A firewall is the main gate that keeps unwanted traffic away from your server, and UFW makes it simple to manage.
UFW stands for Uncomplicated Firewall. It is a front end for iptables (the Linux netfilter packet filter), not a separate firewall: every UFW rule is translated into iptables rules underneath.
You can configure iptables directly if you are an expert and need something UFW cannot express.
If not, go with UFW.
In this tutorial, we will see how to use UFW to secure an Ubuntu server and restrict access to the applications running on it.
- You need a non-root user account with sudo privileges. If you do not know how to create one, refer here.
UFW ships with Ubuntu and is usually already installed. If it is missing, install it from the Ubuntu repository:
$ sudo apt-get install ufw
UFW configuration – Enable IPv6 Support
In this tutorial we will use IPv4 to demonstrate the setup, but UFW can manage IPv6 connections as well. If the server has an IPv6 address, enable it; otherwise UFW installs no ip6tables rules and the IPv6 side of the host stays unfiltered while you believe it is protected.
To do that, edit the UFW configuration file and turn on IPv6 support.
First, open UFW configuration file using nano editor.
$ sudo nano /etc/default/ufw
Find the IPV6 line and make sure it is set to yes (on current Ubuntu releases this is already the default):
IPV6=yes
Then, save and close the file.
From now on, UFW will manage both IPv4 and IPv6 rules. We have not enabled UFW yet. Before doing so, we have to make sure the configuration allows us to connect to our server through SSH, because once the firewall is active with the default policy nothing else gets in.
Once, I forgot to verify and simply enabled UFW. After that, I could not connect to the server.
So make sure to verify the UFW configuration before enabling it.
Default Policy Setup
This is a very important step: the default policy decides what happens to traffic that does not match any of our firewall rules.
By default, UFW denies all incoming connections that do not match an existing rule and allows all outgoing connections, so any application inside the firewall can initiate traffic to the outside. Note that deny silently drops the packets, whereas UFW's reject action sends an error back to the sender; drop is the better default for an internet-facing host because it tells a scanner less.
Here are the commands to set these defaults explicitly:
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
This setup is fine for a desktop or laptop running Ubuntu: nobody outside can open a connection to the machine, while everything you start locally still works. It is also the right starting point for a cloud server, with one addition.
For a cloud server, we have to allow the SSH connection before enabling the firewall, so that we can still connect to the server to operate it.
Enable the SSH Connection
To enable the SSH connection in the firewall, just use the below command.
$ sudo ufw allow ssh
Most UFW commands are this simple, yet powerful.
If you do something wrong, for example enable the firewall without an SSH rule, you will be in trouble, so read each command before running it.
The command above tells UFW to accept incoming connections to port 22 from anywhere.
That is the port SSH uses, and UFW knows it by reading the services and their ports listed in /etc/services; the rule is stored and shown as 22/tcp.
You can also give the port number directly instead of the service name. Without a protocol suffix this opens the port for both TCP and UDP, so 22/tcp would be the more precise form:
$ sudo ufw allow 22
To cut down on noise from automated attacks, you can move a service to a non-standard port: for example change the SSH port in the sshd configuration and allow that port in UFW instead. This is obscurity rather than security, since a full port scan still finds the service and it does nothing against weak passwords, but it keeps a lot of opportunistic bots out of your logs. Allow the new port in UFW before you change and restart sshd, or you will lock yourself out.
Once the SSH rule is in place, you can enable the firewall.
To enable UFW, use this simple command:
$ sudo ufw enable
When you execute this command, it warns that it may disrupt existing SSH connections and asks whether to proceed.
Since the SSH rule is already there, answer y. Keep your current session open and confirm that a new SSH login from a second terminal works before you close it; if it does not, disable UFW from the session you still have.
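The whole sequence above (default policies, SSH rule, enable) as one non-interactive script. This is an added example, not code from the original tutorial. It assumes root privileges, a stock ufw, and a hypothetical SSH_PORT variable set to whatever port sshd listens on. Before enabling, it reads `ufw show added` and refuses to enable unless a rule for that port exists, which is the check the author wished they had run. It uses ufw's limit action for SSH instead of allow, which also rate-limits repeated connection attempts from one source address; swap in allow if you prefer the plain rule.

```sh
#!/bin/sh
# Added example: apply the baseline UFW policy from this tutorial, but only
# enable the firewall when an SSH rule exists. Assumptions: run with root
# privileges, ufw installed, SSH_PORT = the port sshd listens on (hypothetical
# variable, not from the tutorial). Nothing touches ufw unless UFW_APPLY=1.

SSH_PORT="${SSH_PORT:-22}"

# has_ssh_allow TEXT: TEXT is the output of `ufw show added`. Returns 0 when
# some rule allows (or rate-limits) the SSH port, whether written as the
# service name, the bare number, NUMBER/tcp, or "... to any port NUMBER".
has_ssh_allow() {
    svc='ssh|'                              # the service name only means port 22
    if [ "$SSH_PORT" != "22" ]; then svc=''; fi
    printf '%s\n' "$1" | grep -Eq \
        "^ufw +(allow|limit) +(in +)?(${svc}${SSH_PORT}(/tcp)?)( |\$)|^ufw +(allow|limit) .*port +${SSH_PORT}(/tcp)?( |\$)"
}

# apply_baseline: the tutorial's steps in order, then a guarded enable.
apply_baseline() {
    ufw default deny incoming
    ufw default allow outgoing
    # limit = allow plus rate limiting (6 attempts in 30 s per source address)
    ufw limit "${SSH_PORT}/tcp"
    if has_ssh_allow "$(ufw show added)"; then
        ufw --force enable              # --force skips the "may disrupt ssh" prompt
    else
        echo "refusing to enable ufw: no rule for port ${SSH_PORT}/tcp" >&2
        return 1
    fi
}

# Constructed sample of `ufw show added` output (not from a real host), used
# to try the check without touching the firewall. It lacks an SSH rule.
SAMPLE_SHOW_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow 443/tcp"

if has_ssh_allow "$SAMPLE_SHOW_ADDED"; then
    echo "sample rule set: SSH allowed, safe to enable"
else
    echo "sample rule set: no SSH rule, enabling would lock you out"
fi

if [ "${UFW_APPLY:-0}" = "1" ]; then
    apply_baseline
fi
```

Run it as is to see the check fire on the sample; run it as `sudo UFW_APPLY=1 sh ufw-baseline.sh` (with SSH_PORT exported if you moved sshd) to apply the policy on a server.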
Allowing HTTP traffic. Either form works; the service name resolves to port 80 through /etc/services.
$ sudo ufw allow http
$ sudo ufw allow 80
Allowing HTTPS traffic
$ sudo ufw allow https
$ sudo ufw allow 443
Allowing FTP. Note that FTP sends credentials and data in clear text; SFTP runs over the SSH port you already opened and is usually the better choice. If you do run FTP, port 21 is only the control channel: passive-mode data connections use a separate port range that the FTP server must be configured for and UFW must allow (or the nf_conntrack_ftp helper must be loaded).
$ sudo ufw allow ftp
$ sudo ufw allow 21/tcp
For any other port, specify whether you want to allow TCP or UDP (omitting the protocol allows both).
Here is a sample command.
$ sudo ufw allow 9867/tcp
Allowing an IP address to access the ports.
To accept all traffic from a specific IP address, name that address as the source:
$ sudo ufw allow from 22.214.171.124
To limit that to a single port, add the port:
$ sudo ufw allow from 126.96.36.199 to any port 22
Deny rules use the same syntax with deny in place of allow.
This blocks every connection from the given IP address; with a port, only connections to that port from that address are blocked. Two caveats: deny drops the packets silently (the reject action sends an error back instead), and UFW evaluates rules from top to bottom and stops at the first match, so a deny rule appended after an allow rule that already matches the same traffic (such as allow ssh from anywhere) is never reached. In that case the deny rule has to be inserted ahead of the allow rule (ufw's insert subcommand takes a position number) rather than appended.
$ sudo ufw deny from 188.8.131.52 to any port 22
Deleting the Rules
Sometimes you will want to delete a rule. There are two ways: by the rule's number, or by repeating the rule itself with delete in front.
Here is the method for deleting the rule by number.
First, you have to find the rule number of your rule. For that, use the below command.
$ sudo ufw status numbered
The rules are listed with numbers like this:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    184.108.40.206/24
[ 2] 80                         ALLOW IN    Anywhere
Find the number of the rule you want to delete and pass it to ufw delete; UFW shows the rule and asks for confirmation before removing it.
$ sudo ufw delete 2
UFW renumbers the remaining rules after every deletion, so when removing several rules by number either list them again before each delete or work from the highest number down.
The second way is to repeat the rule itself, with delete in front of it.
For example, to delete the HTTP rule:
$ sudo ufw delete allow http
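Helpers for the two gotchas above, the shadowed deny rule and deletion by number. This is an added example, not code from the original tutorial. They parse the text of `ufw status numbered` (a constructed sample is embedded so they run offline): rule_numbers and delete_commands look up rule numbers for a pattern and emit delete commands highest-first, since ufw renumbers after every deletion; shadowed_denies flags a DENY rule whose To column already has an earlier ALLOW rule from Anywhere, which ufw never reaches because it stops at the first match. The fix for such a rule is to move it to the front, for example `sudo ufw insert 1 deny from <address> to any port 22`. The parsing assumes the column layout ufw prints today.

```sh
#!/bin/sh
# Added example (not from the tutorial): work with `ufw status numbered`
# output as text. Assumes ufw's current column layout:
#   [ N] To                         Action      From

# rule_numbers STATUS PATTERN: numbers of the rules whose line matches the
# extended regex PATTERN, in the order ufw lists them.
rule_numbers() {
    printf '%s\n' "$1" | grep -E "^\[ *[0-9]+\].*$2" | sed 's/^\[ *\([0-9][0-9]*\)\].*/\1/'
}

# delete_commands STATUS PATTERN: one `ufw --force delete N` per matching
# rule, highest number first, because ufw renumbers the survivors after each
# delete (deleting 1 then 2 would remove what used to be rule 3).
delete_commands() {
    rule_numbers "$1" "$2" | sort -rn | sed 's/^/ufw --force delete /'
}

# shadowed_denies STATUS: numbers of DENY rules that can never match because
# an earlier ALLOW rule for the same To column already accepts that traffic
# from Anywhere. ufw evaluates rules top-down and stops at the first match.
shadowed_denies() {
    printf '%s\n' "$1" | awk '
        /^\[ *[0-9]+\]/ {
            n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n)
            line = $0; sub(/^\[ *[0-9]+\] */, "", line)
            match(line, /  +/)                       # To is padded with 2+ spaces
            to = substr(line, 1, RSTART - 1)
            rest = substr(line, RSTART + RLENGTH)    # "ACTION IN    From"
            action = rest; sub(/ .*/, "", action)
            if (action == "ALLOW" && rest ~ /Anywhere( \(v6\))?$/) open[to] = 1
            if (action == "DENY" && (to in open)) print n
        }'
}

# Constructed sample (not captured from a real host): the tutorial's
# `allow ssh`, `allow http`, then `deny from <ip> to any port 22` appended.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 22/tcp                     DENY IN     203.0.113.5
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

echo "rules mentioning 22/tcp: $(rule_numbers "$SAMPLE_STATUS" '22/tcp' | tr '\n' ' ')"
echo "to remove them safely run, in this order:"
delete_commands "$SAMPLE_STATUS" '22/tcp'
echo "shadowed deny rules (never reached): $(shadowed_denies "$SAMPLE_STATUS")"
```

On a live host, pass `"$(sudo ufw status numbered)"` as the STATUS argument; the delete commands are printed rather than executed so you can review them first.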
Check UFW Status
To check the state of UFW, including its default policies and logging, use the verbose status command:
$ sudo ufw status verbose
The output shows whether UFW is active and lists the current rules:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
If UFW is inactive, you will only see the following output.
Status: inactive
Disable Firewall & Reset UFW
You can disable the firewall by just using the below command.
$ sudo ufw disable
You can reset the entire firewall with the reset command:
$ sudo ufw reset
reset disables UFW, deletes all rules and restores the installation defaults (the old rule files are backed up under /etc/ufw with a timestamp). After a reset you have to set the default policies, re-add the SSH rule and enable UFW again, so treat it as starting over, not as a quick way to clear rules on a server you are logged into remotely.
Today you have learnt how to configure UFW on Ubuntu 16.04. If you have questions or doubts, please leave them in the comments.