Advance

Tutorial set up a Firewall with UFW on Ubuntu 20.04

Tutorial set up a Firewall with UFW on Ubuntu 20.04
1
(1)

As an administrator, securing your network is a priority. In this article, you will review the tutorial set up a Firewall with UFW on Ubuntu 20.04. So if you are looking to get started securing your network, and you’re not sure which tool to use, UFW (Uncomplicated Firewall) may be the right choice for you. UFW is a simplified firewall management interface that hides the complexity of lower-level packet filtering technologies such as iptables and nftables.

 

Prerequisites

The tutorial may be more useful if you know:

  • a non-root user with sudo privileges
  • To set up, follow our Initial server setup on Ubuntu 20.04

 

Note: UFW is installed by default on Ubuntu, but if it is uninstalled, you can install it with:

sudo apt install ufw.

 

Recommended Article: Useful Sudoers configurations for setting ‘sudo’ in Linux

Tutorial set up a Firewall with UFW on Ubuntu 20.04

Let’s review 9 steps to learn this setup.

1- Using IPv6 with UFW

As this tutorial hs been written with IPv4 in mind, it will work for IPv6 when you enable it. But if it is enabled on your Ubuntu server, make sure that UFW is configured to support IPv6 and it will manage firewall rules for IPv6 in addition to IPv4. To do this type the below command.

sudo nano /etc/default/ufw  

You need to view as below.

 

/etc/default/ufw excerpt
IPV6=yes  

 

 

2- Setting Up Default Policies

UFW allows all outgoing connections and denies all incoming connections by default. So anyone trying to reach your server would not be able to connect, while any application within the server would be able to reach the outside world.

To continue with this tutorial you need to set your UFW rules back to the defaults. To do this, use the following command.

sudo ufw default deny incoming  sudo ufw default allow outgoing

3- Allowing SSH Connections

When you enable your UFW firewall, it will deny all incoming connections. Tp prevent this, you may have to create rules that explicitly allow legitimate incoming connections — SSH or HTTP connections. In case of using a cloud server, you will probably want to allow incoming SSH connections so you can connect to and manage your server.

Use the following command to configure your server to allow incoming SSH connections.

sudo ufw allow ssh  

By using this, you will create firewall rules that will allow all connections on port 22, which the SSH daemon listens on by default. So you will specify the port instead of the service name.

sudo ufw allow 22  

You will have to specify the appropriate port if you configured your SSH daemon to use a different port. And you can use this command to allow connections on that port if your SSH server is listening on port 2222

sudo ufw allow 2222  

 

4- Enabling UFW

Use this command, to enable UFW

sudo ufw enable  

You may face a warning message which says disrupt existing SSH connections. As the rule of set up firewall, has already been considered, the SSH connection is allowed. Respond to the prompt with y and press ENTER.

To see the rules are set, run the sudo ufw status verbose command, as the firewall is now active.

 

 

5- Allowing Other Connections

It is time to allow all of the other connections that your server needs to respond to. As you know how to write rules to allow connections based on a service name or port. You can also do this such as you did for SSH on port 22.

  • HTTP on port 80, which is what unencrypted web servers use, using sudo ufw allow http or sudo ufw allow 80
  • HTTPS on port 443, which is what encrypted web servers use, using sudo ufw allow https or sudo ufw allow 443

 

Although some applications use multiple ports, instead of a single port, You can specify port ranges with UFW. To allow X11 connections, which use ports 6000-6007, use these commands:

sudo ufw allow 6000:6007/tcp  sudo ufw allow 6000:6007/udp

You need to specify the protocol (tcp or udp) that the rules should apply to, when specifying port ranges with UFW.

You can also specify IP addresses. By the below example you may know more about the specific IP addresses.

sudo ufw allow from 203.0.113.4

Or if you want to connect to by adding to any port followed by the port number, you can specify a specific port that the IP address is allowed. As you see in the below for example we want to allow 203.0.113.4 to connect to port 22 (SSH)

sudo ufw allow from 203.0.113.4 to any port 22  

 

You can use CIDR notation to specify a netmask, when you need to allow a subnet of IP addresses. As you see in the below example, when you need to allow the IP addresses ranging from 203.0.113.1 to 203.0.113.254, you will type this way.

sudo ufw allow from 203.0.113.0/24  

If you want to specify the destination port that the subnet 203.0.113.0/24 connects to, you need to use port 22 (SSH).

sudo ufw allow from 203.0.113.0/24 to any port 22

If you want to look up your network interfaces before continuing, type the following command.

ip addr
Output Excerpt
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state  . . .  3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default  . . .

You can also allow HTTP traffic (port 80) if your server has a public network interface called eth0.

sudo ufw allow in on eth0 to any port 80  

Also, you can use the below command, if you want your MySQL database server (port 3306) to listen for connections on the private network interface eth1.

sudo ufw allow in on eth1 to any port 3306  

 

6- Denying Connections

In case you do not change the default policy for incoming connections, UFW would configure to deny all incoming connections. Or if you want to deny specific connections based on the source IP address or subnet, perhaps because you know that your server is being attacked from there. However, you need to create deny rules for any services or IP addresses that you don’t want to allow connections for if you want to change your default incoming policy to allow.

You can type the below commands described above (to deny HTTP connections), replacing allow with denying, to write deny rules.

sudo ufw deny http

You can also use the below command if you want to deny all connections from 203.0.113.4

sudo ufw deny from 203.0.113.4  

 

 

7- Deleting Rules

You will learn the two different ways to specify which rules to delete now. 1– by rule number. 2– by the actual rule.

The first method is easier, so we would start with it.

While you are using the rule number to delete firewall rules, you should get a list of your firewall rules.

sudo ufw status numbered  
Numbered Output:
Status: active         To                         Action      From       --                         ------      ----  [ 1] 22                         ALLOW IN    15.15.15.0/24  [ 2] 80                         ALLOW IN    Anywhere

 

If you want to delete rule 2, the one that allows port 80 (HTTP) connections, you should specify it in a UFW delete command such as the below.

sudo ufw delete 2  

Now if you want to specify the actual rule to delete, you can remove the allow http rule, you could type as below example.

sudo ufw delete allow http  

Instead of by service name, you could also specify the rule by allow 80

sudo ufw delete allow 80

This method will delete both IPv4 and IPv6 rules if they exist.

 

 

8- Checking UFW Status and Rules

To check the status of UFW, use the below command.

sudo ufw status verbose

you’ll see something like this if UFW is disabled,

Output
Status: inactive

The output will say that it’s active and it will list any rules that are set, if UFW is active, (which it should be if you followed Step 3)

Output
Status: active  Logging: on (low)  Default: deny (incoming), allow (outgoing), disabled (routed)  New profiles: skip    To                         Action      From  --                         ------      ----  22/tcp                     ALLOW IN    Anywhere

When you want to check how UFW has configured the firewall, you should use the status command.

 

 

9- Disabling or Resetting UFW

You can disable it with the below command if you decide you don’t want to use UFW.

sudo ufw disable  

You can always run sudo ufw enable if you need to activate it later. Also, you can use the reset command, if you already have UFW rules configured but you decide that you want to start over.

sudo ufw reset  

The default policies won’t change to their original settings, this will disable UFW and delete any rules that were previously defined.

Recommended Article: Install LAMP stack on Ubuntu 18.04 [quick-start]

Dear user, we hope you would enjoy this tutorial set up a Firewall with UFW on Ubuntu 20.04, you can ask questions about this training in the comments section, or to solve other problems in the field of Eldernode training, refer to the Ask page section and raise your problems in it.

How useful was this post?

Click on a star to rate it!

Average rating 1 / 5. Vote count: 1

No votes so far! Be the first to rate this post.

View More Posts
Tom Veitch
Eldernode Writer
We Are Waiting for your valuable comments and you can be sure that it will be answered in the shortest possible time.

Leave a Reply

Your email address will not be published. Required fields are marked *

We are by your side every step of the way

Think about developing your online business; We will protect it compassionately

We are by your side every step of the way

+8595670151

7 days a week, 24 hours a day