How to Setup Firewall using UFW in Ubuntu

Written by: Bagus Facsi Aginsa
Published at: 10 Sep 2021


Ubuntu ships with UFW to manage the firewall. UFW stands for Uncomplicated Firewall, and it lives up to the name: it is easy to use and easy to understand. This tutorial can serve as a cheat sheet for setting up your firewall in Ubuntu.

Check Prerequisite

  1. UFW is installed by default in Ubuntu 18.04 or later, so you only need to install the OS to follow this tutorial. If the application is not available, you can install it with apt install ufw.
  2. Sudo privileges: make sure you have root access on your VM. The firewall must be configured by the root user, so before we start, run sudo su.

Enable UFW

By default, ufw is disabled. Before you enable it, make sure you configure the firewall to allow ssh access. If you do not open ssh first, you will be disconnected from your server as soon as you enable ufw, and you will not be able to reach it via ssh afterwards. The default ssh port is 22 over TCP; run this command to allow it:

ufw allow 22/tcp

Yes, you can configure the firewall using ufw before you enable it. If your server uses a different ssh port, just change the port number.

After that, run this command to enable ufw:

ufw enable

If you later want to disable it again, you can run this command:

ufw disable
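The order the tutorial insists on (allow ssh, then enable) is easy to get wrong when the steps are typed by hand on a remote box. The script below is an added example, not part of the original tutorial: it applies a baseline ruleset in that order, restricting ssh to an admin subnet when one is given (ADMIN_NET and the default SSH_PORT of 22 are assumed values, not from the page). It prints the commands as a dry run unless UFW_APPLY=1 is set, so the sequence can be reviewed before it touches the live firewall.

```shell
#!/bin/sh
# Added example (not from the original tutorial): apply a baseline UFW ruleset
# in the safe order: ssh is allowed BEFORE "ufw enable".
# Dry run (prints the commands) unless UFW_APPLY=1 is set.

SSH_PORT="${SSH_PORT:-22}"     # change if sshd listens on another port
ADMIN_NET="${ADMIN_NET:-}"     # optional, e.g. 192.168.5.0/24 (assumed value)

run_ufw() {
    # Execute for real only when UFW_APPLY=1; otherwise just print.
    if [ "${UFW_APPLY:-0}" = 1 ]; then
        ufw "$@"
    else
        printf 'ufw %s\n' "$*"
    fi
}

# baseline_firewall <ssh-port> <admin-subnet-or-empty>
# Emits the rules in dependency order; the ssh allow precedes enable.
baseline_firewall() {
    ssh_port="$1"
    admin_net="$2"

    run_ufw default deny incoming
    run_ufw default allow outgoing

    if [ -n "$admin_net" ]; then
        # Only the admin subnet may reach ssh
        run_ufw allow from "$admin_net" to any port "$ssh_port" proto tcp
    else
        run_ufw allow "$ssh_port/tcp"
    fi

    run_ufw allow 443/tcp

    # --force answers the "may disrupt existing ssh connections" prompt
    run_ufw --force enable
}

baseline_firewall "$SSH_PORT" "$ADMIN_NET"
```

Run it once without UFW_APPLY to read the generated commands, then with UFW_APPLY=1 as root to apply them. Keeping the ssh allow ahead of the enable inside one function means a later edit cannot accidentally reorder the two steps.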

Check UFW status

To check your firewall status and rules, you can run this command:

ufw status

This is the example output if ufw is enabled/active:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)

or if you want complete status and rules, you can run this command:

ufw status verbose

This is the example output:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)

If you want to know the rule number, you can run this command:

ufw status numbered

This is the example output:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 443/tcp                    ALLOW IN    Anywhere
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 4] 443/tcp (v6)               ALLOW IN    Anywhere (v6)

This numbered status is very useful when you want to delete some rules. More explanation later in this tutorial.

UFW Default Policy

When you enable UFW, the default policy is to deny all incoming requests. This is the safe way. But if you need to change the default policy to allow for any reason, you can run this command:

ufw default allow incoming

If you want to set the default policy back to deny, you can run this command:

ufw default deny incoming

Don’t forget to reload the firewall tables after creating the rule:

ufw reload

Create UFW Rules

There are many kinds of rules that you can create using UFW. These are the most common forms of syntax you need to know to build a good firewall.

Allow/Deny Traffic by IP/Subnet Source

To allow/deny an ip address to access your server, you can use this command:

ufw allow from <ip address>
ufw deny from <ip address>

For example:

ufw allow from 10.2.1.10
ufw deny from 10.1.2.20

These ufw rules will allow traffic from 10.2.1.10 but deny traffic from 10.1.2.20.

On the other hand, if you want to allow/deny a group of ip addresses, adding a rule for each address one by one is a waste of time. You can allow/deny the ip subnet instead:

ufw allow from <ip subnet>
ufw deny from <ip subnet>

For example:

ufw allow from 10.0.0.0/24
ufw deny from 10.1.0.0/24

These ufw rules will allow traffic from 10.0.0.1 - 10.0.0.254 and deny traffic from 10.1.0.1 - 10.1.0.254.

Allow/Deny Traffic by Port and Protocol

To allow/deny traffic to our server on a specific port, you can execute this command:

ufw allow <port>
ufw deny <port>

For example:

ufw allow 443
ufw deny 80

These firewall rules will allow traffic on port 443 but deny traffic on port 80.

If you want to specify the protocol, you can also add the protocol name on the rule just like this command:

ufw allow <port>/<protocol>
ufw deny <port>/<protocol>

For Example:

ufw allow 443/tcp
ufw deny 443/udp

These ufw rules will allow TCP traffic on port 443 and deny UDP traffic on the same port.

You can also specify a port range in a rule. This is very common if you work a lot with the UDP protocol. Note that the range is written with a colon, not a dash. Use this command to define a range of ports:

ufw allow <port1>:<port2>/<protocol>
ufw deny <port1>:<port2>/<protocol>

For example:

ufw allow 3000:4000/udp
ufw deny 1000:2000/udp

These firewall rules will allow UDP traffic on ports 3000-4000 and deny UDP traffic on ports 1000-2000.

Allow/Deny Traffic by Interface Name

Besides allowing/denying by ip address, port, and protocol, we can also allow/deny traffic by interface name, although this is less commonly used. You can check your server's interface names with the ip addr command. Once you know the interface name, you can execute this command:

ufw allow in on <interface> to any port <port>
ufw deny in on <interface> to any port <port>

For example:

ufw allow in on eth0 to any port 80
ufw deny in on eth1 to any port 80

These firewall rules will allow traffic to port 80 on interface eth0, and deny traffic to port 80 on interface eth1.

You can also specify the protocol to make the rule more specific, like this:

ufw allow in on <interface> to any port <port> proto <protocol>
ufw deny in on <interface> to any port <port> proto <protocol>

For example:

ufw allow in on eth0 to any port 443 proto tcp
ufw deny in on eth1 to any port 80 proto tcp

These firewall rules will allow TCP traffic to port 443 on interface eth0, and deny TCP traffic to port 80 on interface eth1.

Delete UFW Rules

To delete a rule, you can simply put delete in front of the rule. For example, if you have a rule like this:

ufw allow in on eth0 from 192.168.5.0/24 to any port 443 proto tcp

To delete the rule, add delete before allow like this:

ufw delete allow in on eth0 from 192.168.5.0/24 to any port 443 proto tcp

Although this looks easy, in practice it is awkward: all you can see is the ufw status table, so you must first reconstruct each rule exactly (by reading the table) before you can delete it. This is where ufw status numbered comes to the rescue. To delete a rule, you can refer to its number:

ufw delete <rule number>

This is an example ufw status numbered output:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 443/tcp                    ALLOW IN    Anywhere
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 4] 443/tcp (v6)               ALLOW IN    Anywhere (v6)

We want to delete rule number 2. We can run this command:

ufw delete 2

This will give us a prompt:

Deleting:
 allow 443/tcp
Proceed with operation (y|n)? 

Press y and Enter.
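Deleting by number works well interactively, but it has a trap when scripted: after ufw delete N, every rule below N moves up by one, so a list of numbers collected beforehand goes stale after the first deletion. The script below is an added example, not part of the original tutorial: it parses ufw status numbered output (a constructed sample in the same shape as the table above), finds every rule whose To column matches a given port/protocol, including its (v6) twin, and deletes them highest number first so the remaining numbers stay valid. The rule_numbers and delete_rules_matching function names are my own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): script deletions from
# "ufw status numbered" output, deleting bottom-up so rule numbers stay valid.

# Constructed sample of "ufw status numbered" output.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 443/tcp                    ALLOW IN    Anywhere
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 4] 443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# rule_numbers <status-text> <to-value>
# Prints the numbers of rules whose "To" column equals <to-value> or
# "<to-value> (v6)", highest number first. "1443/tcp" does not match "443/tcp".
rule_numbers() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
            # The "To" column ends at the first run of two spaces
            to = rest; sub(/  .*/, "", to)
            if (to == want || to == want " (v6)") print num
        }' | sort -rn
}

# delete_rules_matching <status-text> <to-value>
# Dry run (prints the commands) unless UFW_APPLY=1 is set.
delete_rules_matching() {
    status="$1"
    for n in $(rule_numbers "$status" "$2"); do
        if [ "${UFW_APPLY:-0}" = 1 ]; then
            ufw --force delete "$n"    # --force skips the y/n prompt
        else
            printf 'ufw --force delete %s\n' "$n"
        fi
    done
}

# Dry run against the sample: prints "ufw --force delete 4" then "... 2"
delete_rules_matching "$SAMPLE_STATUS" 443/tcp
```

On a real host replace SAMPLE_STATUS with "$(ufw status numbered)" and run as root. Matching on the whole To column rather than a substring is deliberate: a rule such as 443/tcp on eth0 is a different rule and should not be swept up by a delete meant for 443/tcp.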

Reload UFW

After you create some rules, don’t forget to reload the firewall table to apply them. To reload ufw, you can use this command:

ufw reload

If you don’t reload the firewall table, the rule will be shown in ufw status, but it is not activated.

That’s it! Now you can set up your own Firewall in Ubuntu using UFW.