How to Configure a Firewall with UFW on Ubuntu 18.04
In this article, we will show you how to install and configure UFW on an Ubuntu 18.04 VPS. First, we will take a moment to introduce and explain what firewalls are, and then we’ll show you how to use UFW and how to make the appropriate UFW configuration.
A firewall is a software program that monitors the network traffic and prevents unauthorized access to or from a private network. In regards to the Linux kernel, a Netfilter subsystem is implemented, which is used to manipulate the network traffic. Almost all modern Linux firewall solutions use this system to filter network packets. Additionally ‘iptables’ – a firewall utility accessible from the command line – is also part of the Netfilter framework. To simplify the process of creating firewall rules, Canonical (the creators of Ubuntu) developed an iptables interface called Uncomplicated Firewall (UFW).
If you are using Ubuntu 18.04 and want to secure your network without having to deal with learning how to use iptables, then UFW may be the appropriate solution you are looking for.
To follow this tutorial, you will need a server with Ubuntu 18.04 and SSH access with the root user (or a user with sudo privileges). Let’s begin with the tutorial.
Step 1: Connect to Your Server
Before we begin, you’ll need to connect to your server via SSH as root or user with sudo privileges. To do this, use the following command:
ssh root@IP_Address -p Port_Number
of course, you will need to replace IP_Address and Port_Number with your actual server IP address and SSH port number.
Once logged in, make sure that your server is up-to-date by running the following commands:
sudo apt update sudo apt upgrade
Step 2: Install UFW
UFW should be already installed by default on Ubuntu 18.04 – but if for some reason is is not installed, you can install it with this command:
sudo apt install ufw
Once the installation is complete, you can check the UFW status with the command:
sudo ufw status verbose
UFW by default is initially disabled, and if you never activated before you will get the output:
Output Status: inactive
If you already have UFW activated on your server, the output will look quite different and will look similar to the following:
Output: Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- 22/tcp ALLOW IN Anywhere 80/tcp ALLOW IN Anywhere 443/tcp ALLOW IN Anywhere 22/tcp (v6) ALLOW IN Anywhere (v6) 80/tcp (v6) ALLOW IN Anywhere (v6) 443/tcp (v6) ALLOW IN Anywhere (v6) ....
Step 3: UFW Default Policies
The first thing you need to know is the default policies. By default, UFW is configured to deny all incoming connections and allow all outgoing connections. In other words, all of the connections that will try to access your server will be refused and all of your applications and services that are locally found on your server will be able to reach the outside world and access other servers.
If you want to check or change the default policies, you can find them in the /etc/default/ufw configuration file.
To set these UFW rules to the default, you can run the following commands:
sudo ufw default deny incoming sudo ufw default allow outgoing
Keep in mind that servers usually need to respond to an incoming request from Internet users. So, in most cases, you cannot set your firewall to block all incoming connections. In the next step, we’ll learn how to allow specific connections.
Step 4: Allow SSH Connections
Before you enable UFW, you need to allow SSH access on your server by adding a rule that will allow incoming SSH connections. Otherwise, you will get locked and you will not be able to connect to your Ubuntu server.
You can use the following command to configure the UFW firewall to allow all incoming SSH connections:
sudo ufw allow ssh
Then you will receive the following output:
Rules updated Rules updated (v6)
Please note that this command is only if your server listens to the standardized SSH port: 22. If the SSH service uses a custom non-standard port, you will need to open that port. If the SSH service on your server uses a unique port, for example port 900, then you can use the following command:
sudo ufw allow 900
Note that you’ll need to know what port number your service currently uses.
Step 5: Enable UFW
Now your firewall is configured to allow SSH connections and you are sure that your current SSH connection will not be affected, you can continue with enabling the UFW firewall.
sudo ufw enable
After which you will receive the following output:
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y Firewall is active and enabled on system startup
You will get a warning that tells you that you need to have configured allowing SSH rules, otherwise the existing SSH connection will be closed. Since you already have, type [y] and continue with [Enter].
Step 6: Allow Connections on Specific Ports
The applications and services that you use may need to have their ports opened for incoming and outgoing connections, depending on the application’s purpose. The most common ports you’ll need to unblock are ports 80 & 443, which are used by the web server, and 25, 110, 143, 587 and 993, which are used by the mail server.
We’ll show you through a few examples of how to allow incoming connections for some common services.
To allow all HTTP (port 80) connections, run this command:
sudo ufw allow http
Also, if you want to specify the port, you can apply what is essentially the same rule but with a different syntax:
sudo ufw allow 80
To allow all HTTPS (port 443) connections, run the command:
sudo ufw allow https
Additionally, if you want to specify the HTTPS port, you can apply the rule with a different syntax:
sudo ufw allow 443
If you are using a mail server, some of the next rules could be useful.
To allow all incoming SMTP you can run the command:
sudo ufw allow 25
To allow all incoming IMAP connections, run the command:
sudo ufw allow 143
And to allow all incoming IMAPS requests, you can use the command:
sudo ufw allow 993
If you are using POP3 instead, this command below will allow all incoming connections:
sudo ufw allow 110
And for all incoming POP3S requests, use this next command:
sudo ufw allow 995
Finally, if you are running a specific program that requires web access, you will need to enable to port specific to that program as well. For example, if you run Tomcat on your server, you will need port 8080. You can allow all incoming connections to this port with the command:
sudo ufw allow <port number>
You can do this for all specific ports that you may need.
Step 7: Allow Port Ranges
UFW also can allow access to port ranges instead of allowing access to a single port. When you want to allow port ranges at the UFW port, you need to specify the range of the port and the protocol, either TCP or UDP.
For example, if you want to allow the ports from 8069 to 8080 for both TCP and UDP, you can use the following commands:
sudo ufw allow 8069:8080/tcp sudo ufw allow 8069:8080/udp
Step 8: Allow Specific IP Addresses
If you want to allow only one IP address (for example a trusted machine found on your local network) to be able to access all ports, you can use the command:
sudo ufw allow from 18.104.22.168
On top of this, you can also allow a specific IP address to a particular port! Let’s say you want to allow a specific IP address to use the MySQL port (MySQL uses port 3306), then you can simply use this command:
sudo ufw allow from 22.214.171.124 to any port 3306
Step 9: Deny Connections
As mentioned earlier in Step 3, the default policy for incoming connections is set to ‘deny’. However, sometimes you may need to deny specific connections based on the source IP address or specific port.
The deny rule is very useful if you have an attack on your server from a specific IP address and your ports 80 and 443 are open. In this case, you can block that IP address using the following example. Of course, don’t forget to change the IP address 126.96.36.199 with the actual IP address that you want to block:
sudo ufw deny from 188.8.131.52
This will block the IP address from accessing all of your open ports. However, if you want to block the IP address from being able to access a particular port, you can use the next example:
sudo ufw deny from 184.108.40.206 to any port 80 sudo ufw deny from 220.127.116.11 to any port 443
As you can notice, creating deny rules is similar to the rules for allowing.
Step 10: Delete UFW Rules
The importance of deleting UFW rules is as important as creating them. There are two different ways to remove a UFW rule. The first method is by using the rule number, and the second is by specifying the actual rule.
If you want to delete the UFW rule with numbers, you will need to know the rule’s number. To list the rule numbers, you can use the command:
sudo ufw status numbered
Output: Status: active To Action From -- ------ ---- [ 1] 80 ALLOW IN Anywhere [ 2] 443 ALLOW IN Anywhere [ 3] 22 ALLOW IN Anywhere [ 4] Anywhere ALLOW IN 18.104.22.168 [ 5] 7022 ALLOW IN Anywhere [ 6] 8069 ALLOW IN Anywhere ...
To remove the rule that is labeled as rule number 4, which allows connections from IP address 22.214.171.124, you can use the command:
sudo ufw delete 4
If you want to use the second method, which is to remove a rule by specifying the actual rule. Let’s say you want to close the port 8069 for example – in that case you would use the following command:
sudo ufw delete allow 8069
Step 11: Disable or Reset UFW
If for any reason you need to stop all UFW rules on your server, you can disable it by using the command:
sudo ufw disable
This will stop all rules that were currently active on your server. However, if you need to reactivate the firewall rules, you can simply enable it again.
sudo ufw enable
If for some reason you want to delete all of the rules and start with a fresh UFW, then you can use the following command:
sudo ufw reset
Please note that default policies will not change to their original settings if they have already been modified.
In this article, we showed you how to install UFW and then use it to configure a firewall on Ubuntu 18.04. Now you can use the knowledge of this guide to start creating your own UFW firewall rules and protect your server.