Set Up a Firewall with UFW on Ubuntu 16.04
Introduction
UFW, or Uncomplicated Firewall, is an interface to iptables that is geared towards simplifying the process of configuring a firewall. While iptables is a solid and flexible tool, it can be difficult for beginners to learn how to use it to properly configure a firewall. If you're looking to get started securing your network, and you're not sure which tool to use, UFW may be the right choice for you.
UFW is installed by default on Ubuntu. If it has been uninstalled for some reason, you can install it with:
sudo apt-get install ufw
Step 1 — Using IPv6 with UFW (Optional)
Open the UFW configuration file in an editor:
sudo vim /etc/default/ufw
Then make sure the value of IPV6 is yes. It should look like this:
... IPV6=yes ...
Step 2 — Setting Up Default Policies
Set the default policies to deny all incoming and allow all outgoing connections:
sudo ufw default deny incoming
sudo ufw default allow outgoing
Step 3 — Allowing SSH Connections
If we enabled our UFW firewall now, it would deny all incoming connections. This means that we will need to create rules that explicitly allow legitimate incoming connections, such as SSH or HTTP.
To configure your server to allow incoming SSH connections, you can use this command:
sudo ufw allow ssh
This will create firewall rules that allow all connections on port 22, which is the port the SSH daemon listens on by default. UFW knows what SSH and a number of other service names mean because they are listed as services in the /etc/services file.
You can write the equivalent rule by specifying the port instead of the service name. For example:
sudo ufw allow 22
Step 4 — Enabling UFW
Enable the firewall:
sudo ufw enable
The firewall is now active. Run the following command to see the rules that are set:
sudo ufw status verbose
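As an added example, not part of the original tutorial: a small POSIX shell helper that emits the Step 2 to Step 4 command sequence for a list of allow rules and refuses to emit the enable step unless one of them permits SSH, since enabling a deny-by-default firewall without such a rule cuts a remote administrator's own session. UFW_CMD, has_ssh_rule and plan_ufw are names assumed here; by default the commands are only printed.

```shell
#!/bin/sh
# Added example: build the Step 2-4 command sequence for a set of allow
# rules, but refuse to enable the firewall if no rule permits SSH.
# UFW_CMD is an assumed hook: by default the commands are only printed;
# set UFW_CMD="sudo ufw" to apply them for real.
UFW_CMD="${UFW_CMD:-echo ufw}"

# Return 0 if any rule in "$@" opens SSH: the service name, port 22,
# or a rule ending in "port 22" / "port 22/tcp".
has_ssh_rule() {
    for rule in "$@"; do
        case "$rule" in
            ssh|22|22/tcp|*"port 22"|*"port 22/tcp") return 0 ;;
        esac
    done
    return 1
}

# Emit: default policies, one allow per rule, then enable (the
# non-interactive --force form of the page's "sudo ufw enable").
# Rules are passed unquoted on purpose so multi-word rules such as
# "from 15.15.15.51 to any port 22" split into separate ufw arguments.
plan_ufw() {
    if ! has_ssh_rule "$@"; then
        echo "refusing to enable: no SSH allow rule, remote session would be cut" >&2
        return 1
    fi
    $UFW_CMD default deny incoming
    $UFW_CMD default allow outgoing
    for rule in "$@"; do
        $UFW_CMD allow $rule
    done
    $UFW_CMD --force enable
}

# Sample run (constructed input): prints the plan for ssh, http and https.
plan_ufw ssh http https
```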
Step 5 — Allowing Other Connections
Here are a few examples:
HTTP on port 80, which is what unencrypted web servers use:
sudo ufw allow http
or
sudo ufw allow 80
HTTPS on port 443, which is what encrypted web servers use:
sudo ufw allow https
or
sudo ufw allow 443
FTP on port 21, which is used for unencrypted file transfers (which you probably shouldn't use anyway):
sudo ufw allow ftp
or
sudo ufw allow 21/tcp
Specific Port Ranges
You can specify port ranges with UFW. Some applications use multiple ports, instead of a single port.
For example, to allow X11 connections, which use ports 6000-6007, use these commands:
sudo ufw allow 6000:6007/tcp
sudo ufw allow 6000:6007/udp
When specifying port ranges with UFW, you must specify the protocol (tcp or udp) that the rules should apply to. We haven't mentioned this before because not specifying the protocol simply allows both protocols, which is OK in most cases.
Specific IP Addresses
When working with UFW, you can also specify IP addresses. For example, if you want to allow connections from a specific IP address, such as a work or home IP address of 15.15.15.51, you need to specify from, then the IP address:
sudo ufw allow from 15.15.15.51
You can also specify a specific port that the IP address is allowed to connect to by adding to any port followed by the port number. For example, if you want to allow 15.15.15.51 to connect to port 22 (SSH), use this command:
sudo ufw allow from 15.15.15.51 to any port 22
Step 6 — Denying Connections
For example, to deny HTTP connections:
sudo ufw deny http
Or if you want to deny all connections from 15.15.15.51, you could use this command:
sudo ufw deny from 15.15.15.51
Step 7 — Deleting Rules
By Rule Number
To display a number next to each rule:
sudo ufw status numbered
If we decide that we want to delete rule 2, the one that allows port 80 (HTTP) connections, we can specify it in a UFW delete command like this:
sudo ufw delete 2
By Actual Rule
To delete the rule that allows HTTP connections:
sudo ufw delete allow http
You could also specify the rule by the port number (allow 80) instead of the service name:
sudo ufw delete allow 80
Step 8 — Disabling or Resetting UFW (optional)
To disable UFW:
sudo ufw disable
To reset UFW, which disables it and deletes all of the rules you have defined:
sudo ufw reset