Introduction: In this tutorial, we'll cover how to secure your server by blocking outgoing traffic to private networks using Uncomplicated Firewall (UFW). This method is particularly useful in environments where you need to ensure that your server does not accidentally or maliciously communicate with specified internal networks, which is a common requirement in many secured deployments. We'll go through the installation of UFW, configuring basic rules, and setting up specific denials for private IP ranges.

Requirements

  • A server running Ubuntu or any other Debian-based Linux distribution.
  • Administrative access to the server.

Step 1 - Install and Enable UFW

Install UFW:
UFW, or Uncomplicated Firewall, is a user-friendly front-end for managing iptables firewall rules. Its simplicity makes managing a Linux firewall straightforward and less prone to errors. Begin by installing UFW on your server if it isn't already installed:

sudo apt install ufw

Enable UFW:
Before configuring any specific rules, enable UFW to ensure it's actively managing network traffic:

sudo ufw enable

Step 2 - Configure UFW Basic Security Settings

Set Default Policies:
First, set the default policies to deny all incoming and outgoing connections, which establishes a secure baseline:

sudo ufw default deny incoming
sudo ufw default deny outgoing​

Allow Necessary Services:
Next, configure the necessary ports for your services like SSH, HTTP, and HTTPS to ensure your server remains accessible as needed:

sudo ufw allow (add your port here)
sudo ufw allow 22    # Allow SSH​

Reload UFW :

sudo ufw reload


Confirm UFW Status:

After configuring your rules, confirm that UFW is running and the rules are applied correctly:

sudo ufw status verbose

Step 3 - Block Communications to Private Networks

Understanding Private IP Ranges:
Private IP addresses are reserved for use within private networks. They are commonly used for local communications within a network and are not routable on the internet. The blocks we will deny are:

  • 10.0.0.0/8
  • 172.0.0.0/8
  • 192.0.0.0/8
  • 100.0.0.0/8
  • 198.0.0.0/8
  • 169.0.0.0/8
  • 102.0.0.0/8 
  • 185.234.0.0/14

Block Outgoing Communications:
To block outgoing communications to these networks, use the following UFW commands:

sudo ufw deny out from any to 10.0.0.0/8
sudo ufw deny out from any to 172.0.0.0/8
sudo ufw deny out from any to 192.0.0.0/8
sudo ufw deny out from any to 100.0.0.0/8
sudo ufw deny out from any to 198.0.0.0/8
sudo ufw deny out from any to 169.0.0.0/8
sudo ufw deny out from any to 102.0.0.0/8
sudo ufw deny out from any to 185.234.0.0/14

Check and Verify:
After setting these rules, verify your firewall configuration:

sudo ufw status verbose

You might also want to verify the rules with:

sudo iptables-save

Testing the Configuration:
Test your firewall settings by attempting to ping a device within the blocked ranges, for example:

ping 172.16.5.204

Conclusion: Implementing firewall rules to block outgoing traffic to private networks is a critical security measure, particularly when you don't have full control over the software installed on your server. Using UFW simplifies this process and ensures that your server adheres to network access policies, protecting your systems from potential internal threats.

Esta resposta foi útil? 457 Utilizadores acharam útil (684 Votos)