This manual describes how to set up an iptables firewall on Ubuntu and CentOS, using UFW to manage iptables.
The Uncomplicated Firewall (UFW) is a front end for iptables and is particularly suitable for host-based firewalls. UFW adds a management layer on top of iptables and aims for an interface that is easy to use for people who are not familiar with iptables itself.
- UFW is installed by default on Ubuntu 18.04; if it is missing, install it with
sudo apt-get install ufw
- For CentOS. UFW is not in the CentOS base repositories but is available from third-party repositories such as EPEL. CentOS ships firewalld as its default firewall: stop and disable firewalld before enabling UFW, because both manage the same iptables rules and will overwrite each other.
yum install ufw
This manual is a guide and offers advice on securing your system; no further support is offered.
Be careful not to lock yourself out of your system with these actions, and make sure you still have console access. Better still, test this first on a test system, not in production.
Basic Operational actions
To configure and manage UFW properly there are a number of basic actions that are useful to know beforehand.
- To stop, start or restart your firewall
service ufw stop
service ufw start
service ufw restart
- UFW is inactive after installation. Turn it on once with the command below; this loads the rules and also makes UFW start at boot. This is an IMPORTANT step, because otherwise your firewall is configured but none of the rules are in effect. Once UFW is enabled, rules added with ufw allow or ufw deny take effect immediately; only changes made by editing the files under /etc/ufw need a ufw reload.
sudo ufw enable
By default, the firewall is closed to the outside world for incoming connections and completely open for connections from your system to the outside world. This is the default policy of your firewall: it determines how traffic is handled that no rule in the firewall configuration matches. If there is no RULE for an application's port, the outside world has no access to it on the server.
- Deny network traffic coming in from the outside.
sudo ufw default deny incoming
- Allow network traffic going out from the inside.
sudo ufw default allow outgoing
After this you can set RULES that allow incoming connections for SSH (port 22), HTTP/S (ports 80/443), FTP (port 21) and so on.
It is advisable to first set up access for the management of your system, and to consider whether to restrict it to a limited number of management systems, for example your office network or your home connection. You can also open SSH without restriction so that you have SSH access to your system from anywhere in the world, but this is not recommended.
- To give SSH access from a single IP address (a /32 network consists of exactly 1 IP address)
sudo ufw allow from 184.108.40.206/32 to any port 22
- To give SSH access from a network range, in this case a /24 network of 256 addresses (254 of them usable for hosts)
sudo ufw allow from 220.127.116.11/24 to any port 22
- To give SSH access without any IP restriction (this opens port 22 for both TCP and UDP)
sudo ufw allow 22
It is always wise to look at how you can better secure management access to your system and shield it from the rest of the world. As an extra measure you can change the SSH configuration so that it listens on an alternative port. Note that this mainly keeps automated scans and brute-force attempts on port 22 out of your logs; it is no substitute for the IP restriction above or for key-based authentication.
- Open the SSH daemon configuration for this
- Then search for the parameter that sets the listening port
- Uncomment it and change it to an alternative port above 1024
- Then adjust the firewall to accept the new port (8439 in this example) from your management address
sudo ufw allow from 18.104.22.168/32 to any port 8439
- Keep your current SSH session open, restart SSH, and test a new login on the new port before you close the old session (on CentOS the service is called sshd)
sudo systemctl restart ssh
Once the test login succeeds, delete the old RULES for SSH access on port 22; the section Removing RULES from the Firewall below describes how.
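The script below is an added example and is not part of the original manual. It puts the steps above in the order that cannot lock you out: open the new port in the firewall for the management network, change and verify the sshd configuration, restart sshd, and leave the old port 22 rule in place until a fresh login on the new port has succeeded. The management network 192.0.2.0/24, the port 8439, the Ubuntu path /etc/ssh/sshd_config and the service name ssh are assumptions; change them for your own system. It prints the commands by default and executes them only with --apply.

```shell
#!/bin/sh
# Added example, not part of the original manual: move SSH to a new port in an
# order that cannot lock you out. Dry run by default; executes with --apply.
# Assumed values (change them): MGMT_NET is your management network, NEW_PORT
# the new SSH port; SSHD_CONFIG and the service name "ssh" are Ubuntu defaults
# (CentOS calls the service "sshd").

MGMT_NET="${MGMT_NET:-192.0.2.0/24}"
NEW_PORT="${NEW_PORT:-8439}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
SSH_SERVICE="${SSH_SERVICE:-ssh}"

# valid_port N: true only for an unprivileged port in 1024-65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# valid_cidr A.B.C.D/N: syntax check for an IPv4 network in CIDR notation
valid_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# plan NET PORT: print the steps in safe order. The new port is opened in the
# firewall and the sshd configuration is verified (grep confirms the Port line
# was really rewritten, sshd -t checks the syntax) before sshd is restarted.
# The old port 22 rule is deliberately NOT removed here: delete it by hand only
# after a new login on PORT has succeeded.
plan() {
    net="$1"; port="$2"
    valid_port "$port" || { echo "refusing: '$port' is not a port in 1024-65535" >&2; return 1; }
    valid_cidr "$net"  || { echo "refusing: '$net' is not an IPv4 CIDR" >&2; return 1; }
    cat <<EOF
sudo ufw allow from $net to any port $port proto tcp
sudo sed -i 's/^#*Port .*/Port $port/' $SSHD_CONFIG
grep -q '^Port $port\$' $SSHD_CONFIG
sudo sshd -t
sudo systemctl restart $SSH_SERVICE
EOF
}

case "${1:-}" in
    --apply) plan "$MGMT_NET" "$NEW_PORT" | sh -e ;;
    *)       echo "# dry run; re-run with --apply to execute these commands" >&2
             plan "$MGMT_NET" "$NEW_PORT" ;;
esac
```

Run it once without arguments to read the plan, keep your existing SSH session open, then run it with --apply from that session; only after a second terminal has logged in on the new port should you remove the port 22 rule.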
Allowing other services
For example, allowing HTTP/HTTPS or another service.
- HTTP, HTTPS and FTP. Each service can be opened by name or by port number. The two forms are not identical: a service name is looked up in /etc/services and gives a rule for that protocol only (http becomes 80/tcp, as the status output further down shows), while a bare port number opens the port for both TCP and UDP.
sudo ufw allow http      (or by number: sudo ufw allow 80)
sudo ufw allow https     (or by number: sudo ufw allow 443)
sudo ufw allow ftp       (or by number: sudo ufw allow 21)
- The service names UFW understands are the ones listed in /etc/services.
Allowing specific port ranges
You can also open a whole range of ports at once.
In this example we do this for ports 2000 up to and including 4000. For a range UFW requires you to state whether it applies to TCP or UDP traffic; without /tcp or /udp the command is refused.
- Allowing TCP traffic
sudo ufw allow 2000:4000/tcp
- Allowing UDP traffic
sudo ufw allow 2000:4000/udp
Allowing IP addresses
You can also allow access to your system for IP addresses and IP ranges (subnets). A rule without a port gives the address access to all ports, so use it only for hosts you fully trust.
- To give 1 specific IP full access to all ports
sudo ufw allow from 22.214.171.124
- To give a subnet / IP range access to your system
sudo ufw allow from 126.96.36.199/24
Specifying services on specific network interfaces
You can specify on which network interface a service is allowed, for example SSH only on the interface towards your internal network and HTTP only on your public interface. Use the interface names as shown by your system; eth0 and eth1 below are examples.
- To enable SSH traffic on eth0
sudo ufw allow in on eth0 to any port 22
- To enable HTTP traffic on eth1
sudo ufw allow in on eth1 to any port 80
Refusing connections to your system
You can block traffic from the outside to the inside. ufw deny silently drops the packets; ufw reject also exists and answers the sender with a rejection. This can be useful if you are attacked from a specific host or on a specific service such as HTTP. Note that UFW evaluates rules in order and the first match wins: a deny appended after an existing allow for the same port is never reached by traffic the allow already matches. To block an attacking IP on a port that is open, put the deny rule in front of the allow rules with the insert subcommand (position 1) instead of appending it.
- To close a specific service
sudo ufw deny http
- To block a specific IP
sudo ufw deny from 188.8.131.52
Removing RULES from the Firewall
You can also remove RULES from the firewall again. The example below shows how.
- Display RULES from the Firewall
sudo ufw status numbered
- The output looks like this (each IPv4 rule has an IPv6 counterpart marked (v6))
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 4] 8439 (v6)                  ALLOW IN    Anywhere (v6)
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
- For example, to remove the firewall RULE for port 8439, which is number 4 in the list. The remaining rules are renumbered after every delete, so when removing several rules start with the highest number, or delete by rule text (for example ufw delete allow 8439) instead of by number.
sudo ufw delete 4
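Because the numbers shift after every delete, removing several rules by number is easy to get wrong. The script below is an added example and not part of the original manual: it takes the output of ufw status numbered, here a constructed sample modelled on the table above, finds every rule for a given port (bare, /tcp, /udp, IPv4 or v6) and prints the delete commands highest number first. The sample table and port 22 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original manual: pick the rule numbers to
# delete out of `sudo ufw status numbered`. UFW renumbers the remaining rules
# after every delete, so the numbers are printed highest first; deleting in
# that order keeps the lower numbers valid.

# Constructed sample, modelled on the status table shown in this manual.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 4] 8439 (v6)                  ALLOW IN    Anywhere (v6)
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

# rule_numbers STATUS_TEXT REGEX
# Prints the numbers of the rules whose "To" column matches the extended regex
# REGEX (anchored at the start of the column), highest number first.
rule_numbers() {
    printf '%s\n' "$1" | RE="$2" awk '
        BEGIN { re = "^" ENVIRON["RE"] }
        /^\[ *[0-9]+]/ {
            line = $0
            sub(/^\[ */, "", line)             # strip "[ "
            num = line; sub(/].*/, "", num)    # keep the rule number
            sub(/^[0-9]+] */, "", line)        # strip "n] "
            to = line                          # To column runs up to the Action
            sub(/ +(ALLOW|DENY|REJECT|LIMIT)( IN| OUT| FWD)?.*$/, "", to)
            if (to ~ re) print num
        }' | sort -rn
}

# port_rule_numbers STATUS_TEXT PORT
# Numbers of every rule for PORT: bare, /tcp or /udp, IPv4 or (v6), descending.
port_rule_numbers() {
    rule_numbers "$1" "${2}(/tcp|/udp)?( [(]v6[)])?$"
}

# delete_commands STATUS_TEXT PORT
# The ufw commands that remove those rules; --force skips the y/n prompt that
# `ufw delete NUM` otherwise asks for.
delete_commands() {
    port_rule_numbers "$1" "$2" | while read -r n; do
        printf 'sudo ufw --force delete %s\n' "$n"
    done
}

# Stand-alone run: show what would be removed for port 22 from the sample.
delete_commands "$SAMPLE_STATUS" 22
```

To use it against the live firewall, pass the real output instead of the sample, for example delete_commands "$(sudo ufw status numbered)" 22, read the printed commands, and run them in that order.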
IPv6 support should be enabled by default; check this if your system uses IPv6, because with it disabled UFW installs no ip6tables rules and IPv6 traffic bypasses the firewall entirely.
- First open the default UFW configuration
- Look up the IPV6 setting
- Set it to enabled, then disable and re-enable UFW so the IPv6 rules are loaded