UFW Firewall Setup on Ubuntu 20.04


The purpose of this article is to go through the setup process of the UFW firewall and to learn some essential commands for managing your firewall rules.

Requirements

  1. Ubuntu 20.04
  2. Sudo non-root user

Please note that most of the commands also apply to previous versions of Ubuntu. In this tutorial we concentrate on IPv4 rules. Should you be using IPv6 on your server, make sure to also enable IPv6 in UFW.

UFW installation

In order to install the firewall, run these commands:

$ sudo apt update
$ sudo apt install ufw

Now let us enable IPv6 (if needed) by editing the default configuration file:

$ sudo nano /etc/default/ufw

Please make sure that the value of IPV6 is set to yes:

IPV6=yes

Setting up default UFW policies

On a fresh UFW installation the default policies are set to allow outgoing traffic but block incoming traffic. If you already have UFW running and wish to restore these default policies, you can execute these commands:

$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

We can check the current state of the firewall with the next command:

$ sudo ufw status verbose

The output shows us that UFW is active, allowing outgoing connections and denying incoming ones. Should the status be reported as inactive, you can enable the firewall with the following command:

$ sudo ufw enable

Similarly, should you wish to disable the firewall, just type:

$ sudo ufw disable

Furthermore, a restart can be done by combining the two:

$ sudo ufw disable && sudo ufw enable

or

$ sudo systemctl restart ufw

Since by default there are no individual rules set, let us add a rule for SSH so that we can manage our server from another client via the SSH protocol, which uses port 22 by default. Note that the "enable" command switches the firewall on permanently, so it stays active after a system reboot.

Allowing SSH connection through UFW

We can either allow the service by name or allow the specific port. The first option automatically opens the port the service needs, therefore:

$ sudo ufw allow ssh
$ sudo ufw allow 22

Both will allow communication on port 22.

Please note that if you have configured SSH to listen on a different port, make sure to manually allow that port in UFW. For example, if you set SSH to port 6666, the command would be:

$ sudo ufw allow 6666

Allowing Specific Connections

You have seen by now how to allow a specific port. We can additionally configure UFW to allow or block traffic for specific:

  1. IP addresses
  2. ranges of ports
  3. subnets
  4. network interfaces

Let us have a look at the first one. Imagine we would like to connect to our home server from work so that we can manage it at any time. Presuming you know the external IP address of your workplace, which in our example is 185.234.123.45, we can add a rule allowing connections to our server from this IP only, and only on the SSH port. Our command in this case looks like this:

$ sudo ufw allow from 185.234.123.45 to any port 22

Should you wish to allow this IP to reach every port on the server, just leave the port out:

$ sudo ufw allow from 185.234.123.45

A word of advice:
It is always best to have as few ports open as possible. Lowering the number of open ports lowers the risk of a security breach. Try accessing your local network through a secure connection such as a VPN. The process of setting up such a connection is quite straightforward. If interested, follow this link.

Subnet

Should you want to allow or deny a whole range of IP addresses, you can do so by specifying a netmask. For example, suppose we wish to block the whole IP range from 192.168.1.1 to 192.168.1.254. In order to do so we would write:

$ sudo ufw deny from 192.168.1.0/24

Similarly, we can allow this subnet to connect to a specific port:

$ sudo ufw allow from 192.168.1.0/24 to any port 6666

We also have the possibility to narrow an allow/deny rule to a specific protocol. For example, suppose we would like to allow only UDP traffic on port 6666. We just have to add "proto udp" to the rule:

$ sudo ufw allow from 192.168.1.0/24 to any port 6666 proto udp

Range of Ports

What if, instead of an IP range, we would like to add a rule for a port range? Let's presume an app requires ports 5000 to 5005 over UDP. The syntax looks as follows (the protocol suffix is attached to the range without a space):

$ sudo ufw allow 5000:5005/udp

In the same way you can allow or deny any range of ports as desired.

Network Interface

But what if we would like to add rules for a specific network interface? Let's presume we have multiple NICs on our server and would like to allow external traffic to our server only via NIC 1. First we need to find out the interface name on Ubuntu. We do so by running the 'ifconfig' command:

$ sudo ifconfig

In my case the desired interface is named enp0s3. We are going to use this interface to allow external HTTP traffic to our server:

$ sudo ufw allow in on enp0s3 to any port 80
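The rules from the SSH, subnet, port-range and interface sections combined into one provisioning script, as an added example that is not part of the original article. It reuses the article's admin address 185.234.123.45 and interface enp0s3, assumes a hypothetical file name ufw-baseline.sh, and prints the ufw commands instead of running them when UFW=echo is set.

```shell
#!/bin/sh
# Added example (not from the original article): apply the firewall baseline
# in one script. ufw skips rules that already exist, so re-running is safe.
# Arguments: SSH_PORT, ADMIN_IP (trusted source address) and WAN_IF (the
# interface name found with ifconfig). These values are assumptions.
# Set UFW=echo to print the ufw commands instead of executing them (dry run).
set -eu

UFW="${UFW:-sudo ufw}"

# is_ipv4 ADDR -> true if ADDR looks like a.b.c.d or a.b.c.d/NN
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# is_port N -> true if N is a valid TCP/UDP port number (1..65535)
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# apply_baseline SSH_PORT ADMIN_IP WAN_IF
# The SSH rule is added before 'enable' so a remote session is not cut off.
apply_baseline() {
    ssh_port=$1; admin_ip=$2; wan_if=$3
    is_port "$ssh_port" || { echo "invalid port: $ssh_port" >&2; return 1; }
    is_ipv4 "$admin_ip" || { echo "invalid address: $admin_ip" >&2; return 1; }

    $UFW default deny incoming
    $UFW default allow outgoing
    # SSH only from the trusted admin address, not from everywhere
    $UFW allow from "$admin_ip" to any port "$ssh_port" proto tcp
    # HTTP only on the external interface
    $UFW allow in on "$wan_if" to any port 80 proto tcp
    # UDP port range: the protocol suffix is attached without a space
    $UFW allow 5000:5005/udp
    # --force skips the interactive "may disrupt existing ssh connections" prompt
    $UFW --force enable
}

# Usage:  UFW=echo sh ufw-baseline.sh 22 185.234.123.45 enp0s3   (dry run)
#         sh ufw-baseline.sh 22 185.234.123.45 enp0s3            (apply)
if [ "$#" -eq 3 ]; then
    apply_baseline "$@"
fi
```

Run the dry run first and compare the printed commands against the sections above before applying for real.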

Deleting Rules

Having added rules, we might also want to delete them. The best way to do this is to first get a numbered listing of all the applied rules. We achieve this by typing:

$ sudo ufw status numbered

In my case there are two rules, numbered 1 and 2. I would like to get rid of the rule for IPv6 connections. To do so we just type:

$ sudo ufw delete 2

Resetting or Disabling UFW

Let's summarise the few commands that we used previously for disabling, restarting or resetting the UFW service.

In order to disable UFW use:

$ sudo ufw disable

In order to enable UFW use:

$ sudo ufw enable

In order to reset UFW use:

$ sudo ufw reset

In order to restart UFW use:

$ sudo systemctl restart ufw