# How to Set Up a Firewall with UFW on an Ubuntu and Debian Cloud Server

## Table of Contents

- [Introduction](#introduction)
- [Prerequisites](#prerequisites)
- [Install UFW](#install-ufw)
- [Check UFW Status](#check-ufw-status)
- [Using IPv6 with UFW](#using-ipv6-with-ufw)
- [UFW Default Policies](#ufw-default-policies)
- [Allow SSH Connections](#allow-ssh-connections)
- [Enable UFW](#enable-ufw)
- [Allow Connections on Other Ports](#allow-connections-on-other-ports)
- [Deny Connections](#deny-connections)
- [Deleting UFW Rules](#deleting-ufw-rules)
- [Disable UFW](#disable-ufw)
- [Reset UFW](#reset-ufw)
- [Conclusion](#conclusion)

## Introduction

A properly configured firewall is one of the most important aspects of overall system security. Ubuntu ships with a firewall configuration tool named UFW (Uncomplicated Firewall). Its primary goal is to make managing iptables easier.

## Prerequisites

Make sure that you are logged into your server as a non-root user with sudo privileges or as the root user. If you don't have a non-root user account, you can create one by following our guide, [How to do Initial Server Setup with Ubuntu 18.04](https://systemongrid.com/guides/how-to-do-initial-server-setup-with-ubuntu-18.04). It is better to use sudo rather than the root account to run administrative commands.

## Install UFW

UFW is installed by default on Ubuntu 18.04. If it is not installed on your system, you can install the UFW package with the command below.
```
$ sudo apt install ufw
```
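## Check UFW Status

Once the installation is complete, you can check the status of UFW with the command below.
```
$ sudo ufw status verbose
```
By default, UFW is disabled. You enable it with the command below. If you are connected over SSH, first add the SSH rule described under Allow SSH Connections, because enabling the firewall without it can lock you out of the server.
```
$ sudo ufw enable
```
UFW is now active.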

## Using IPv6 with UFW

If your VPS is configured for IPv6, make sure that UFW is configured to support IPv6 so that it manages both IPv4 and IPv6 firewall rules. To do that, open the UFW configuration with this command:
```
$ sudo vi /etc/default/ufw
```
Then set IPV6 to "yes" like this:
```
IPV6=yes
```
Save and exit, then restart the firewall with the commands below:
```
$ sudo ufw disable
$ sudo ufw enable
```
UFW will now configure the firewall for both IPv4 and IPv6.

## UFW Default Policies

By default, UFW blocks all incoming connections and allows all outbound connections. This means that anyone trying to access your server will not be able to connect unless you open the port, while the server itself can make any outgoing connection.
The default policies can be set with the commands below.
```
$ sudo ufw default deny incoming
```
And
```
$ sudo ufw default allow outgoing
```
If you want to be more restrictive, you can deny all outgoing requests as well. This can be done with the command below; you will then need explicit allow rules for any outbound traffic the server depends on, such as DNS lookups and package updates.
```
$ sudo ufw default deny outgoing
```
## Allow SSH Connections

Before enabling the firewall, we need to add a rule that allows incoming SSH connections; otherwise you will be unable to reach the server once the default deny policy takes effect. To allow all incoming SSH connections, enter the command below.
```
$ sudo ufw allow ssh
```
The syntax is simple: you can name the service, as above, or give the port and protocol. For example, the command below allows connections on port 22 over TCP.
```
$ sudo ufw allow 22/tcp
```
If your SSH server is running on port 2222 instead, allow connections on that port with the command below.
```
$ sudo ufw allow 2222/tcp
```
## Enable UFW

The UFW firewall is now configured to allow all incoming SSH connections, so we can enable it by entering the command below.
```
$ sudo ufw enable
```
## Allow connections on other ports

Depending on the applications that run on your server, you will also need to allow incoming access to some other ports. The sections below show how to allow incoming connections to some common services.

## Open port 80-HTTP

HTTP connections can be allowed with the command below.
```
$ sudo ufw allow http
```
You can use port number 80 in place of http:
```
$ sudo ufw allow 80/tcp
```
You can also use an application profile such as "Nginx HTTP":
```
$ sudo ufw allow 'Nginx HTTP'
```
## Open port 8080

If you run Tomcat or any other application that listens on port 8080, allow incoming connections to it with the command below.
```
$ sudo ufw allow 8080/tcp
```
## Allow Port Ranges

Instead of allowing access to single ports, UFW also lets us allow port ranges.
When you allow a port range with UFW, you must specify the protocol, either tcp or udp.
For example, if you want to allow ports 7100 to 7200 on both tcp and udp, run the commands below.
```
$ sudo ufw allow 7100:7200/tcp
$ sudo ufw allow 7100:7200/udp
```
## Allow IP Addresses

To allow access on all ports from the home machine with the IP address 64.63.62.61, use the command below.
```
$ sudo ufw allow from 64.63.62.61
```

## Deny Connections

The default policy for incoming connections is deny, so unless you have changed it, UFW blocks every incoming connection that you have not explicitly opened.

For example, suppose you have opened ports 80 and 443 and your server is under attack from the 23.24.25.0/24 network. To deny all connections from that network, use the command below.
```
$ sudo ufw deny from 23.24.25.0/24
```
If you only want to deny access to ports 80 and 443 from that network, use the commands below.

```
$ sudo ufw deny from 23.24.25.0/24 to any port 80
$ sudo ufw deny from 23.24.25.0/24 to any port 443
```
Deny rules are written the same way as allow rules; you only need to replace allow with deny.
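
UFW evaluates rules in the order listed by `sudo ufw status numbered` and the first match wins, so a deny rule appended after the allow rules for ports 80 and 443 never sees that traffic; `sudo ufw insert 1 deny from 23.24.25.0/24` places it ahead of them. The following added example (not part of the original guide) replays that first-match logic in Python over a constructed status listing; the function names and the sample listing are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed `sudo ufw status numbered` output (not from a real host): the deny
# rule was added after the allow rules, so it was appended as rule 4.
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] Anywhere                   DENY IN     23.24.25.0/24
"""

# Numeric IPv4 inbound rows only; app-profile, port-list and (v6) rows are skipped.
RULE_RE = re.compile(r"^\[\s*(\d+)\]\s+(Anywhere|[\d:]+(?:/(?:tcp|udp))?)\s+"
                     r"(ALLOW|DENY|REJECT|LIMIT) IN\s+(Anywhere|[\d./]+)\s*$")

def parse_rules(status_text):
    """Return rules as (number, to, action, source) tuples in listed order."""
    matches = (RULE_RE.match(line) for line in status_text.splitlines())
    return [(int(m[1]), m[2], m[3], m[4]) for m in matches if m]

def port_matches(to, port, proto):
    """Match a 'To' value such as Anywhere, 80, 80/tcp or 7100:7200/udp."""
    if to == "Anywhere":
        return True
    ports, _, rule_proto = to.partition("/")
    low, _, high = ports.partition(":")
    return rule_proto in ("", proto) and int(low) <= port <= int(high or low)

def source_matches(source, src_ip):
    return source == "Anywhere" or (
        ipaddress.ip_address(src_ip) in ipaddress.ip_network(source, strict=False))

def first_match(rules, src_ip, port, proto="tcp", default="DENY"):
    """Return (action, rule number) of the first matching rule, else the default."""
    for number, to, action, source in rules:
        if port_matches(to, port, proto) and source_matches(source, src_ip):
            return action, number
    return default, None

def reachable_ports(rules, src_ip, ports, proto="tcp"):
    """Ports where src_ip is still allowed in; an empty list means the block works."""
    return [p for p in ports if first_match(rules, src_ip, p, proto)[0] == "ALLOW"]
```

Running `reachable_ports` on the parsed listing for an address inside the blocked network shows which opened ports it can still reach; moving the deny rule to the front of the list empties that result.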

## Deleting UFW Rules

There are two ways to delete UFW rules.

By rule number.
For example, the command below deletes rule number 2.
```
$ sudo ufw delete 2
```
By specifying the actual rule.
For example, the command below deletes the rule that allows port 8069.

```
$ sudo ufw delete allow 8069
```

## Disable UFW

If you want to stop UFW and deactivate all rules, use the command below.
```
$ sudo ufw disable
```
If you want to re-enable UFW and activate all rules, use the command below.
```
$ sudo ufw enable
```
## Reset UFW

If you reset UFW, it will disable the firewall and delete all active rules. To reset UFW, enter the command below.
```
$ sudo ufw reset
```

## Conclusion

In this guide, we have explained how to install and configure the UFW firewall on an Ubuntu 18.04 server. Be sure to allow all incoming connections that are necessary for the proper functioning of your system.