Tag Archives: ufw

How to set up a VPN server on Ubuntu

Install PoPToP Point to Point Tunneling Server:

sudo apt-get install pptpd

Edit /etc/pptpd.conf file:

sudo joe /etc/pptpd.conf

Uncomment the following lines (replace IP range if you like)

localip 192.168.0.1
remoteip 192.168.1.1-255

Save and exit.

Edit /etc/ppp/pptpd-options file

sudo joe /etc/ppp/pptpd-options

Make sure you have this:

refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
nodefaultroute
lock
nobsdcomp
noipx               ## you don't need IPX
mtu 1490	        ## may help your linux client from disconnecting
mru 1490	        ## may help your linux client from disconnecting

Save and exit.

Next step is to add users who can use this connection.

sudo joe /etc/ppp/chap-secrets

The file should look like this:

# Secrets for authentication using CHAP
# client           server      secret                    IP addresses
cviorel            pptpd       my_secret_password        *
another_user       pptpd       his_secret_password       *

Now we need to configure IP Masquerading on the VPN server.
The purpose of IP Masquerading is to allow machines with private, non-routable IP addresses on your network to access the Internet through the machine doing the masquerading.

ufw Masquerading
IP Masquerading can be achieved using custom ufw rules. This is possible because the current back-end for ufw is iptables-restore with the rules files located in /etc/ufw/*.rules. These files are a great place to add legacy iptables rules used without ufw, and rules that are more network gateway or bridge related.
The rules are split into two different files, rules that should be executed before ufw command line rules, and rules that are executed after ufw command line rules.

a) First, packet forwarding needs to be enabled in ufw. Two configuration files will need to be adjusted, in /etc/default/ufw change the DEFAULT_FORWARD_POLICY to “ACCEPT”:

DEFAULT_FORWARD_POLICY="ACCEPT"

Then edit /etc/ufw/sysctl.conf and uncomment:

net.ipv4.ip_forward=1

Similarly, for IPv6 forwarding uncomment:

net.ipv6.conf.default.forwarding=1

b) Now we will add rules to the /etc/ufw/before.rules file. The default rules only configure the filter table, and to enable masquerading the nat table will need to be configured. Add the following to the top of the file just after the header comments:

# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
 
# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
 
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT

The comments are not strictly necessary, but it is considered good practice to document your configuration. Also, when modifying any of the rules files in /etc/ufw, make sure these lines are the last line for each table modified:

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

First, since we trust pptpd completely, I would accept all traffic to/from my pptpd. I added this lines at the beginning of the filter section.

-A ufw-before-input -i ppp+ -j ACCEPT
-A ufw-before-output -i ppp+ -j ACCEPT

Additionally, I must forward traffic to/from my pptpd. These lines was also added after the above lines.

-A ufw-before-forward -s 192.168.0.0/24 -j ACCEPT
-A ufw-before-forward -d 192.168.0.0/24 -j ACCEPT

c) Finally, disable and re-enable ufw to apply the changes:

sudo ufw disable && sudo ufw enable

IP Masquerading should now be enabled. You can also add any additional FORWARD rules to the /etc/ufw/before.rules. It is recommended that these additional rules be
added to the ufw-before-forward chain.

iptables Masquerading
iptables can also be used to enable masquerading.
a) Similar to ufw, the first step is to enable IPv4 packet forwarding by editing /etc/sysctl.conf and uncomment the following line:

net.ipv4.ip_forward=1

If you wish to enable IPv6 forwarding also uncomment:

net.ipv6.conf.default.forwarding=1

– Next, execute the sysctl command to enable the new settings in the configuration file:

sudo sysctl -p

– IP Masquerading can now be accomplished with a single iptables rule, which may differ slightly based on your network configuration:

sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE

The above command assumes that your private address space is 192.168.0.0/16 and that your Internet-facing device is ppp0. The syntax is broken down as follows:

  • -t nat — the rule is to go into the nat table
  • -A POSTROUTING — the rule is to be appended (-A) to the POSTROUTING chain
  • -s 192.168.0.0/16 — the rule applies to traffic originating from the specified address space
  • -o ppp0 — the rule applies to traffic scheduled to be routed through the specified network device
  • -j MASQUERADE — traffic matching this rule is to “jump” (-j) to the MASQUERADE target to be manipulated as described above

b) Also, each chain in the filter table (the default table, and where most or all packet filtering occurs) has a default policy of ACCEPT, but if you are creating a firewall in addition to a gateway device, you may have set the policies to DROP or REJECT, in which case your masqueraded traffic needs to be allowed through the FORWARD chain for the above rule to work:

sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT
sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT

The above commands will allow all connections from your local network to the Internet and all traffic related to those connections to return to the machine that initiated them.

c) If you want masquerading to be enabled on reboot, which you probably do, edit /etc/rc.local and add any commands used above. For example add the first command with no filtering:

iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE

Logs
Firewall logs are essential for recognizing attacks, troubleshooting your firewall rules, and noticing unusual activity on your network. You must include logging rules in your firewall for them to be generated, though, and logging rules must come before any applicable terminating rule (a rule with a target that decides the fate of the packet, such as ACCEPT, DROP, or REJECT).

If you are using ufw, you can turn on logging by entering the following in a terminal:

sudo ufw logging on

To turn logging off in ufw, simply replace on with off in the above command.
If using iptables instead of ufw, enter:

sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG --log-prefix "NEW_HTTP_CONN: "

A request on port 80 from the local machine, then, would generate a log in dmesg that looks like this:

[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0

The above log will also appear in /var/log/messages, /var/log/syslog, and /var/log/kern.log. This behavior can be modified by editing /etc/syslog.conf appropriately or by installing and configuring ulogd and using the ULOG target instead of LOG. The ulogd daemon is a userspace server that listens for logging instructions from the kernel specifically for firewalls, and can log to any file you like, or even to a PostgreSQL or MySQL database. Making sense of your firewall logs can be simplified by using a log analyzing tool such as fwanalog, fwlogwatch, or lire.

NOTE: Documentation for this article is taken from https://help.ubuntu.com/8.04/serverguide/C/firewall.html.

Sample firewall script for Hardy Heron

I just thought that you might be interested in a small script you can use in Hardy Heron.

It uses the new UFW (Uncomplicated firewall) introduced in this new Ubuntu distro.

The script is well commented, so everything is easy to understand.

Here is the script:

#!/bin/bash
 
  ## set the default policy to drop (deny) all connections
  sudo ufw default deny
 
  ## set logging ON
  sudo ufw logging on
 
  ## permit unrestricted traffic from a specific static IP address
  sudo ufw allow from 192.168.1.1    # maybe your router
 
  ## permit TCP connections on ssh port 22
  sudo ufw allow 22/tcp
 
  ## Allow Apache2
  sudo ufw allow 80/tcp
 
  ## Allow MySQL
  sudo ufw allow 3306/tcp
 
  ## Allow Bittorrent
  for port in {7881..7889};
  do sudo ufw allow $port/tcp; done
 
  ## Allow eMule
  sudo ufw allow 4662/tcp
  sudo ufw allow 4672/udp
 
  ## Allow DC++
  sudo ufw allow 6845
 
  ## Allow Samba from internal network only 
  sudo ufw allow proto tcp from 192.168.1.0/24 to any port 135 # used by smbd
  sudo ufw allow proto udp from 192.168.1.0/24 to any port 137 # used by nmbd
  sudo ufw allow proto udp from 192.168.1.0/24 to any port 138 # used by nmbd
  sudo ufw allow proto tcp from 192.168.1.0/24 to any port 139 # used by smbd
  sudo ufw allow proto tcp from 192.168.1.0/24 to any port 445 # used by smbd
 
  ## Display rules
  sudo ufw status

You can modify it by adding/removing rules accordingly.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close