While other solutions exist, I find ufw to be the most basic and easy solution to firewalling with iptables.
ufw (Uncomplicated Firewall) is a frontend for the widely used iptables firewall and is well suited to host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line interface for controlling the firewall. It offers a user-friendly, easy-to-use interface for Linux newcomers who are not yet familiar with firewall concepts.
Step 1 Getting Started
On some images, ufw is installed by default. You can check this by running:
sudo dpkg --get-selections | grep ufw
sudo ufw status
You can install ufw from Ubuntu's repositories by running the following command:
sudo apt install ufw
(Optional) Step 2 Use IPv6 with UFW
This tutorial was written with only IPv4 in mind, but IPv6 works as well if you enable it in the config file:
sudo nano /etc/default/ufw
Step 3 Setup Default Policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
With these default policies in place, UFW denies all incoming connections and allows all outgoing connections. We can use this base to punch holes in the firewall for the traffic we want to let through.
Step 4 Enabling / Disabling UFW
To enable UFW:
sudo ufw enable
will result in this response:
Firewall is active and enabled on system startup
To disable UFW:
sudo ufw disable
This produces no output.
Step 5 Creating Pinholes
List Current UFW Rules
sudo ufw status verbose
Block An IP Address
sudo ufw deny from 18.104.22.168
This denies all packets from the IP 22.214.171.124. If you wish to block a subnet instead, replace the 51 with 0/24 as follows:
Allow SSH on Port 22
sudo ufw allow ssh
Changed the port of SSH? You can use:
sudo ufw allow 42 # Change 42 to your SSH port number
Allow SSH from only your IP?
sudo ufw allow from 126.96.36.199/24 to any port 22
rsync can be used to transfer files between computers; it runs on port 873.
An example of allowing rsync from an IP subnet would be as follows:
sudo ufw allow from 188.8.131.52/24 to any port 873
Allow HTTP/S Traffic
You can also allow or deny HTTP/S traffic like so:
sudo ufw allow http # or 80
sudo ufw allow https # or 443
The same can be done for deny.
You can also allow both of them from any IP as follows:
sudo ufw allow proto tcp from any to any port 80,443
Allow MySQL from an IP Subnet
sudo ufw allow from 184.108.40.206/24 to any port 3306
Allow MySQL from a specific interface (like a VPN)
sudo ufw allow in on eth1 to any port 3306
Allow traffic through port ranges
sudo ufw allow 25565:25567/tcp
sudo ufw allow 50000:60000/udp
Allow An IP to Bypass All Rules
sudo ufw allow from 220.127.116.11
Delete A Rule
By Rule Number
If you're using the rule number to delete firewall rules, the first thing you'll want to do is get a list of your firewall rules. The UFW status command has the numbered option, which displays a number next to each rule:
sudo ufw status numbered
Output
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    18.104.22.168/24
[ 2] 80                         ALLOW IN    Anywhere
If we decide that we want to delete rule 2, which allows HTTP connections on port 80, we can specify this in the following UFW command:
sudo ufw delete 2
This will show a confirmation prompt, which you can answer with y/n. Typing y will then delete rule 2. Note that if you have IPv6 enabled, you will want to delete the corresponding IPv6 rule as well.
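Rule numbers shift every time a rule is deleted, and with IPv6 enabled each port usually has two entries. As an added example that is not part of the original tutorial, the POSIX shell helper below parses the same numbered status output shown above (the status text embedded here is constructed, using documentation address ranges) and prints every rule number that matches a port, highest first, so the delete commands it emits can be run top to bottom without renumbering the rules still to be deleted.

```shell
# Constructed sample of `sudo ufw status numbered` output (not from a real host)
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    192.0.2.0/24
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 3306 on eth1               ALLOW IN    Anywhere
[ 5] 80 (v6)                    ALLOW IN    Anywhere (v6)
[ 6] 443 (v6)                   ALLOW IN    Anywhere (v6)
[ 7] 25565:25567/tcp            ALLOW IN    Anywhere
[ 8] Anywhere                   DENY IN     198.51.100.7'

# Read numbered status output on stdin; print the numbers of rules whose
# "To" column covers the given port (plain, /proto, "on iface", "(v6)",
# comma lists and low:high ranges), highest number first.
ufw_rule_numbers_for_port() {
    awk -v port="$1" '
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
            split(rest, f, " ")            # f[1] is the "To" spec
            spec = f[1]; sub(/\/.*/, "", spec)   # drop the /tcp or /udp suffix
            n = split(spec, ports, ",")
            for (i = 1; i <= n; i++) {
                if (ports[i] == port) { print num; break }
                if (ports[i] ~ /^[0-9]+:[0-9]+$/) {
                    split(ports[i], r, ":")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print num; break }
                }
            }
        }' | sort -rn
}

# Emit the delete commands in a safe order (run them, or pipe to sh, after review).
ufw_delete_commands_for_port() {
    ufw_rule_numbers_for_port "$1" | while read -r n; do
        printf 'sudo ufw delete %s\n' "$n"
    done
}

# Demo against the constructed sample: port 80 matches rules 5 (v6) and 2.
printf '%s\n' "$SAMPLE_STATUS" | ufw_delete_commands_for_port 80
```

On a live host replace the sample with `sudo ufw status numbered | ufw_delete_commands_for_port 80`.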
Need to Reset UFW?
sudo ufw reset
This disables UFW and deletes any rules that you have previously defined. Keep in mind that the default policies will not revert to their original settings if you modified them at any point. This should give you a fresh start with UFW.