As an administrator, securing your network is a priority. In this article, you will follow a tutorial to set up a firewall with UFW on Ubuntu 20.04. If you are looking to get started securing your network and are not sure which tool to use, UFW (Uncomplicated Firewall) may be the right choice for you. UFW is a simplified firewall management interface that hides the complexity of lower-level packet filtering technologies such as iptables and nftables.
To follow this tutorial, you will need:
- a non-root user with sudo privileges
- to create one, follow our Initial server setup on Ubuntu 20.04
Note: UFW is installed by default on Ubuntu, but if it has been uninstalled you can reinstall it with:
sudo apt install ufw
Tutorial set up a Firewall with UFW on Ubuntu 20.04
Let’s walk through this setup in 9 steps.
1- Using IPv6 with UFW
This tutorial was written with IPv4 in mind, but it will also work for IPv6 as long as you enable it. If IPv6 is enabled on your Ubuntu server, make sure that UFW is configured to support IPv6 so that it manages firewall rules for IPv6 in addition to IPv4. To do this, open the UFW configuration file with the command below.
sudo nano /etc/default/ufw
In that file, make sure the IPV6 setting reads IPV6=yes, then save and close the file. Once UFW is enabled, it will write both IPv4 and IPv6 firewall rules.
2- Setting Up Default Policies
UFW allows all outgoing connections and denies all incoming connections by default. So anyone trying to reach your server would not be able to connect, while any application within the server would be able to reach the outside world.
To make sure you start from a known state, set your UFW policies back to the defaults with the following commands.
sudo ufw default deny incoming
sudo ufw default allow outgoing
3- Allowing SSH Connections
When you enable your UFW firewall, it will deny all incoming connections. To avoid locking yourself out, you have to create rules that explicitly allow legitimate incoming connections, such as SSH or HTTP. If you are using a cloud server, you will almost certainly want to allow incoming SSH connections so you can connect to and manage your server.
Use the following command to configure your server to allow incoming SSH connections.
sudo ufw allow ssh
This creates firewall rules that allow all connections on port 22, which the SSH daemon listens on by default. UFW knows which port allow ssh refers to because the SSH service is listed in /etc/services. Alternatively, you can specify the port number instead of the service name.
sudo ufw allow 22
If you configured your SSH daemon to use a different port, you will have to specify that port instead. For example, if your SSH server is listening on port 2222, use this command to allow connections on that port.
sudo ufw allow 2222
4- Enabling UFW
Use this command to enable UFW.
sudo ufw enable
You may see a warning that enabling the firewall could disrupt existing SSH connections. Since you already added a rule that allows SSH, it is safe to continue. Respond to the prompt with y and press ENTER.
The firewall is now active. Run sudo ufw status verbose to see the rules that are set.
5- Allowing Other Connections
It is time to allow the other connections that your server needs to respond to. You already know how to write rules that allow connections based on a service name or port number, as you did for SSH on port 22. Two common examples:
- HTTP on port 80, which is what unencrypted web servers use, using sudo ufw allow http or sudo ufw allow 80
- HTTPS on port 443, which is what encrypted web servers use, using sudo ufw allow https or sudo ufw allow 443
Some applications use several ports instead of a single one. UFW lets you specify port ranges for these. For example, to allow X11 connections, which use ports 6000-6007, use these commands:
sudo ufw allow 6000:6007/tcp
sudo ufw allow 6000:6007/udp
When specifying port ranges with UFW, you must also specify the protocol (tcp or udp) that the rules should apply to.
You can also specify IP addresses. For example, to allow connections on all ports from a specific IP address such as 203.0.113.4, use the command below.
sudo ufw allow from 203.0.113.4
You can also limit the IP address to a specific port by adding to any port followed by the port number. For example, to allow 203.0.113.4 to connect only to port 22 (SSH):
sudo ufw allow from 203.0.113.4 to any port 22
When you need to allow a whole subnet of IP addresses, use CIDR notation to specify a netmask. For example, to allow the IP addresses ranging from 203.0.113.1 to 203.0.113.254, type:
sudo ufw allow from 203.0.113.0/24
Likewise, you can specify the destination port that the subnet 203.0.113.0/24 is allowed to connect to. Again using port 22 (SSH) as an example:
sudo ufw allow from 203.0.113.0/24 to any port 22
Rules can also be limited to a particular network interface. To look up your network interfaces before continuing, list them (for example with ip addr) and note their names; the output looks like this:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state . . .
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default . . .
If your server has a public network interface called eth0, you can allow HTTP traffic (port 80) on that interface only by writing allow in on followed by the interface name.
sudo ufw allow in on eth0 to any port 80
Similarly, if you want your MySQL database server (port 3306) to accept connections only on the private network interface eth1, use the command below.
sudo ufw allow in on eth1 to any port 3306
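The following script is an added example and not part of the original tutorial. It sets the default policies from step 2 and then applies the allow rules from this step from a short declarative list, checking each entry before it reaches ufw so that a port range without a protocol (which ufw rejects, as noted above) or an out-of-range port number stops the run instead of leaving a half-applied ruleset. The subnet 203.0.113.0/24 and the rule list in main are constructed sample values; commands are only printed unless UFW_APPLY=1 is set, so the ruleset can be reviewed offline.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a small wrapper that sets
# the default policies from step 2 and validates every allow rule from step 5
# before handing it to ufw, enforcing the caveat that a port range must carry
# a protocol (tcp or udp). The subnet 203.0.113.0/24 and the rule list in main
# are constructed sample values. Commands are only printed unless UFW_APPLY=1
# is set, so the ruleset can be reviewed offline; applying it requires root.

# Run the ufw command in $1 when UFW_APPLY=1, otherwise print it.
run_or_print() {
    if [ "${UFW_APPLY:-0}" = 1 ]; then
        # shellcheck disable=SC2086  # word splitting of $1 is intended
        sudo $1
    else
        echo "$1"
    fi
}

# True if $1 is an integer in 1..65535.
port_in_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Validate a port spec: 22, 22/tcp, 6000:6007/tcp, or a service name (ssh).
# A range without a protocol (6000:6007) is rejected, as ufw itself rejects it.
check_port_spec() {
    spec=$1
    proto=""
    case "$spec" in
        */tcp|*/udp) proto=${spec##*/}; spec=${spec%/*} ;;
        */*) return 1 ;;                  # unknown protocol suffix
    esac
    case "$spec" in
        *:*)
            [ -n "$proto" ] || return 1   # a range needs tcp or udp
            lo=${spec%%:*}; hi=${spec##*:}
            port_in_range "$lo" && port_in_range "$hi" && [ "$lo" -le "$hi" ]
            ;;
        ''|*[!0-9]*)
            # service name: ufw resolves it through /etc/services, so allow
            # only lowercase letters, digits and dashes
            case "$spec" in ''|*[!a-z0-9-]*) return 1 ;; esac
            ;;
        *)
            port_in_range "$spec"
            ;;
    esac
}

# Print the ufw command for an allow rule: $1 = port spec, $2 = optional
# source address or CIDR. Returns 1 and prints nothing for an invalid spec.
build_rule() {
    check_port_spec "$1" || { echo "rejected port spec: $1" >&2; return 1; }
    if [ -z "$2" ]; then
        echo "ufw allow $1"
        return 0
    fi
    # In the long 'from ... to ...' form ufw takes the protocol as
    # 'proto tcp', not as a '/tcp' suffix on the port.
    case "$1" in
        */tcp|*/udp) echo "ufw allow from $2 to any port ${1%/*} proto ${1##*/}" ;;
        *)           echo "ufw allow from $2 to any port $1" ;;
    esac
}

# Read rules from stdin, one 'portspec [source]' per line, and apply each.
# Stops at the first invalid entry so a typo never leaves a half-applied set.
apply_rules() {
    while read -r spec src; do
        [ -n "$spec" ] || continue
        cmd=$(build_rule "$spec" "$src") || return 1
        run_or_print "$cmd"
    done
}

main() {
    run_or_print "ufw default deny incoming"
    run_or_print "ufw default allow outgoing"
    # Constructed sample ruleset: SSH only from a management subnet, web
    # ports from anywhere, and the X11 range with explicit protocols.
    apply_rules <<'EOF'
22 203.0.113.0/24
http
443
6000:6007/tcp
6000:6007/udp
EOF
}

main
```

Run it once without UFW_APPLY to review the exact commands it would issue, then with UFW_APPLY=1 to apply them. Keeping the SSH rule restricted to a management subnet, rather than Anywhere, is the one change most worth making to the plain sudo ufw allow ssh from step 3.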
6- Denying Connections
If you have not changed the default policy for incoming connections, UFW is configured to deny all incoming connections, so you normally only need to write rules that explicitly allow specific ports and addresses. Sometimes, however, you will want to deny specific connections based on the source IP address or subnet, perhaps because you know that your server is being attacked from there. Also, if you change your default incoming policy to allow, you need to create deny rules for any services or IP addresses that you do not want to accept connections from.
To write deny rules, take any of the allow commands described above and replace allow with deny. For example, to deny HTTP connections:
sudo ufw deny http
Or, to deny all connections from 203.0.113.4:
sudo ufw deny from 203.0.113.4
7- Deleting Rules
There are two different ways to specify which rules to delete: by rule number, or by the actual rule.
The first method is easier, so we will start with it.
To delete firewall rules by rule number, first get a numbered list of your rules.
sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    18.104.22.168/24
[ 2] 80                         ALLOW IN    Anywhere
If you want to delete rule 2, the one that allows port 80 (HTTP) connections, specify its number in a UFW delete command like this.
sudo ufw delete 2
Alternatively, you can specify the actual rule to delete. For example, to remove the allow http rule, type:
sudo ufw delete allow http
Instead of the service name, you can also specify the rule by its port number, as allow 80:
sudo ufw delete allow 80
This method deletes both the IPv4 and the IPv6 rule, if they exist.
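One caveat when deleting by number: ufw renumbers the remaining rules after every delete, so removing several rules in ascending order deletes the wrong rule from the second one on. The script below is an added example, not part of the original tutorial. It parses sudo ufw status numbered output, finds every rule (including the IPv6 copy, which ufw lists with a "(v6)" suffix) whose To column matches a given port, and emits the delete commands highest number first. The status text in SAMPLE_STATUS is constructed sample output in ufw's format; delete commands are only printed unless UFW_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: find rules in
# 'ufw status numbered' output by port and delete them by number from the
# highest number down, because ufw renumbers the remaining rules after each
# delete. SAMPLE_STATUS is constructed sample output in ufw's format. Set
# UFW_APPLY=1 to run the delete commands for real (requires root); otherwise
# they are printed.

# Constructed sample output in the format printed by 'ufw status numbered'.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    203.0.113.0/24
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 80 (v6)                    ALLOW IN    Anywhere (v6)
[ 4] 443                        ALLOW IN    Anywhere'

# Print the numbers of all rules whose To column is exactly $1 (a port or
# port/proto). Reads 'ufw status numbered' text from stdin. The IPv6 copy of
# a rule shows the port followed by " (v6)", so it is matched as well.
rule_numbers_for_port() {
    awk -v port="$1" '
        /^\[ *[0-9]+\]/ {
            num = $0
            sub(/^\[ */, "", num); sub(/\].*/, "", num)
            rest = $0
            sub(/^\[ *[0-9]+\] */, "", rest)
            split(rest, f, /  +/)          # columns are separated by runs of spaces
            to = f[1]
            sub(/ \(v6\)$/, "", to)
            if (to == port) print num
        }'
}

# Emit (or run) 'ufw delete N' for every rule matching port $1, highest first.
# Returns 1 when no rule matches, so callers can tell a typo from success.
delete_rules_for_port() {
    nums=$(rule_numbers_for_port "$1" | sort -rn)
    [ -n "$nums" ] || { echo "no rule for port $1" >&2; return 1; }
    for n in $nums; do
        if [ "${UFW_APPLY:-0}" = 1 ]; then
            # --force skips the interactive "Proceed with operation" prompt
            sudo ufw --force delete "$n"
        else
            echo "ufw delete $n"
        fi
    done
}

main() {
    # With real output, pipe 'sudo ufw status numbered' in place of printf.
    printf '%s\n' "$SAMPLE_STATUS" | delete_rules_for_port 80
}

main
```

Against the sample status this prints ufw delete 3 followed by ufw delete 2, which removes both the IPv4 and the IPv6 HTTP rule and leaves rule 1 (SSH) and rule 4 (HTTPS) intact; deleting 2 first would have shifted the v6 rule to number 2 and then removed the HTTPS rule instead.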
8- Checking UFW Status and Rules
To check the status of UFW, use the below command.
sudo ufw status verbose
If UFW is disabled, you’ll see Status: inactive.
If UFW is active (which it should be if you followed the Enabling UFW step), the output will say that it’s active and list any rules that are set, for example:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
Use the status command whenever you want to check how UFW has configured the firewall.
9- Disabling or Resetting UFW
If you decide you don’t want to use UFW, you can disable it with the command below.
sudo ufw disable
You can always run sudo ufw enable if you need to activate it again later. If you already have UFW rules configured but decide that you want to start over, use the reset command.
sudo ufw reset
This will disable UFW and delete any rules that were previously defined. Keep in mind that the default policies won’t change back to their original settings.
We hope you enjoyed this tutorial on setting up a firewall with UFW on Ubuntu 20.04. You can ask questions about this training in the comments section, or, for other problems in the field of Eldernode training, refer to the Ask page and raise them there.