Ubuntu UFW Firewall Guide
Introduction
UFW (Uncomplicated Firewall) is a user-friendly interface for managing iptables firewall rules on Ubuntu systems. It simplifies the process of configuring firewall settings, making it accessible for beginners and efficient for advanced users. This guide covers essential UFW commands, practical examples, and tips for securing your Ubuntu server.
What is UFW?
UFW is a front-end for iptables, designed to make firewall configuration straightforward. It allows you to manage inbound and outbound network traffic by defining rules based on ports, protocols, and IP addresses.
Prerequisites
- Ubuntu system with UFW installed (
ufwis included by default in Ubuntu). - Root or sudo privileges.
- Basic understanding of network protocols (TCP/UDP) and ports.
Verify UFW installation:
ufw version
If not installed, install it:
sudo apt update
sudo apt install ufw
Basic UFW Commands
Enabling and Disabling UFW
# Enable UFW (warning: this may block all traffic unless rules are set)
sudo ufw enable
# Disable UFW
sudo ufw disable
# Check UFW status
sudo ufw status
Setting Default Policies
Set default policies to define how to handle unspecified traffic:
# Deny all incoming traffic by default
sudo ufw default deny incoming
# Allow all outgoing traffic by default
sudo ufw default allow outgoing
Managing Rules
# Allow a specific port (e.g., SSH on port 22)
sudo ufw allow 22
# Allow a specific protocol and port (e.g., HTTP on TCP port 80)
sudo ufw allow 80/tcp
# Deny a specific port
sudo ufw deny 23
# Delete a rule
sudo ufw delete allow 80/tcp
# Reset UFW to default (removes all rules)
sudo ufw reset
Common Examples
Example 1: Securing a Web Server
Allow HTTP (port 80), HTTPS (port 443), and SSH (port 22) for a web server:
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
- Explanation:
22/tcp: Allows SSH for remote access.80/tcp: Allows HTTP for web traffic.443/tcp: Allows HTTPS for secure web traffic.
- Verification: Run
sudo ufw statusto confirm the rules.
Example 2: Restricting SSH to a Specific IP
Allow SSH only from a specific IP address (e.g., 192.168.1.100):
sudo ufw allow from 192.168.1.100 to any port 22
sudo ufw enable
- Explanation:
from 192.168.1.100: Restricts SSH access to this IP.to any port 22: Applies the rule to port 22 on the server.
- Usage: Only the specified IP can connect via SSH.
Example 3: Allowing a Range of Ports
Allow a range of ports (e.g., for a custom application on ports 3000–3010):
sudo ufw allow 3000:3010/tcp
sudo ufw enable
- Explanation:
3000:3010/tcp: Allows TCP traffic on ports 3000 to 3010.
- Usage: Useful for applications like Node.js or custom services.
Example 4: Allowing a Service by Name
UFW supports service names defined in /etc/services:
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
- Explanation:
ssh,http,https: Maps to ports 22, 80, and 443, respectively.
- Usage: Simplifies rule creation for common services.
Advanced UFW Commands
Allowing Specific IP Ranges
Allow traffic from a subnet (e.g., 192.168.1.0/24):
sudo ufw allow from 192.168.1.0/24 to any port 80
Rate-Limiting SSH
Prevent brute-force attacks by limiting SSH connections:
sudo ufw limit 22/tcp
- Explanation: Limits connections to 6 per 30 seconds from a single IP.
Logging
Enable logging to monitor firewall activity:
sudo ufw logging on
sudo ufw logging low # Options: off, low, medium, high, full
View logs in /var/log/ufw.log or with:
sudo cat /var/log/ufw.log
Practical Script
Create a script to configure a basic UFW setup for a web server:
#!/bin/bash
# configure_ufw.sh
echo "=== Configuring UFW ==="
echo "Setting default policies..."
sudo ufw default deny incoming
sudo ufw default allow outgoing
echo "Allowing essential services..."
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
echo "Enabling UFW..."
sudo ufw enable
echo "Current UFW status:"
sudo ufw status
Make it executable:
chmod +x configure_ufw.sh
./configure_ufw.sh
Pro Tips
Tip: Always allow SSH (port 22) before enabling UFW on a remote server to avoid locking yourself out.
sudo ufw allow ssh
Essential commands:
sudo ufw enable: Activate the firewall.sudo ufw status verbose: Detailed status output.sudo ufw app list: List available application profiles.sudo ufw reset: Reset to default (use with caution).
Troubleshooting
- Locked Out via SSH: If you lose SSH access, access the server via a console (e.g., cloud provider dashboard) and disable UFW (
sudo ufw disable). - Service Not Accessible: Verify rules with
sudo ufw statusand ensure the correct port/protocol is allowed. - Logs Not Showing: Check if logging is enabled (
sudo ufw logging on) and verify the log file (/var/log/ufw.log). - Application Profiles: Use
sudo ufw app listto check for predefined profiles (e.g., for Nginx or Apache).
Next Steps
In future tutorials, we’ll cover:
- Advanced iptables rules for complex scenarios.
- Configuring UFW with Docker containers.
- Setting up intrusion detection with tools like Fail2Ban.
- Monitoring network traffic with
tcpdump.
Practice Exercises
- Basic Setup: Configure UFW to allow SSH, HTTP, and HTTPS, then verify the rules.
- Restricted Access: Allow SSH only from a specific IP range and test connectivity.
- Rate Limiting: Apply rate-limiting to a custom port and simulate multiple connections.
- Log Analysis: Enable logging and analyze blocked traffic in
/var/log/ufw.log.
Resources
Practice configuring UFW rules to secure your server effectively!