Table of Contents

VIM3/3L Firewall

Introduction

This document guides you to setup a simple network firewall with UFW Uncomplicated Firewall on your Khadas SBC.

Preparation

1. Open the kernel modules configuration file

$ sudo vi /etc/modules-load.d/modules.conf

And add the necessary network related kernel modules at the bottom of the file.

ip_tables
nf_tables
nf_conntrack

iptable_filter
iptable_nat
iptable_mangle
iptable_raw

xt_tcp
xt_udp
xt_LOG
xt_limit
xt_conntrack
xt_addrtype
xt_nat
xt_MASQUERADE

2. Create symbolic link to iptables-legacy instead of iptables

$ sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
$ sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

3. Open the UFW configuration file

$ sudo vi /etc/default/ufw

And disable IPv6

IPV6=no

4. Create a directory to configure UFW

$ sudo mkdir -p /etc/systemd/system/ufw.service.d

5. Create a UFW override configuration file /etc/systemd/system/ufw.service.d/override.conf to launch the firewall after networking is enabled.

[Unit]
After=network.target
Requires=network.target

6. Restart the firewall service

$ sudo systemctl restart ufw
$ sudo systemctl enable ufw

7. Restart the system

$ sync
$ sudo reboot now

The firewall is now configured and will be enabled on system startup.

Usage

By default, the firewall will block all the ports from incoming or outgoing data.

To enable a open a particular port to allow data you need to

$ sudo ufw allow <port-number>

To disable a open a particular port to allow data you need to

$ sudo ufw deny <port-number>

After any firewall rule changes, make sure you reload the rules

$ sudo ufw reload

You can check the status of the firewall and what ports are allowed or denied

$ sudo ufw status

You can enable the firewall to startup:

$ sudo ufw enable

or disable the firewall

$ sudo ufw disable

By default when enabled the firewall will deny the port used for SSH, if working with your device in headless mode it is advised to allow the SSH service before you enable the firewall to avoid conflict.

$ sudo ufw disable
$ sudo ufw allow ssh
$ sudo ufw enable

Further Reading

2024/07/03 02:50 · sravan