If you are familiar with Ubuntu server, you have probably come across the UFW firewall.
Here, let us look at UFW in detail.
UFW stands for Uncomplicated Firewall. It is a front end to iptables, the packet-filtering framework built into the Linux kernel.
Managing iptables rules by hand to set up a firewall properly is hard and error-prone.
With the help of UFW, you can set up the firewall with a few short commands.
When you are working on improving the security of a server, one of the first actions to take is a sound firewall configuration.
A firewall is software that monitors incoming and outgoing traffic.
It has a set of rules to allow or deny traffic, so you can open or close any port.
There is a lot more you can do with the firewall to safeguard your server.
When you configure the firewall correctly, it limits what an attacker can reach: only the services you deliberately expose accept connections, so a daemon that happens to be listening (a database bound to all interfaces, a forgotten test service) is not reachable from the network.
The initial configuration of the firewall can seem confusing to everyone.
People also often do not know which operations a firewall lets them perform.
In this article, I am going to show you how to perform all the operations required to manage the server's traffic.
You will also come to understand the basic functionality of a firewall as you go through the article.
Here in this tutorial you are going to learn
- How to Install the UFW firewall on Ubuntu
- Enabling IPv6 in the firewall
- Checking UFW status
- Checking UFW rules
- Default Policy setup
- Allowing SSH connections
- Allowing Many Other connections
- Allowing HTTP traffic
- Allowing HTTPS traffic
- Enabling FTP
- Enabling only the Specific Port Ranges
- Allowing specific IP address to access the server
- Allowing Specific subnets
- Enabling connection with network interfaces
- Denying connections for unencrypted traffic
- Denying connections for Specific Subnets
- Deleting Specific Rules
- Disabling the UFW
- Resetting the UFW Rules
You will need an Ubuntu 14.04 server with a non-root user that has sudo privileges, and UFW installed on it (the next section covers the installation).
Installing the firewall
If your server does not already have UFW, install it with the following command.
$ sudo apt-get install ufw
The command above installs UFW on the Ubuntu server. It is installed but not yet enabled at this point.
Enabling IPv6 in the firewall
If your Ubuntu machine has an IPv6 address, you have to tell UFW to manage IPv6 as well. With IPV6 set to no, UFW only writes IPv4 (iptables) rules, so a service you have blocked over IPv4 stays reachable over IPv6.
More and more systems get an IPv6 address nowadays, and that will only increase in the future.
UFW supports IPv6. To enable it, open the UFW configuration file with the nano editor.
$ sudo nano /etc/default/ufw
Make sure IPV6 is set to yes in the configuration.
/etc/default/ufw excerpt:
...
IPV6=yes
...
Now save the configuration file and close it. Once you enable the firewall, it will manage IPv6 rules too. If the firewall was already running when you changed the file, restart it with sudo ufw disable followed by sudo ufw enable so the change takes effect.
In this article we are going to see how to use the UFW rules for IPv4.
However, the firewall works for both IP versions: every rule you add without an explicit IPv4 address produces both an IPv4 and an IPv6 entry.
Checking the UFW status
You can check the status of UFW on your Ubuntu server with the command below.
$ sudo ufw status verbose
We have not enabled UFW yet, so it shows the firewall as inactive:
Output:
Status: inactive
While the firewall is inactive, status prints only that line, even if you have already added rules.
If you have already enabled UFW, it shows the status as active.
It also lists the rules that are in effect. For instance, if you have allowed SSH connections, it shows that port 22 accepts TCP traffic from anywhere:
Output:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
Whenever you want to see the current firewall rules, run the same status command again (sudo ufw status without verbose prints just the rule table).
Before enabling the firewall, check that the SSH connection is allowed.
This check is essential when you are connected to the system remotely: with a default policy that drops incoming traffic and no rule for the SSH port, enabling the firewall locks you out of the server.
Do not enable the firewall until you have allowed the port SSH listens on.
Setting up the default policies
When you configure the firewall, the first thing to decide is the policy for traffic that does not match any other rule.
The default UFW policy denies all incoming traffic (packets are dropped without a reply) and allows all outgoing traffic.
If anyone tries to connect to your server, the connection attempt is dropped unless a rule allows it.
At the same time, applications on the server can open connections to the outside, and the replies to those connections are let back in because the firewall tracks connection state.
Now, set the default policies for UFW with the commands below.
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
You might ask: if I deny all incoming traffic, how can I connect to my Ubuntu server at all?
Here is the answer. On their own, these settings suit a personal computer, which only makes outgoing connections.
A server that has to serve the outside world needs explicit allow rules on top of them. Let us see that next.
Allowing SSH and HTTP connections
Once you enable UFW, it will not accept incoming traffic unless a rule allows it. Since we are using this server to host a website, we have to allow two types of connections.
- SSH connections
- HTTP or HTTPS connections
The SSH connection lets us reach the server from a remote location to administer it.
The HTTP or HTTPS connections let visitors reach the website.
To allow SSH connections, execute the command below.
$ sudo ufw allow ssh
UFW knows what ssh means: ssh is defined as a service in /etc/services, which maps service names to the ports they use, and there it is port 22/tcp.
You can also give the port number instead of the service name. The command for allowing the port is
$ sudo ufw allow 22
Most people use port 22 for SSH.
Some people configure SSH to listen on a different port.
For instance, if the SSH daemon listens on port 2568, you have to allow that port instead (check the Port directive in /etc/ssh/sshd_config if you are not sure).
The command will be
$ sudo ufw allow 2568
A bare port number allows both TCP and UDP; SSH only uses TCP, so 22/tcp or 2568/tcp is the tighter rule.
Once you have allowed the SSH port, it is time to enable the UFW firewall.
Enabling UFW is an easy task. All you have to do is execute the command below.
$ sudo ufw enable
You will get a warning: "Command may disrupt existing ssh connections. Proceed with operation (y|n)?"
Since we have already allowed SSH connections, we do not need to worry about that.
Enter y and continue. That is all.
Now UFW is running. You can check the UFW status by issuing the command below.
$ sudo ufw status verbose
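The check the article insists on (allow the SSH port before sudo ufw enable) can be scripted. The following is an added example and not part of the original article: it reads the Port directive from an sshd_config file and looks for a matching allow rule in the output of sudo ufw show added, which lists the rules you have added even while the firewall is still inactive (sudo ufw status shows nothing until it is enabled). The function names, file names and sample inputs are constructed for the example; on a real server you would feed it /etc/ssh/sshd_config and the live output of sudo ufw show added.

```sh
#!/bin/sh
# Added example (not from the original article): refuse to run "ufw enable"
# until the port sshd listens on is covered by an allow rule. Both inputs are
# read from files so the checks can be exercised without root or a live firewall.

# Port sshd listens on, read from an sshd_config file ($1). The last
# uncommented "Port" directive wins; sshd's default of 22 applies if none is set.
sshd_port() {
    awk 'tolower($1) == "port" { p = $2 } END { print (p == "" ? 22 : p) }' "$1"
}

# True when the "ufw show added" listing on stdin contains an allow rule for
# port $1, written as a bare port, as <port>/tcp, as "in on <iface> ... <port>",
# or as "from <ip> to any port <port>". "ufw show added" is used instead of
# "ufw status" because the latter prints only "Status: inactive" before enabling.
ssh_rule_present() {
    grep -Eq "^ufw allow( in on [^ ]+)?( from [^ ]+ to any port)? $1(/tcp)?( |$)"
}

# Decide whether enabling is safe and print the next command to run.
# $1 = sshd_config path, $2 = file holding the "ufw show added" output.
safe_enable() {
    port=$(sshd_port "$1")
    if ssh_rule_present "$port" < "$2"; then
        echo "port $port is allowed; next step: sudo ufw enable"
        return 0
    fi
    echo "refusing to enable: run 'sudo ufw allow $port/tcp' first" >&2
    return 1
}

# Constructed sample inputs: sshd moved to 2568, as in the article's example.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
# constructed sample sshd_config
#Port 22
Port 2568
PermitRootLogin no
EOF
cat > "$demo_dir/added_ok" <<'EOF'
Added user rules (see 'ufw status' for running firewall):
ufw allow 2568/tcp
ufw allow 80/tcp
EOF
cat > "$demo_dir/added_missing" <<'EOF'
Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 80/tcp
EOF

safe_enable "$demo_dir/sshd_config" "$demo_dir/added_ok"               # safe
safe_enable "$demo_dir/sshd_config" "$demo_dir/added_missing" || true  # refused: only 22 is open
```

The second sample shows the classic mistake: an operator opened port 22 out of habit while sshd was moved to 2568, and enabling at that point would cut the session.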
Enabling the other connections
Once you have enabled the firewall, it is time to allow the other connections the server needs.
A web server has to handle traffic for several kinds of connections.
For that, it needs to listen on multiple ports.
Here is the list of basic connections that a web server needs to allow.
- HTTP connections (port 80)
- HTTPS connections (port 443)
- FTP (port 21), only if you really need it
Other than that, we can do the following.
- Allow a specific range of ports
- Allow a specific IP address
- Allow a specific subnet
- Allow traffic on a specific network interface
First, let us see how to allow HTTP connections.
Allow HTTP connections
By default the web server listens on port 80 for HTTP connections.
Here is the command to allow HTTP connections.
$ sudo ufw allow http
Instead, you can use the port number directly in the command.
$ sudo ufw allow 80
Allowing HTTPS (encrypted connections)
Allowing HTTPS connections works the same way as allowing HTTP. Here is the command for that.
$ sudo ufw allow https
Alternatively, you can use the port number to allow HTTPS connections.
$ sudo ufw allow 443
Allowing FTP
For some reason you might want FTP access to the server. You can allow or deny FTP connections with UFW. To allow FTP connections, use the command below.
$ sudo ufw allow ftp
Here, too, you can use the port number instead of the service name. The port number for FTP is 21.
$ sudo ufw allow 21/tcp
Keep in mind that plain FTP sends user names and passwords in cleartext, and that port 21 is only the control channel: passive-mode data transfers use separate ports, which connection tracking can follow only because the default /etc/default/ufw loads the nf_conntrack_ftp module. If you only need to move files, SFTP over the SSH port you already opened avoids both problems.
Allowing Specific Port Ranges
To allow a range of ports, give the range in the command.
Some services use several ports, so for those services we have to allow all of them.
For instance, X11 uses ports 6000-6007.
To allow a range of port numbers, follow the command format below.
$ sudo ufw allow 6000:6007/tcp
$ sudo ufw allow 6000:6007/udp
When you give a single port number, you may add the protocol to be allowed; if you leave it out, UFW allows both TCP and UDP.
For a port range, the protocol is mandatory: UFW refuses a range without /tcp or /udp, which is why the X11 example needs two commands to cover both protocols.
Allow Specific IP Addresses
Using UFW you can allow a specific IP address to connect to the server.
You can add any IP address with the following command format.
For instance, here I am adding my home IP address so the firewall lets my IP connect to the server. (Not really my home IP address.)
You have to use "from" followed by the IP address on the command line.
$ sudo ufw allow from 192.168.25.11
Note that this allows every port for that address, since no port is named.
There is one more option available. With it, you can name the specific port that the IP address may access.
Here, I am going to allow my home IP address to connect to the server's SSH port (22).
$ sudo ufw allow from 192.168.25.11 to any port 22
Allowing a Range of IP Addresses (Subnet)
You can allow a whole subnet of IPs, so you do not need a new rule for each address.
Using CIDR notation in the command simplifies the job.
Here is the command for that.
$ sudo ufw allow from 192.168.10.0/24
You can add the port number to the same command to restrict what those addresses may access.
$ sudo ufw allow from 192.168.10.0/24 to any port 22
Enable Connections on a Specific Network Interface
UFW lets you allow a port on a specific network interface only.
To do this, first find the network interfaces your server is using. To see the available network interfaces:
$ ip addr
You may get output like this.
ip addr output excerpt:
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state ...
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default ...
...
Here you can see two network interfaces, eth0 and eth1. First let us open a port on eth0.
$ sudo ufw allow in on eth0 to any port 80
Allowing port 80 on eth0 lets public HTTP traffic reach the server.
Now let us allow the MySQL port on the eth1 interface only.
$ sudo ufw allow in on eth1 to any port 3306
This setup can be used for MySQL connections between servers over a private interface while the database stays unreachable from the public one.
It is very useful for people who host their website and database on separate servers.
Denying connections
With the default UFW policy, all incoming connections are denied.
We have seen how to allow connections in the sections above.
Here, let us see how to deny connections for a specific IP address or range.
This is essential when your server is being attacked or suspicious activity is going on.
We will see how to block a service entirely and how to block a specific IP address.
You can deny HTTP connections to your server entirely with the command below.
$ sudo ufw deny http
Or, if you want to block a specific IP address, use the command below (replace the address with the one you want to block).
$ sudo ufw deny from 192.168.0.1
You can use deny instead of allow in any of the rules above to deny specific connections.
Rule order matters: UFW evaluates the rules in the order shown by sudo ufw status numbered and applies the first match. A deny added after a general allow for the same port never fires, so put blocks at the top with sudo ufw insert 1 deny from 192.168.0.1 instead of a plain deny.
Deleting rules
Deleting a UFW rule is very simple. There are two ways to do it.
The first is by rule number, and the second is by spelling out the rule exactly as you created it.
First, let us see the first method.
Deleting by rule number
To delete a rule by its number, you first have to find the number. Use the command below.
$ sudo ufw status numbered
The output will look like the following.
Numbered output:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    192.168.15.0/24
[ 2] 80                         ALLOW IN    Anywhere
To delete a specific rule, give its number as shown in the output.
For instance, I want to delete rule number 2. The command would be
$ sudo ufw delete 2
Rule number 2 allows HTTP connections to the server. After deleting it, HTTP connections fall back to the default policy and are denied.
If you delete a rule by number, remember that with IPv6 enabled every rule also has a separate IPv6 entry (marked (v6) in the listing) with its own number, and that the remaining rules are renumbered after each deletion. Delete the IPv6 entry as well, and run sudo ufw status numbered again before each delete rather than reusing old numbers.
Deleting by the actual rule
To delete a rule by the rule itself, just put delete in front of the rule. Here is an example.
$ sudo ufw delete allow http
You can also delete the rule by giving the port number instead of the service name.
$ sudo ufw delete allow 80
If you delete a rule by the actual rule, both the IPv4 and the IPv6 entries are removed.
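The two rule-number pitfalls above (a separate (v6) entry per rule, and renumbering after every delete) and the ordering pitfall from the denying section (a deny placed below an allow for the same port never matches) can all be caught by reading sudo ufw status numbered. The script below is an added example and not part of the original article; it works on a constructed copy of that listing so it runs without root, and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original article): helpers that read the output
# of "sudo ufw status numbered" to (1) find every entry of a rule, IPv4 and
# IPv6, and emit the deletes highest-number first, and (2) flag DENY rules
# that sit below an ALLOW for the same destination and therefore never match.

# Constructed sample in the shape of "sudo ufw status numbered" with IPv6 on.
# Rule 5 was added with a plain "ufw deny", so it landed below the allow in rule 1.
sample_status() {
    cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 4] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 22/tcp                     DENY IN     203.0.113.7
EOF
}

# Numbers of all rules whose text matches the regex in $1, highest first, so
# that deleting them one at a time never shifts a number still to be deleted.
# The listing is read from stdin.
rule_numbers() {
    awk -v pat="$1" '/^\[ *[0-9]+[]]/ && $0 ~ pat {
        n = $0; sub(/^\[ */, "", n); sub(/[]].*/, "", n); print n
    }' | sort -rn
}

# Print the delete commands for every entry of a rule; --force skips the y/n prompt.
delete_commands() {
    for n in $(rule_numbers "$1"); do
        echo "sudo ufw --force delete $n"
    done
}

# Report DENY rules placed below an ALLOW from Anywhere for the same To column.
# ufw applies the first matching rule, so such a deny is dead; fix it with
# "sudo ufw insert 1 deny ..." (or delete it and re-add it at position 1).
shadowed_denies() {
    awk '/^\[ *[0-9]+[]]/ {
        line = $0
        sub(/^\[ */, "", line)
        num = line; sub(/[]].*/, "", num)
        sub(/^[0-9]+[]] */, "", line)
        split(line, f, /  +/)              # columns are separated by 2+ spaces
        to = f[1]; action = f[2]; from = f[3]
        if (action ~ /^ALLOW/ && from ~ /^Anywhere/) allowed_any[to] = num
        if (action ~ /^DENY/ && (to in allowed_any))
            print num ": deny on " to " is shadowed by allow rule " allowed_any[to]
    }'
}

sample_status | delete_commands '80/tcp'   # both the v4 and the v6 entry, 4 before 2
sample_status | shadowed_denies            # rule 5 never matches
```

On a live server replace sample_status with sudo ufw status numbered, and review the printed delete commands before running them; the pattern is matched against the whole rule line, so include the action (for example '80/tcp +ALLOW') when allow and deny entries exist for the same port.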
Disabling UFW
Sometimes you need to disable the firewall while installing a large application; some installers (cPanel on CentOS, for example) ask for the distribution's firewall to be turned off before they run.
To disable the firewall, use the command below.
$ sudo ufw disable
Once you disable UFW, all the rules become inactive, but they are kept and come back when you run sudo ufw enable again.
Reset UFW rules
If you want to wipe all the rules in UFW, the reset option deletes every rule you have added.
Remember that the default policies you changed are not set back to their installation values; the reset only touches the rule set.
To reset the rules:
$ sudo ufw reset
Once you execute the command above, UFW is deactivated and all the rules you defined are deleted (UFW keeps a timestamped backup of the old rule files in /etc/ufw).
After that, you can start defining new rules.
Depending on the purpose of the server, you allow and deny specific types of connections.
Here, we have seen how to allow and deny connections for a server that is accessible to the public.
Now you should have an idea of how to configure the firewall with its basic operations.
If you still have doubts about configuring the firewall, let us know in the comment section and we will help you resolve the issue.