By far the most popular and easiest firewall to set up on Ubuntu is UFW, which stands for the ‘Uncomplicated FireWall’. In this tutorial I’ll provide some example setups with UFW. I tested the following lines on a fresh Ubuntu 16.04 installation, but this should all work the same with just about any Ubuntu version of the last few years.
Installation of UFW is fairly simple with apt-get and a few commands. All commands should be prepended with sudo, or run by a user account with root privileges.
apt-get install ufw
This will get the package from the internet and install it. Next we check that it really wasn’t configured yet by running ufw status.
ufw status
Status: inactive
As you see the status is inactive. Before we continue I’ll mention that it’s handy to have physical access (or console access with a VM or VPS), so we don’t get locked out when we do finally make it active. The actual instruction to activate your rules is located at the end of this post. On to the default configuration.
ufw default deny incoming
ufw default allow outgoing
This takes care of the default setup, which allows outgoing connections but denies new incoming ones. To set up an SSH server you’d have to open up that port.
ufw allow ssh
This is a shorthand form for ‘ufw allow 22/tcp’, but it allows for quickly opening things up without having to look up the appropriate ports again.
Say you check your /var/log/auth.log and see a lot of attempts to break in by somebody with IP (fictitious) 22.214.171.124, you could block ALL that IP’s traffic to your server with:
ufw deny from 22.214.171.124
or, to block just incoming SSH traffic from it:
ufw deny proto tcp from 22.214.171.124 to any port 22
If at a later point you’d like to delete a rule, you can type exactly the same line with delete just after ufw, like so:
ufw delete deny proto tcp from 22.214.171.124 to any port 22
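An added example (not from the original post) of the auth.log check described above: it counts failed SSH password attempts per source address in constructed sample log lines and prints a deny command for each address at or above a threshold. It prints ‘ufw insert 1 deny from ...’ because ufw stops at the first rule that matches, so a deny added after ‘ufw allow ssh’ would not stop SSH from that address. The function names, sample lines and threshold are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. It never changes the firewall;
# it only prints commands for you to review.

# Constructed sample in sshd's auth.log format (documentation address ranges).
# The 4th line has a client-chosen username that itself contains "from <ip>".
sample_auth_log() {
cat <<'EOF'
Mar  3 10:01:12 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 10:01:15 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 10:01:19 web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar  3 10:02:02 web1 sshd[2110]: Failed password for invalid user from 198.51.100.9 from 203.0.113.7 port 40141 ssh2
Mar  3 10:03:40 web1 sshd[2120]: Accepted password for alice from 192.0.2.10 port 51514 ssh2
Mar  3 10:05:11 web1 sshd[2131]: Failed password for alice from 192.0.2.10 port 51620 ssh2
Mar  3 10:06:00 web1 sshd[2140]: Failed password for bob from 2001:db8::5 port 40200 ssh2
EOF
}

# Read auth.log text on stdin; print "COUNT IP" for each IPv4 source with at
# least $1 failed password attempts. The address is taken from the END of the
# line ("from IP port N ssh2") because the username is chosen by the client
# and must not be trusted as a field delimiter. IPv4 only in this example.
failed_ssh_sources() {
  awk -v min="$1" '
    / sshd\[[0-9]+\]: Failed password for / &&
    $(NF-4) == "from" && $(NF-2) == "port" &&
    $(NF-3) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$(NF-3)]++ }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# Turn that list into ufw commands. "insert 1" places the deny ahead of the
# earlier "allow ssh" rule, since ufw stops at the first matching rule.
block_commands() {
  failed_ssh_sources "$1" | while read -r count ip; do
    printf 'ufw insert 1 deny from %s\n' "$ip"
  done
}

# Demo on the constructed sample with a threshold of 3 failures.
sample_auth_log | block_commands 3
```

On a real host, feed it the log instead of the sample, for instance ‘block_commands 5 < /var/log/auth.log’ from a script that defines these functions.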
As a last piece of advice, opening up a port range is also possible (for your passive FTP ports or such).
ufw allow 30000:31000/tcp
To actually activate your rules, you’ll have to enable the firewall with
There are loads of other things possible, but I wanted to keep this nice and short.
Note: Most manuals I’ve read on UFW say to check whether you’re using IPv6, and if so to make sure it’s enabled in the firewall startup config at /etc/default/ufw. Change the line with ‘IPV6=no’ to ‘IPV6=yes’.