------------------------------------------------------------
revno: 3660
committer: Adam Sommer <[EMAIL PROTECTED]>
branch nick: ubuntu-hardy
timestamp: Wed 2008-02-13 22:48:48 -0500
message:
  ufw IP Masquerading section adjustments, based on feedback from Jamie Strandboge.
modified:
  generic/server/C/security.xml
=== modified file 'generic/server/C/security.xml' --- a/generic/server/C/security.xml 2008-02-13 05:29:08 +0000 +++ b/generic/server/C/security.xml 2008-02-14 03:48:48 +0000 @@ -371,13 +371,13 @@ </para> </sect2> <sect2 id="firewall-ufw" status="review"> - <title>UFW - Uncomplicated Firewall</title> + <title>ufw - Uncomplicated Firewall</title> <para> - The default firewall configuration tool for Ubuntu is <application>UFW</application>. Developed to ease iptables firewall configuration - UFW provides a user friendly way to create a IPv4 or IPv6 host-based firewall. + The default firewall configuration tool for Ubuntu is <application>ufw</application>. Developed to ease iptables firewall configuration, + <application>ufw</application> provides a user friendly way to create an IPv4 or IPv6 host-based firewall. </para> <para> - <application>UFW</application> by default is initially disabled. From the UFW man page: + <application>ufw</application> by default is initially disabled. From the <application>ufw</application> man page: </para> <para> <quote> @@ -385,12 +385,12 @@ </quote> </para> <para> - The following are some examples of how to use <application>UFW</application>: + The following are some examples of how to use <application>ufw</application>: </para> <itemizedlist> <listitem> <para> - First, <application>UFW</application> needs to be enabled. From a terminal prompt enter: + First, <application>ufw</application> needs to be enabled. From a terminal prompt enter: </para> <screen> <command>sudo ufw enable</command> @@ -398,7 +398,7 @@ </listitem> <listitem> <para> - To open a port, ssh in this example: + To open a port (ssh in this example): </para> <screen> <command>sudo ufw allow 22</command> @@ -414,7 +414,7 @@ </listitem> <listitem> <para> - To remove a rule use delete then the rule name: + To remove a rule, use delete followed by the rule: </para> <screen> <command>sudo ufw delete deny 22</command> 
@@ -422,11 +422,11 @@ </listitem> <listitem> <para> - It is also possible to only open a port to specific hosts or networks. The following example allows ssh access - only from host 192.168.0.2: + It is also possible to allow access from specific hosts or networks to a port. The following example allows ssh access + from host 192.168.0.2 to any ip address on this host: </para> <screen> -<command>sudo ufw allow proto tcp from 192.168.0.2 to 192.168.0.1 port 22</command> +<command>sudo ufw allow proto tcp from 192.168.0.2 to any port 22</command> </screen> <para> Replace 192.168.0.2 with 192.168.0.0/24 to allow ssh access from the entire subnet. @@ -434,7 +434,7 @@ </listitem> <listitem> <para> - <application>UFW</application> can be disabled by: + <application>ufw</application> can be disabled by: </para> <screen> <command>sudo ufw disable</command> @@ -443,12 +443,12 @@ </itemizedlist> <note> <para> - If the port you want to open or close is defined in <filename>/etc/services</filename> you can use the port name instead of the number. - Using the example above replace <emphasis>22</emphasis> with <emphasis>ssh</emphasis>. + If the port you want to open or close is defined in <filename>/etc/services</filename>, you can use the port name instead of the number. + In the above examples, replace <emphasis>22</emphasis> with <emphasis>ssh</emphasis>. </para> </note> <para> - This is a short example of using <application>UFW</application> please refer to the UFW man page for more information. + This is a quick introduction to using <application>ufw</application>. Please refer to the <application>ufw</application> man page for more information. </para> </sect2> <sect2 id="ip-masquerading" status="complete"> 
@@ -469,33 +469,39 @@ Connection Sharing. </para> <sect3 id="ip-masquerade-ufw" status="review"> - <title>UFW Masquerading</title> + <title>ufw Masquerading</title> <para> - IP Masquerading can be achieved using custom <application>UFW</application> rules. This is possible because the current - back-end for UFW is <application>iptables-restore</application> with the rules files located in + IP Masquerading can be achieved using custom <application>ufw</application> rules. This is possible because the current + back-end for <application>ufw</application> is <application>iptables-restore</application> with the rules files located in <filename>/etc/ufw/*.rules</filename>. These files are a great place to add legacy iptables rules used - without UFW, and rules that are more network gateway or bridge related. + without <application>ufw</application>, and rules that are more network gateway or bridge related. </para> <para> The rules are split into two different files, rules that should be executed before - UFW command line rules, and rules that are executed after UFW command line rules. + <application>ufw</application> command line rules, and rules that are executed after <application>ufw</application> command line rules. </para> <itemizedlist> - <listitem> - <para> - The first step to enabling IP Masquerading is to edit <filename>/etc/sysctl.conf</filename> and uncomment the following line - to enable IPv4 packet forwarding: - </para> + <listitem> + <para> + First, packet forwarding needs to be enabled in <application>ufw</application>. 
Two configuration files will need to be adjusted, in + <filename>/etc/default/ufw</filename> change the <emphasis>DEFAULT_FORWARD_POLICY</emphasis> to <quote>ACCEPT</quote>: + </para> +<programlisting> +DEFAULT_FORWARD_POLICY="ACCEPT" +</programlisting> + <para> + Then edit <filename>/etc/ufw/sysctl.conf</filename> and uncomment: + </para> <programlisting> net.ipv4.ip_forward=1 </programlisting> - <para> - If you wish to enable IPv6 forwarding also uncomment: - </para> + <para> + Similarly, for IPv6 forwarding uncomment: + </para> <programlisting> -net.ipv6.ip_forward=1 +net.ipv6.conf.default.forwarding=1 </programlisting> - </listitem> + </listitem> <listitem> <para> Now we will add rules to the <filename>/etc/ufw/before.rules</filename> file. The default rules only configure the <emphasis>filter</emphasis> @@ -505,9 +511,7 @@ <programlisting> # nat Table rules *nat -:PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] # Forward traffic from eth1 through eth0. -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE 
@@ -516,30 +520,29 @@ COMMIT </programlisting> <para> - The comments were added to match the existing ones, but are not strictly necessary. However, it is good practice to document which - configuration lines accomplish what. + The comments are not strictly necessary, but it is considered good practice to document your configuration. Also, when modifying + any of the <emphasis>rules</emphasis> files in <filename class="directory">/etc/ufw</filename>, make sure these lines are the last + line for each table modified: </para> - </listitem> - <listitem> - <para> - Next, a rule needs to be added to the <emphasis>filter</emphasis> table to enable forwarding. Add the following to the top of the - <emphasis>required lines</emphasis> section: - </para> + <programlisting> -:FORWARD ACCEPT [0:0] +# don't delete the 'COMMIT' line or these rules won't be processed +COMMIT </programlisting> </listitem> <listitem> <para> - Finally, restart <application>UFW</application> to enable the newly configured rules: + Finally, disable and re-enable <application>ufw</application> to apply the changes: </para> <programlisting> -<command>sudo /etc/init.d/ufw restart</command> +<command>sudo ufw disable && sudo ufw enable</command> </programlisting> </listitem> </itemizedlist> <para> - IP Masquerading should now be enabled, and all filtering rules can be configured using UFW. + IP Masquerading should now be enabled. You can also add any additional FORWARD rules + to the <filename>/etc/ufw/before.rules</filename>. It is recommended that these additional + rules be added to the <emphasis>ufw-before-forward</emphasis> chain. </para> </sect3> <sect3 id="ip-masquerading-iptables" status="review"> 
@@ -548,10 +551,28 @@ <application>iptables</application> can also be used to enable masquerading. </para> <itemizedlist> + <listitem> + <para> + Similar to <application>ufw</application>, the first step is to enable IPv4 packet forwarding by editing + <filename>/etc/sysctl.conf</filename> and uncomment the following line + </para> +<programlisting> +net.ipv4.ip_forward=1 +</programlisting> + <para> + If you wish to enable IPv6 forwarding also uncomment: + </para> +<programlisting> +net.ipv6.conf.default.forwarding=1 +</programlisting> + </listitem> <listitem> <para> - The first step is to turn on IP forwarding in <filename>/etc/sysctl.conf</filename> the same as above. + Next, execute the <application>sysctl</application> command to enable the new settings in the configuration file: </para> +<screen> +<command>sudo sysctl -p</command> +</screen> </listitem> <listitem> <para> @@ -617,16 +638,16 @@ that decides the fate of the packet, such as ACCEPT, DROP, or REJECT). </para> <para> - If you are using <application>UFW</application> you can turn on logging by entering the following from a terminal: + If you are using <application>ufw</application>, you can turn on logging by entering the following in a terminal: </para> <screen> <command>sudo ufw logging on</command> </screen> <para> - To turn logging off simply replace <emphasis role="italic">on</emphasis> with <emphasis role="italic">off</emphasis> in the above command. + To turn logging off in <application>ufw</application>, simply replace <emphasis role="italic">on</emphasis> with <emphasis role="italic">off</emphasis> in the above command. </para> <para> - Using <application>iptables</application> enter: + If using <application>iptables</application> instead of <application>ufw</application>, enter: </para> <screen> sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG --log-prefix "NEW_HTTP_CONN: " 
@@ -703,7 +724,7 @@ <listitem> <para> The <ulink url="https://wiki.ubuntu.com/UbuntuFirewall">Ubuntu Firewall</ulink> wiki page contains information on the development - of <application>UFW</application>. + of <application>ufw</application>. </para> </listitem> <listitem> -- https://code.launchpad.net/~ubuntu-core-doc/ubuntu-doc/ubuntu-hardy You are receiving this branch notification because you are subscribed to it. -- ubuntu-doc-commits mailing list ubuntu-doc-commits@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-doc-commits
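Review bot: in hunk @@ -422,11 +422,11 @@, "to any ip address on this host" should read "to any IP address on this host" to match the "IPv4 or IPv6" capitalisation used in the rest of the section. The rule change itself is an improvement: `sudo ufw allow proto tcp from 192.168.0.2 to any port 22` now matches the prose, whereas the old `to 192.168.0.1` form only worked if the reader's host happened to have that address.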
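Review bot: in hunk @@ -469,33 +469,39 @@, the new `DEFAULT_FORWARD_POLICY="ACCEPT"` step needs a sentence stating its scope: it makes the host forward every packet between its interfaces, not only the 192.168.0.0/24 traffic that the MASQUERADE rule later in the patch rewrites, and it replaces the more targeted `:FORWARD ACCEPT [0:0]` line that this patch removes from before.rules. Suggest adding after the programlisting something like "This forwards all traffic by default; add restrictive FORWARD rules to the ufw-before-forward chain in /etc/ufw/before.rules if you need to limit it", which also ties in the recommendation at the end of the section. Minor: "Two configuration files will need to be adjusted, in <filename>/etc/default/ufw</filename> change the ..." is a comma splice; end the first sentence after "adjusted" and start the next with "In".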
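Review bot: in hunk @@ -516,30 +520,29 @@, "make sure these lines are the last line for each table modified" mixes plural and singular; say "make sure the following two lines are the last lines of each table you modify". In the closing paragraph, "add any additional FORWARD rules to the <filename>/etc/ufw/before.rules</filename>" should drop "the" before the filename. Replacing `/etc/init.d/ufw restart` with `sudo ufw disable && sudo ufw enable` is the right fix, but since `ufw disable` takes the firewall down until the second command completes, the text could add that on a gateway this should be run from the console or a session that does not depend on the rules being reloaded.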
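Review bot: in hunk @@ -548,10 +551,28 @@, "enable IPv4 packet forwarding by editing /etc/sysctl.conf and uncomment the following line" needs "uncommenting" and a trailing colon to match the other bullets. More importantly, `net.ipv6.conf.default.forwarding=1` (added here and in the /etc/ufw/sysctl.conf step earlier in this patch) only sets the value for interfaces created after the sysctl is applied; enabling IPv6 forwarding on the interfaces that already exist requires `net.ipv6.conf.all.forwarding=1`, so either use that key or list both. The added `sudo sysctl -p` bullet closes a real gap in the old text, which edited /etc/sysctl.conf but never applied the change.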