth1 in the output above). They are typically named something like eth0 or enp3s2.
If your server has a public network interface called eth0, for example, you could allow HTTP traffic to it with this command:
sudo ufw allow in on eth0 to any port 80
Doing so would allow your server to receive HTTP requests from the public internet.
Or, if you want your MySQL database server (port 3306) to listen for connections on the private network interface eth1, you could use this command:
sudo ufw allow in on eth1 to any port 3306
This would allow other servers on your private network to connect to your MySQL database.
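The rule forms introduced in this part of the tutorial (port ranges, source addresses and subnets, interface-bound rules) are easy to mistype, and a range without /tcp or /udp is rejected by ufw. As an added example, not code from the original tutorial, here are POSIX sh helpers that validate the inputs and print the corresponding ufw command, so a provisioning script fails early on a bad address, prefix or port instead of half-applying a rule set. The function names are this example's own; the addresses and ports in the comments and tests come from the tutorial's 203.0.113.0/24, 6000:6007, eth0/eth1 examples.

```shell
#!/bin/sh
# Added example, not from the original tutorial: validate rule inputs and emit
# the ufw command line (prefix it with sudo, or pipe it into "sh", to apply it).

# Only the two actions the tutorial uses.
check_action() {
    case "$1" in allow|deny) ;; *) echo "bad action: $1" >&2; return 1 ;; esac
}

# Integer in 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# IPv4 address, optionally with a /prefix in 0..32 (CIDR notation).
is_ipv4_cidr() {
    addr="${1%%/*}"
    if [ "$addr" = "$1" ]; then
        prefix=32                                  # bare host address
    else
        prefix="${1#*/}"
        case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac  # digits and dots only (also keeps the split glob-safe)
    set -- $(printf '%s\n' "$addr" | tr '.' ' ')    # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Port range: both ends valid, in order, and a protocol is mandatory
# (ufw rejects a range written without /tcp or /udp).
ufw_range_rule() {            # action low high proto
    check_action "$1" || return 1
    case "$4" in tcp|udp) ;; *) echo "port ranges need tcp or udp" >&2; return 1 ;; esac
    is_port "$2" && is_port "$3" && [ "$2" -le "$3" ] || { echo "bad range: $2:$3" >&2; return 1; }
    printf 'ufw %s %s:%s/%s\n' "$1" "$2" "$3" "$4"
}

# Source address or subnet, optionally limited to one destination port.
ufw_source_rule() {           # action source [port]
    check_action "$1" || return 1
    is_ipv4_cidr "$2" || { echo "bad address: $2" >&2; return 1; }
    if [ -n "$3" ]; then
        is_port "$3" || { echo "bad port: $3" >&2; return 1; }
        printf 'ufw %s from %s to any port %s\n' "$1" "$2" "$3"
    else
        printf 'ufw %s from %s\n' "$1" "$2"
    fi
}

# Rule bound to one network interface (ufw "in on <iface>").
ufw_iface_rule() {            # action iface port
    check_action "$1" || return 1
    case "$2" in ''|*[!A-Za-z0-9_.:-]*) echo "bad interface: $2" >&2; return 1 ;; esac
    is_port "$3" || { echo "bad port: $3" >&2; return 1; }
    printf 'ufw %s in on %s to any port %s\n' "$1" "$2" "$3"
}
```

Each helper prints exactly one command on success and returns non-zero with a message on stderr otherwise, which is the behaviour you want inside a set -e script: a malformed entry in a rule list stops the run before anything reaches the firewall.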
If you haven’t changed the default policy for incoming connections, UFW is configured to deny all incoming connections. Generally, this simplifies the process of creating a secure firewall policy by requiring you to create rules that explicitly allow specific ports and IP addresses through.
Sometimes you will want to deny specific connections based on the source IP address or subnet, however, perhaps because you know that your server is being attacked from there. Also, if you want to change your default incoming policy to allow (which is not recommended), you would need to create deny rules for any services or IP addresses that you don’t want to allow connections for.
To write deny rules, you can use the commands described above, replacing allow with deny.
For example, to deny HTTP connections, you could use this command:
sudo ufw deny http
Or if you want to deny all connections from 203.0.113.4 you could use this command:
sudo ufw deny from 203.0.113.4
Now let’s take a look at how to delete rules.
Knowing how to delete firewall rules is just as important as knowing how to create them. There are two ways to specify which rules to delete: by the rule number or by the rule itself. This is similar to how the rules were specified when they were created. We’ll start by explaining the delete by rule number method.
If you’re using the rule number to delete firewall rules, the first thing you’ll want to do is get a list of your firewall rules. The UFW status command has the numbered option, which displays numbers next to each rule:
sudo ufw status numbered
Output
Status: active
To Action From
-- ------ ----
[ 1] 22 ALLOW IN 15.15.15.0/24
[ 2] 80 ALLOW IN Anywhere
If we decide that we want to delete rule 2, which allows HTTP connections on port 80, we can specify this in the following UFW delete command:
sudo ufw delete 2
This will show a confirmation prompt, which you can answer with y/n. Typing y will then delete rule 2. Note that if you have IPv6 enabled, you will want to delete the corresponding IPv6 rule as well.
The alternative to rule numbers is to specify the actual rule to delete. For example, if you want to remove the allow http rule, you could write it like this:
sudo ufw delete allow http
You can also specify the rule with allow 80 instead of the service name:
sudo ufw delete allow 80
This method will delete both IPv4 and IPv6 rules, if they exist.
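Deleting by number has two traps that the tutorial's note hints at: ufw renumbers the remaining rules after every delete, and with IPv6 enabled each port rule has an IPv6 twin under its own number. As an added example that is not part of the original tutorial, the POSIX sh below parses the output of ufw status numbered, finds every rule whose To column is a given port (IPv4 and the (v6) twin alike) and emits the delete commands from the highest number down, so each command still points at the rule it was computed for. The sample status text is constructed for this example and is not captured from a real host; the function names are this example's own, and ufw --force delete N is the real UFW form that skips the y/n prompt.

```shell
#!/bin/sh
# Added example, not from the original tutorial: locate rule numbers in
# "ufw status numbered" output and build the matching delete commands.

# Constructed sample of "sudo ufw status numbered" output (not captured from a
# real host); rule 3 is the IPv6 twin that ufw keeps for rule 2 when IPV6=yes.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    15.15.15.0/24
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 80 (v6)                    ALLOW IN    Anywhere (v6)'

# Print the numbers of all rules whose "To" column is exactly the given port
# (or port/proto), highest number first: ufw renumbers after every delete, so
# deleting from the top down keeps the remaining numbers valid.
rule_numbers_for_port() {     # port status_text
    printf '%s\n' "$2" | awk -v port="$1" '
        match($0, /^\[ *[0-9]+\]/) {
            num = substr($0, 2, RLENGTH - 2)       # text between the brackets
            gsub(/ /, "", num)
            split(substr($0, RLENGTH + 1), col, " ")
            if (col[1] == port) print num
        }' | sort -rn
}

# Emit one delete command per matching rule; --force skips the y/n prompt.
delete_commands_for_port() {  # port status_text
    for n in $(rule_numbers_for_port "$1" "$2"); do
        printf 'ufw --force delete %s\n' "$n"
    done
}

# Live use, as root, after checking the list it prints:
#   delete_commands_for_port 80 "$(ufw status numbered)"
#   delete_commands_for_port 80 "$(ufw status numbered)" | sh
```

Review the printed list before piping it into sh; matching is on the exact To column, so a rule written as 80/tcp is not matched by a query for 80 and must be looked up under its own spelling.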
At any time, you can check the status of UFW with this command:
sudo ufw status verbose
If UFW is disabled, which is the default, you’ll see something like this:
Output
Status: inactive
If UFW is active, which it should be if you followed Step 3, the output will say that it’s active and will list any rules that you have set. For example, if the firewall is set to allow SSH (port 22) connections from anywhere, the output might look something like this:
Output
Status: active
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
Use the status command if you want to check how UFW has configured the firewall.
If you decide you don’t want to use UFW, you can disable it with this command:
sudo ufw disable
Any rules that you created with UFW will no longer be active. You can always run sudo ufw enable if you need to activate it later.
If you already have UFW rules configured but you decide that you want to start over, you can use the reset command:
sudo ufw reset
This will disable UFW and delete any rules that you have previously defined. Keep in mind that the default policies won’t change to their original settings if you modified them at any point. This should give you a fresh start with UFW.
Your firewall is now configured to allow (at least) SSH connections. Be sure to allow any other incoming connections that your server needs, while also limiting unnecessary connections. This will ensure that your server is both functional and secure.
To learn about more common UFW configurations, check out this tutorial on UFW Essentials: Common Firewall Rules and Commands.
Translated from: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-debian-10