How to setup a UFW firewall on Ubuntu 18.04 LTS server

last updated in Categories , ,

How do I setup a firewall with UFW (uncomplicated firewall) on an Ubuntu Linux 18.04 LTS server to restrict traffic on my personal Ubuntu web-server that hosts my cat’s blog? How do I set up a firewall with UFW on Ubuntu 18.04 LTS?

Introduction : UFW is an acronym for an uncomplicated firewall. Securing a network with the uncomplicated firewall is super easy. The Ubuntu Linux comes with packet filtering called Netfilter. The iptables frontend command used to manage netfilter. However, ufw provide easy to use frontend for netfilter, and it is one of the most popular among Ubuntu sysadmins and developers. This page shows how to set up and secure your Ubuntu 18.04 LTS server with ufw.

How to setup a UFW firewall on Ubuntu Linux 18.04 LTS

The procedure to set up a firewall with UFW on Ubuntu 18.04:

  1. Make sure ufw installed
  2. Setup a default deny firewall policy with ufw on Ubuntu
  3. Open required ports with sudo ufw allow port syntax on Ubuntu
  4. At least you need to open SSH, HTTP/HTTPS and other TCP/IP ports using ufw.
  5. Enable ufw with sudo ufw enable
  6. Delete ufw rules ufw delete num command
  7. Check the status of netfilter with ufw status
  8. Disable ufw if needed

Let us see all commands to set up and securing your Ubuntu Linux 18.04 LTS server.

Ubuntu setup UFW firewall

By default UFW installed with Ubuntu. If not installed for some reason or removed by the previous sysadmin, type the following apt-get command/apt command to install UFW in Ubuntu:
$ sudo apt update
$ sudo apt install ufw

How do I view status of ufw on Ubuntu?

Type the following:
$ sudo ufw status
Sample outputs:

Status: inactive

Setting up default UFW policy

The default policy firewall works out well for both the servers and laptop/workstation as you only need to open a limited number of incoming ports. It is a good policy as it closes all ports on the server/firewall and you need to open ports one by one. You can run the following commands to set the system to block all incoming connection and only allow outgoing connections from the Ubuntu:
$ sudo ufw default allow outgoing
$ sudo ufw default deny incoming

How to add a new rule to allow SSH access

Type the following command to allow SSH connections to your server:
$ sudo ufw allow ssh
OR
sudo ufw allow 22/tcp
Say if you are running ssh on port 2020, enter:
$ sudo ufw allow 2020/tcp
The following rules allow access to tcp ssh port 22 only on 10.8.0.1 (i.e. your ssh server is listing on 10.8.0.1 port 22) from anywhere:
$ sudo ufw allow proto tcp from any to 10.8.0.1 port 22
The following rules allow access to tcp ssh port 22 only on 10.8.0.1 (i.e. your ssh server is listing on 10.8.0.1 port 22) from 10.8.0.2 IP address only:
$ sudo ufw allow proto tcp from 10.8.0.2 to 10.8.0.1 port 22

How do I add a comment for the ufw rule on Ubuntu?

The syntax is:
$ sudo ufw rule comment 'my comment here about rule'
For example allow only TCP traffic over HTTPS (TCP port 443):
$ sudo ufw allow https/tcp comment 'Open port Apache port 443'
You can view all added rules before enabling or starting the firewall on Ubuntu:
$ sudo ufw show added

How to enable the UFW based firewall

Simply run:
$ sudo ufw enable

Setup a UFW firewall on Ubuntu 18.04 LTS server
We set up a firewall with UFW on Ubuntu 18.04 LTS

Once enabled, the firewall runs after reboots too.

How do I disable the UFW based firewall?

If you need to stop the firewall and disable on system startup, excute:
$ sudo ufw disable
Sample outputs:

Firewall stopped and disabled on system startup

How do I check the status of my fiewall rules?

Use the status command:
$ sudo ufw status
$ sudo ufw status numbered
$ sudo ufw status verbose

How to check the ufw firewall status
How to check the ufw firewall status

How to add more rules (open ports and allow IP address) with ufw

The syntax is as follows to open tcp port 80 and 25:
$ sudo ufw allow 80/tcp
$ sudo ufw allow 25/tcp comment 'accept email'

Open UDP/1194 (OpenVPN) server:
$ sudo ufw allow 1194/udp

How to allow port ranges via ufw

You can allow port ranges too say, tcp and udp 4000 to 6000:
$ sudo ufw allow 4000:6000/tcp
$ sudo ufw allow 4000:6000/udp

Say you want to allow connections from an IP address called 1.2.3.4, enter:
$ sudo ufw allow from 1.2.3.4
Let us allow connections from an IP address called 1.2.3.4 to our port 22, enter:
$ sudo ufw allow from 1.2.3.4 to any port 22 proto tcp
OR (dest 222.222.222.222 port 22)
$ sudo ufw allow from 1.2.3.4 to 222.222.222.222 port 22 proto tcp

How to allow incoming MySQL/MariaDB traffic (open port 3306)

Allow access to MySQL/MariaDB port 3306 from selected subnet only (see MySQL/MariaDB remote access tutorial):
$ sudo ufw allow from 192.168.1.0/24 to any port 3306
Allow access to MySQL/MariaDB port 3306 Apache server only:
$ sudo ufw allow from 202.54.1.1 to any port 3306

Set up and allow PostgreSQL traffic by opening port 5432

Allow access to PostgreSQL port 5432 from selected subnet only (see PostgreSQL remote access tutorial):
$ sudo ufw allow from 192.168.1.0/24 to any port 5432
Allow access to PostgreSQL port 5432 Apache server only:
$ sudo ufw allow from 202.54.1.1 to any port 5432

Open incoming IMAP/IMAPS mail server ports

$ sudo ufw allow 143
$ sudo ufw allow 993

POP3/POP3S port opened with ufw

$ sudo ufw allow 110
$ sudo ufw allow 995

How to denying access to port or connections

Do you want to close ports and block IP address? The syntax is as follows to deny access (i.e. simply ignoring access to port 443):
$ sudo ufw deny 443/tcp
Make sure you deny all connections from an IP address called 1.2.3.4, enter:
$ sudo ufw deny from 1.2.3.4
Deny all connections from an IP/subnet called 123.45.67.89/24, enter:
$ sudo ufw deny from 123.45.67.89/24
Want to deny access to 1.2.3.4 (say hackers IP) on port 22? Try:
$ sudo ufw deny from 1.2.3.4 to any port 22 proto tcp

How to reject access to port or connections (reject and let user know they are blocked by the firewall)

The deny syntax simply ignores traffic. If you want let the sender know when traffic is being denied, rather than simply ignoring it, use reject syntax:
$ sudo ufw reject in smtp
$ sudo ufw reject out smtp
$ sudo sudo ufw reject 1194 comment 'No more vpn traffic'
$ sudo ufw reject 23 comment 'Unencrypted port not allowed'

If somebody try to connect to port 23 they will get reject message as follows:

telnet: Unable to connect to remote host: Connection refused

How to delete the UFW firewall rules

So far you learned how to add, deny, and list the firewall rules. It is time to delete unwanted rules. There are two options to deleting rules. The first syntax is:
$ sudo ufw delete {rule-here}
In this example, delete HTTPS (tcp port 443) traffic rule,
$ sudo ufw delete allow 443
If you no longer wished to allow smptd/email (port 25) traffic, execute:
$ sudo ufw delete allow 25
The second option is to list list all of the current rules in a numbered list format:
$ sudo ufw status numbered
Sample outputs:

Status: active
 
     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 443/tcp                    ALLOW IN    Anywhere                   # Open port Apache port 443
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)             
[ 4] 443/tcp (v6)               ALLOW IN    Anywhere (v6)              # Open port Apache port 443

To delete 2nd and 4th rule (rule that allows TCP/443 access, you type the command:
$ sudo ufw delete 2
$ sudo ufw status numbered
$ sudo ufw delete 3

Deleting rules with ufw command on Ubuntu
Delete ufw rules by specifying their numbers on Ubuntu

How do I reset the ufw based firewall?

Run:
$ sudo ufw reset

How do I reload the ufw based firewall?

You can reload firewall with:
$ sudo ufw reload
When you edit UFW' configuration file, you need to run reload command. For example, you can edit /etc/ufw/before.rules, enter:
$ sudo nano /etc/ufw/before.rules
OR
$ sudo vi /etc/ufw/before.rules
To allow all traffic fro eth0 to eth0 (add after line that read as "# End required lines"), enter:

# allow all on eth0
-A ufw-before-input -i eth0 -j ACCEPT
-A ufw-before-output -o eth0 -j ACCEPT

Save and close the file. Reload the firewall:
$ sudo ufw reload

How do I see the firewall logs?

By default all UFW entries are logged into /var/log/ufw.log file. Use grep command/more command/tail command and other command to view the ufw logs:
$ sudo more /var/log/ufw.log
$ sudo tail -f /var/log/ufw.log

How do I see the ufw reports?

The added report displays the list of rules as they were added on the command-line:
$ sudo ufw show added
$ sudo ufw show listening

Ubuntu ufw firewall reports
Other possible reports are:
$ sudo ufw show raw
$ sudo ufw show builtins
$ sudo ufw show before-rules
$ sudo ufw show user-rules
$ sudo ufw show after-rules
$ sudo ufw show logging-rules

Conclusion

In this guide, you learned how to secure your Ubuntu Linux 18.04 LTS server with the help of ufw. For more info, please see ufw help page here.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Start the discussion at www.nixcraft.com