A firewall is a tool used to monitor and filter incoming and outgoing network traffic. It works by defining a set of security rules that determine whether certain traffic is allowed or blocked.
Ubuntu comes with a firewall configuration tool called UFW (Uncomplicated Firewall). It is an easy-to-use front end for managing iptables firewall rules. Its main goal is to make managing the firewall easier or, as the name suggests, uncomplicated.
This article describes how to use the UFW tool to configure and manage a firewall on Ubuntu 20.04. A properly configured firewall is one of the most important aspects of overall system security.
Only root or users with sudo privileges can manage the system firewall. The best practice is to perform administrative tasks as a sudo user.
UFW is part of the standard installation of Ubuntu 20.04 and should be present on your system. If for some reason it’s not installed, you can install the package by typing:
sudo apt update
sudo apt install ufw
Check UFW status
UFW is disabled by default. You can check the status of the UFW service with the following command:
sudo ufw status verbose
When the firewall is inactive, the output reports the status as inactive. Once UFW is enabled, the same command lists the status, the logging level, the default policies and the active rules.
UFW default policies
The default behavior of the UFW firewall is to block all inbound and forwarding traffic and to allow all outbound traffic. This means that anyone trying to access your server will not be able to connect unless you specifically open the port. Applications and services running on your server can access the outside world.
The default policies are defined in the /etc/default/ufw file and can be changed either by editing the file manually or with the sudo ufw default <policy> <chain> command.
Firewall policies are the basis for creating more complex and custom rules. In general, the initial UFW default policies are a good place to start.
An application profile is a text file in INI format that describes the service and contains the firewall rules for it. Application profiles are saved in the /etc/ufw/applications.d directory when the package is installed.
You can list all of the application profiles available on your server by typing:
sudo ufw app list
Depending on the packages installed on your system, the output looks like this:
Available applications:
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH
For more information about a specific profile and rules it contains, use the following command:
sudo ufw app info 'Nginx Full'
The output shows that the profile ‘Nginx Full’ opens ports 80 and 443:
Profile: Nginx Full
Title: Web Server (Nginx, HTTP + HTTPS)
Description: Small, but very powerful and efficient web server

Ports:
  80,443/tcp
You can also create custom profiles for your applications.
If you are connecting to your Ubuntu server remotely, you need to explicitly allow incoming SSH connections before enabling the UFW firewall. Otherwise you will no longer be able to connect to the machine.
Enter the following command to configure your UFW firewall to allow incoming SSH connections:
sudo ufw allow ssh
Rules updated
Rules updated (v6)
If SSH is running on a non-standard port, you need to open that port instead. For example, if your ssh daemon is listening on port 7722, enter the following command to allow connections on that port:
sudo ufw allow 7722/tcp
Now that the firewall is configured to allow incoming SSH connections, you can enable it by typing:
sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
You are warned that activating the firewall can interrupt existing SSH connections. Type y and press Enter.
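The lockout described above is easy to avoid with a pre-flight check. The following shell script is an added example, not part of the original article: it reads the port sshd listens on from sshd_config text and confirms that a rule allowing that port is already among the rules UFW has recorded (sudo ufw show added lists them even while the firewall is still inactive, which sudo ufw status does not). The function names and the sample file contents are my own constructions; on a real host you would feed in the contents of /etc/ssh/sshd_config and the output of sudo ufw show added.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight check to run
# before "sudo ufw enable" on a remote host. It reads the port sshd
# listens on and confirms that a rule allowing that port is already among
# the rules UFW has recorded ("sudo ufw show added" lists them even while
# the firewall is still inactive). The inputs below are constructed samples.

# Constructed sample of /etc/ssh/sshd_config with a non-standard port.
SAMPLE_SSHD_CONFIG='# Port 22
Port 7722
PasswordAuthentication no'

# Constructed samples of "ufw show added" output.
SAMPLE_ADDED_OK="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow 7722/tcp"
SAMPLE_ADDED_MISSING="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow 'Nginx Full'"

# sshd_listen_port SSHD_CONFIG_TEXT
# Prints the port from the last uncommented "Port N" line, or 22 if none.
sshd_listen_port() {
    port=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        tail -n 1)
    if [ -n "$port" ]; then printf '%s\n' "$port"; else printf '22\n'; fi
}

# ssh_allowed SHOW_ADDED_TEXT PORT
# Returns 0 if some "ufw allow" line names the port (as N, N/tcp, the ssh
# service name, or the OpenSSH profile when the port is 22), 1 otherwise.
ssh_allowed() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "ufw" && $2 == "allow" {
            for (i = 3; i <= NF; i++) {
                f = $i; gsub(/\047/, "", f)          # strip quotes around profile names
                if (f == p || f == p "/tcp") found = 1
                if (p == "22" && (f == "ssh" || f == "OpenSSH")) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# enable_is_safe SSHD_CONFIG_TEXT SHOW_ADDED_TEXT
# Returns 0 when it is safe to run "ufw enable"; otherwise prints the
# command that should be run first and returns 1.
enable_is_safe() {
    port=$(sshd_listen_port "$1")
    if ssh_allowed "$2" "$port"; then
        return 0
    fi
    echo "SSH port $port is not allowed yet; run: sudo ufw allow $port/tcp" >&2
    return 1
}

if enable_is_safe "$SAMPLE_SSHD_CONFIG" "$SAMPLE_ADDED_MISSING"; then
    echo "safe to enable"
else
    echo "do not enable yet"
fi
```

Run it with the real inputs before typing sudo ufw enable; the check deliberately ignores deny rules and udp-only rules, because neither keeps an SSH session alive.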
Depending on the applications that are running on the system, you may need to open other ports as well. The general syntax for opening a port is as follows:
ufw allow port_number/protocol
Here are a few ways to allow HTTP connections.
The first option is to use the service name. UFW looks up the port and protocol of the specified service in the /etc/services file:
sudo ufw allow http
You can also specify the port number and protocol:
sudo ufw allow 80/tcp
If no protocol is specified, UFW creates rules for both TCP and UDP.
Another option is to use the application profile; in this case ‘Nginx HTTP’:
sudo ufw allow 'Nginx HTTP'
UFW also supports a different syntax for specifying the protocol, using the proto keyword:
sudo ufw allow proto tcp to any port 80
You can also use UFW to open port ranges. The start and end ports are separated by a colon (:), and you must specify the protocol (tcp or udp).
For example, to allow ports from 7100 to 7200 on both tcp and udp, you would run the following commands:
sudo ufw allow 7100:7200/tcp
sudo ufw allow 7100:7200/udp
Specific IP address and port
To allow connections on all ports from a specific source IP, use the from keyword followed by the source address.
Here is an example of an IP address whitelisting:
sudo ufw allow from 184.108.40.206
If you only want to allow the specified IP address access to a specific port, use the to any port keywords followed by the port number.
For example, to allow access to port 22 from a computer with the IP address 220.127.116.11:
sudo ufw allow from 220.127.116.11 to any port 22
The syntax for allowing connections to a subnet of IP addresses is the same as when using a single IP address. The only difference is that you have to specify the netmask.
Below is an example that allows access to port 3306 from IP addresses in the range 192.168.1.1 to 192.168.1.254, i.e. the 192.168.1.0/24 subnet:
sudo ufw allow from 192.168.1.0/24 to any port 3306
Specific network interface
To allow connections on a specific network interface, use the in on keywords followed by the name of the network interface:
sudo ufw allow in on eth2 to any port 3306
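The syntax rules in the sections above (a port list or range must carry a protocol, the extended from ... to any port form takes its protocol via proto, a subnet needs a netmask) are easy to get wrong on a live firewall. The shell script below is an added example, not code from the article or the UFW project: it validates a port specification and a source address, prints the ufw command it would produce without running it, and, because custom application profiles use the same port syntax in their ports= line, it also checks a profile file. The function names, the sample profile and the addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): validate the parts of a
# "ufw allow" rule before composing the command. A port must be in
# 1-65535; a range is start:end with start <= end; ranges and comma lists
# must carry a protocol; a source is a dotted IPv4 address with an optional
# /prefix. Only the command text is produced; nothing here calls ufw.

# Constructed sample of a custom profile in /etc/ufw/applications.d format.
SAMPLE_PROFILE='[MyApp]
title=My App
description=Constructed example service
ports=8443/tcp|9000:9010/udp'

# valid_port N -> 0 if N is an integer in 1..65535
valid_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_port_spec SPEC -> 0 for "80", "80/tcp", "80,443/tcp", "7100:7200/udp".
# On success sets PS_PORTS (ports without protocol) and PS_PROTO (tcp, udp or empty).
valid_port_spec() {
    PS_PORTS="$1"; PS_PROTO=""
    case "$PS_PORTS" in
        */tcp) PS_PROTO=tcp; PS_PORTS="${PS_PORTS%/tcp}" ;;
        */udp) PS_PROTO=udp; PS_PORTS="${PS_PORTS%/udp}" ;;
        */*)   return 1 ;;                       # unknown protocol suffix
    esac
    [ -n "$PS_PORTS" ] || return 1
    case "$PS_PORTS" in
        *:* | *,*) [ -n "$PS_PROTO" ] || return 1 ;;   # ranges and lists need a protocol
    esac
    ps_ifs=$IFS; IFS=,
    for piece in $PS_PORTS; do
        case "$piece" in
            *:*)
                start="${piece%%:*}"; end="${piece#*:}"
                valid_port "$start" && valid_port "$end" && [ "$start" -le "$end" ] ||
                    { IFS=$ps_ifs; return 1; }
                ;;
            *) valid_port "$piece" || { IFS=$ps_ifs; return 1; } ;;
        esac
    done
    IFS=$ps_ifs
    return 0
}

# valid_ipv4_cidr ADDR -> 0 for "10.0.0.5" or "192.168.1.0/24"
valid_ipv4_cidr() {
    addr="${1%%/*}"
    if [ "$addr" != "$1" ]; then                 # a /prefix is present
        prefix="${1#*/}"
        case "$prefix" in '' | *[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    printf '%s\n' "$addr" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# profile_ports_ok PROFILE_TEXT -> 0 if every |-separated entry of the
# ports= line is a valid port spec
profile_ports_ok() {
    ports=$(printf '%s\n' "$1" | sed -n 's/^ports=//p' | head -n 1)
    [ -n "$ports" ] || return 1
    pp_ifs=$IFS; IFS='|'
    for entry in $ports; do
        valid_port_spec "$entry" || { IFS=$pp_ifs; return 1; }
    done
    IFS=$pp_ifs
    return 0
}

# build_allow PORT_SPEC [SOURCE] -> prints the ufw command, or returns 1
build_allow() {
    valid_port_spec "$1" || { echo "bad port spec: $1" >&2; return 1; }
    if [ -z "$2" ]; then
        printf 'ufw allow %s\n' "$1"
        return 0
    fi
    valid_ipv4_cidr "$2" || { echo "bad source address: $2" >&2; return 1; }
    # the extended "from ... to any port" form takes the protocol via "proto"
    if [ -n "$PS_PROTO" ]; then
        printf 'ufw allow proto %s from %s to any port %s\n' "$PS_PROTO" "$2" "$PS_PORTS"
    else
        printf 'ufw allow from %s to any port %s\n' "$2" "$PS_PORTS"
    fi
}

build_allow 7100:7200/tcp 192.168.1.0/24
build_allow 80:90 10.0.0.0/8 || echo "rejected as expected: ranges need a protocol"
```

A new profile dropped into /etc/ufw/applications.d is picked up after sudo ufw app update MyApp; checking its ports= line with profile_ports_ok first avoids a profile that UFW refuses to load.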
The default policy for all incoming connections is set to deny, and if you have not changed it, UFW blocks every incoming connection unless you specifically open a port.
Writing deny rules is the same as writing allow rules; you just use the deny keyword instead of allow.
Let’s say you opened ports 80 and 443, and your server is being accessed from the 18.104.22.168/24 network. To deny all connections from 22.214.171.124/24, you would run the following command:
sudo ufw deny from 126.96.36.199/24
To deny access to ports 80 and 443 only from 188.8.131.52/24, you can use the following command:
sudo ufw deny proto tcp from 184.108.40.206/24 to any port 80,443
Deletion of UFW rules
There are two different ways to delete UFW rules: by rule number and by specifying the actual rule.
Deleting rules by rule number is easier, especially if you are new to UFW. To delete a rule by number, you first need to find the number of the rule you want to delete. To get a list of the numbered rules, use the ufw status numbered command:
sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere
To delete rule number 3, the one that allows connections to port 8080, you would type:
sudo ufw delete 3
The second method is to delete a rule by specifying the actual rule. For example, if you added a rule to open port 8069, you can delete it with:
sudo ufw delete allow 8069
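Deleting by number is error-prone when the list is long, and the numbers shift as soon as one rule is removed. The shell script below is an added example, not part of the original article or of UFW: it matches the To, Action and From columns of captured sudo ufw status numbered output and prints the ufw delete command for the single rule that matches, refusing when zero or several rules do. The function names and the sample listing are constructed; feed it the real output to use it.

```shell
#!/bin/sh
# Added example (not from the original article): look up the number to
# pass to "ufw delete" by matching a rule in captured "ufw status numbered"
# output, instead of reading it off by eye. UFW renumbers the remaining
# rules after every deletion, so delete one rule at a time and list again
# before deleting the next.

# Constructed sample in the layout "ufw status numbered" prints.
SAMPLE_NUMBERED='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere
[ 4] 3306                       ALLOW IN    192.168.1.0/24
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# rule_number STATUS_TEXT TO ACTION FROM
# Prints the number of every rule whose To, Action and From columns match
# exactly (IPv6 entries carry " (v6)" in To and From); returns 1 if none.
rule_number() {
    printf '%s\n' "$1" | awk -v to="$2" -v act="$3" -v from="$4" '
        /^\[ *[0-9]+\]/ {
            line = $0
            sub(/^\[ */, "", line)
            n = line; sub(/\].*/, "", n)            # the number inside the brackets
            sub(/^[0-9]+\] */, "", line)            # the rule columns
            k = split(line, f, / +/)
            for (a = 1; a <= k; a++) if (f[a] ~ /^(ALLOW|DENY|REJECT|LIMIT)$/) break
            if (a > k) next
            t = f[1]; if (f[2] == "(v6)") t = t " (v6)"
            s = a + 1; if (f[s] ~ /^(IN|OUT|FWD)$/) s++
            r = f[s]; if (f[s + 1] == "(v6)") r = r " (v6)"
            if (t == to && f[a] == act && r == from) { print n; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# delete_command STATUS_TEXT TO ACTION FROM
# Prints "ufw delete N" when exactly one rule matches; refuses otherwise.
delete_command() {
    nums=$(rule_number "$@") || { echo "no rule matches $2 $3 $4" >&2; return 1; }
    count=$(printf '%s\n' "$nums" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ] || { echo "ambiguous: rules $(echo $nums) match" >&2; return 1; }
    printf 'ufw delete %s\n' "$nums"
}

delete_command "$SAMPLE_NUMBERED" 8080/tcp ALLOW Anywhere
```

Because ufw delete N itself asks for confirmation, the printed command can be pasted as-is; re-run sudo ufw status numbered before composing the next one.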
If for some reason you want to stop UFW and disable all rules, you can use:
sudo ufw disable
Later on, if you want to re-enable UFW and activate all rules again, just type:
sudo ufw enable
Resetting UFW deactivates UFW and clears all active rules. This is useful when you want to undo all of your changes and start over.
To reset UFW, enter the following command:
sudo ufw reset
IP masquerading is a variant of NAT (Network Address Translation) in the Linux kernel that translates network traffic by rewriting the source and destination IP addresses and ports. With IP masquerading, you can allow one or more computers on a private network to communicate with the Internet using a Linux computer that acts as a gateway.
There are several steps involved in configuring IP masquerading with UFW.
First, you need to enable IP forwarding. To do this, open the /etc/ufw/sysctl.conf file:
sudo nano /etc/ufw/sysctl.conf
Find the line that reads net.ipv4.ip_forward = 1 and uncomment it.
Next you need to configure UFW to allow forwarded packets. Open the UFW configuration file:
sudo nano /etc/default/ufw
Locate the DEFAULT_FORWARD_POLICY key and change its value from DROP to ACCEPT.
Now you need to set the default policy for the POSTROUTING chain in the nat table and add the masquerade rule. To do this, open the /etc/ufw/before.rules file:
sudo nano /etc/ufw/before.rules
Append the following lines:
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through eth0 - Change to public network interface
-A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
Don’t forget to replace eth0 in the -A POSTROUTING line with the name of your public network interface.
When you’re done, save and close the file.
Finally, reload the UFW rules by disabling and re-enabling UFW:
sudo ufw disable
sudo ufw enable
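The masquerading procedure above touches three files, and a missed step fails silently (clients simply get no connectivity). The shell script below is an added example, not part of the original article or of UFW: it checks the contents of the three files for the edits the procedure requires and renders the *nat block for a given public interface and private subnet so it can be pasted into /etc/ufw/before.rules. The function names and the sample file contents are constructed; the ip_forward check accepts both the dotted spelling used in the text and the slash spelling that sysctl also understands.

```shell
#!/bin/sh
# Added example (not from the original article): checks for the three
# edits the masquerading procedure requires, run against file contents
# passed as text so they can be tested on constructed samples:
#   1. an uncommented net.ipv4.ip_forward=1 line in /etc/ufw/sysctl.conf
#   2. DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw
#   3. a *nat block with a MASQUERADE rule followed by COMMIT in before.rules
# nat_fragment renders the before.rules block for an interface and subnet.

# Constructed samples of the three files, before and after the edits.
SYSCTL_BAD='# Uncomment this to allow this host to route packets between interfaces
#net/ipv4/ip_forward=1'
SYSCTL_OK='net/ipv4/ip_forward=1'
DEFAULT_BAD='DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"'
DEFAULT_OK='DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="ACCEPT"'
BEFORE_BAD='*filter
:ufw-before-input - [0:0]
COMMIT'

# ip_forward_enabled SYSCTL_TEXT -> 0 if an uncommented ip_forward=1 line exists
ip_forward_enabled() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*net(\.ipv4\.|/ipv4/)ip_forward[[:space:]]*=[[:space:]]*1'
}

# forward_policy DEFAULT_UFW_TEXT -> prints the DEFAULT_FORWARD_POLICY value
forward_policy() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*DEFAULT_FORWARD_POLICY=//p' | tr -d '"' | tail -n 1
}

# nat_fragment IFACE SUBNET -> prints the *nat block for before.rules
nat_fragment() {
    [ -n "$1" ] && [ -n "$2" ] || { echo "usage: nat_fragment IFACE SUBNET" >&2; return 1; }
    printf '%s\n' \
        '# NAT table rules' \
        '*nat' \
        ':POSTROUTING ACCEPT [0:0]' \
        "# Forward traffic through $1" \
        "-A POSTROUTING -s $2 -o $1 -j MASQUERADE" \
        "# don't delete the 'COMMIT' line or these rules won't be processed" \
        'COMMIT'
}

# nat_block_ok BEFORE_RULES_TEXT -> 0 if a *nat table contains a POSTROUTING
# MASQUERADE rule and is closed by COMMIT
nat_block_ok() {
    printf '%s\n' "$1" | awk '
        /^\*nat/ { innat = 1; next }
        innat && /^-A POSTROUTING .* -j MASQUERADE/ { masq = 1 }
        innat && /^COMMIT/ { if (masq) ok = 1; innat = 0 }
        END { exit ok ? 0 : 1 }'
}

# masquerade_ready SYSCTL_TEXT DEFAULT_UFW_TEXT BEFORE_RULES_TEXT
# Returns 0 if all three edits are in place, naming each missing one otherwise.
masquerade_ready() {
    rc=0
    ip_forward_enabled "$1" || { echo "ip_forward is not enabled in /etc/ufw/sysctl.conf"; rc=1; }
    [ "$(forward_policy "$2")" = "ACCEPT" ] || { echo "DEFAULT_FORWARD_POLICY is not ACCEPT"; rc=1; }
    nat_block_ok "$3" || { echo "before.rules lacks a *nat MASQUERADE rule with COMMIT"; rc=1; }
    return $rc
}

if masquerade_ready "$SYSCTL_OK" "$DEFAULT_OK" "$(nat_fragment eth0 10.8.0.0/16)"; then
    echo "masquerading prerequisites present"
else
    echo "masquerading is not fully configured"
fi
```

On a real gateway, pass in the file contents (for example "$(cat /etc/ufw/sysctl.conf)") and run the check before the disable/enable cycle, so that a forwarded packet that still gets dropped can be traced to the file that was not edited.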
We showed you how to install and configure a UFW firewall on your Ubuntu 20.04 server. Make sure to allow all incoming connections necessary for your system to work properly while limiting any unnecessary connections.
Further information on this topic can be found in the UFW man page.
If you have any questions, feel free to leave a comment below.