2,187
edits
Difference between revisions of "Configuration (Ubuntu)"
Jump to navigation
Jump to search
→Firewall: Added "Deny a Specific Host"
m (→Packages: Added a few commands) |
(→Firewall: Added "Deny a Specific Host") |
||
| Line 34: | Line 34: | ||
= Firewall = | = Firewall = | ||
Ubuntu comes with UFW (Uncomplicated Firewall), which is a config tool used to modify the standard inbuilt Netfilter. If preferred, iptables can still be used. | Ubuntu comes with UFW (Uncomplicated Firewall), which is a config tool used to modify the standard inbuilt Netfilter. If preferred, <code>iptables</code> can still be used, both <code>ufw</code> and <code>iptables</code> are essentially config tools for Netfilter. | ||
Changes are applied immediately. Once you've added your first rule there's an implied deny all. | Changes are applied immediately. Once you've added your first rule there's an implied deny all. | ||
| Line 62: | Line 62: | ||
ufw enable | ufw enable | ||
Be aware that '''rules are processed in order''', despite the fact that there is no easy way to alter the order of your rules using <code>ufw</code> or insert rules above existing ones. Therefore you need to think about the order of your rules carefully. | |||
=== Deny a Specific Host === | |||
If you want to deny a specific host (because its spamming or hacking you for example) you need to ensure that the deny rule is one of the first processed. Otherwise the host might still be able to access on port 80 (if you're running a web server and have a general allow rule for http traffic). It's easiest to edit the config files directly. | |||
To deny all traffic from 46.118.117.13... | |||
# Edit <code>/etc/ufw/before.rules</code> | |||
# Create a new section under the <code> # drop INVALID packets </code> section (near the top of the file) | |||
# Add deny rules as required | |||
#* <code> # Block IP's</code> | |||
#* <code> -A ufw-before-input -s 46.118.117.13 -j DROP</code> | |||
# Repeat the last line for as many IP's as you need to block (CIDR style notation can be used for ranges, eg 46.118.117.0/24) | |||
# Reload the firewall to apply the new config | |||
#* <code> ufw reload </code> | |||
Note that the denied hosts will ''not'' appear when showing the firewall status, which is an irritation. | |||
= SNMP = | = SNMP = | ||