Ubuntu ufw - setting firewall rules on a per interface basis
Are you needing to configure your server to prevent SSH access to all but your external IP but are still needing SSH connections in your virtual private network? A simple way to harden your server is to configure ufw - Uncomplicated Fire Wall - to manage access to different network adaptors. In this post we show you how.
Which network adaptors?
Step one is to check which Ethernet network adaptors you have installed. Open a new terminal and type the following:
You should see something similar to:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 162.xx.xxx.xxx netmask 255.255.240.0 broadcast 162.xx.xxx.xxx inet6 xxxx::xxxx:xxx:xxxx:xxxx prefixlen 64 scopeid 0x20<link> ether xx:xx:xx:xx:xx:xx txqueuelen 1000 (Ethernet) RX packets 3620568 bytes 362006705 (362.0 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 4207132 bytes 15241705653 (15.2 GB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 10.xxx.xxx.xxx netmask 255.255.0.0 broadcast 10.xxx.xxx.xxx inet6 xxxx::xxxx:xxxx:xxxx:xxxx prefixlen 64 scopeid 0x20<link> ether xx:xx:xx:xx:xx:xx txqueuelen 1000 (Ethernet) RX packets 10596 bytes 19622652 (19.6 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 10422 bytes 105107712 (105.1 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 3334690 bytes 2170366969 (2.1 GB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 3334690 bytes 2170366969 (2.1 GB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
This output shows us which adaptor is the external connection and which the internal: the inet address of eth1 starts with a 10 meaning it's internal. And I happen to know the public facing interface of this particular server has an inet address starting 162. So now we can configure ufw appropriately.
Run the following command at the terminal:
sudo ufw allow in on eth0 from [IP addr you are connecting from] to any port 22
Check the rule has been added by running:
sudo ufw status
Now add a rule allowing connections to and from the VPC:
sudo ufw allow in on eth1 to any port 22
Again check the ufw status to ensure your rules have been added.
If it's SSH you are configuring then it's worth ensuring you can still SSH on to your server before closing the terminal you are currently working from. If all is working then your server is now configured.
Lumina Consultancy are software programming, web development and web security specialists.
We build it, we host it, and we keep it safe.
Please get in touch to learn more about us and our work.
© 2021 Lumina Consultancy Limited | UK Company Registration No: 10627969 | VAT Registration No: 344 5130 25