Configure Firewall with UFW on Ubuntu 20.04

Er Ravindra Pawadia
5 min read · Sep 12, 2020


A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Firewalls have long been a first line of defense in network security. In this tutorial, you will learn how to configure a host firewall with UFW on Ubuntu 20.04 LTS.

UFW stands for Uncomplicated Firewall. It is easy to set up and is the recommended way to secure a single host; ufw is the default firewall configuration tool on Ubuntu. It provides a user-friendly front end to netfilter for creating an IPv4 or IPv6 host-based firewall. By default, UFW is disabled.

Prerequisite

  • Ubuntu 20.04/18.04 (or any Debian-based system)
  • User with sudo privileges
  • Fast Internet Connection
  • Command Line Terminal

Step:1. Default UFW Policies

You can check whether the firewall is running or not with the following command.

ravi@thecodecloud:~$ sudo ufw status

Since UFW is disabled by default, the output should look like this:

Status: inactive

It is good policy to close all ports on the server and open only the ones that are required. Let’s block all incoming connections and allow only outgoing connections from our Ubuntu 20.04 LTS box with the following commands:

ravi@thecodecloud:~$ sudo ufw default allow outgoing
ravi@thecodecloud:~$ sudo ufw default deny incoming

Step:2. Enabling UFW

As mentioned earlier, ufw is disabled by default. Enable it with the following command:

ravi@thecodecloud:~$ sudo ufw enable

Sample Output:

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Once enabled, ufw stays active across system restarts. You can verify this as follows:

ravi@thecodecloud:~$ sudo systemctl status ufw.service

  • Disabling UFW

If you need to stop the firewall and keep it from starting at boot, use the following command:

ravi@thecodecloud:~$ sudo ufw disable

Sample output:

Firewall stopped and disabled on system startup

Step:3. Open Specific Incoming Connections/Ports

  • Open SSH TCP Port 22 Connections

Our next step is to allow incoming SSH ports. We can open SSH TCP port 22 using UFW as follows:

ravi@thecodecloud:~$ sudo ufw allow ssh
Rule added
Rule added (v6)

Alternatively, the equivalent rule can be written with the port number instead of the service name:

ravi@thecodecloud:~$ sudo ufw allow 22

If you run SSH on a TCP port other than the default, for instance port 2222, use the following command:

ravi@thecodecloud:~$ sudo ufw allow 2222/tcp

Some admins have a static IP address at home or at the office. In that case, allow SSH access only from that static IP address (say 202.50.7.10) to the Ubuntu server’s IP address (say 172.22.12.40):

ravi@thecodecloud:~$ sudo ufw allow proto tcp from 202.50.7.10 to 172.22.12.40 port 22

To check whether the port is open in the ufw firewall, use the following command:

ravi@thecodecloud:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
2222/tcp                   ALLOW       Anywhere
172.22.12.40 22/tcp        ALLOW       202.50.7.10
22/tcp (v6)                ALLOW       Anywhere (v6)
2222/tcp (v6)              ALLOW       Anywhere (v6)
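The prompt in Step 2 warns that enabling ufw may disrupt existing SSH connections: with the default policy set to deny incoming, enabling the firewall on a remote host before an SSH rule exists locks you out. The following script is an added example, not part of the original post; it parses the `ufw status` output shown above and only calls `ufw enable` when an ALLOW rule for the SSH port is present. The function names, `safe_enable` and `ssh_rule_present`, and the sample status text are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to enable ufw unless
# an ALLOW rule for the SSH port already exists, so that a remote session
# is not cut off when "default deny incoming" takes effect.

# ssh_rule_present STATUS_TEXT PORT
# Returns 0 when STATUS_TEXT (the output of `ufw status`) contains an ALLOW
# rule whose "To" column names PORT, written as "22" or "22/tcp". Rows with
# a destination address look like "172.22.12.40 22/tcp ALLOW 202.50.7.10",
# so every field before the Action column is checked.
ssh_rule_present() {
    status_text=$1
    port=$2
    printf '%s\n' "$status_text" | awk -v p="$port" '
        {
            for (i = 1; i < NF; i++)
                if (($i == p || $i == (p "/tcp")) && $(i + 1) ~ /^ALLOW/)
                    found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# safe_enable [PORT]: run `ufw enable` only when the SSH rule is present.
# Invokes sudo, so it is meant to be run interactively on the server.
safe_enable() {
    port=${1:-22}
    if ssh_rule_present "$(sudo ufw status)" "$port"; then
        sudo ufw enable
    else
        echo "No ALLOW rule for ${port}/tcp; run 'sudo ufw allow ${port}/tcp' first." >&2
        return 1
    fi
}

# Constructed sample status text, in the same shape as the output above.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
2222/tcp                   ALLOW       Anywhere
172.22.12.40 22/tcp        ALLOW       202.50.7.10
22/tcp (v6)                ALLOW       Anywhere (v6)'

# Demonstrate the check on the sample without touching the live firewall.
if ssh_rule_present "$SAMPLE_STATUS" 22; then echo "22/tcp allowed"; fi
if ssh_rule_present "$SAMPLE_STATUS" 80; then :; else echo "80/tcp not allowed"; fi
```

On the server, `safe_enable` (or `safe_enable 2222` for a non-default port) replaces the bare `sudo ufw enable` of Step 2.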

Step:4. Allowing Other Connections

Here, you should allow the other connections that your server needs to respond to. Which connections to allow depends entirely on your specific needs. Let’s add more rules to open ports and allow IP addresses with ufw.

The syntax to open TCP ports 80 and 443 with ufw is as follows:

ravi@thecodecloud:~$ sudo ufw allow 80/tcp comment 'accepting Apache2'
ravi@thecodecloud:~$ sudo ufw allow 443/tcp comment 'accepting secure HTTPS connections'

Next, open UDP port 1194 for an OpenVPN server:

ravi@thecodecloud:~$ sudo ufw allow 1194/udp comment 'Accepting OpenVPN server'

  • Allow Port Ranges with UFW

Port ranges can be allowed too, for instance TCP and UDP ports 2000 to 3000:

ravi@thecodecloud:~$ sudo ufw allow 2000:3000/tcp
ravi@thecodecloud:~$ sudo ufw allow 2000:3000/udp

  • Allowing Specific IP Addresses

Suppose you need to allow ALL connections from a specific IP address, say 106.22.10.210. Use the following command:

ravi@thecodecloud:~$ sudo ufw allow from 106.22.10.210

To allow connections from the IP address 104.22.11.215 to port 25 only, use the following command:

ravi@thecodecloud:~$ sudo ufw allow from 104.22.11.215 to any port 25 proto tcp

You can also set the destination IP address, here 224.224.224.224, for port 25 as follows:

ravi@thecodecloud:~$ sudo ufw allow from 104.22.11.215 to 224.224.224.224 port 25 proto tcp

  • Connections to a Specific Network Interface

Look up your network interfaces before continuing, using the following command:

ravi@thecodecloud:~$ ip addr
2: ens33: mtu 1500 qdisc fq_codel state UP group default qlen 1000
3: enp1s0: mtu 1500 qdisc fq_codel state UP group default qlen 1000

If your server has a public network interface called ens33, you can allow HTTP traffic (port 80) on that interface only with the following command:

ravi@thecodecloud:~$ sudo ufw allow in on ens33 to any port 80

If you want your MySQL database server (port 3306) to accept connections only on the private network interface, enp1s0 in the output above, use the following command:

ravi@thecodecloud:~$ sudo ufw allow in on enp1s0 to any port 3306

Step:5. Block or Deny Incoming Connections/Ports

If you want to close ports or block certain IP addresses, the syntax to deny access is as follows:

ravi@thecodecloud:~$ sudo ufw deny 25/tcp

Suppose you want to deny all connections from the IP address 204.10.1.45. Use the following command:

ravi@thecodecloud:~$ sudo ufw deny from 204.10.1.45

To deny all connections from the subnet 104.13.40.15/29, use the following command:

ravi@thecodecloud:~$ sudo ufw deny from 104.13.40.15/29

It often happens that someone tries to intrude into your infrastructure. You can then block that particular IP address (let’s say the hacker’s IP 4.1.1.2) on port 22 with the following command:

ravi@thecodecloud:~$ sudo ufw deny from 4.1.1.2 to any port 22 proto tcp

Step:6. Verifying the Status of UFW

You can see the status of UFW with the following command:

ravi@thecodecloud:~$ sudo ufw status

  • UFW Delete Rules

You have already learned how to add, deny, and list firewall rules. Now it is time to delete unwanted rules.

First, list all current rules in numbered format with the following command:

ravi@thecodecloud:~$ sudo ufw status numbered

To delete the 5th rule, type the command:

ravi@thecodecloud:~$ sudo ufw delete 5
Deleting:
 allow 443/tcp comment 'accepting secure HTTPS connections'
Proceed with operation (y|n)? y
Rule deleted

You can also delete a rule by specifying the rule itself, then list the rules again to confirm:

ravi@thecodecloud:~$ sudo ufw delete allow http
ravi@thecodecloud:~$ sudo ufw delete allow 80
ravi@thecodecloud:~$ sudo ufw status numbered

Step:7. More Commands related to UFW

Let’s learn more commands related to UFW.

  • Reload the ufw

ravi@thecodecloud:~$ sudo ufw reload

  • Reset the ufw

ravi@thecodecloud:~$ sudo ufw reset

  • View the Firewall Logs

By default all UFW entries are logged to the /var/log/ufw.log file. Use the more command, the tail command, or similar tools to view the ufw logs:

ravi@thecodecloud:~$ sudo more /var/log/ufw.log
ravi@thecodecloud:~$ sudo tail -f /var/log/ufw.log

  • Show the list of rules

ravi@thecodecloud:~$ sudo ufw show added
ravi@thecodecloud:~$ sudo ufw show listening
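Reading /var/log/ufw.log by eye does not scale. The following script is an added example, not part of the original post; it summarises the `[UFW BLOCK]` entries by source address and destination port, which is the quickest way to spot the repeated probes against port 22 that Step 5 blocks. The function names `ufw_block_summary` and `top_blocked_source` are constructed here, and the log lines are constructed samples in the kernel netfilter log format that ufw writes, reusing the addresses from this post.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the blocked
# connections recorded in /var/log/ufw.log. Each [UFW BLOCK] line carries
# key=value fields written by the kernel (SRC=, DST=, PROTO=, DPT=), so
# the blocks are counted per source address and destination port.

# ufw_block_summary LOGFILE
# Prints "count src dport" lines, most frequent first.
ufw_block_summary() {
    awk '/\[UFW BLOCK\]/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "") count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }' "$1" | sort -rn
}

# top_blocked_source LOGFILE: the source address with the most blocks,
# i.e. the first candidate for a `ufw deny from ...` rule (Step 5).
top_blocked_source() {
    ufw_block_summary "$1" | awk 'NR == 1 { print $2 }'
}

# Constructed sample log (not real traffic), in the format ufw writes via
# the kernel LOG target; the addresses are the ones used in this post.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Sep 12 10:15:32 thecodecloud kernel: [UFW BLOCK] IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=4.1.1.2 DST=172.22.12.40 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1001 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 12 10:15:33 thecodecloud kernel: [UFW BLOCK] IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=4.1.1.2 DST=172.22.12.40 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1002 DF PROTO=TCP SPT=41235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 12 10:16:01 thecodecloud kernel: [UFW BLOCK] IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=204.10.1.45 DST=172.22.12.40 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=2001 DF PROTO=TCP SPT=50022 DPT=3306 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 12 10:16:05 thecodecloud kernel: [UFW ALLOW] IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=202.50.7.10 DST=172.22.12.40 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=3001 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
EOF

ufw_block_summary "$SAMPLE_LOG"
```

On a real host, point the function at /var/log/ufw.log (read with sudo); the `[UFW ALLOW]` line in the sample is skipped, so only traffic the firewall actually dropped is counted.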

Conclusion

You have now learned how to configure a firewall with UFW on Ubuntu. I hope this covered all the aspects of UFW you need.

Read also: How to Install Zabbix Server 5.0 on Ubuntu 20.04

Written by Er Ravindra Pawadia

Hi Guys, This is Ravi. I am AWS and Oracle Certified Solution Architect Associate. I love to write technical blogs on my blogging site https://thecodecloud.in .