Setting up a secure Firewall configuration

Hello, as the title says I’m trying to set up the Ubuntu Firewall to secure my computer, and I need a few tips on how to do so. First the scenario:
The computer has an Apache web server set up (listening on a custom port), and that one needs to be accessible from both the LAN and the Internet. The default SSH port needs to be open just for the LAN. All other ports should, in theory, remain closed.

Of course I tested it on the LAN first. I tried to use the graphical config utility and set up rules to block all incoming connections except the ones for those specific ports, but it didn't work when I tested it (the firewall just blocked all incoming traffic). It's not the first firewall I've set up, so I'm definitely missing something here. With the firewall down I can access Apache and SSH just fine.

On a different note… what would you recommend to block certain IPs? iptables on the firewall or .htaccess on the Apache server? Say I have a big blacklist of known malicious IPs (from China, Kazakhstan, Ukraine, the usual stuff…) and I want to block them from accessing or contacting the web services in my Apache. Which of the two is the best way to proceed? Thanks in advance! :smile:

You can use ufw (or gufw) to set up rules. Rules are executed in sequence, 1, 2, 3, … so the top rules would be 1. deny from IPs in China, 2. deny from IPs in Ukraine, then 3. allow http, https, ssh from other nets. You can move rules up/down to change which executes first. As for blocking IPs, take a look at fail2ban.
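As an added illustration of the ordering described in this reply, applied to the original scenario (not code from anyone in the thread): the script below prints the ufw commands in the order they need to be applied, so they can be reviewed before running them. It assumes Apache listens on TCP 8080, that the LAN is 192.168.1.0/24, and it uses RFC 5737 documentation ranges as placeholder blocklist entries rather than any real threat data.

```shell
#!/bin/sh
# Assumptions (edit for your setup): Apache port, LAN subnet, blocklist.
# The blocklist CIDRs are constructed placeholders, not real malicious ranges.
APACHE_PORT=8080
LAN_CIDR=192.168.1.0/24
BLOCKLIST="203.0.113.0/24 198.51.100.0/24"

# ufw evaluates rules top to bottom and the first match wins, so the
# explicit denies are emitted before the broader allows. Default policy
# is deny incoming, which is what keeps "all other ports" closed.
# Review the output, then apply with:  gen_ufw_rules | sudo sh
gen_ufw_rules() {
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    for cidr in $BLOCKLIST; do
        echo "ufw deny from $cidr to any"
    done
    # SSH only from the LAN: no rule allows port 22 from anywhere else.
    echo "ufw allow from $LAN_CIDR to any port 22 proto tcp"
    # Apache reachable from LAN and Internet on its custom port.
    echo "ufw allow $APACHE_PORT/tcp"
    echo "ufw --force enable"
    # Show the resulting numbered rule list so ordering can be verified.
    echo "ufw status numbered"
}

# Sanity check on the generated order: exits non-zero if any deny rule
# would land below an allow rule (which would let blocked nets through).
check_order() {
    gen_ufw_rules | awk '/^ufw deny/ { if (seen_allow) exit 1 }
                         /^ufw allow/ { seen_allow = 1 }'
}
```

Port forwarding on the router is a separate step: the external forward is only needed for the Apache port, never for 22.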



Apache will need both the internal and external port forward, while ssh will need only the internal forwarded with the external blocked.

Everything from China and Russia. There's also a lot of bots from France, so you may want that too. Of course this only stops the ones who don't route their bots through a VPN, but it still mitigates the most primitive ones.

iptables would be best for that; leave .htaccess alone for when you need specific parameters changed in PHP or MySQL, like a larger buffer or file upload size.


A good one I've come across is arno_iptables; it comes with pretty good default stuff set up.