Nowadays a firewall is an essential security component of any system. By default, Ubuntu ships with a firewall configuration tool named UFW (Uncomplicated Firewall). UFW is a user-friendly front end for managing iptables firewall rules; as the name suggests, it gives you a much simpler way to manage iptables.
This post describes how to filter incoming and outgoing network traffic with the UFW firewall in Ubuntu 20.04 LTS.
1. Install UFW Firewall Utility
UFW is part of the standard Ubuntu 20.04 installation and should be present on your system. If for some reason it is not installed, you can install the package by typing:
sudo apt update
sudo apt install ufw
2. Check UFW Firewall Status
UFW is disabled by default. You can check the status of the UFW service with the following command:
sudo ufw status verbose
Example output:
Status: inactive
3. UFW Default Policies
By default, UFW allows all outbound connections and blocks all incoming connections. This means your system can reach any other system, but other systems cannot reach yours unless you open the corresponding port.
The default policies are defined in the file /etc/default/ufw, and you can change them with the ufw default command. For example, the following two commands set (or restore) the defaults described above:
sudo ufw default deny incoming
sudo ufw default allow outgoing
4. Application Profiles
An application profile is a text file in INI format that describes the service and contains firewall rules for the service. Application profiles are created in the /etc/ufw/applications.d directory during the installation of the package.
You can check all available application profiles in your system by using the following command:
sudo ufw app list
The above command lists all application profiles on your system, similar to the output below:
Available applications:
Apache
Apache Full
Apache Secure
OpenSSH
If you want to check more information about a specific application profile and rules, use the following command:
sudo ufw app info 'Apache Full'
Output:
Profile: Apache Full
Title: Web Server (HTTP,HTTPS)
Description: Apache v2 is the next generation of the omnipresent Apache web server.
Ports:
80,443/tcp
As the above output shows, the 'Apache Full' profile opens ports 80 and 443 on your system.
5. Enabling UFW
If you’re connecting to your Ubuntu from a remote location, before enabling the UFW firewall, you must explicitly allow incoming SSH connections. Otherwise, you will no longer be able to connect to the machine.
To configure your UFW firewall to allow incoming SSH connections, type the following command:
sudo ufw allow ssh
If SSH is running on a non-standard port, you need to open that port.
For example, if your ssh daemon listens on port 4488, enter the following command to allow connections on that port:
sudo ufw allow 4488/tcp
Now that the firewall is configured to allow incoming SSH connections, you can enable it by typing:
sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
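The risk in this step is adding the SSH rule for the wrong port. The following added example (not code from the original post) reads the Port directive(s) from sshd_config, falls back to 22 when none is set, and prints the allow and enable commands for review; the sshd_config text is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: detect which port(s) sshd
# listens on before enabling UFW, so the allow rule matches the real SSH
# port and the remote session is not cut off. The sshd_config text is
# constructed for the demo; by default the real file is read instead.

SAMPLE_SSHD_CONFIG='# constructed sshd_config sample
#Port 22
Port 4488
PermitRootLogin no'

# Print the ports sshd listens on, read from sshd_config text in $1
# (or /etc/ssh/sshd_config when $1 is empty). Commented-out lines are
# ignored; sshd defaults to 22 when no Port directive is present.
sshd_ports() {
  cfg=${1:-$(cat /etc/ssh/sshd_config)}
  printf '%s\n' "$cfg" |
    awk 'tolower($1) == "port" { ports = ports " " $2 }
         END { if (ports == "") ports = " 22"; print substr(ports, 2) }'
}

# Print the UFW commands that open every detected SSH port and then
# enable the firewall (--force skips the interactive prompt).
# Review the output, then pipe it to sh to apply it.
ssh_safe_enable_cmds() {
  for p in $(sshd_ports "$1"); do
    echo "sudo ufw allow ${p}/tcp"
  done
  echo "sudo ufw --force enable"
}

ssh_safe_enable_cmds "$SAMPLE_SSHD_CONFIG"
```

Run ssh_safe_enable_cmds with no argument to use the live /etc/ssh/sshd_config, and pipe the printed commands to sh once you have checked them.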
6. Allow connections on other ports
Depending on the applications that run on the system, you may also need to open other ports. The general syntax to open a port is as follows:
ufw allow port_number/protocol
Open HTTP port – 80
You can allow HTTP connection by using the following commands:
sudo ufw allow http
You can also use port 80 to allow HTTP connection, as shown below:
sudo ufw allow 80/tcp
Or you can use an application profile to open the HTTP port; in this case the matching profile from the list above is 'Apache' (HTTP only):
sudo ufw allow 'Apache'
Open HTTPS port – 443
You can allow HTTPS connection by using the following commands:
sudo ufw allow https
You can also use port 443 to allow HTTPS connection, as shown below:
sudo ufw allow 443/tcp
Or you can use an application profile to open the HTTPS port; in this case the matching profile from the list above is 'Apache Secure' (HTTPS only):
sudo ufw allow 'Apache Secure'
Allow Port Ranges
UFW also allows you to open port ranges. The start and the end ports are separated by a colon (:), and you must specify the protocol, either tcp or udp.
For example, if you want to allow ports from 4000 to 5000 on both tcp and udp, you would run the following commands:
sudo ufw allow 4000:5000/tcp
sudo ufw allow 4000:5000/udp
Allow Specific IP address on UFW
You can allow a specific IP address to reach your server on all ports, for example to let your home machine connect to the server on any port. The following command whitelists that IP for all ports:
sudo ufw allow from 10.10.10.10
Where 10.10.10.10 is the IP that is allowed for all ports.
Allow Specific IP Address on Specific Port
If you want to allow the given IP address access only to a specific port, use the to any port keywords followed by the port number. For example, to allow access on port 22 from a machine with the IP address 10.10.10.10, enter:
sudo ufw allow from 10.10.10.10 to any port 22
Allow Subnets
You can allow a subnet of IP addresses instead of a single IP by using CIDR notation. For example, to let all hosts on the local network connect to a database server, the following command allows the IP range 192.168.0.1 to 192.168.0.254 to reach port 3306 (MySQL):
sudo ufw allow from 192.168.0.1/24 to any port 3306
Allow connections to a Specific Network Interface
To allow connections on a particular network interface, use the in on keyword followed by the name of the network interface:
sudo ufw allow in on eth2 to any port 3306
Deny Connections
The default policy for all incoming connections is set to deny, and if you haven’t changed it, UFW will block all incoming connections unless you specifically open the connection.
Writing deny rules is the same as writing allow rules; you only need to use the deny keyword instead of allow. Keep in mind that UFW evaluates rules in order and the first match wins, so a deny rule added after a broader allow rule for the same source has no effect; use ufw insert 1 deny ... to place it ahead of existing rules.
You can also deny a specific IP address access to a specific port. For example, to block all access from IP 11.11.11.11, use the following command:
sudo ufw deny from 11.11.11.11
If you want to block http and https service for IP address 10.10.10.10, use the below command:
sudo ufw deny from 10.10.10.10 to any port 80
sudo ufw deny from 10.10.10.10 to any port 443
Deleting UFW Rules
There are two ways to delete UFW rules: by rule number, and by specifying the actual rule.
Deleting rules by rule number is easier, especially when you are new to UFW. To delete a rule by a rule number first, you need to find the number of the rule you want to delete. To get a list of numbered rules, use the ufw status numbered command:
sudo ufw status numbered
Example output:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] Anywhere                   ALLOW IN    10.10.10.10
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
To delete rule number 3, the one that allows connections to port 443, you would enter:
sudo ufw delete 3
The second method is to delete a rule by specifying the actual rule. For example, if you added a rule to open port 8069 you can delete it with:
sudo ufw delete allow 8069
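Deleting by number has two traps: a port usually has an IPv4 and an IPv6 entry (rules 3 and 7 above for 443/tcp), and deleting one rule renumbers everything after it. The following added example (not code from the original post) parses ufw status numbered output for a port spec and prints the delete commands highest number first; the status text is constructed from the listing above.

```shell
#!/bin/sh
# Added example, not from the original post: list every rule number that
# matches a port spec in `ufw status numbered` output. A port usually has
# two entries (IPv4 and IPv6), and deleting one rule renumbers the rest,
# so the numbers are returned highest first. The status text below is
# constructed; by default the live ufw output is used instead.

SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] Anywhere                   ALLOW IN    10.10.10.10
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# Print, highest first on one line, the numbers of rules whose "To"
# column is exactly $1 (e.g. 443/tcp); $2 is status text for testing.
rule_numbers_for() {
  spec=$1
  status=${2:-$(sudo ufw status numbered)}
  printf '%s\n' "$status" |
    awk -v spec="$spec" '
      /^\[ *[0-9]+\]/ {
        n = $0;  sub(/^\[ */, "", n);  sub(/].*/, "", n)
        to = $0; sub(/^\[ *[0-9]+\] */, "", to); sub(/ .*/, "", to)
        if (to == spec) print n
      }' |
    sort -rn | tr '\n' ' ' | sed 's/ $//'
}

# Print the delete commands for every rule matching $1, highest number
# first so each number is still valid when its turn comes. Review the
# output, then pipe it to sh; --force skips the per-rule confirmation.
delete_cmds_for() {
  for n in $(rule_numbers_for "$1" "$2"); do
    echo "sudo ufw --force delete $n"
  done
}

delete_cmds_for 443/tcp "$SAMPLE_STATUS"
```

Deleting by rule specification (sudo ufw delete allow 443/tcp) removes both the IPv4 and IPv6 entries in one step and avoids the renumbering problem entirely.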
7. Disabling UFW
To disable the firewall and stop all filtering (the rules are kept but no longer applied), type:
sudo ufw disable
When you want to apply all of your UFW rules again, enable UFW as shown below:
sudo ufw enable
8. Resetting UFW
Resetting UFW will disable UFW, and delete all active rules. This is helpful if you want to revert all of your changes and start fresh.
To reset UFW, type in the following command:
sudo ufw reset
You have now learned how to install the UFW firewall utility on your Ubuntu 20.04 server and how to configure the various kinds of incoming rules on your UFW firewall. If you have any questions or feedback, feel free to comment below.