
UFW Firewall

Matvey Gladkikh edited this page Nov 7, 2022 · 9 revisions
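#!/usr/bin/env bash
# Host firewall baseline: ufw for host traffic, ufw-docker for container
# traffic, SYNPROXY rules appended to /etc/ufw/before.rules, and an outbound
# deny list for non-routable ranges. Must run as root. Safe to re-run: the
# before.rules append is guarded by a marker so rules are not duplicated.
set -euo pipefail

[[ ${EUID:-$(id -u)} -eq 0 ]] || { printf '%s\n' 'must run as root' >&2; exit 1; }

#install ufw (for local traffic):
apt-get -y install ufw

#install ufw-docker (for docker traffic):
# The upstream URL serves the unversioned master branch. Pin to a reviewed
# tag or commit and compare the download against a known checksum before it
# is installed and executed as root; the checksum lines below are a
# placeholder (constructed, not a real hash) to be filled in.
ufw_docker_url='https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker'
ufw_docker_bin='/usr/local/bin/ufw-docker'
tmp=$(mktemp) || exit 1
trap 'rm -f -- "$tmp"' EXIT
# -f: an HTTP error aborts the script instead of saving an error page as the
# executable; -L/-S keep the original redirect-following and error reporting.
curl -fsSL "$ufw_docker_url" -o "$tmp"
# expected_sha256='<SHA256-OF-REVIEWED-RELEASE>'
# printf '%s  %s\n' "$expected_sha256" "$tmp" | sha256sum -c - || exit 1
# install(1) sets mode atomically (replaces the separate chmod +x step).
install -m 0755 -- "$tmp" "$ufw_docker_bin"
"$ufw_docker_bin" install

#allow local services ssh:
# Must precede 'ufw enable' so the SSH session is not cut off.
ufw allow 22

#allow docker services:
#ufw-docker allow DOCKER-CONTAINER-NAME


#synproxy rules:
# Appended only once: iptables-restore treats '#' lines as comments, so the
# marker is harmless in the file and lets re-runs detect a previous append.
before_rules='/etc/ufw/before.rules'
marker='# synproxy rules (managed by the UFW Firewall setup script)'
if ! grep -qF -- "$marker" "$before_rules"; then
  {
    printf '%s\n' "$marker"
    # Quoted delimiter: the rules contain no expansions and must stay literal.
    cat <<'EOF'
*raw
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CT --notrack
COMMIT

*filter
-A ufw-before-logging-input -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
-A ufw-before-logging-input -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
  } >> "$before_rules"
fi

# Prompts for confirmation on a tty; answering 'n' exits non-zero and, under
# set -e, stops the script here (use 'ufw --force enable' for unattended runs).
ufw enable

#disable external traffic to non routable ips:
# NOTE(review): 172.16.0.0/12 also covers Docker's default bridge subnets;
# confirm host-to-container traffic is still wanted before applying.
non_routable=(
  10.0.0.0/8
  172.16.0.0/12
  192.168.0.0/16
  100.64.0.0/10
  198.18.0.0/15
  169.254.0.0/16
)
for net in "${non_routable[@]}"; do
  ufw deny out from any to "$net"
done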