Setting up a firewall in Ubuntu


By far the most popular and easiest-to-set-up firewall for Ubuntu is UFW, which stands for the ‘Uncomplicated FireWall’. In this tutorial I’ll provide some examples of setups with UFW. I tested the following lines on a fresh Ubuntu 16.04 installation, but this should all work the same with just about any Ubuntu version of the last few years.

Installation

Installation of UFW is fairly simple with apt-get and a few commands. All commands should be prepended with sudo, or run by a user account with root privileges.

apt-get install ufw

This will get the package from the internet and install it. Next we check that it really hasn’t been configured yet by running ufw status.

ufw status
Status: inactive

As you see the status is inactive. Before we continue I’ll mention that it’s handy to have physical access (or console access with a VM or VPS), so we don’t get locked out when we do finally make it active. The actual instruction to activate your rules is located at the end of this post. On to the default configuration.

ufw default deny incoming
ufw default allow outgoing

This takes care of the default setup, which allows outgoing connections but denies unsolicited incoming ones (UFW is stateful, so replies to connections your machine opened still get back in). To run an SSH server you’d have to open up that port.

ufw allow ssh

This is a shorthand form for ‘ufw allow 22/tcp’ (the service name is resolved via /etc/services), which lets you quickly open things up without having to look up the appropriate ports again.

Say you check your /var/log/auth.log and see a lot of attempts to break in by somebody with IP (fictitious) 200.1.1.0, you could block ALL that IP’s traffic to your server with:

ufw deny from 200.1.1.0

or, to block only incoming SSH traffic from that address (the simple ‘ufw deny ssh’ form does not accept a source, so the full syntax is needed here):

ufw deny proto tcp from 200.1.1.0 to any port 22

If at a later point you’d like to delete a rule, type exactly the same line with ‘delete’ inserted right after ufw, like so:

ufw delete deny proto tcp from 200.1.1.0 to any port 22

As a last tip, opening up a port range is also possible (for your passive FTP ports or the like).

ufw allow 30000:31000/tcp

To actually activate your rules, you’ll have to enable the firewall with

ufw enable
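Putting the steps above together, here is an added example (not code from the original post) in the form of a small POSIX shell script: it lists the tutorial’s commands as a plan and refuses to run ufw enable unless that plan contains an SSH allow rule, which is the lock-out check you want before activating a firewall on a remote box. The BLOCKED_IP and FTP_RANGE variables and the function names are my own; the address 200.1.1.0 is the tutorial’s fictitious one.

```shell
#!/bin/sh
# Added example: build the UFW baseline from the tutorial as a list of
# commands, check it for an SSH allow rule, then apply it and enable.
# BLOCKED_IP and FTP_RANGE are hypothetical variables introduced here;
# their defaults are the tutorial's sample values.
BLOCKED_IP="${BLOCKED_IP:-200.1.1.0}"
FTP_RANGE="${FTP_RANGE:-30000:31000}"

# Print one ufw command per line (without sudo). Nothing is executed here.
ufw_plan() {
    printf '%s\n' \
        "ufw default deny incoming" \
        "ufw default allow outgoing" \
        "ufw allow ssh" \
        "ufw deny proto tcp from $BLOCKED_IP to any port 22" \
        "ufw allow $FTP_RANGE/tcp"
}

# Return 0 if the plan opens SSH ('ssh', '22' or '22/tcp'), else 1.
# Enabling a default-deny firewall without such a rule locks you out
# of a remote machine.
plan_allows_ssh() {
    ufw_plan | grep -Eq '^ufw allow (ssh|22(/tcp)?)$'
}

# Run every planned command with sudo, then enable the firewall.
# Aborts before touching anything if ufw is missing or SSH is not allowed.
# 'ufw --force enable' skips the interactive "may disrupt ssh" prompt.
ufw_apply() {
    command -v ufw >/dev/null 2>&1 || { echo "ufw is not installed" >&2; return 2; }
    plan_allows_ssh || { echo "refusing to enable: no SSH allow rule" >&2; return 1; }
    ufw_plan | while IFS= read -r cmd; do
        # shellcheck disable=SC2086  # word splitting is intended here
        sudo $cmd || exit 1
    done || return 1
    sudo ufw --force enable
}

if [ "${1:-}" = "apply" ]; then
    ufw_apply
fi
```

Run it as `sh ufw-baseline.sh apply` on the target machine; without the argument it only defines the functions, so you can source it and inspect `ufw_plan` first.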

There’s loads of other things possible, but I wanted to keep this nice and short.

Note: Most manuals I’ve read on UFW mention to check if you’re using IPv6, and to make sure it’s enabled in the firewall startup config at /etc/default/ufw. Change the line with ‘IPV6=no’ to ‘IPV6=yes’.