Set Up a Firewall with UFW on Ubuntu 16.04

Introduction

UFW, or Uncomplicated Firewall, is an interface to iptables that is geared towards simplifying the process of configuring a firewall. While iptables is a solid and flexible tool, it can be difficult for beginners to learn how to use it to properly configure a firewall. If you're looking to get started securing your network, and you're not sure which tool to use, UFW may be the right choice for you.

UFW is installed by default on Ubuntu. If it has been uninstalled for some reason, you can install it with sudo apt-get install ufw.

Step 1 — Using IPv6 with UFW (Optional)

Open the UFW configuration file in an editor:
sudo vim /etc/default/ufw

Then make sure the value of IPV6 is yes. It should look like this:
...
IPV6=yes
...

Step 2 — Setting Up Default Policies

Set the default policies so that incoming connections are denied and outgoing connections are allowed:
sudo ufw default deny incoming
sudo ufw default allow outgoing

Step 3 — Allowing SSH Connections

If we enabled our UFW firewall now, it would deny all incoming connections. This means that we will need to create rules that explicitly allow legitimate incoming connections, such as SSH or HTTP connections.

To configure your server to allow incoming SSH connections, you can use this command:
sudo ufw allow ssh

This will create firewall rules that will allow all connections on port 22, which is the port that the SSH daemon listens on by default. UFW knows what SSH and a number of other service names mean because they're listed as services in the /etc/services file.

We can actually write the equivalent rule by specifying the port instead of the service name. For example:
sudo ufw allow 22

Step 4 — Enabling UFW

sudo ufw enable

The firewall is now active. Feel free to run the sudo ufw status verbose command to see the rules that are set.

Step 5 — Allowing Other Connections

HTTP on port 80, which is what unencrypted web servers use, using sudo ufw allow http or sudo ufw allow 80

HTTPS on port 443, which is what encrypted web servers use, using sudo ufw allow https or sudo ufw allow 443

FTP on port 21, which is used for unencrypted file transfers (which you probably shouldn't use anyway), using sudo ufw allow ftp or sudo ufw allow 21/tcp

Specific Port Ranges

You can specify port ranges with UFW. Some applications use multiple ports, instead of a single port.

For example, to allow X11 connections, which use ports 6000-6007, use these commands:
sudo ufw allow 6000:6007/tcp
sudo ufw allow 6000:6007/udp

When specifying port ranges with UFW, you must specify the protocol (tcp or udp) that the rules should apply to. We haven't mentioned this before because not specifying the protocol simply allows both protocols, which is OK in most cases.

Specific IP Addresses

When working with UFW, you can also specify IP addresses. For example, if you want to allow connections from a specific IP address, such as a work or home IP address of 15.15.15.51, you need to specify from, then the IP address:
sudo ufw allow from 15.15.15.51

You can also specify a specific port that the IP address is allowed to connect to by adding to any port followed by the port number. For example, if you want to allow 15.15.15.51 to connect to port 22 (SSH), use this command:
sudo ufw allow from 15.15.15.51 to any port 22
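The following script is an added example, not part of the original guide: it applies the baseline from Steps 2, 3 and 5 in the order that avoids locking yourself out (SSH rule before enable), and includes a check that reads ufw status output to confirm an SSH allow rule is present. DRY_RUN and ADMIN_IP are this script's own variables, not ufw options; the sample status text is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): apply the baseline policy
# in a lockout-resistant order and verify the SSH rule from ufw's output.

ufw_cmd() {
    # With DRY_RUN=1, print the command instead of running it, so the
    # generated rule set can be reviewed on a machine without ufw.
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "ufw $*"
    else
        sudo ufw "$@"
    fi
}

# Defaults first, then SSH, then web, and only then enable: with
# "default deny incoming" active, enabling before the SSH rule exists
# would drop your own remote session.
apply_baseline() {
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
    if [ -n "${ADMIN_IP:-}" ]; then
        # Limit SSH to one management address instead of the whole Internet.
        ufw_cmd allow from "$ADMIN_IP" to any port 22 proto tcp
    else
        ufw_cmd allow ssh
    fi
    ufw_cmd allow http
    ufw_cmd allow https
    ufw_cmd --force enable   # --force skips ufw's interactive confirmation
}

# Return 0 if the "ufw status" (plain, verbose or numbered) output passed
# in $1 contains an ALLOW rule for port 22, written as "22" or "22/tcp".
ssh_allowed() {
    printf '%s\n' "$1" |
        grep -Eq '^(\[ *[0-9]+\] *)?22(/tcp)?[[:space:]]+ALLOW( IN)?[[:space:]]'
}

# Constructed sample of "ufw status verbose" output, used as a self-check.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    15.15.15.51
80/tcp                     ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere'

# Usage: "sh ufw-baseline.sh apply" (set DRY_RUN=1 to only print commands).
if [ "${1:-}" = apply ]; then apply_baseline; fi
```

After enabling on a remote host, run `ssh_allowed "$(sudo ufw status verbose)"` (exit status 0 means the SSH rule is in place) before closing your current session.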

Step 6 — Denying Connections

For example, to deny HTTP connections, use this command:
sudo ufw deny http

Or if you want to deny all connections from 15.15.15.51, you could use this command:
sudo ufw deny from 15.15.15.51

Step 7 — Deleting Rules

By Rule Number

Display numbers next to each rule:
sudo ufw status numbered

If we decide that we want to delete rule 2, the one that allows port 80 (HTTP) connections, we can specify it in a UFW delete command like this:
sudo ufw delete 2

By Actual Rule

You can also delete a rule by writing out the rule itself. For example, to delete the rule that allows HTTP:
sudo ufw delete allow http

You could also specify the rule by allow 80, instead of by service name:
sudo ufw delete allow 80

Step 8 — Disabling or Resetting UFW (optional)

To disable UFW:
sudo ufw disable

To reset UFW to its defaults, which disables it and deletes all of the rules you have added:
sudo ufw reset
