ufw is stands for Uncomplicated Firewall, this program is for managing a Linux firewall and aims to provide an easy to use interface for the user, as well as support package integration and dynamic-detection of open ports. ufw  is not intended to provide complete firewall functionality via its command interface, but instead provides an easy way to  add  or  remove simple rules. It is currently mainly used for host-based firewalls.

Installation

$ sudo apt-get install ufw

For help use

$ man ufw

To enable firewall

$ sudo ufw enable

When we enable the firewall it will set firewall with default settings, it will deny ssh ports, telnet and many other services. So when we enable firewall on the remort servers we must enable ssh ports first, this can done using.

$ ufw allow proto tcp from any to any port 22

To disable a firewall

$ sudo sfw disable

Examples

Deny all access to port 53:

$ sudo ufw deny 53

Allow all access to tcp port 80:

$ sudo ufw allow 80/tcp

Allow all access from RFC1918 networks to this host:

$ sudo ufw allow from 10.0.0.0/8
$ sudo ufw allow from 172.16.0.0/12
$ sudo ufw allow from 192.168.0.0/16

Deny access to udp port 514 from host 1.2.3.4:

$ sudo ufw deny proto udp from 1.2.3.4 to any port 514

Allow access to udp 1.2.3.4 port 5469 from 1.2.3.5 port 5469:

$ sudo ufw allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469

Port forwarding is a feature of the IPTables system. It allows one computer to forward connections made to it so that another computer can actually process the request. If you want a very simple metaphor you can think of it as mail forwarding. Each computer has a number of addresses called ports, and IPTables allows connections to these ports to be sent to another computer. With port forwarders, you can redirect data connections from the Internet to an internal, privately addressed machine behind your IP MASQ server. This forwarding ability includes network protocols such as TELNET, WWW, and SMTP. Protocols such as FTP, legacy ICQ, and others require special handling via kernel modules.

Setup

On Ubuntu you need to enable port forwarding. For doing this you have to be the root user.

root@shahid-laptop:~# echo 1 > /proc/sys/net/ipv4/ip_forward

After this you need to write iptable rule.

root@shahid-laptop:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@shahid-laptop:~# iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.10 --dport 555 -j DNAT --to 192.168.0.12:22
root@shahid-laptop:~# iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.12 --dport 22 -j ACCEPT

In this rule, when we tries to connect to the IP 192.168.0.10 through the port 555 this system redirects the connection to the IP and 192.168.0.12 and port 22.

To see the iptables rule use the command ‘iptables -L’

root@shahid-laptop:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.0.12        tcp dpt:ssh 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Saving Data

When you reboot the system the iptables rules will be removed from the kernel module , so either you need to use iptables-save and iptables-restorefor saving and restoring iptable rules or you need to write a script which will execut on every boot for enabling and create the iptable rule.

Writting iptables rules

The IP addresses in this article are modified from the real addresses. We’ll use the private IP space 192.168.0.0/16, subnetted into smaller blocks.

In this example, the FORWARD chain will only provide the global counters.

$ sudo iptables -N system-1

The rule will match any source and any destination. Everything that is being passed through this router matches this rule and will provide the total of combined downloaded and uploaded data.

# System-1 Downloads
  iptables -A FORWARD -d 192.168.1.0/26 -j system-1
# System-1 Uploads
  iptables -A FORWARD -s 192.168.1.0/26 -j system-1

The rules created above give us separate totals for all downloads to and uploads for system-1. This is accomplished by matching the source and destination of all traffic through the router for target-1’s specific subnet. After a rule is matched, the -j option invokes a jump to one of the custom chains. These custom chains can then be used to add additional rules pertaining to the subnet. For instance, rules can be created for each individual IP address in that subnet to track bandwidth on a per-host basis:

# Town A, Host 192.168.1.10 Download
  iptables -A town-a -d 192.168.1.10
# Town A, Host 192.168.1.10 Upload
  iptables -A town-a -s 192.168.1.10

You could repeat this process for every IP address for all systems within the subnet.

Bandwidth statistics

Viewing the current bandwidth usage is a matter of running iptables with the -L and -v options. The -L outputs the statistics for a chain (or all chains if none is provided). The -v option provides verbose output, including the packet and byte counters that we are interested in. I recommend using the -n option as well to prevent DNS lookups, meaning iptables will show the IP addresses without attempting to resolve the hostnames for the IP addresses, which would put additional and unnecessary load on the router.

$ sudo iptables -L -v -n
Chain INPUT (policy ACCEPT 311K packets, 48M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 system-1   all  --  *      *       0.0.0.0/0            192.168.1.0/26
    0     0 system-1   all  --  *      *       192.168.1.0/26       0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 325K packets, 29M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain system-1 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            192.168.1.10
    0     0            all  --  *      *       192.168.1.10         0.0.0.0/0

Saving data across reboots

If you reboot the machine or remove the iptables kernel modules, you’ll lose all of your packet and byte counters. So you want to make backups of the running counters, and in the event of a reboot, restore the counters rather than starting from zero.

The iptables package comes with two programs that aid in this: iptables-save and iptables-restore. Both programs need to be told to explicitly use the packet and byte counters during backup and restore using the -c command line option.

The backup and restore process is fairly straightforward. To back up your iptables data, use

$ sudo iptables-save -c > iptables-backup.txt.

To restore the data, after reboot, use

$ sudo iptables-restore -c < iptables-backup.txt.

Conclution

The flexibility and power of iptables allows for more complex onitoring scenarios. You can create rules to not only track different subnets, but also to track specific ports and protocols, which lets you rack exactly how much of each customer’s traffic is Web, email, file
sharing, etc.

In addition, these bandwidth monitoring rules can also become blocking rules. If a host has used too much bandwidth, its rule in a town’s specific chain can be modified by adding -j DROP to both the download and upload rules. This effectively stops traffic being routed to and from that host.