Erik's blog

Code, notes, recipes, general musings

getting started with ufw on Ubuntu server

with 2 comments

Rather than read the entrails of iptables syntax, I’d prefer to continue respecting myself, and use something more user-friendly, something like the Uncomplicated Firewall (ufw). I just learned about this, but it’s the Ubuntu default. I’d like to have faith, but for now I just hope it doesn’t suck.

The UFW wiki page linked above states “Setting the default mode of ufw is recommended before turning it on …”: sudo ufw default deny

That was easy. Next, I’ll enable it: sudo ufw enable

Now, I’ll allow port 2222 for ssh: sudo ufw allow 2222

And allow port 80 for tcp: sudo ufw allow 80/tcp

Check the current settings: sudo ufw status

Turn on logging: sudo ufw logging on

Ubuntu’s saying I need to restart in order for the changes to take effect. Fingers crossed. Holding breath: sudo shutdown -r now …
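The six commands above, collected into one script. This is an added example, not code from the original post. It orders the steps so that the ssh port is opened before the firewall is enabled (running enable first, as the post does, drops an existing remote session on a default-deny host), uses ufw's limit rule for the ssh port so repeated connection attempts from one address are rate-limited, and defaults to a dry mode that prints the commands instead of running them. The ssh port (2222) and the web port (80/tcp) are taken from the post; the function names and the dry/run switch are my own. A reboot is not needed: the rules are live as soon as ufw enable returns.

```shell
#!/bin/sh
# Added example (not from the original post): build a ufw rule set in a
# lock-out-safe order and apply it only on request.
# Assumptions: sshd listens on the port given as $1 (2222 in the post) and a
# web server listens on 80/tcp.

# Print the ufw commands, one per line, in the order they should run.
# The ssh rule comes BEFORE 'enable' so an open remote session survives.
ufw_plan() {
    ssh_port="${1:-2222}"
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw limit ${ssh_port}/tcp
ufw allow 80/tcp
ufw logging on
ufw --force enable
ufw status verbose
EOF
}

# Count the rules in the plan that open a port (allow/limit lines).
ufw_plan_open_rules() {
    ufw_plan "$1" | grep -c -E '^ufw (allow|limit) '
}

# Apply the plan with sudo. Mode "dry" (the default) only prints the commands;
# mode "run" executes them and refuses to start if ufw is not installed.
ufw_apply() {
    ssh_port="${1:-2222}"
    mode="${2:-dry}"
    if [ "$mode" = "run" ] && ! command -v ufw >/dev/null 2>&1; then
        echo "ufw not installed; nothing applied" >&2
        return 1
    fi
    ufw_plan "$ssh_port" | while IFS= read -r cmd; do
        if [ "$mode" = "run" ]; then
            # the plan lines are meant to be word-split into sudo's arguments
            sudo $cmd || exit 1     # abort the loop (a subshell) at the first failure
        else
            echo "would run: sudo $cmd"
        fi
    done
}

# Usage: sh ufw-setup.sh 2222 dry    (or "run" to apply the rules)
ufw_apply "${1:-2222}" "${2:-dry}"
```

Before the real run, sudo ufw --dry-run enable prints the iptables rules ufw would load without touching the live firewall, which is the check the post wishes for in the aside below.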

As an aside, why does it have to be this way? Why can’t we just know that it will work? To be fair, UFW does seem pretty simple, and UFW’s --dry-run might be exactly what I’m looking for. Hopefully, UFW keeps me safe. Once I figure out how to automate deployment, things might be ok.

Ok, let’s check on our ability to log in locally …

Good. I can still log in locally, so I didn’t lock myself out utterly. Checking local ssh as a sanity check: ssh -v localhost -p 2222

That works. Checking remote log in: ssh erik@172.16.83.133 -p 2222

Hmm. That still doesn’t work, and nothing is showing up in either /var/logs/auth.log or /var/logs/messages. Lemme try viewing the iptables directly:
sudo iptables -L

Wow. UFW knows how to generate iptables. The list goes on forever. Let’s try again w/ less: sudo iptables -L | less

I can see 2222, www, and ssh allowed, so it’s not obvious why I can’t ssh in. Following a couple of suggestions on the vmware forums, I set /etc/hosts.allow to “SSHD:ALL”, and set networking to “bridged”, but still no luck.
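When a ufw host refuses a connection that the rule list seems to permit, the useful evidence is not in auth.log: sshd never sees a packet the firewall dropped, so it logs nothing. With logging on, ufw writes each dropped packet to /var/log/ufw.log (and kern.log) as a “[UFW BLOCK]” line carrying the source address and destination port. The script below is an added example, not from the original post; it filters such lines for blocks aimed at the ssh port. The log lines it contains are constructed samples in the standard ufw/iptables LOG format, the vm address 172.16.83.133 is from the post, and the client address 172.16.83.1 is made up.

```shell
#!/bin/sh
# Added example (not from the original post): find packets ufw dropped on
# the way to the ssh port, so "firewall drops it" can be separated from
# "sshd is not listening" or "sshd rejects it".
# Assumption: 'ufw logging on' is active, so drops appear as '[UFW BLOCK]'
# lines in /var/log/ufw.log.

# Constructed sample log lines. 172.16.83.133 is the vm from the post;
# 172.16.83.1 is a made-up client address.
SAMPLE_LOG='Oct 18 22:51:03 vm kernel: [ 1201.110302] [UFW BLOCK] IN=eth0 OUT= SRC=172.16.83.1 DST=172.16.83.133 LEN=60 PROTO=TCP SPT=51234 DPT=2222 WINDOW=65535 SYN URGP=0
Oct 18 22:51:06 vm kernel: [ 1204.115877] [UFW BLOCK] IN=eth0 OUT= SRC=172.16.83.1 DST=172.16.83.133 LEN=60 PROTO=TCP SPT=51234 DPT=2222 WINDOW=65535 SYN URGP=0
Oct 18 22:51:10 vm kernel: [ 1208.220190] [UFW BLOCK] IN=eth0 OUT= SRC=172.16.83.1 DST=172.16.83.133 LEN=60 PROTO=TCP SPT=51240 DPT=22 WINDOW=65535 SYN URGP=0
Oct 18 22:51:12 vm kernel: [ 1210.330001] [UFW ALLOW] IN=eth0 OUT= SRC=172.16.83.1 DST=172.16.83.133 LEN=60 PROTO=TCP SPT=51250 DPT=80 WINDOW=65535 SYN URGP=0'

# Print "SRC -> DPT" for every blocked packet aimed at the given port.
# Reads the log from stdin, so on a real host:
#   ufw_blocked_to_port 2222 < /var/log/ufw.log
ufw_blocked_to_port() {
    port="$1"
    awk -v want="$port" '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dpt == want) print src " -> " dpt
        }'
}

# Count blocked packets to a port (log on stdin).
ufw_block_count() {
    ufw_blocked_to_port "$1" | wc -l | tr -d ' '
}

# Usage on the samples: blocks to 2222 should be 2, to 80 should be 0.
printf '%s\n' "$SAMPLE_LOG" | ufw_blocked_to_port 2222
printf '%s\n' "$SAMPLE_LOG" | ufw_block_count 2222

# If the count is zero, the firewall is not the problem; next confirm the
# rule really exists and sshd really listens on that port:
#   sudo ufw status verbose
#   sudo iptables -L ufw-user-input -n -v
#   sudo netstat -tlnp | grep sshd
```

A zero count for the ssh port with connections still failing points away from ufw: either sshd is not bound to that port (the netstat check) or the packets never reach the vm, which on VMware is where the NAT-versus-bridged setting matters.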

Ok. I’ll hang it up for now. Here’s a nice, soothing picture of a kelp forest to chill out to:

Kelp Forest at Monterey Bay Aquarium

Photo credit: Moral Threat


Written by Erik

October 18, 2010 at 11:03 pm

Posted in Uncategorized

2 Responses


  1. […] there’s a rule in there to ignore ssh, or no rule to allow ssh. I’ll continue this in another post. Categories: notes Tags: maverick, server, setup, ssh, ubuntu Comments (0) […]

  2. […] I’ve been playing around with an Ubuntu 10.10 64-bit server vm for the past couple days. My previous last post ended with me unable to ssh into the vm. Today, I read a post on serverfault that got me thinking […]

