Official Power Up Hosting Blog


Selvakumar
Author

I am an Online Marketer and technology lover. I like to learn new things and share that with people.


How To Set Up a Firewall with UFW on Ubuntu 14.04

Selvakumar

UFW:

If you are familiar with Ubuntu Server, you are probably already familiar with the UFW firewall.

Here, let us look at UFW in detail.

UFW stands for Uncomplicated Firewall. It is a front end for iptables.

Managing iptables directly to set up a firewall properly is hard.

But:

With the help of UFW, you can set up the firewall very easily.

When you think about improving the security of a server, the first action you should take is setting up a proper firewall configuration.

A firewall is software that monitors incoming and outgoing traffic.

It applies a set of rules to allow or block traffic. You can open or close any port.

There is a lot more you can do with a firewall to safeguard your server.

When you configure the firewall correctly, it can block many hacking attempts.

The initial firewall configuration can seem confusing to everyone.

People also often don't know what operations they can perform with the firewall.

In this article, I am going to show you how to perform all the required operations to manage the server's traffic.

You will also come to understand the basic functions of a firewall as you go through the article.

Here in this tutorial you are going to learn:

  • How to Install the UFW firewall on Ubuntu
  • Enabling IPv6 in the firewall
  • Checking UFW status
  • Checking UFW rules
  • Default Policy setup
  • Allowing SSH connections
  • Allowing Many Other connections
  • Allowing HTTP traffic
  • Allowing HTTPS traffic
  • Enabling FTP
  • Enabling only the Specific Port Ranges
  • Allowing specific IP address to access the server
  • Allowing Specific subnets
  • Enabling connection with network interfaces
  • Denying connections for unencrypted traffic
  • Denying connections for Specific Subnets
  • Deleting Specific Rules
  • Disabling the UFW
  • Resetting the UFW Rules

Prerequisites

  • You will need an Ubuntu 14.04 server with a non-root user who has sudo privileges.

  • UFW installed on your server (see the next section if it is not).

Installing the firewall

If your server does not already have UFW, you can install it by executing the following command.

$ sudo apt-get install ufw

The above command installs UFW on the Ubuntu server.

Enabling IPv6 in the firewall

If your Ubuntu machine has an IPv6 address, you have to enable the firewall for IPv6 as well.

Nowadays, systems are commonly given IPv6 addresses, and IPv6 use will only increase in the future.

UFW works with IPv6. To enable it, open the UFW configuration file in the nano editor.

$ sudo nano /etc/default/ufw

Make sure IPV6 is set to yes in the firewall configuration.

/etc/default/ufw excerpt:
...
IPV6=yes
...

Now, save the configuration file and close it. Once you enable the firewall, it will manage IPv6 rules as well as IPv4 ones.

In this article, we are going to look at how to use UFW firewall rules for IPv4.

However, the firewall works for both IP versions in the same way.

Checking the UFW status

You can check the status of UFW on the Ubuntu server at any time. Execute the command below to check the UFW status.

$ sudo ufw status verbose

We have not enabled UFW yet, so it shows the status as inactive, like below.

Output:
Status: inactive

If you have already enabled UFW, it shows the status as active.

It also shows you the rules that are enabled. For instance, if you have allowed SSH connections, it shows that port 22 accepts TCP traffic from anywhere.

Output:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere

You can view the firewall rules at any time by running the status command above.

Before enabling the firewall, you have to check whether SSH connections are allowed.

This check is essential when you are connected to the server remotely: enabling the firewall without an SSH rule will lock you out of your own session.

Don't enable the firewall until you have allowed the port for SSH connections.

Setup the Default policies

When you configure the firewall, the first thing to look at is the policies for handling traffic that does not match any other rule in the firewall.

The default UFW policy denies all incoming traffic and allows all outgoing traffic.

If anyone tries to connect to your server, the connection request will be denied.

But:

At the same time, applications on the server can still make outbound connections, because their outgoing traffic is allowed.

Now, let us set the default policies for UFW by executing the commands below.

$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

You might ask: if I deny all incoming traffic, how can I connect to my Ubuntu server?

Here is the answer. These settings on their own are suitable for a personal computer.

But:

A server that needs to communicate with the outside world requires some additional rules on top of these policies. Let us see those next.

Allowing SSH and HTTP connections

Once you enable UFW, it will not allow incoming traffic to the server. But since we are using this server for hosting our website, we have to allow two types of connections.

  • SSH connections
  • HTTP or HTTPS connections

The SSH connection lets us connect to the server from a remote location to make changes on it.

At the same time, the HTTP or HTTPS connections let visitors reach the website hosted on the server.

To enable the SSH connection, execute the below command.

$ sudo ufw allow ssh

UFW knows what ssh means. The ssh service is defined in /etc/services, which maps service names to port numbers; there it is listed as port 22.

You can also mention the port number directly to make UFW allow incoming traffic on that port. The command for allowing the port is

$ sudo ufw allow 22

Most people use port 22 to connect via SSH.

Some people may have configured SSH to listen on a different port for security reasons.

For instance, if the SSH daemon is configured to listen on port 2568, you have to allow that port to receive SSH connection requests.

The command will be

$ sudo ufw allow 2568

Once you have allowed the SSH port, it is time to enable the UFW firewall.

Enable UFW

Enabling UFW is an easy task. All you have to do is execute the command below.

$ sudo ufw enable

You will get a warning message: "Command may disrupt existing ssh connections".

Since we have already allowed SSH connections through the firewall, we don't need to worry about that.

Enter y and continue. That's all.

Now UFW is running. You can check the UFW status by issuing the command below.

$ sudo ufw status
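As an added example that is not part of the original post, here is a small shell script that performs the "is SSH allowed?" check for you before enabling the firewall. It assumes sshd_config is at /etc/ssh/sshd_config, and it reads the rules from ufw show added rather than ufw status, because ufw status lists no rules while the firewall is still inactive.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to run "ufw enable" unless
# an allow rule for the SSH port has already been added. While ufw is inactive,
# "ufw status" lists no rules, so the check reads "ufw show added", which prints
# the added rules as "ufw allow ..." lines even before the firewall is on.
# Assumptions: sshd_config lives at /etc/ssh/sshd_config and its "Port"
# directive sets the SSH port (22 when absent).

# ssh_port_from_config FILE: print the SSH port from an sshd_config (22 if unset).
ssh_port_from_config() {
    awk 'tolower($1) == "port" { p = $2 } END { print (p == "" ? 22 : p) }' "$1"
}

# ufw_allow_rule_exists PORT: reads "ufw show added" output on stdin and succeeds
# when a rule allows PORT, e.g. "ufw allow 22", "ufw allow 22/tcp", "ufw allow ssh"
# or "ufw allow from 192.168.25.11 to any port 22". Application profiles such as
# "ufw allow OpenSSH" are not recognised by this check.
ufw_allow_rule_exists() {
    port="$1"
    svc=""
    [ "$port" = "22" ] && svc="|ssh"
    grep -Eq "^ufw allow (${port}(/tcp)?${svc}|.* port ${port}(/tcp)?)( |$)"
}

# safe_ufw_enable: enable the firewall only if SSH is already allowed, so the
# default "deny incoming" policy cannot lock you out of a remote session.
safe_ufw_enable() {
    port=$(ssh_port_from_config /etc/ssh/sshd_config)
    if sudo ufw show added | ufw_allow_rule_exists "$port"; then
        sudo ufw enable
    else
        echo "Refusing to enable ufw: no rule allows SSH port $port." >&2
        echo "Add one first: sudo ufw allow $port" >&2
        return 1
    fi
}
```

Run safe_ufw_enable in place of a bare sudo ufw enable; it exits non-zero without touching the firewall when no SSH rule is present.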

Enabling the other connections

Once you have enabled the firewall, it is time to allow other connections to the server.

A web server needs to handle traffic from various types of connections.

For that, it needs to listen on multiple ports.

Here is the list of basic connections that a web server needs to allow.

  • HTTP connections (port 80)
  • HTTPS connections (port 443)
  • FTP connections (port 21)

Other than these, we can do the following:

  • Allow a specific range of ports
  • Allow a specific IP address or range of IP addresses
  • Allow a specific subnet
  • Allow a specific network interface

Here let us see how to allow HTTP connection.

Allow HTTP connection

By default, the server listens on port 80 for HTTP connections.

Here is the command to allow HTTP connections.

$ sudo ufw allow http

Instead, you can directly use the port number in the command.

$ sudo ufw allow 80

Allowing HTTPS (Encrypted connections)

Allowing HTTPS connections is the same as allowing HTTP connections. Here is the command for that.

$ sudo ufw allow https

Alternatively, you can use the port number to allow HTTPS connections.

$ sudo ufw allow 443

For some reason you may want FTP access to the server. You can allow or deny FTP connections using UFW. To allow FTP connections, use the command below.

$ sudo ufw allow ftp

Here also, you can use the port number instead of the service name. The port number for FTP is 21.

$ sudo ufw allow 21/tcp

Allowing Specific Port Ranges

To allow the specific port ranges, you have to mention the range in the command.

Some services use multiple ports, and for those services we have to allow all of them.

For instance, the X11 service uses ports 6000-6007.

To allow the specific range of port numbers, follow the below command format.

$ sudo ufw allow 6000:6007/tcp
$ sudo ufw allow 6000:6007/udp

When you allow a port number directly, you can specify the protocol to be allowed.

If you don't mention a protocol, UFW will allow both TCP and UDP connections on that port.

Allow Specific IP Addresses

Using UFW you can allow a specific IP address to connect to the server.

You can add any IP address using the following command format: the keyword from followed by the IP address.

For instance, here I am adding my home IP address so that the firewall lets it connect to the server (this is not really my home IP address).

$ sudo ufw allow from 192.168.25.11

There is one more option available. You can also limit the IP address to a specific port on the server.

Here, I am going to allow my home IP address to connect only to the server's SSH port (22).

$ sudo ufw allow from 192.168.25.11 to any port 22

Allowing Range of IP address (Subnet)

You can allow a whole subnet of IP addresses. You don't need to create a new rule for each IP address.

Using CIDR notation in the command simplifies the job.

Here is the command for that.

$ sudo ufw allow from 192.168.10.0/24

You can specify a port number in the same command to limit which port those IP addresses can access.

$ sudo ufw allow from 192.168.10.0/24 to any port 22

Enable Connections to a Specific Network Interface

UFW lets you allow a specific port on a specific network interface.

To do this, first you have to find the network interfaces your server is using. To see the available network interfaces, run

$ ip addr

You may get output like this.

ip addr output excerpt:
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
...
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
...

Here you can see two network interfaces, eth0 and eth1. First let us allow the port on eth0.

$ sudo ufw allow in on eth0 to any port 80

Allowing port 80 on eth0 lets public HTTP traffic reach the server.

Let us allow the MySQL port of the server on the eth1 interface.

$ sudo ufw allow in on eth1 to any port 3306

This setup can be used for establishing a MySQL connection between servers.

It is very useful for people who host their website and database separately.

Deny Connections

With the default UFW policy, all incoming connections are denied.

We have seen how to allow connections in the sections above.

Here, let us see how to deny connections from a specific IP address or IP range.

This is essential when your server is being attacked or some suspicious activity is going on.

Here, we will see how to block a specific range of IP addresses and access to a specific port.

You can deny HTTP connections to your server entirely using the command below.

$ sudo ufw deny http

Or, if you want to block a specific IP address, you can use the command below (replace the address with the one you want to block).

$ sudo ufw deny from 192.168.0.1

In general, you can use deny instead of allow in any of the rules above to deny specific connections. Note that UFW evaluates rules in order and the first match wins, so a deny rule added after an allow rule that already matches the same traffic will not take effect; use sudo ufw insert 1 deny from 192.168.0.1 to place it at the top instead.

Delete Rules

Deleting a UFW rule is very simple. There are two methods for deleting rules.

The first method uses the rule number, and the second method deletes the rule by restating it exactly as you created it.

First, let us see the first method.

To delete a rule by its number, you have to find the rule number. To find it, use the command below.

$ sudo ufw status numbered

The output will look like the following

Numbered Output:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    192.168.15.0/24
[ 2] 80                         ALLOW IN    Anywhere

If you want to delete a specific rule, just mention its number as shown in the output.

For instance, I want to delete rule number 2. The command to delete it would be

$ sudo ufw delete 2

Rule number 2 allows HTTP connections to the server. By deleting rule number 2, HTTP connections will be denied again by the default policy.

If you delete rules by number and IPv6 is enabled, remember that the IPv6 version of the rule is listed separately with its own number, so you have to delete it as well. The remaining rules are renumbered after each deletion, so run sudo ufw status numbered again before deleting the next one.
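As an added example that is not part of the original post, the following shell functions find the numbers of every rule matching a pattern in the numbered listing (the IPv6 twin included) and delete them from the highest number down, so the renumbering after each delete does not hit the wrong rule. The rule text, pattern and --force flag are my own choices, not from the post.

```shell
#!/bin/sh
# Added example (not from the original post): delete every numbered rule that
# matches a pattern, including the "(v6)" twin that ufw lists separately when
# IPv6 is enabled. Rules are removed highest number first because ufw renumbers
# the remaining rules after each delete.

# ufw_rule_numbers PATTERN: reads "ufw status numbered" output on stdin and
# prints the numbers of the rules whose "To  Action  From" text matches PATTERN
# (an awk extended regex), highest number first. Lines that do not start with
# "[ N]" (status header, column titles) are ignored.
ufw_rule_numbers() {
    awk -v pat="$1" '
        /^\[ *[0-9]+]/ {
            n = $0; sub(/^\[ */, "", n); sub(/].*/, "", n)       # rule number
            rest = $0; sub(/^\[ *[0-9]+] */, "", rest)            # rule text
            if (rest ~ pat) print n
        }' | sort -rn
}

# ufw_delete_matching PATTERN: delete each matching rule by number. --force
# skips the interactive "Proceed with operation" prompt for every delete.
# Example: ufw_delete_matching '^80 '   removes the IPv4 and IPv6 HTTP rules.
ufw_delete_matching() {
    for n in $(sudo ufw status numbered | ufw_rule_numbers "$1"); do
        sudo ufw --force delete "$n"
    done
}
```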

Deleting by Actual Rule

To delete a rule by restating it, just add delete in front of the rule. Here is an example.

$ sudo ufw delete allow http

You can also delete the rule by mentioning the port number instead of the service name.

$ sudo ufw delete allow 80

If you delete a rule this way, it deletes both the IPv4 and IPv6 rules.

Disabling the UFW

Sometimes you need to disable the firewall while installing large applications. For instance, if you are installing cPanel on CentOS, you have to disable the firewall first and then install.

To disable the firewall, use the command below.

$ sudo ufw disable

Once you disable UFW, all the rules become inactive.

Reset UFW rules

If you want to remove all the rules from UFW, the reset option lets you delete all of them.

Remember that the default policies you have changed will not be set back to their original values.

To reset the rules:

$ sudo ufw reset

Once you execute the above command, UFW is deactivated and all the rules you defined are deleted.

After that, you can start defining new rules from scratch.

Conclusion

Based on the purpose of the server, you have to allow and deny specific types of connections.

Here, we have seen how to allow and deny connections for a server that is accessible to the public.

Now you should have an idea of how to configure the firewall with its basic operations.

If you still have doubts about configuring the firewall, let us know in the comment section and we will help you resolve the issue.
