
Howto configure Iptables with UFW

This manual describes how to set up an Iptables firewall under Ubuntu and CentOS, using UFW to manage Iptables.

The Uncomplicated Firewall (UFW) is a frontend for Iptables and is particularly suitable for host-based firewalls. UFW adds a management layer on top of Iptables and aims at an easy-to-use interface for people who are not familiar with Iptables itself.

Prerequisites

  • UFW is installed by default on Ubuntu 18.04; if it is missing, install it with
sudo apt-get install ufw
  • On CentOS, install it with
yum install ufw

This manual serves as a guide and advice on how to secure your system, but no further support is offered.

Be careful not to lose access to your system with these actions: keep console access available, or try this first on a test system rather than in production.

Basic Operational actions

In order to configure and manage UFW properly, there are a number of basic actions that are useful to know beforehand.

  • To Stop / Start or Restart your Firewall
service ufw stop
service ufw start
service ufw restart

  • If you make a change to the configuration of your firewall, you must activate this change. This is an IMPORTANT step, because otherwise your firewall is configured but the adjustment is not in effect.
sudo ufw enable

Basic settings

By default, a firewall is closed to the outside world for incoming connections and completely open for connections from your system to the outside world. This is the default policy of your firewall: it determines how traffic that we have not specified in the firewall configuration is handled. If an application is not covered by a RULE in the firewall, it does not get access to the server.

  • Deny network traffic from the outside inwards.
sudo ufw default deny incoming
  • Allow network traffic from the inside out.
sudo ufw default allow outgoing

After this you can set RULES that allow incoming connections for SSH (port 22), HTTP/HTTPS (port 80/443), FTP (port 21), etc.

Allowing SSH

It is advisable to first set up access for the management of your system, and to consider whether you want to limit it to a number of management systems, for example from your office environment or home connection. You can also open SSH without restriction so that you have SSH access to your system from anywhere in the world, but this is not recommended.

  • To give SSH access from a single IP address (a /32 network consists of 1 IP address)
sudo ufw allow from 1.2.3.4/32 to any port 22
  • To give SSH access from a network range, in this case a /24 network consisting of 254 IP addresses
sudo ufw allow from 1.2.3.4/24 to any port 22
  • To give SSH access without further IP restriction
sudo ufw allow 22

It is always wise to look at how you can better secure access to the management of your system and shield it from the rest of the world. As extra security you can adjust the SSH configuration so that it listens on an alternative port. This increases the security of your system.

  • Open the SSH configuration for this
nano /etc/ssh/sshd_config
  • Then search for the following parameter
#Port 22
  • Uncomment this and change it to an alternative port above 1024
Port 8439
  • Then adjust the firewall to accept port 8439
sudo ufw allow from 1.2.3.4/32 to any port 8439
  • Restart SSH and then log in again with the new SSH port
systemctl restart ssh
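The default policy and the SSH steps above, combined into one script as an added example that is not part of the original article. It validates every management address before a rule is emitted (a typo such as 1.2.3.4/240 must never become a rule), and applies the steps in lock-out-safe order: the new port is opened in the firewall before sshd is moved to it, and the old port 22 rule is left in place until a session on the new port has been confirmed. UFW_CMD, SERVICE_CMD and SSHD_CONFIG are names chosen for this example; set the first two to echo for a dry run.

```sh
#!/bin/sh
# Added example, not from the original article: baseline policy plus
# management-only SSH on an alternative port, as one reviewable script.
# UFW_CMD / SERVICE_CMD / SSHD_CONFIG are assumptions of this example:
# set UFW_CMD=echo SERVICE_CMD=echo to print the commands instead of
# running them, and point SSHD_CONFIG at a copy of sshd_config.
UFW_CMD="${UFW_CMD:-sudo ufw}"
SERVICE_CMD="${SERVICE_CMD:-sudo systemctl}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Return 0 only if $1 is a dotted-quad IPv4 address with an optional /0..32.
valid_cidr4() {
    case "$1" in
        ""|*[!0-9./]*) return 1 ;;
        */*) ip="${1%%/*}"; prefix="${1#*/}" ;;
        *)   ip="$1";       prefix=32 ;;
    esac
    case "$prefix" in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] || return 1
    case "$ip" in
        .*|*.|*..*) return 1 ;;
    esac
    n=0
    oldifs="$IFS"; IFS=.
    for octet in $ip; do
        if [ -z "$octet" ] || [ "${#octet}" -gt 3 ] || [ "$octet" -gt 255 ]; then
            IFS="$oldifs"; return 1
        fi
        n=$((n + 1))
    done
    IFS="$oldifs"
    [ "$n" -eq 4 ]
}

# Default policy from the "Basic settings" section.
set_default_policy() {
    $UFW_CMD default deny incoming &&
    $UFW_CMD default allow outgoing
}

# Allow TCP to port $1 from each management network in $2..., and emit
# nothing at all if any of the addresses is malformed.
allow_ssh_from() {
    port="$1"; shift
    [ "$#" -ge 1 ] || { echo "allow_ssh_from: no management network given" >&2; return 1; }
    for cidr in "$@"; do
        valid_cidr4 "$cidr" || { echo "allow_ssh_from: malformed address '$cidr'" >&2; return 1; }
    done
    for cidr in "$@"; do
        $UFW_CMD allow from "$cidr" to any port "$port" proto tcp
    done
}

# Replace the "#Port 22" (or an active "Port n") line with the new port and
# fail if no such line exists, so nothing downstream assumes the change.
set_sshd_port() {
    sed -i "s/^#\{0,1\}Port [0-9]\{1,5\}[[:space:]]*$/Port $1/" "$SSHD_CONFIG" &&
    grep -q "^Port $1$" "$SSHD_CONFIG"
}

# Whole procedure: firewall first, sshd second, so the new port is reachable
# before the daemon moves; the old port 22 rule stays for the operator to
# delete once a login on the new port has been confirmed.
harden_ssh() {
    new_port="$1"; shift
    set_default_policy &&
    allow_ssh_from "$new_port" "$@" &&
    set_sshd_port "$new_port" &&
    $UFW_CMD enable &&
    $SERVICE_CMD restart ssh
}

# Usage: UFW_CMD=echo SERVICE_CMD=echo SSHD_CONFIG=./sshd_config.copy \
#        sh harden-ssh.sh 8439 1.2.3.4/32 10.0.0.0/8
if [ "$#" -ge 2 ]; then
    harden_ssh "$@"
fi
```

Review the dry-run output before letting the script touch the live system; ufw itself also has a global --dry-run option that shows the Iptables changes a single command would make without applying them.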

If necessary, delete the old RULES that were created for SSH access on the old port 22. The section "Removing RULES from the Firewall" below describes how to do this.

Allowing other services

For example, allowing HTTP / HTTPS or another service.

  • HTTP and HTTPS
sudo ufw allow http     /   sudo ufw allow 80
sudo ufw allow https    /   sudo ufw allow 443
  • FTP
sudo ufw allow ftp      /   sudo ufw allow 21
  • An overview of other ports and services

https://nl.wikipedia.org/wiki/TCP-_en_UDP-poorten

Allowing specific port ranges

You can also set a specific port range.

In this example we do this for the port range 2000 up to and including 4000, and we can also specify whether it should only be allowed for TCP traffic or for UDP traffic.

  • Allowing TCP traffic
sudo ufw allow 2000:4000/tcp
  • Allowing UDP traffic
sudo ufw allow 2000:4000/udp

Allowing IP addresses

You can also specify IP addresses and IP ranges (subnets) for access to your system.

  • To give 1 specific IP full access
sudo ufw allow from 1.2.3.4
  • To give a subnet / IP range access to your system
sudo ufw allow from 1.2.3.4/24

Specifying services on specific network interfaces

You can specify on which interface which service may be allowed. For example, SSH traffic only on the network interface to your internal network and HTTP traffic only on your public network interface.

  • To enable SSH traffic on eth0
sudo ufw allow in on eth0 to any port 22
  • To enable HTTP traffic on eth1
sudo ufw allow in on eth1 to any port 80

Refusing connections to your system

You can reject traffic from the outside to the inside and drop traffic. This can be useful if you are attacked by a specific host or on a specific service such as HTTP.

  • To close a specific service
sudo ufw deny http
  • To block a specific IP
sudo ufw deny from 1.2.3.4
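Rule order matters here: ufw appends a new rule at the end of the list and evaluates the list in numbered order, so a deny for a host added after an existing allow for the service never gets a chance to match that service. The following added example (not from the original article) is a small first-match evaluator over constructed rule lines, using the documentation-range address 203.0.113.5 as the blocked host, and shows the verdict for both orderings; the inserted form corresponds to "sudo ufw insert 1 deny from 203.0.113.5".

```sh
#!/bin/sh
# Added example, not from the original article: first-match evaluation of a
# rule list, to show why an appended deny does not block a host that an
# earlier allow already admits. Rule lines and 203.0.113.5 are constructed.

# Dotted quad -> 32-bit integer.
ip4_to_int() {
    oldifs="$IFS"; IFS=.
    set -- $1
    IFS="$oldifs"
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 lies in $2: an IPv4 CIDR, a bare address, or "any".
in_cidr4() {
    [ "$2" = any ] && return 0
    case "$2" in
        */*) net="${2%%/*}"; bits="${2#*/}" ;;
        *)   net="$2";       bits=32 ;;
    esac
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# Rules are "action source port" lines in the order "ufw status numbered"
# lists them. As in ufw's user chain, the first matching rule decides; with
# no match the default policy (deny incoming) applies.
evaluate() {
    rules="$1"; src="$2"; dport="$3"
    verdict=$(printf '%s\n' "$rules" | while read -r action source port; do
        [ -n "$action" ] || continue
        if { [ "$port" = any ] || [ "$port" = "$dport" ]; } && in_cidr4 "$src" "$source"; then
            echo "$action"
            break
        fi
    done)
    echo "${verdict:-default-deny}"
}

# "sudo ufw allow http" followed later by "sudo ufw deny from 203.0.113.5":
# the deny lands after the allow, so port 80 from that host matches rule 1.
APPENDED_RULES="allow any 80
deny 203.0.113.5 any"

# "sudo ufw insert 1 deny from 203.0.113.5": the deny is evaluated first.
INSERTED_RULES="deny 203.0.113.5 any
allow any 80"

verdict_appended() { evaluate "$APPENDED_RULES" 203.0.113.5 80; }   # allow
verdict_inserted() { evaluate "$INSERTED_RULES" 203.0.113.5 80; }   # deny

echo "appended deny: $(verdict_appended)   inserted deny: $(verdict_inserted)"
```

On the live firewall, place a blocking rule ahead of existing allows with "sudo ufw insert 1 deny from 203.0.113.5" (replace the address with the host you are blocking), and confirm the resulting order with "sudo ufw status numbered".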

Removing RULES from the Firewall

You can also remove RULES from the Firewall again. The example below shows how you can do this.

  • Display the RULES of the Firewall
sudo ufw status numbered
  • The output looks like this
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 4] 8439 (v6)                  ALLOW IN    Anywhere (v6)
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
  • For example, to remove the Firewall RULE for port 8439
sudo ufw delete 4
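An added helper, not part of the original article, that reads the numbered listing above and derives the delete commands for one port. It emits them highest number first, because ufw renumbers the remaining rules after every delete: removing rule 1 first would turn the old rule 3 into rule 2, and a second "delete 3" would then hit the wrong rule. The listing is embedded as sample input copied from the output above; UFW_CMD is a name chosen for this example.

```sh
#!/bin/sh
# Added example, not from the original article: map a port to its rule
# numbers in "ufw status numbered" output and produce the delete commands in
# descending order. UFW_CMD is an assumption of this example.
UFW_CMD="${UFW_CMD:-sudo ufw}"

# Sample listing (copy of the output shown above) so the example runs offline.
STATUS_SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 4] 8439 (v6)                  ALLOW IN    Anywhere (v6)
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Print the numbers of all rules whose "To" column is port $2, with or
# without a /tcp or /udp suffix and with or without the "(v6)" marker.
rule_numbers_for_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^\[ *[0-9]+]/ {
            num = $0; sub(/^\[ */, "", num); sub(/].*/, "", num)
            rest = $0; sub(/^\[ *[0-9]+] */, "", rest)
            to = rest; sub(/ .*/, "", to)        # first word of the To column
            sub(/\/(tcp|udp)$/, "", to)          # 22/tcp -> 22
            if (to == port) print num
        }'
}

# Delete commands, highest rule number first, ready to review before running.
delete_commands_for_port() {
    rule_numbers_for_port "$1" "$2" | sort -rn | while read -r num; do
        echo "$UFW_CMD delete $num"
    done
}

# Against the live firewall:
#   delete_commands_for_port "$(sudo ufw status numbered)" 22
echo "rules for port 22: $(rule_numbers_for_port "$STATUS_SAMPLE" 22 | tr '\n' ' ')"
delete_commands_for_port "$STATUS_SAMPLE" 8439
```

Review the printed commands before running them; ufw asks for confirmation on each delete unless it is invoked with its --force option, and a fresh "sudo ufw status numbered" after the deletes is the check that the intended rules, and only those, are gone.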

IPV6

By default the option for IPV6 should be on; it is wise to check this if you want to use IPV6.

  • First open the default UFW configuration
nano /etc/default/ufw
  • Enable IPV6 by looking up the configuration setting below
IPV6=no
  • Change this to
IPV6=yes