How do I setup a firewall with UFW (uncomplicated firewall) on an Ubuntu Linux 18.04 LTS server to restrict traffic on my personal Ubuntu web-server that hosts my cat’s blog? How do I set up a firewall with UFW on Ubuntu 18.04 LTS?
Introduction : UFW is an acronym for an uncomplicated firewall. Securing a network with the uncomplicated firewall is super easy. The Ubuntu Linux comes with packet filtering called Netfilter. The iptables frontend command used to manage netfilter. However, ufw provide easy to use frontend for netfilter, and it is one of the most popular among Ubuntu sysadmins and developers. This page shows how to set up and secure your Ubuntu 18.04 LTS server with ufw.
How to setup a UFW firewall on Ubuntu Linux 18.04 LTS
The procedure to set up a firewall with UFW on Ubuntu 18.04:
- Make sure ufw installed
- Setup a default deny firewall policy with ufw on Ubuntu
- Open required ports with sudo ufw allow port syntax on Ubuntu
- At least you need to open SSH, HTTP/HTTPS and other TCP/IP ports using ufw.
- Enable ufw with sudo ufw enable
- Delete ufw rules ufw delete num command
- Check the status of netfilter with ufw status
- Disable ufw if needed
Let us see all commands to set up and securing your Ubuntu Linux 18.04 LTS server.
Ubuntu setup UFW firewall
By default UFW installed with Ubuntu. If not installed for some reason or removed by the previous sysadmin, type the following apt-get command/apt command to install UFW in Ubuntu:
# apt update
# apt install ufw
How do I view status of ufw on Ubuntu?
Type the following:
# ufw status
Sample outputs:
Status: inactive
Setting up default UFW policy
The default policy firewall works out well for both the servers and laptop/workstation as you only need to open a limited number of incoming ports. It is a good policy as it closes all ports on the server/firewall and you need to open ports one by one. You can run the following commands to set the system to block all incoming connection and only allow outgoing connections from the Ubuntu:
# ufw default allow outgoing
# ufw default deny incoming
How to add a new rule to allow SSH access
Type the following command to allow SSH connections to your server:
# ufw allow ssh
OR
sudo ufw allow 22/tcp
Say if you are running ssh on port 2020, enter:
# ufw allow 2020/tcp
The following rules allow access to tcp ssh port 22 only on 10.8.0.1 (i.e. your ssh server is listing on 10.8.0.1 port 22) from anywhere:
# ufw allow proto tcp from any to 192.168.0.165 port 22
The following rules allow access to tcp ssh port 22 only on 192.168.0.165 (i.e. your ssh server is listing on 192.168.0.165 port 22) from 192.168.0.113 IP address only:
# ufw allow proto tcp from 192.168.0.165 to 192.168.0.113 port 22
How do I add a comment for the ufw rule on Ubuntu?
The syntax is:
# ufw rule comment 'my comment here about rule'
For example allow only TCP traffic over HTTPS (TCP port 443):
# ufw allow https/tcp comment 'Open port Apache port 443'
You can view all added rules before enabling or starting the firewall on Ubuntu:
# ufw show added
How to enable the UFW based firewall
Simply run:
# ufw enable
We set up a firewall with UFW on Ubuntu 18.04 LTS
Once enabled, the firewall runs after reboots too.
How do I disable the UFW based firewall?
If you need to stop the firewall and disable on system startup, excute:
# ufw disable
Sample outputs:
Firewall stopped and disabled on system startup
How do I check the status of my fiewall rules?
Use the status command:
# ufw status
# ufw status numbered
# ufw status verbose
How to add more rules (open ports and allow IP address) with ufw
The syntax is as follows to open tcp port 25:
# ufw allow 25/tcp comment 'accept email'
Open UDP/1194 (OpenVPN) server:
# ufw allow 1194/udp
How to allow port ranges via ufw
You can allow port ranges too say, tcp and udp 4000 to 6000:
# ufw allow 4000:6000/tcp
# ufw allow 4000:6000/udp
Say you want to allow connections from an IP address called 1.2.3.4, enter:
# ufw allow from 1.2.3.4
Let us allow connections from an IP address called 1.2.3.4 to our port 22, enter:
# ufw allow from 1.2.3.4 to any port 22 proto tcp
OR (dest 222.222.222.222 port 22)
# ufw allow from 1.2.3.4 to 222.222.222.222 port 22 proto tcp
How to allow incoming MySQL/MariaDB traffic (open port 3306)
Allow access to MySQL/MariaDB port 3306 from selected subnet only (see MySQL/MariaDB remote access tutorial):
# ufw allow from 192.168.0.0/24 to any port 3306
Allow access to MySQL/MariaDB port 3306 Apache server only:
# ufw allow from 202.54.1.1 to any port 3306
Set up and allow PostgreSQL traffic by opening port 5432
Allow access to PostgreSQL port 5432 from selected subnet only (see PostgreSQL remote access tutorial):
# ufw allow from 192.168.0.0/24 to any port 5432
Allow access to PostgreSQL port 5432 Apache server only:
# ufw allow from 202.54.1.1 to any port 5432
Open incoming IMAP/IMAPS mail server ports
# ufw allow 143
# ufw allow 993
POP3/POP3S port opened with ufw
# ufw allow 110
# ufw allow 995
How to denying access to port or connections
Do you want to close ports and block IP address? The syntax is as follows to deny access (i.e. simply ignoring access to port 443):
# ufw deny 443/tcp
Make sure you deny all connections from an IP address called 1.2.3.4, enter:
# ufw deny from 1.2.3.4
Deny all connections from an IP/subnet called 123.45.67.89/24, enter:
# ufw deny from 123.45.67.89/24
Want to deny access to 1.2.3.4 (say hackers IP) on port 22? Try:
# ufw deny from 1.2.3.4 to any port 22 proto tcp
How to reject access to port or connections (reject and let user know they are blocked by the firewall)
The deny syntax simply ignores traffic. If you want let the sender know when traffic is being denied, rather than simply ignoring it, use reject syntax:
# ufw reject in smtp
# ufw reject out smtp
# sudo ufw reject 1194 comment 'No more vpn traffic'
# ufw reject 23 comment 'Unenc ufw reject out smtp rypted port not allowed'
If somebody try to connect to port 23 they will get reject message as follows:
telnet: Unable to connect to remote host: Connection refused
How to delete the UFW firewall rules
So far you learned how to add, deny, and list the firewall rules. It is time to delete unwanted rules. There are two options to deleting rules. The first syntax is:
# ufw delete {rule-here}
In this example, delete HTTPS (tcp port 443) traffic rule,
# ufw delete allow 443
If you no longer wished to allow smptd/email (port 25) traffic, execute:
# ufw delete allow 25
The second option is to list list all of the current rules in a numbered list format:
# ufw status numbered
Sample outputs:
|
Status: active
To Action From -- ------ ---- [ 1] 22/tcp ALLOW IN Anywhere [ 2] 443/tcp ALLOW IN Anywhere # Open port Apache port 443 [ 3] 22/tcp (v6) ALLOW IN Anywhere (v6) [ 4] 443/tcp (v6) ALLOW IN Anywhere (v6) # Open port Apache port 443 |
To delete 3rd rule (rule that allows TCP/443 access, you type the command:
# ufw status numbered
# ufw delete 3
Delete ufw rules by specifying their numbers on Ubuntu
How do I reset the ufw based firewall?
Run:
# ufw reset
How do I reload the ufw based firewall?
You can reload firewall with:
# ufw reload
When you edit UFW' configuration file, you need to run reload command. For example, you can edit /etc/ufw/before.rules, enter:
# nano /etc/ufw/before.rules
OR
# vim /etc/ufw/before.rules
To allow all traffic fro eth0 to eth0 (add after line that read as "# End required lines"), enter:
# allow all on eth0
-A ufw-before-input -i eth0 -j ACCEPT
-A ufw-before-output -o eth0 -j ACCEPT
Save and close the file. Reload the firewall:
# ufw reload
How do I see the ufw reports?
The added report displays the list of rules as they were added on the command-line:
# ufw show added
# ufw show listening
Other possible reports are:
# ufw show raw
# ufw show builtins
# ufw show before-rules
# ufw show user-rules
# ufw show after-rules
# ufw show logging-rules
Conclusion
In this guide, you learned how to secure your Ubuntu Linux 18.04 LTS server with the help of ufw. For more info, please see ufw help page here.