A system is only as secure as its network exposure. In this lesson, you will learn how to configure network interfaces, manage firewall rules, and implement network-level security controls on Linux. We cover both the legacy iptables and the modern nftables frameworks, plus UFW for simplified management.
Network Interface Configuration
Before configuring firewalls, you need to understand how Linux manages network interfaces. Modern Linux uses the ip command (from the iproute2 package) as the replacement for the deprecated ifconfig.
Network Interface Commands
```bash
# Show all interfaces and IP addresses
ip addr show
# Show routing table
ip route show
# Show interface statistics
ip -s link
# Bring an interface down/up (never take down the interface your own SSH session rides on)
sudo ip link set eth0 down
sudo ip link set eth0 up
# Assign a static IP (lives only until reboot; make it permanent in netplan, NetworkManager or ifupdown)
sudo ip addr add 192.168.1.100/24 dev eth0
# Add a default route
sudo ip route add default via 192.168.1.1
# Show ARP/neighbour table
ip neigh show
```
UFW — Uncomplicated Firewall
UFW (Uncomplicated Firewall) is the firewall front end installed by default on Ubuntu and available as a package on Debian. It manages iptables rules for you (on current releases the iptables command is itself a compatibility layer over nftables) and is the recommended starting point for most hosts.
UFW Configuration
```bash
# Check UFW status
sudo ufw status verbose
# Default policies: deny all incoming, allow all outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (always do this BEFORE enabling!). Use ONE of the two forms:
# open to the world, or (preferred) only from the management subnet
sudo ufw allow 22/tcp
sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp
# Allow HTTP/HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Allow a specific IP range to reach MySQL
sudo ufw allow from 10.0.0.0/8 to any port 3306 proto tcp
# Deny a specific IP. UFW stops at the first matching rule, so a deny appended
# after the allows above would never fire for those ports: insert it at the top
sudo ufw insert 1 deny from 203.0.113.50
# Enable the firewall
sudo ufw enable
# View numbered rules (the number is what 'ufw delete N' takes)
sudo ufw status numbered
```
STRICT SECURE AUDIT RULE
⚠️ ALWAYS add your SSH allow rule BEFORE enabling UFW. With a default deny policy and no SSH rule, new connections to port 22 are refused the moment you run ufw enable. The session you are in often survives, because UFW accepts packets belonging to already-established connections, so the lockout only becomes visible on your next login. On a remote server, open a second SSH session to confirm access before closing the first; for local VMs, keep console access available as a backup.
iptables — The Foundation
iptables is the underlying firewall framework that UFW abstracts. For advanced configurations, you will need to work with iptables directly. Understanding iptables is essential for security professionals.
```bash
# iptables rule structure:
# iptables -A CHAIN -p PROTOCOL --dport PORT -j TARGET
# Rules in a chain are evaluated top to bottom and the first match wins,
# so the order you append (-A) them in is the order they are checked.
# List all rules with line numbers
sudo iptables -L -n -v --line-numbers
# Allow established connections (-m conntrack --ctstate is the current
# spelling; -m state --state still works as an alias)
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT
# Drop invalid packets
sudo iptables -A INPUT -m state --state INVALID -j DROP
# Rate limit SSH to slow brute force: the 4th new connection within 60 s from
# one source is dropped. These must come BEFORE the SSH ACCEPT/DROP rules,
# otherwise port 22 traffic never reaches them.
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
# Allow SSH from the management subnet only; drop it from everywhere else
sudo iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP
# Log what is about to be dropped (rate limited so an attacker cannot flood syslog)
sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTABLES-DROP: " --log-level 4
# Set default policies LAST, once the ACCEPT rules are in place
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
# Rules live in kernel memory only: save them or they are gone after a reboot
# (this is the file iptables-persistent restores at boot)
sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null
```
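Logging drops is only useful if something reads the log. The script below is an added example (my own, not from the lesson) that summarises kernel log lines carrying the IPTABLES-DROP: prefix from the LOG rule above by source, protocol and destination port, and flags sources that hit many different ports. The log lines in sample_log are constructed to look like what the kernel writes to /var/log/kern.log; the scanners threshold is an assumption.

```bash
#!/usr/bin/env bash
# Summarise firewall LOG lines: "count SRC PROTO DPT", most frequent first.
set -eu

# Reads log lines on stdin; non-firewall lines (e.g. sshd) are ignored.
drop_summary() {
    grep -F 'IPTABLES-DROP:' \
    | awk '{
        src = ""; proto = ""; dpt = "-"
        # LOG output is KEY=VALUE tokens; flags like DF or SYN have no "="
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "SRC") src = v
            else if (k == "PROTO") proto = v
            else if (k == "DPT") dpt = v
        }
        if (src != "") count[src " " proto " " dpt]++
      }
      END { for (t in count) print count[t], t }' \
    | sort -rn
}

# Sources seen against more than THRESHOLD distinct (proto, port) tuples:
# a crude port-scan indicator. THRESHOLD is an assumed default.
scanners() {
    threshold="${1:-5}"
    drop_summary | awk -v t="$threshold" '{ seen[$2]++ } END { for (s in seen) if (seen[s] > t) print s }'
}

# Constructed sample lines in kern.log format (not real traffic).
sample_log() {
    cat <<'EOF'
Mar  4 10:15:01 web1 kernel: [12345.678901] IPTABLES-DROP: IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  4 10:15:02 web1 kernel: [12346.112233] IPTABLES-DROP: IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  4 10:15:03 web1 kernel: [12347.445566] IPTABLES-DROP: IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  4 10:16:40 web1 kernel: [12444.000000] IPTABLES-DROP: IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=192.168.1.100 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=54321 PROTO=TCP SPT=40000 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  4 10:16:41 web1 kernel: [12445.000000] IPTABLES-DROP: IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=192.168.1.100 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=54322 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  4 10:16:42 web1 sshd[2048]: Accepted publickey for ops from 192.168.1.20 port 55000 ssh2
EOF
}

# Usage on a real host: drop_summary < /var/log/kern.log
if [ "${1:-}" = "--demo" ]; then
    sample_log | drop_summary
    echo "possible scanners:"; sample_log | scanners 1
fi
```

The parser keys on the KEY=VALUE tokens rather than on field positions, because the exact set of tokens the LOG target emits varies with the protocol (ICMP lines carry TYPE/CODE instead of SPT/DPT). Feed it journalctl -k output instead of kern.log on systemd hosts.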
nftables — The Modern Replacement
nftables is the successor to iptables and the default packet-filtering framework on modern distributions (Debian 10+, RHEL 8+, Ubuntu 22.04+), where the iptables command is itself a compatibility layer (iptables-nft) translating into nftables. It replaces the separate iptables, ip6tables, arptables and ebtables tools with one kernel framework, has sets and maps built in, and uses a cleaner, declarative syntax in which a whole ruleset is loaded atomically from a file.
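The tip below refers to an SSH limit rate 5/minute rule, so here is a complete nftables ruleset that contains it, as an added example (my own, not from the lesson). It mirrors the iptables rules above; the management subnet, the NFT-DROP: log prefix and the --check flag are assumptions. The wrapper writes the ruleset to a file and runs nft -c -f, which is check mode: the file is parsed and validated but nothing is loaded.

```bash
#!/usr/bin/env bash
# nftables equivalent of the iptables rules above, plus a syntax check.
set -eu

# Print the ruleset. 'flush ruleset' plus the table makes the load atomic:
# the old rules are replaced in one transaction, never half-applied.
nft_ruleset() {
    mgmt_net="${1:-192.168.1.0/24}"
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # keep ICMP/ICMPv6 so path MTU discovery and IPv6 neighbour discovery work
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # SSH: only from the management subnet, at most 5 new connections per
        # minute for the rule as a whole (not per source); connections over
        # the limit fall through to the drop below
        ip saddr $mgmt_net tcp dport 22 ct state new limit rate 5/minute accept
        tcp dport 22 drop

        tcp dport { 80, 443 } accept

        # log (rate limited) what is about to hit the chain policy
        limit rate 5/minute log prefix "NFT-DROP: " level warn
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Write the ruleset to a temp file and validate it in check mode (run as root,
# like nft -f itself). Prints the file path so it can be loaded afterwards.
nft_check() {
    file=$(mktemp /tmp/nftables.XXXXXX)
    nft_ruleset "${1:-192.168.1.0/24}" > "$file"
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$file"
    else
        echo "nft not installed here; ruleset written to $file for review" >&2
    fi
    printf '%s\n' "$file"
}

# Example: ./nft-ruleset.sh --check 10.0.0.0/8   then   nft -f /tmp/nftables.XXXXXX
if [ "${1:-}" = "--check" ]; then
    nft_check "${2:-192.168.1.0/24}"
fi
```

Two caveats a practitioner should know: the plain limit rate applies to the rule, so one noisy source can exhaust the budget for the whole subnet (per-source limiting needs a dynamic set or meter keyed on ip saddr), and ip saddr only matches IPv4, so SSH over IPv6 hits the drop rule unless you add an ip6 saddr counterpart. On Debian, copy the checked file to /etc/nftables.conf and enable nftables.service to make it persistent.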
💡 A rate-limiting rule on SSH (limit rate 5/minute in nftables, or the -m recent pair in the iptables section above) is a critical defense against brute-force attacks. Combined with key-based authentication and fail2ban (covered later), it makes SSH far more resistant to automated attacks.
Firewall Best Practices Summary
▪Default deny: Block all incoming traffic, allow only what is explicitly needed
▪Principle of least privilege: Restrict source IPs, not just ports
▪Rate limit: Prevent brute-force and DoS attacks on exposed services
▪Log dropped packets: You cannot analyze what you do not log
▪Test before applying: Always have a rollback plan (console access or scheduled rule flush)
▪Use UFW for simple setups, iptables/nftables for advanced configurations
You are hardening a remote Linux server accessible via SSH. You configure UFW with 'default deny incoming' and enable it, but you forgot to add an allow rule for SSH. What happens?