How to set up a firewall with UFW on Ubuntu 18.04


A properly configured firewall is one of the most important aspects of overall system security. Ubuntu comes with a firewall configuration tool called UFW (Uncomplicated Firewall) by default. UFW is an easy to use front end for managing iptables firewall rules and its main goal is to make managing iptables easier or, as the name suggests, straightforward.

Requirements

Before starting this tutorial, make sure that you are logged into your server with a user account with sudo rights or with the root user. The best practice is to run administrative commands as the sudo user instead of root. If you don’t have a sudo user on your Ubuntu system, you can create one by following these instructions.

Install UFW

Uncomplicated Firewall should be installed by default in Ubuntu 18.04, but if it isn’t installed on your system you can install the package by typing:

sudo apt install ufw

Check UFW status

Once the installation is complete, you can check the status of UFW with the following command:

sudo ufw status verbose

UFW is disabled by default. If you’ve never activated UFW, the output will look like this:

Status: inactive

When UFW is enabled, the output looks like this:

UFW default policies

By default, UFW blocks all incoming connections and allows all outgoing connections. This means that anyone trying to access your server will not be able to connect unless you specifically open the port, while all applications and services running on your server can access the outside world.

The default policies are stored in the /etc/default/ufw file and can be changed with the sudo ufw default <policy> <chain> command.

Firewall policies are the basis for creating more detailed and custom rules. In most cases, the initial UFW default policies are a good place to start.

Application profiles

When a package is installed with the apt command, an application profile is added to the /etc/ufw/applications.d directory. The profile describes the service and contains the UFW settings for it.

You can list all of the application profiles available on your server by typing:

sudo ufw app list

Depending on the packages installed on your system, the output looks like this:

Available applications:
  Dovecot IMAP
  Dovecot POP3
  Dovecot Secure IMAP
  Dovecot Secure POP3
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH
  Postfix
  Postfix SMTPS
  Postfix Submission

For more information about a specific profile and the rules it contains, use the following command:

sudo ufw app info 'Nginx Full'
Profile: Nginx Full
Title: Web Server (Nginx, HTTP + HTTPS)
Description: Small, but very powerful and efficient web server

Ports:
  80,443/tcp

As you can see in the output above, the ‘Nginx Full’ profile opens ports 80 and 443.

Allow SSH connections

Before enabling the UFW firewall, we need to add a rule that allows incoming SSH connections. If you connect to your server remotely, which is almost always the case, and you enable the UFW firewall before explicitly allowing incoming SSH connections, you will no longer be able to connect to your Ubuntu server.

Enter the following command to configure your UFW firewall to allow incoming SSH connections:

sudo ufw allow ssh
Rules updated
Rules updated (v6)

If you’ve changed the SSH port to a custom port instead of port 22, you’ll need to open that port.

For example, if your ssh daemon is listening on port 4422, then you can use the following command to allow connections on that port:

sudo ufw allow 4422/tcp

Activate UFW

Now that your UFW firewall is configured to allow incoming SSH connections, we can enable it by typing:

sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

You are warned that activating the firewall can interrupt existing SSH connections. Just enter y and hit Enter.
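The lockout described above is easy to guard against in a script. The following is an added example, not part of the original tutorial: it reads the port sshd actually listens on and refuses to proceed unless an allow rule for that port has already been added. It assumes the sshd_config text and the output of sudo ufw show added (which lists the rules added so far even while the firewall is inactive) are passed in as strings, so it can be exercised without root.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a pre-flight check that
# refuses to enable UFW unless the port sshd listens on is already allowed.
# Assumptions: the sshd_config text and the output of "ufw show added" (which
# lists rules added so far even while the firewall is inactive) are passed in
# as strings, so the logic can be exercised without root or a live firewall.

# Print the port sshd listens on: first uncommented "Port" directive, else 22.
ssh_port_from_config() {
    port=$(printf '%s\n' "$1" | awk '$1 == "Port" { print $2; exit }')
    printf '%s\n' "${port:-22}"
}

# Succeed (exit 0) if the added-rules text allows the port. "ufw allow ssh"
# is recorded as "ufw allow 22/tcp", the OpenSSH profile by its name, and a
# source-restricted rule as "... to any port 22", so all three are accepted.
ssh_rule_present() {
    port="$1"
    added="$2"
    pattern="^ufw allow (${port}(/tcp)?|.* to any port ${port})( |$)"
    [ "$port" = 22 ] && pattern="${pattern}|^ufw allow OpenSSH( |$)"
    printf '%s\n' "$added" | grep -Eq "$pattern"
}

# Combine both checks; print the reason on failure. Intended use on a host:
#   safe_ufw_enable "$(cat /etc/ssh/sshd_config)" "$(sudo ufw show added)" \
#       && sudo ufw enable
safe_ufw_enable() {
    port=$(ssh_port_from_config "$1")
    if ssh_rule_present "$port" "$2"; then
        return 0
    fi
    echo "refusing to enable UFW: no allow rule for ssh port $port" >&2
    return 1
}

# Constructed sample input (not captured from a real host).
SAMPLE_SSHD_CONFIG='#Port 22
Port 4422
PermitRootLogin no'
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 80/tcp"
```

With the constructed sample, the check fails because sshd listens on 4422 while only 22/tcp has been allowed, which is exactly the situation that locks you out.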

Allow connections on other ports

Depending on the applications running on your server and your specific needs, you may need to allow inbound access to a few other ports as well.

Below we show you a few examples of how to allow inbound connections to some of the most common services:

Open port 80 – HTTP

HTTP connections can be allowed with the following command:

sudo ufw allow http

Instead of http, you can use the port number 80:

sudo ufw allow 80/tcp

or you can use the application profile, in this case ‘Nginx HTTP’:

sudo ufw allow 'Nginx HTTP'

Open port 443 – HTTPS

HTTPS connections can be allowed with the following command:

sudo ufw allow https

To achieve the same thing, instead of the https profile you can use the port number 443:

sudo ufw allow 443/tcp

or you can use the ‘Nginx HTTPS’ application profile:

sudo ufw allow 'Nginx HTTPS'

Open port 8080

If you are running Tomcat or any other application listening on port 8080, enter the following to allow incoming connections:

sudo ufw allow 8080/tcp

Allow port ranges

Instead of allowing access to individual ports, UFW also lets you allow access to port ranges. When allowing a port range with UFW, you must specify the protocol, either tcp or udp. For example, if you want to allow ports 7100 to 7200 for both tcp and udp, run the following commands:

sudo ufw allow 7100:7200/tcp
sudo ufw allow 7100:7200/udp

Allow specific IP addresses

To allow access to all ports from your home computer with the IP address 64.63.62.61, use from followed by the IP address you want to whitelist:

sudo ufw allow from 64.63.62.61

Allow certain IP addresses on certain ports

To allow access to a specific port, let’s say port 22 from your work computer with IP address 64.63.62.61, use to any port followed by the port number:

sudo ufw allow from 64.63.62.61 to any port 22

Allow subnets

The command to allow connections from a subnet of IP addresses is the same as for a single IP address; the only difference is that you need to specify the netmask. For example, if you want to allow access for IP addresses in the range 192.168.1.1 to 192.168.1.254 to port 3306 (MySQL), you can use this command:

sudo ufw allow from 192.168.1.0/24 to any port 3306

Allow connections to a specific network interface

To allow access to a specific port, let’s say port 3306, only on a specific network interface such as eth2, you need to use allow in on followed by the name of the network interface:

sudo ufw allow in on eth2 to any port 3306

Deny connections

The default policy for all incoming connections is set to deny, and if you haven’t changed it, UFW will block all incoming connections unless you specifically open the port.

Let’s say you opened ports 80 and 443 and your server is under attack from the 23.24.25.0/24 network. To deny all connections from 23.24.25.0/24, you can use the following command:

sudo ufw deny from 23.24.25.0/24

If you just want to deny access to ports 80 and 443 from 23.24.25.0/24, you can use the following commands:

sudo ufw deny from 23.24.25.0/24 to any port 80
sudo ufw deny from 23.24.25.0/24 to any port 443

Writing deny rules is the same as writing allow rules; you just need to replace allow with deny.

Delete UFW rules

There are two different ways to delete UFW rules, by rule number and by specifying the actual rule.

Deleting UFW rules by rule number is easier, especially if you’re new to UFW. To delete a rule by rule number, you first need to find the number of the rule you want to delete, which you can do with the following command:

sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere

To delete rule number 3, the rule that allows connections on port 8080, use the following command:

sudo ufw delete 3

The second method is to delete a rule by specifying the actual rule. For example, if you added a rule to open port 8069, you can delete it with:

sudo ufw delete allow 8069
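One pitfall of deleting by number is that UFW renumbers the remaining rules after each delete, and a port rule usually exists twice (once for IPv4 and once marked (v6)). The following added example, not part of the original tutorial, parses the output of sudo ufw status numbered, finds every rule whose To column matches a given spec, and emits the deletions from the highest number down so each number is still valid when it runs. It assumes the status text is passed in as a string.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: find every rule number
# whose "To" column matches a given spec in "ufw status numbered" output,
# and emit the deletions from the highest number down. UFW renumbers the
# remaining rules after each delete, so deleting 3 before 6 would otherwise
# remove the wrong rule. Assumes the status text is passed in as a string.

# Print matching rule numbers in descending order, space separated.
# Port rules normally exist twice (IPv4 and "(v6)"), and both are returned.
rule_numbers_for() {
    printf '%s\n' "$2" | awk -v spec="$1" '
        /^\[ *[0-9]+\]/ {
            n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n)
            rest = $0; sub(/^\[ *[0-9]+\] +/, "", rest)
            if (rest ~ ("^" spec "( \\(v6\\))? +")) found[++c] = n
        }
        END { for (i = c; i >= 1; i--) printf "%s%s", found[i], (i > 1 ? " " : "\n") }'
}

# Print the delete commands in a safe order; pipe into sh to apply them.
# --force skips the per-rule confirmation prompt.
delete_plan_for() {
    for n in $(rule_numbers_for "$1" "$2"); do
        echo "sudo ufw --force delete $n"
    done
}

# Constructed sample output (not captured from a real host).
SAMPLE_NUMBERED='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)'
```

Running delete_plan_for 8080/tcp "$(sudo ufw status numbered)" on a host prints the two commands for rules 6 and 3 in that order; review them before piping into sh.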

Deactivate UFW

If for some reason you want to stop UFW and deactivate all the rules, you can use:

sudo ufw disable

Later on, if you want to re-enable UFW and activate all the rules again, just type:

sudo ufw enable

Reset UFW

Resetting UFW deactivates UFW and clears all active rules. This is useful when you want to undo all of your changes and start over.

To reset UFW, just enter the following command:

sudo ufw reset

Conclusion

You learned how to install and configure the UFW firewall on your Ubuntu 18.04 server. Make sure to allow all incoming connections necessary for your system to work properly while limiting any unnecessary connections.

If you have any questions, feel free to leave a comment below.