Firewalls are a basic part of securing a server. A firewall monitors and filters the traffic going to and from your instance and decides which traffic is allowed to reach your server and which should be dropped; on a Linux host this is done by the kernel's packet filter, not by a separate network appliance.
At its core, UFW (Uncomplicated Firewall) is a front end for iptables/nftables, which do the actual work of filtering packets.
In this article, we're going to make configuring a firewall for your specific needs even less complicated using UFW!
Install UFW on Ubuntu
You can install UFW on Ubuntu with the apt package manager:
# apt-get install ufw
Follow the prompts as appropriate. Recent Ubuntu releases ship UFW already installed, in which case this simply confirms you have the latest version.
UFW is straightforward: you build a list of rules, and each rule can match on an IP address, a subnet, an interface, a service name or a port number. Rules are evaluated in order and the first match wins, so the order in which you add them matters. Once enabled, UFW's default policy denies all incoming traffic and allows all outgoing traffic, so most of the rules you add are allow rules for the services you expose.
First, let's allow traffic on port 22 (or whatever port you're using for SSH). Do this before enabling the firewall: with the default deny-incoming policy, enabling it on a remote server without an SSH rule locks you out.
# ufw allow 22
This allows incoming traffic on port 22 for both TCP and UDP (append /tcp to restrict it to TCP). Alternatively, you can refer to the service by name; UFW looks the name up in /etc/services:
# ufw allow ssh
Now let's make the firewall active:
# ufw enable
Now let's check that it is running:
# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
Nice! We see that not only is UFW running, but our rule regarding port 22 was also honored.
We can list the application profiles installed on the system (packages such as OpenSSH and Apache ship them under /etc/ufw/applications.d); a profile name can be used in a rule in place of a port number:
# ufw app list
Available applications:
  Apache
  Apache Full
  Apache Secure
  OpenSSH
On a brand new install, all that would appear here is OpenSSH; for the sake of the example, I installed Apache2.
Now let's say we want to block an IP address. We can use the following:
# ufw deny from 184.108.40.206
This drops all incoming connections from that IP address. Note, though, that UFW evaluates rules in order and stops at the first match: because this deny was added after the allow for port 22, that host can still reach SSH. To block a host on every port, insert the deny ahead of the existing allow rules (UFW's insert command takes a position number; position 1 puts the rule first). We can also block an entire subnet on a specific interface:
# ufw deny in on eth0 from 18.104.22.168/24
Next, we can allow a given subnet access to a single port only:
# ufw allow from 22.214.171.124/24 to any port 21
We can also open a port range, specifying whether the rule applies to TCP or UDP traffic:
# ufw allow 5000:5005/tcp
For a single port the protocol is optional and omitting it covers both TCP and UDP. For a port range UFW requires a protocol, so to allow both on a range you add two rules, one ending in /tcp and one in /udp.
We’ve got quite a few rules in place at this point, if you’ve been following along.
# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
Anywhere                   DENY        184.108.40.206
Anywhere on eth0           DENY        18.104.22.168/24
21                         ALLOW       22.214.171.124/24
5000:5005/tcp              ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
5000:5005/tcp (v6)         ALLOW       Anywhere (v6)
What if we want to remove a rule? Let's get a numbered list so that we can refer to the rule we want to modify or delete.
# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] Anywhere                   DENY IN     184.108.40.206
[ 3] Anywhere on eth0           DENY IN     18.104.22.168/24
[ 4] 21                         ALLOW IN    22.214.171.124/24
[ 5] 5000:5005/tcp              ALLOW IN    Anywhere
[ 6] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 7] 5000:5005/tcp (v6)         ALLOW IN    Anywhere (v6)
# ufw delete 2
This makes removing a rule straightforward. Keep in mind that the remaining rules are renumbered after a deletion, so when deleting several rules by number, start from the highest; you can also delete a rule by repeating its full specification after delete, which is the safer form in scripts. If we've completely mangled our setup and want to reset, there is a command for just that:
# ufw reset
You'll get a prompt asking you to confirm. UFW backs up the previous rule files under /etc/ufw before wiping them, and if you issue ufw status again you'll see your rules are gone and UFW is listed as inactive.
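Pulling the steps above together, here is an added example script (not code from the original article) that builds the article's ruleset in a safe order: deny-by-default policy, the SSH rule (rate-limited) added before enable so a remote session is not cut off, the blocklist inserted at position 1 so it wins over the broader allow rules, port ranges with an explicit protocol, and deletion by rule specification rather than by number. The UFW_CMD variable, the function names and the apply argument are my additions so the script can be dry-run; the addresses and ports are the ones used in the article.

```shell
#!/bin/sh
# Added example, not from the article: a reviewable UFW baseline script.
# Set UFW_CMD=echo to print the commands instead of running them (dry run);
# run as root without it to apply. Addresses and ports are the article's.
set -u

ufw_run() { ${UFW_CMD:-ufw} "$@"; }

# UFW evaluates rules top-down and stops at the first match, so a plain
# "ufw deny from X" appended after "ufw allow 22" still lets X reach SSH.
# Inserting at position 1 puts the deny ahead of every allow rule
# (insert needs at least one existing rule, so call this after apply_baseline).
block_source() {
    ufw_run insert 1 deny in from "$1"
}

# Delete by rule specification rather than by number: numbers shift after
# every deletion, which makes numbered deletes unreliable in scripts.
unblock_source() {
    ufw_run delete deny in from "$1"
}

# Port ranges require a protocol; "any" expands to one tcp and one udp rule.
allow_range() {
    range="$1"; proto="${2:-tcp}"
    if [ "$proto" = any ]; then
        ufw_run allow "${range}/tcp"
        ufw_run allow "${range}/udp"
    else
        ufw_run allow "${range}/${proto}"
    fi
}

# Deny-by-default, SSH allowed (and rate-limited) BEFORE enabling so a remote
# session is not cut off, logging on, then a non-interactive enable.
apply_baseline() {
    ssh_port="${1:-22}"
    ufw_run default deny incoming
    ufw_run default allow outgoing
    # "limit" allows the port but blocks a source that opens 6 or more
    # connections within 30 seconds, which blunts SSH brute forcing.
    ufw_run limit "${ssh_port}/tcp"
    ufw_run logging on
    ufw_run --force enable
}

# Usage: UFW_CMD=echo sh ufw-baseline.sh apply   (dry run, prints the commands)
#        sudo sh ufw-baseline.sh apply           (applies them)
if [ "${1:-}" = "apply" ]; then
    apply_baseline 22
    block_source 184.108.40.206
    ufw_run deny in on eth0 from 18.104.22.168/24
    ufw_run allow from 22.214.171.124/24 to any port 21 proto tcp
    allow_range 5000:5005 any
    ufw_run status numbered
fi
```

Review the dry-run output first, then apply; if you ever need to undo a single block, unblock_source removes exactly the rule block_source added regardless of where it now sits in the numbered list.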
Thanks for reading!