Introduction
Uncomplicated Firewall (UFW) is a front-end to iptables. Its main goal is to make managing your firewall drop-dead simple and to provide an easy-to-use interface. It’s well-supported and popular in the Linux community - even installed by default in many distros. As such, it’s a great way to get started securing your server.
1. Updating the system
First of all, we recommend updating and upgrading your server:
sudo apt-get update
sudo apt-get upgrade
2. Installing UFW firewall:
You can install the package using the following command:
sudo apt install ufw
The tutorial is written with IPv4, but it will work for IPv6 as long as you enable it. If your Ubuntu server has IPv6 enabled, please make sure that UFW is configured to support IPv6 so that it will manage firewall rules for IPv6 in addition to IPv4. Open /etc/default/ufw:
sudo nano /etc/default/ufw
Make sure the value for IPV6 is "yes", i.e. the file contains the line IPV6=yes:
Let's set UFW's default policies so you can follow along with this tutorial: deny all incoming traffic and allow all outgoing traffic. To set these defaults, use these commands:
sudo ufw default deny incoming
sudo ufw default allow outgoing
3. Allowing SSH connection to the server
You change the firewall rules by issuing commands in the terminal. Once the firewall is turned on, it will deny all incoming connections by default. If you are connected to your server over SSH, that would be a problem: you would be locked out of your server. Let's allow SSH connections before enabling the firewall to prevent that from happening. First, list the application profiles UFW knows about (the OpenSSH profile should be among them):
sudo ufw app list
You can also allow incoming SSH connections by service name:
sudo ufw allow ssh
Alternatively, we can allow the connection by port number instead of by service name:
sudo ufw allow 22
4. Enabling UFW firewall:
If you followed the steps above, the rules added so far should allow SSH access. Check them before enabling the firewall:
sudo ufw show added
Now, we can enable the firewall:
sudo ufw enable
5. Allowing other connections:
HTTP connection on port 80:
sudo ufw allow http
or
sudo ufw allow 80
HTTPS connection on port 443:
sudo ufw allow https
or
sudo ufw allow 443
Apache with both HTTP and HTTPS:
sudo ufw allow 'Apache Full'
Nginx with both HTTP and HTTPS:
sudo ufw allow 'Nginx Full'
Allowing a specific port range:
sudo ufw allow 6000:6007/tcp
sudo ufw allow 6000:6007/udp
Allowing all connections from a particular IP address:
sudo ufw allow from ip_address
Allowing a particular IP address onto a specific port (here, SSH on port 22):
sudo ufw allow from ip_address to any port 22
Allowing specific subnets:
sudo ufw allow from ip_address/24
Allowing a particular subnet onto a specific port:
sudo ufw allow from ip_address/24 to any port 22
6. Denying connections
Deny HTTP connection:
sudo ufw deny http
Deny connection from a particular IP address:
sudo ufw deny from ip_address
Deny outgoing connections to a specific port (here, SMTP on port 25):
sudo ufw deny out 25
7. Deleting rules
We can delete a UFW rule by its number.
The UFW status command has an option to display the number of each rule:
sudo ufw status numbered
Each rule's number is shown in brackets, e.g. [ 1]. To delete rule 1:
sudo ufw delete 1
Deleting the UFW rule by name:
sudo ufw delete allow "Apache Full"
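The two points above that are easiest to get wrong are enabling the firewall before an SSH rule exists (step 3/4) and picking the right rule number from `ufw status numbered` (step 7). The following script is an added example, not part of the original tutorial: it parses the text format of `sudo ufw status numbered` to look up rule numbers and to refuse `ufw enable` unless an ALLOW IN rule for SSH is present. The UFW_CMD variable and the sample status text are assumptions made so it can be run without root or ufw installed.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: parse `sudo ufw status numbered`
# (step 7) and use it as a lock-out guard before `ufw enable` (steps 3-4).
# UFW_CMD is a hypothetical hook so this runs without root or ufw installed.

# Constructed sample of `ufw status numbered` output for offline use.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 22/tcp                     DENY IN     203.0.113.7
[ 4] OpenSSH (v6)               ALLOW IN    Anywhere (v6)'

# Print the number of the first rule whose "To" column equals $1 (stdin = status text).
rule_number_for() {
  awk -v target="$1" '
    /^\[ *[0-9]+\]/ {
      match($0, /^\[ *[0-9]+\]/)
      num = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", num)
      rest = substr($0, RLENGTH + 1); sub(/^ +/, "", rest)
      to = rest; sub(/  +.*$/, "", to)   # the "To" column ends at 2+ spaces
      if (to == target) { print num; exit }
    }'
}

# Exit 0 if an ALLOW IN rule admits SSH (port 22 or the OpenSSH profile).
# A DENY rule naming port 22 does not count; that is the lock-out case.
ssh_allowed() {
  awk '
    /^\[ *[0-9]+\]/ && /ALLOW IN/ {
      rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
      to = rest; sub(/  +.*$/, "", to)
      if (to ~ /^(22|22\/tcp|OpenSSH|ssh)( \(v6\))?$/) { found = 1; exit }
    }
    END { exit(found ? 0 : 1) }'
}

# Enable UFW only when the current rule set already admits SSH.
safe_enable() {
  local ufw="${UFW_CMD:-sudo ufw}"
  $ufw status numbered | ssh_allowed ||
    { echo "refusing to enable ufw: no ALLOW IN rule for SSH" >&2; return 1; }
  $ufw --force enable
}
```

On a real server, `printf '%s\n' "$(sudo ufw status numbered)" | rule_number_for '80/tcp'` returns the number to pass to `sudo ufw delete`, and `safe_enable` replaces a bare `sudo ufw enable`.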
8. Disabling or resetting the firewall:
To disable the firewall (the rules are kept but no longer enforced):
sudo ufw disable
To disable the firewall and remove all rules, returning UFW to its installation defaults:
sudo ufw reset