
How to Set Up a Firewall with UFW on Ubuntu 20.04

A firewall is a tool to monitor and filter incoming and outgoing network traffic. It works by defining a set of security rules that determine whether to allow or block certain traffic.

Ubuntu ships with a firewall configuration tool called UFW (Uncomplicated Firewall). UFW is an easy-to-use front-end for managing iptables rules; its goal is to make managing the firewall, as the name suggests, uncomplicated.

This article explains how to use the UFW tool to configure and manage firewalls in Ubuntu 20.04. A properly configured firewall is one of the most important aspects of overall system security.

Prerequisites

Only root or users with sudo rights can manage the system firewall. Best practice is to run administrative tasks as a sudo user rather than logging in as root.

Install UFW

UFW is part of the standard Ubuntu 20.04 installation and should already be on your system. If for some reason it is not installed, you can install the package by typing:

$ sudo apt update
$ sudo apt install ufw

Check UFW Status

UFW is disabled by default. You can check the UFW service status with the following command:

$ sudo ufw status verbose

The output will indicate that the firewall status is not active:

Status: inactive

If UFW is enabled, the output shows the status together with the logging level and the default policies:

Output :

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

UFW Default Policy

By default UFW denies all incoming and all routed (forwarded) traffic and allows all outgoing traffic. Anyone who tries to reach your server is refused unless you explicitly open the port, while applications and services running on the server can still reach the outside world.

The default policies are defined in the /etc/default/ufw file (DEFAULT_INPUT_POLICY, DEFAULT_OUTPUT_POLICY and DEFAULT_FORWARD_POLICY) and can be changed either by editing that file or with the sudo ufw default <allow|deny|reject> <incoming|outgoing|routed> command.

Firewall policies are the basis on which more specific rules are built. The UFW defaults (deny incoming, allow outgoing) are a good starting point for most servers; if you also want to restrict what the server itself can reach, set the outgoing policy to deny and allow only the destinations you need.

Application Profile

Application profiles are INI-format text files that describe a service and the ports it needs. Packages that ship a service install their profile into the /etc/ufw/applications.d directory.

To list all application profiles available on your server, type:

$ sudo ufw app list

Depending on the packages installed on your system, the output will look similar to the following:

Output :

Available applications:
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH

To find more information about specific profiles and the rules that are included, use the following command:

$ sudo ufw app info 'Nginx Full'

The output shows that the ‘Nginx Full’ profile opens ports 80 and 443.

Output :

Profile: Nginx Full
Title: Web Server (Nginx, HTTP + HTTPS)
Description: Small, but very powerful and efficient web server

Ports:
  80,443/tcp

You can also write a profile for your own application: create a file in /etc/ufw/applications.d containing a section named after the application with title, description and ports keys (ports uses the same port/protocol syntax as ufw allow), then run sudo ufw app update <name> so UFW picks it up.

Activating UFW

If you are connected to the Ubuntu machine over SSH, you must explicitly allow incoming SSH connections before enabling UFW. If you do not, the firewall will drop your session and you will be locked out of the machine.

To configure your UFW firewall to allow incoming SSH connections, type the following command:

$ sudo ufw allow ssh

Output :

Rules updated
Rules updated (v6)

If SSH runs on a non-standard port, you need to open that port instead.

For example, if your ssh daemon is listening on port 7722, enter the following command to allow connections on that port:

$ sudo ufw allow 7722/tcp

Now that the firewall is configured to allow incoming SSH connections, you can activate it by typing:

$ sudo ufw enable

Output :

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

You will be warned that enabling the firewall may disrupt existing SSH connections; type y and press Enter. The firewall is now active and will also be started on boot.
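The procedure above as a script, added here as an example rather than code from the original article: it reads the SSH port from sshd's configuration, opens it (rate-limited), and only then enables the firewall. The sshd_config text is a constructed sample, and the function names, the DRY_RUN variable and the choice of `ufw limit` over `ufw allow` are this example's own.

```sh
# Added example: bring UFW up without locking yourself out. The SSH port is read
# from sshd's configuration, opened (rate-limited) first, and only then is the
# firewall enabled. DRY_RUN=1 (the default) prints the commands instead of running them.
set -eu

# Constructed sample sshd_config for the demonstration (the host's real file is not read).
SAMPLE_SSHD_CONFIG='# sshd_config (constructed sample)
#Port 22
Port 7722
PermitRootLogin no
PasswordAuthentication no'

# Print the TCP ports sshd listens on, taken from config text on stdin
# (matching is case-insensitive, so the output of `sshd -T` works as input too).
# Commented-out directives are ignored; no Port directive means sshd's default, 22.
ssh_ports_from_config() {
  awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { ports = ports (ports == "" ? "" : " ") $2 }
       END { print (ports == "" ? "22" : ports) }'
}

# Emit the ufw commands, one per line, in the order they must run.
# `limit` rather than `allow`: UFW then drops a source that opens more than
# 6 connections in 30 seconds, which blunts SSH brute forcing. SSH is opened
# before `enable` so the session you are typing in survives.
ufw_enable_plan() {
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  for port in "$@"; do
    echo "ufw limit ${port}/tcp"
  done
  echo "ufw --force enable"   # --force skips the interactive confirmation
}

# Run each command from stdin with sudo, or just print it when DRY_RUN=1.
apply_plan() {
  while IFS= read -r line; do
    if [ "${DRY_RUN:-1}" = "1" ]; then
      printf 'DRY RUN: sudo %s\n' "$line"
    else
      sudo $line   # word-split on purpose: $line holds a full command
    fi
  done
}

# Demonstration on the constructed sample (dry run by default).
ports=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | ssh_ports_from_config)
ufw_enable_plan $ports | apply_plan
```

On a real host, feed the effective sshd configuration in with `sudo sshd -T | ssh_ports_from_config` instead of the sample, review the dry-run output, and only then rerun with DRY_RUN=0.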

Open Ports

Depending on the applications running on the system, you may also need to open other ports. The general syntax for opening a port is:

$ sudo ufw allow port_number/protocol

Here are several ways to allow HTTP connections.

The first option is to use the service name. UFW looks up the port and protocol for that name in the /etc/services file:

$ sudo ufw allow http

You can also specify the port number, and protocol:

$ sudo ufw allow 80/tcp

When no protocol is given, UFW creates rules for both TCP and UDP. Unless the service really uses both, state the protocol explicitly so you do not open a UDP port that nothing listens on.

Another option is to use application profiles; in this case, ‘Nginx HTTP’:

$ sudo ufw allow 'Nginx HTTP'

UFW also accepts a longer form in which the protocol is given with the proto keyword:

$ sudo ufw allow proto tcp to any port 80

Port Ranges

UFW can also open a range of ports. The starting and ending ports are separated by a colon (:), and you must specify the protocol, either tcp or udp.

For example, to allow ports 7100 to 7200 over both TCP and UDP, run:

$ sudo ufw allow 7100:7200/tcp
$ sudo ufw allow 7100:7200/udp

Custom IP address and port

To allow connections on all ports from a given source IP address, use the from keyword followed by that address.

The following adds a single address to the allow list:

$ sudo ufw allow from 64.63.62.61

To allow a given IP address access to only one port, add to any port followed by the port number.

For example to allow access on port 22 of a machine with IP address 64.63.62.61, enter:

$ sudo ufw allow from 64.63.62.61 to any port 22

Subnet

The syntax for allowing connections from a subnet is the same as for a single IP address; the only difference is that you specify the network in CIDR notation (address plus netmask).

The following example allows the addresses 192.168.1.1 through 192.168.1.254 to reach port 3306 (MySQL):

$ sudo ufw allow from 192.168.1.0/24 to any port 3306

Specific Network Interfaces

To allow connections only on a particular network interface, use in on followed by the interface name. This is how you expose a service such as MySQL on an internal interface without also opening it on the public one:

$ sudo ufw allow in on eth2 to any port 3306

Reject connection

The default policy for incoming connections is deny, and unless you have changed it UFW blocks every incoming connection that you have not explicitly opened.

Writing deny rules is the same as writing allow rules; you simply use the deny keyword instead of allow. UFW also has a reject keyword: deny silently drops the packet, whereas reject sends an error response back to the client, so it learns immediately that the port is closed instead of waiting for a timeout.

Let's say you have opened ports 80 and 443 and your server is being attacked from the 23.24.25.0/24 network. To drop all connections from 23.24.25.0/24, run:

$ sudo ufw deny from 23.24.25.0/24

To deny access from 23.24.25.0/24 to ports 80 and 443 only, use:

$ sudo ufw deny proto tcp from 23.24.25.0/24 to any port 80,443

UFW evaluates rules in order and the first match wins. If the allow rules for ports 80 and 443 already exist, a deny rule added afterwards is placed below them and never fires. Put it above the existing rules with sudo ufw insert 1 followed by the same rule, and confirm the order with sudo ufw status numbered.

Remove UFW Rules

There are two ways to delete UFW rules: by rule number and by specifying the actual rule.

Deleting by rule number is easier, especially when you are new to UFW. First find the number of the rule you want to delete; to get a numbered list of rules, use the ufw status numbered command:

$ sudo ufw status numbered

Output :

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere

To remove rule number 3, the one that allows connections to port 8080, enter the following. Note that the remaining rules are renumbered after each deletion, so when deleting several rules by number, re-run ufw status numbered between deletions or delete from the highest number down:

$ sudo ufw delete 3

The second method is to delete a rule by specifying it exactly as it was added. For example, if you added a rule that opens port 8069, you can delete it with:

$ sudo ufw delete allow 8069
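Two checks that follow from the last two sections, added here as an example and not code from the original article: the first finds deny rules that sit below an allow rule for the same port and therefore never match (the ordering problem described under Reject connection), the second builds a delete plan that removes rules from the highest number down so the numbering stays valid. The `ufw status numbered` output is a constructed sample; the function names and the `shadowed by` report format are this example's own.

```sh
# Added example: checks against `ufw status numbered` output. It finds deny rules
# that an earlier allow rule shadows (first match wins) and builds a safe delete
# plan that removes rules bottom-up so the remaining numbers stay valid.
set -eu

# Constructed sample of `sudo ufw status numbered` output, not from a live host.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 8080/tcp                   ALLOW IN    Anywhere
[ 5] 80,443/tcp                 DENY IN     23.24.25.0/24
[ 6] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 7] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 8] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
[ 9] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)'

# Normalise the numbered table (stdin) into tab-separated rows:
# number, to, action, direction, from. Columns can contain spaces ("22/tcp (v6)"),
# so each row is split at the ACTION DIRECTION pair rather than at fixed offsets.
parse_numbered() {
  awk '
    /^\[ *[0-9]+]/ {
      line = $0
      sub(/^\[ */, "", line); num = line; sub(/].*/, "", num)
      sub(/^[0-9]+] */, "", line)
      n = split(line, f, / +/)
      for (i = 1; i <= n; i++)
        if (f[i] ~ /^(ALLOW|DENY|REJECT|LIMIT)$/ && f[i + 1] ~ /^(IN|OUT|FWD)$/) break
      to = f[1]; for (j = 2; j < i; j++) to = to " " f[j]
      from = f[i + 2]; for (j = i + 3; j <= n; j++) from = from " " f[j]
      printf "%s\t%s\t%s\t%s\t%s\n", num, to, f[i], f[i + 1], from
    }'
}

# Rule numbers whose "To" column covers PORT ($1), including "80,443/tcp" lists.
rule_numbers_for_port() {
  parse_numbered | awk -F '\t' -v port="$1" '
    { split($2, p, "/"); n = split(p[1], list, ",")
      for (k = 1; k <= n; k++) if (list[k] == port) { print $1; break } }'
}

# Delete commands for every rule on PORT, highest number first: deleting rule 4
# renumbers 5 and up, so bottom-up deletion never hits the wrong rule.
delete_plan() {
  rule_numbers_for_port "$1" | sort -rn | sed 's/^/ufw --force delete /'
}

# Report "N shadowed by M" for each DENY/REJECT IN rule N from a specific source
# that sits below an ALLOW/LIMIT IN rule M from Anywhere on an overlapping port
# of the same address family. Such a deny never matches anything.
shadowed_denies() {
  parse_numbered | awk -F '\t' '
    function overlap(x, y,   xp, yp, xs, ys, nx, ny, i, j) {
      split(x, xp, "/"); nx = split(xp[1], xs, ",")
      split(y, yp, "/"); ny = split(yp[1], ys, ",")
      for (i = 1; i <= nx; i++) for (j = 1; j <= ny; j++) if (xs[i] == ys[j]) return 1
      return 0
    }
    { num[NR] = $1; to[NR] = $2; act[NR] = $3; dir[NR] = $4; from[NR] = $5 }
    END {
      for (d = 1; d <= NR; d++) {
        if (act[d] !~ /^(DENY|REJECT)$/ || dir[d] != "IN" || from[d] ~ /^Anywhere/) continue
        for (a = 1; a < d; a++) {
          if (act[a] !~ /^(ALLOW|LIMIT)$/ || dir[a] != "IN" || from[a] !~ /^Anywhere/) continue
          if ((to[a] ~ /\(v6\)/) != (to[d] ~ /\(v6\)/)) continue
          if (overlap(to[a], to[d])) { print num[d] " shadowed by " num[a]; break }
        }
      }
    }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_STATUS" | shadowed_denies
printf '%s\n' "$SAMPLE_STATUS" | delete_plan 8080
```

On a real host, source the file and run `sudo ufw status numbered | shadowed_denies`; a reported rule should be deleted and re-added above the allow rule with `sudo ufw insert 1 deny proto tcp from 23.24.25.0/24 to any port 80,443`. The output of `delete_plan` is meant to be read first and then run line by line with sudo.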

Disabling UFW

If for any reason you want to stop UFW and deactivate all of its rules, use:

$ sudo ufw disable

Later, to re-enable UFW and reactivate all the rules, type:

$ sudo ufw enable

Resetting UFW

Resetting UFW disables the firewall and deletes all active rules (UFW keeps timestamped backup copies of the previous rule files under /etc/ufw). This is useful if you want to revert all your changes and start again from a clean slate.

To reset UFW, type the following command:

$ sudo ufw reset

IP Masquerading

IP masquerading is a form of NAT (network address translation) in the Linux kernel that rewrites the source address (and, where needed, the source port) of packets leaving the gateway so that they appear to come from the gateway itself, and undoes the rewrite on the replies. With IP masquerading you can let one or more machines on a private network reach the Internet through a single Linux machine acting as a gateway.

Configuring IP Masquerading with UFW involves several steps.

First, you need to enable IP forwarding. To do this, open the /etc/ufw/sysctl.conf file:

$ sudo nano /etc/ufw/sysctl.conf

Find the line that reads #net/ipv4/ip_forward=1 and uncomment it (this file uses slashes instead of dots, but it names the same kernel parameter as net.ipv4.ip_forward):

/etc/ufw/sysctl.conf
net/ipv4/ip_forward=1

Next, you need to configure UFW to allow packets to be forwarded. Open UFW configuration file:

$ sudo nano /etc/default/ufw

Find the DEFAULT_FORWARD_POLICY key and change its value from DROP to ACCEPT:

/etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"

Be aware that this lets the gateway forward any traffic between any of its interfaces. A tighter alternative is to leave the policy at DROP and allow only the forwarding you need with sudo ufw route allow rules, for example from the private interface out to the public one.

Now you need to add a nat table with a POSTROUTING chain and a masquerade rule. Open the /etc/ufw/before.rules file and add the lines below at the top of the file, before the existing *filter line (each table is a separate block that ends with its own COMMIT):

$ sudo nano /etc/ufw/before.rules

Add the following lines:

/etc/ufw/before.rules
#NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through eth0 - Change to public network interface
-A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

Don't forget to change eth0 on the -A POSTROUTING line to the name of your public network interface, and 10.8.0.0/16 to your private network. Keep the -s match: without it the gateway would masquerade traffic from any source that reaches it.

When finished, save and close the file.

Finally, reload the UFW rules by disabling and re-enabling UFW:

$ sudo ufw disable
$ sudo ufw enable
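The before.rules edit above, done by a script instead of by hand, added here as an example and not code from the original article: it places the nat table before the *filter line and refuses to add a second copy when one already exists, so rerunning the setup does not stack MASQUERADE rules. The before.rules text is a constructed, trimmed stand-in for the real file, and the function names and the CIDR check are this example's own.

```sh
# Added example: add the NAT table to a before.rules file in the right place
# (before *filter) and only once, so repeated runs do not stack MASQUERADE rules.
set -eu

# Constructed, trimmed stand-in for /etc/ufw/before.rules; the real file is longer.
SAMPLE_BEFORE_RULES='#
# rules.before
#
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
-A ufw-before-input -i lo -j ACCEPT
COMMIT'

# Print the *nat table that masquerades SUBNET ($1, CIDR) leaving via IFACE ($2).
# The -s match keeps the gateway from NATing traffic for any other source.
nat_block() {
  case "$1" in
    */[0-9]*) ;;
    *) echo "nat_block: subnet must be in CIDR form, got '$1'" >&2; return 1 ;;
  esac
  cat <<EOF
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Masquerade $1 out of $2 - change to your private network and public interface
-A POSTROUTING -s $1 -o $2 -j MASQUERADE

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
EOF
}

# Copy a before.rules file (stdin) to stdout with the *nat table inserted just
# before the first "*filter" line. A file that already has a *nat table is
# passed through unchanged, so the function is safe to run twice.
with_nat_block() {
  awk -v block="$(nat_block "$1" "$2")" '
    /^\*nat$/ { has_nat = 1 }
    { lines[NR] = $0 }
    END {
      for (i = 1; i <= NR; i++) {
        if (!has_nat && lines[i] == "*filter") { print block; print "" }
        print lines[i]
      }
    }'
}

# Number of *nat tables in a rules file (stdin); must be exactly 1 after the edit.
count_nat_tables() { grep -c '^\*nat$' || true; }

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_BEFORE_RULES" | with_nat_block 10.8.0.0/16 eth0
```

On a real host, run `with_nat_block 10.8.0.0/16 eth0 < /etc/ufw/before.rules > /tmp/before.rules.new`, check it parses with `sudo iptables-restore --test /tmp/before.rules.new`, copy it into place, and reload with `sudo ufw reload`. Confirm forwarding is on with `sysctl -n net.ipv4.ip_forward`, which should print 1.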

Conclusion

We have shown you how to install and configure the UFW firewall on an Ubuntu 20.04 server. Be sure to allow all the incoming connections your system needs to function while blocking everything else, and verify the result from another host rather than trusting the rule list alone.

For more information on this topic, visit the UFW man page.

If you have questions, feel free to leave a comment below.
