
How to Setup a Firewall with UFW on an Ubuntu and Debian Cloud Server


Introduction

A properly configured firewall is one of the most important aspects of overall system security. Ubuntu ships with a firewall configuration tool named UFW (Uncomplicated Firewall). Its primary goal is to make managing iptables easier.

Prerequisites

Make sure that you have logged into your server with a non-root user account with sudo privileges, or as the root user. If you don't have a non-root user account, you can create one by following our guide, How to do Initial Server Setup with Ubuntu 18.04. It is better to use sudo than to run administrative commands as root.

Install UFW

By default UFW is installed in Ubuntu 18.04. If it is not installed on your system, you can install the UFW package with the below command.

$ sudo apt install ufw

Check UFW Status

Once the installation is complete, you can check the status of UFW with the below command.

$ sudo ufw status verbose

By default, UFW is disabled. You can enable it with the below command.

$ sudo ufw enable

Now it is activated.

Using IPv6 with UFW

If your VPS is configured for IPv6, ensure that UFW is configured to support IPv6 so that it manages both IPv4 and IPv6 firewall rules. To do that, open the UFW configuration file with this command:

$ sudo vi /etc/default/ufw

Then set IPV6 to yes, like this:

IPV6=yes

Save and exit, then restart the firewall with the below commands:

$ sudo ufw disable
$ sudo ufw enable

UFW will now configure the firewall for both IPv4 and IPv6.

UFW Default Policies

By default, UFW blocks all incoming connections and allows all outgoing connections. This means that anyone trying to reach your server will not be able to connect unless you open the port, while processes on the server can still reach the outside. These default policies can be set explicitly with the below commands.

$ sudo ufw default deny incoming

And

$ sudo ufw default allow outgoing

If you want to be more restrictive, you can deny all outgoing requests as well, with the below command.

$ sudo ufw default deny outgoing

Allow SSH Connections

Before enabling the firewall we need to add a rule that allows incoming SSH connections; otherwise new SSH sessions will be blocked as soon as the firewall is active. Allow all incoming SSH connections by entering the below command.

$ sudo ufw allow ssh

The syntax for adding a service is simple. For example, the below command allows connections on port 22 using the TCP protocol.

$ sudo ufw allow 22/tcp

If your SSH server is listening on port 2222 instead, allow connections with the below command.

$ sudo ufw allow 2222/tcp

Enable UFW

So far the UFW firewall is configured to allow all incoming SSH connections. Now we can enable it by entering the below command.

$ sudo ufw enable
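As an added example (not part of the original guide), the following POSIX shell script prints the UFW commands in the order this guide recommends: default policies first, then the SSH rule, then service ports, and finally ufw enable. It refuses to print ufw enable when no rule in the list opens the SSH port, which is the lockout check a practitioner wants before activating the firewall over SSH. The function and variable names (ufw_plan, has_ssh_rule, ufw_plan_safe, SSH_PORT) and the rule list are assumptions; the script only prints commands and never runs ufw.

```shell
#!/bin/sh
# Added example: build a reviewable UFW command plan for a web server.
# Nothing here executes ufw; the output is meant to be reviewed and then
# run with sudo. Names below are assumptions, not UFW's own.

# Port the SSH daemon listens on (assumed variable; 22 is the default).
SSH_PORT="${SSH_PORT:-22}"

# ufw_plan: print default policies followed by one allow rule per argument.
ufw_plan() {
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  for rule in "$@"; do
    echo "ufw allow $rule"
  done
}

# has_ssh_rule: exit 0 only if at least one rule opens the SSH port
# (by service name, bare port, or port/tcp as the guide shows).
has_ssh_rule() {
  for rule in "$@"; do
    case "$rule" in
      ssh|"$SSH_PORT"|"$SSH_PORT/tcp"|22|22/tcp) return 0 ;;
    esac
  done
  return 1
}

# ufw_plan_safe: print the full plan plus "ufw enable", but only when the
# plan keeps SSH reachable. Otherwise print nothing to stdout and return 1.
ufw_plan_safe() {
  if ! has_ssh_rule "$@"; then
    echo "refusing to enable: no rule allows SSH on port $SSH_PORT" >&2
    return 1
  fi
  ufw_plan "$@"
  echo "ufw enable"
}

# Constructed example: a web server with SSH on the default port.
ufw_plan_safe "ssh" "80/tcp" "443/tcp"
```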

Allow connections on other ports

Depending on the applications that run on your server, you will also need to allow incoming access to some other ports. How to allow incoming connections for some common services is shown below.

Open port 80 (HTTP)

HTTP connections can be allowed with the below command.

$ sudo ufw allow http

You can use port number 80 in place of http:

$ sudo ufw allow 80/tcp

You can also use an application profile such as “Nginx HTTP”:

$ sudo ufw allow 'Nginx HTTP'

Open port 8080

If you run Tomcat or any other application that listens on port 8080, allow incoming connections with the below command.

$ sudo ufw allow 8080/tcp

Allow Port Ranges

Instead of allowing access to single ports, UFW also lets you allow port ranges. When you allow a port range with UFW, you must specify the protocol, either tcp or udp. For example, to allow ports 7100 to 7200 on both tcp and udp, run the below commands.

$ sudo ufw allow 7100:7200/tcp
$ sudo ufw allow 7100:7200/udp

Allow IP Addresses

To allow access on all ports from a home machine with the IP address 64.63.62.61, use the below command.

$ sudo ufw allow from 64.63.62.61

Deny Connections

The default policy for incoming connections is deny; if you haven't changed it, UFW will block all incoming connections unless you explicitly open the port.

For example, suppose you have opened ports 80 and 443 and your server is under attack from the 23.24.25.0/24 network. To deny all connections from those IP addresses, use the below command.

$ sudo ufw deny from 23.24.25.0/24

If you only want to deny access to ports 80 and 443 from that network, use the below commands. Note that UFW evaluates rules in the order they appear, so a deny rule added after an existing allow rule for the same port will not match first; use ufw insert with a position number to place it ahead of the allow rule.

$ sudo ufw deny from 23.24.25.0/24 to any port 80
$ sudo ufw deny from 23.24.25.0/24 to any port 443

Allow rules are written the same way as deny rules; only the word deny needs to be replaced with allow.

Deleting UFW Rules

There are two ways to delete UFW rules.

By rule number. List the rules with their numbers first (ufw status numbered), then delete a rule by its number, for example:

$ sudo ufw delete 2

By specifying the actual rule. For example, to delete a UFW rule by specifying the rule itself:

$ sudo ufw delete allow 8069

Disable UFW

If you want to stop UFW and deactivate all rules, use the below command.

$ sudo ufw disable

If you want to re-enable UFW and activate all rules, use the below command.

$ sudo ufw enable

Reset UFW

Resetting UFW disables it and deletes all active rules. To reset UFW, enter the below command.

$ sudo ufw reset

Conclusion

In this guide, we have explained how to install and configure the UFW firewall on an Ubuntu 18.04 server. Be sure to allow all incoming connections that are necessary for the proper functioning of your system, and nothing more.