This document guides you through setting up a simple network firewall with UFW (Uncomplicated Firewall)
on your Khadas SBC.
1. Open the kernel modules configuration file
$ sudo vi /etc/modules-load.d/modules.conf
and add the necessary network-related kernel modules at the bottom of the file, one module per line:
ip_tables
nf_tables
nf_conntrack
iptable_filter
iptable_nat
iptable_mangle
iptable_raw
xt_tcp
xt_udp
xt_LOG
xt_limit
xt_conntrack
xt_addrtype
xt_nat
xt_MASQUERADE
2. Point the iptables and ip6tables alternatives at the legacy binaries (iptables-legacy) instead of iptables
$ sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
$ sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
3. Open the UFW configuration file
$ sudo vi /etc/default/ufw
and disable IPv6:
IPV6=no
4. Create a directory to configure UFW
$ sudo mkdir -p /etc/systemd/system/ufw.service.d
5. Create a UFW override configuration file /etc/systemd/system/ufw.service.d/override.conf
to launch the firewall after networking is enabled, with the following content:
[Unit]
After=network.target
Requires=network.target
6. Restart the firewall service
$ sudo systemctl restart ufw
$ sudo systemctl enable ufw
7. Restart the system
$ sync
$ sudo reboot now
The firewall is now configured and will be enabled on system startup.
By default, the firewall will block all the ports from incoming or outgoing data.
To open a particular port and allow data through it, run
$ sudo ufw allow <port-number>
To deny data on a particular port, run
$ sudo ufw deny <port-number>
After any firewall rule changes, make sure you reload the rules:
$ sudo ufw reload
You can check the status of the firewall and which ports are allowed or denied:
$ sudo ufw status
You can enable the firewall (it will then also start at boot):
$ sudo ufw enable
or disable the firewall:
$ sudo ufw disable
By default, when enabled, the firewall will deny the port used for SSH. If you are working with your device in headless mode, it is advised to allow the SSH service before you enable the firewall, so that you do not lock yourself out:
$ sudo ufw disable
$ sudo ufw allow ssh
$ sudo ufw enable
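As an added check for step 1 and the SSH note above (an example script, not part of the Khadas page), this POSIX shell script verifies after the reboot that every module listed in step 1 actually loaded and that an SSH allow rule is present in `ufw status`. The sample /proc/modules and status inputs are constructed for offline use; `--live` reads the running board instead.

```shell
#!/bin/sh
# Added example, not from the Khadas page: post-reboot checks for the setup
# above. The checks take their input as text so they can be run against
# captured output offline; pass --live to read the running system instead.

# Module list from step 1.
REQUIRED_MODULES="ip_tables nf_tables nf_conntrack iptable_filter iptable_nat
iptable_mangle iptable_raw xt_tcp xt_udp xt_LOG xt_limit xt_conntrack
xt_addrtype xt_nat xt_MASQUERADE"

# Print each required module absent from the given /proc/modules text
# (the module name is the first field of every line, case preserved).
missing_modules() {
  for m in $REQUIRED_MODULES; do
    printf '%s\n' "$1" | awk -v m="$m" '$1 == m { found = 1 } END { if (!found) exit 1 }' \
      || printf '%s\n' "$m"
  done
}

# Return 0 when an `ufw status` listing has an ALLOW rule for SSH, whether it
# was added as `ufw allow ssh` (listed as 22/tcp), `ufw allow 22` or the
# OpenSSH application profile. ufw status lists rules only while active.
ssh_allowed() {
  printf '%s\n' "$1" | awk '
    ($1 == "22/tcp" || $1 == "22" || $1 == "OpenSSH") && $2 == "ALLOW" { found = 1 }
    END { if (!found) exit 1 }'
}

# Constructed sample inputs for offline use (not captured from a real board):
# the module list deliberately lacks xt_LOG and xt_MASQUERADE, and the status
# listing allows SSH only.
SAMPLE_PROC_MODULES=$(for m in $REQUIRED_MODULES; do
  [ "$m" = xt_LOG ] || [ "$m" = xt_MASQUERADE ] || printf '%s 16384 0 - Live 0x0\n' "$m"
done)
SAMPLE_UFW_STATUS="Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere"

if [ "${1-}" = "--live" ]; then
  missing=$(missing_modules "$(cat /proc/modules)")
  [ -z "$missing" ] && echo "all required modules are loaded" || echo "not loaded: $missing"
  ssh_allowed "$(sudo ufw status)" && echo "SSH is allowed" \
    || echo "WARNING: no SSH allow rule; run 'sudo ufw allow ssh' before enabling"
fi
```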