Blocking traffic using UFW a lot of this is available elsewhere and better explained. I did have some problems finding correct information on blocking out bound traffic though. So I’m putting it here for my own notes.
First the basics. UFW Uncomplicated Fire Wall.
ufw enable Turns UFW on.
ufw disable Turns UFW off.
The default is to block all inbound traffic and allow all outbound traffic. by running the rules above in that order I allow SSH in and block all other traffic. Since I’m not physically on the machine I will need SSH to allow me to stay connected and make more changes as I go along.
ufw allow ssh
ufw allow http
ufw allow https
The two above are if I am running a web server and want to allow connections from any IP to this machine.
ufw allow out to 10.10.240.0/24 port 161
ufw deny out 161
This rule allows 161 (SNMP) to one range of IP addresses 10.10.240.0/24 and the second rule blocks any traffic on 161 (SNMP) to any other IP addresses.
I know you don’t need to block outbound traffic if you know what you are doing, but I have no clue so I did it this way.
ufw status numbered
To Action From
— —— —-
[ 1] 22 ALLOW IN any
[ 2] 443 ALLOW IN any
[ 3] 80 ALLOW IN any
[ 4] 10.10.240.0/24 161 ALLOW OUT Anywhere (out)
[ 5] 161 DENY OUT Anywhere (out)
Will show a list of what has been written in UFW and show the rules with numbers. To delete a rule select the rule number and run:
ufw delete 2
This would delete rule number two.
Insert will add a new rule and insert at the number that you specify.
ufw insert 4 allow out to 10.182.96.41 port 161
It is important in what order you add a rule as they are processed in order a rule to allow any connection to port 22 with a rule like “ufw deny from 18.104.22.168 to any port 22” will be ignored unless it comes before “ufw allow ssh” at rule number one.
There are also UFW limit rules to slow things like brute force attacks.
ufw insert 1 limit ssh
This will limit the number of SSH attempts to connect slowing a possible dictionary attack on SSH. Unless someone has a reason to keep hitting your machine they will usually just move on to the next target. Again since rules are processed in order this would need to come before before any allow SSH rules if you want it to work on all SSH connections. I found a useful bit on using port forwarding with UFW here.