How to configure iptables firewalls using gufw
By Anthony Weitekamp
Well-written GUIs are great tools because they allow everyone to configure their systems the way they should be without requiring an in-depth knowledge of the command line tools that are being used in the background. gufw is a good example of this concept. Before we begin this lesson, you need to make sure that both ufw and gufw are installed on your computer. Open a terminal window and look at the manual pages for both programs.
$ man ufw
$ man gufw
If you get an error message instead of the manual page, you will need to install the software. There are several ways to get new software. I find it easiest and fastest to use the command line.
First update your computer using these two commands:
$ sudo apt-get update
$ sudo apt-get upgrade
Now install ufw and gufw, then enable ufw:
$ sudo apt-get install -y ufw
$ sudo apt-get install -y gufw
$ sudo ufw enable
Now take a look at the manual pages for both programs. If you completed our "How To" on Configuring iptables with bash, this will look very familiar. You can configure your ufw firewall using the command line if you wish. We will use the GUI gufw in this example instead.
Congratulations! You have ufw installed and running. Your computer now has the minimum protection on the network. It is now time to decide which services and other applications you want to allow through the firewall. In How To Configure iptables with bash we had to look up port numbers for services and other applications we wanted to block or limit. gufw provides the most common port numbers, but we will still need to look up some of the ports we want to block. Start the gufw program in a terminal window by typing gufw at the prompt.
Note: The iptables firewall continues to run even if the administrator is not logged in. When ufw is turned off, the ufw-specific rules running on iptables are disabled.
Now you can see the graphical user interface (GUI), but everything is greyed out and the only options available to you are to either quit the program or view the help-about page. Log in to the software as an administrator by clicking on the unlock button in the lower right hand corner. You will be asked to authenticate with the administrative (root) password before
Before we set new rules for the firewall, let's take a look at the default settings.
Note: If you tinkered with your firewall settings using the command line, then you should run the "reset_rules" script. Now change the "Incoming" rules from "Deny" to "Allow", and back to "Deny".
Open a new terminal window and execute the "display_settings" script from How To Configure iptables with bash. You will see that gufw sets up the filter table rules with basic settings that deny all incoming and allow all outgoing connections. There is a big difference between deny and reject. Reject notifies the far end of the connection that its packets are being dropped. Deny silently drops the packets without sending any error message back.
Click on the + symbol in the lower left corner of the gufw window to add a rule. The "Firewall: Add Rule" dialog will be displayed.
gufw will use common ports when the "Preconfigured" tab is selected. Say you are running a web server on your computer. Port 80 must be unblocked for all browsers that want to connect to your server. Remember, the default incoming rule is "deny", which means everything is blocked. To open port 80 to everyone, change the basic "Add Rule" settings to "Allow" "In" "Service" "HTTP". Then click the "Add" button. A good rule of thumb is to specifically deny all services and applications that you do not wish other people to connect to on your system, and only allow the ones you need. Once you have added rules to specifically deny incoming service and application requests, then add rules to block outgoing requests from your computer.
Next, test your system to find what may be broken. If you planned ahead, and followed your plan without deviating even a little bit, everything will work great. You can take a breather for a moment before diving into your antivirus software.
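As an added check for this last step (example code, not part of the original how-to), the following POSIX shell script compares what ufw reports against the list of ports you planned to open; the sample status text, the expected output layout and the function names are assumptions.

```shell
# Added example, not part of the original how-to: audit the rule set that
# ufw/gufw installed against the plan you made. Assumes the `ufw status verbose`
# layout shown; SAMPLE_STATUS is constructed text standing in for live output.
SAMPLE_STATUS='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
80/tcp (v6)                ALLOW IN    Anywhere (v6)
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# default_policy STATUS DIRECTION: print the policy (deny, allow, reject ...)
# the "Default:" line reports for incoming, outgoing or routed.
default_policy() {
    printf '%s\n' "$1" | awk -v dir="($2)" '
        /^Default:/ { for (i = 3; i <= NF; i++)
                          if ($i == dir || $i == (dir ",")) print $(i - 1) }'
}

# allowed_in STATUS: print each IPv4 "To" target with an ALLOW IN rule, sorted
# and de-duplicated. "(v6)" rows shift the columns and are skipped; they
# mirror the IPv4 rows anyway.
allowed_in() {
    printf '%s\n' "$1" | awk '$2 == "ALLOW" && $3 == "IN" { print $1 }' | sort -u
}

# audit_status STATUS EXPECTED: succeed only when incoming defaults to deny,
# outgoing to allow, and the ALLOW IN targets are exactly the space-separated
# EXPECTED list (e.g. "80/tcp 22/tcp"). Every difference is printed.
audit_status() {
    status=$1
    expected=$(printf '%s\n' $2 | sort -u)   # unquoted on purpose: one port per line
    actual=$(allowed_in "$status")
    rc=0
    [ "$(default_policy "$status" incoming)" = deny ] || { echo "incoming default is not deny"; rc=1; }
    [ "$(default_policy "$status" outgoing)" = allow ] || { echo "outgoing default is not allow"; rc=1; }
    if [ "$expected" != "$actual" ]; then
        echo "ALLOW IN rules differ from the plan:"
        echo "  expected: $(printf '%s' "$expected" | tr '\n' ' ')"
        echo "  actual:   $(printf '%s' "$actual" | tr '\n' ' ')"
        rc=1
    fi
    return $rc
}

# Against the live firewall: audit_status "$(sudo ufw status verbose)" "80/tcp"
audit_status "$SAMPLE_STATUS" "80/tcp 22/tcp" && echo "rule set matches the plan"
```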