Cloud VPS [Ubuntu]: Manage Firewall Rules with ufw (Uncomplicated Firewall)

This article will explain the process of how to manage your firewall rules with ufw (Uncomplicated Firewall).

The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a way to create an IPv4 or IPv6 host-based firewall. By default, ufw is disabled.

To Set Default Rule
Setting the default mode of ufw is recommended before turning it on. This will deny or allow all incoming connections.

Set Default Deny:     

sudo ufw default deny

Set Default Allow:

sudo ufw default allow

Enable and Disable
You can enable and disabke ufw with these commands. Unless you have set the default to deny when you initially enable ufw, it is in ALLOW mode and will allow everything incoming and outgoing until you create rulesets. 

To turn UFW on:

sudo ufw enable

To disable ufw use:

sudo ufw disable

Allow and Deny

Allow

sudo ufw allow <port>/<optional: protocol>

Example: To allow incoming tcp and udp packet on port 53

sudo ufw allow 53

Example: To allow incoming tcp packets on port 53

sudo ufw allow 53/tcp

Example: To allow incoming udp packets on port 53

sudo ufw allow 53/udp

Deny

sudo ufw deny <port>/<optional: protocol>

Example: To deny tcp and udp packets on port 53

sudo ufw deny 53

Example: To deny incoming tcp packets on port 53

sudo ufw deny 53/tcp

Example: To deny incoming udp packets on port 53

sudo ufw deny 53/udp

 

Delete Existing Rule
To delete a rule, simply prefix the original rule with delete. For example, if the original rule was:

ufw deny 80/tcp

Use this to delete it:

sudo ufw delete deny 80/tcp

 

Services
You can also allow or deny by service name since ufw reads from /etc/services To see get a list of services:

less /etc/services

Allow by Service Name

sudo ufw allow <service name>

Example: to allow ssh by name

sudo ufw allow ssh

Deny by Service Name

sudo ufw deny <service name>

Example: to deny ssh by name

sudo ufw deny ssh

 

Status
Checking the status of ufw will tell you if ufw is enabled or disabled. This will also list the current ufw rules that are applied to your iptables.

To check the status of ufw:

sudo ufw status

Firewall loaded

To         Action    From

--         ------    ---- 
22:tcp     DENY     192.168.0.1

22:udp     DENY     192.168.0.1

22:tcp     DENY     192.168.0.7

22:udp     DENY     192.168.0.7

22:tcp     ALLOW    192.168.0.0/24

22:udp     ALLOW    192.168.0.0/24

If ufw was not enabled the output would be:

sudo ufw status

Status: inactive

 

Logging
To enable logging use:

sudo ufw logging on

To disable logging use:

sudo ufw logging off

 

Advanced Syntax
You can also use a fuller syntax, specifying the source and destination addresses and ports.

Allow Access
This section shows how to allow specific access.

Allow by Specific IP:

sudo ufw allow from <ip address>

Example: To allow packets from 207.46.232.182:

sudo ufw allow from 207.46.232.182

 

Allow by Subnet
You may use a net mask :

sudo ufw allow from 192.168.1.0/24

Allow by specific port and IP address

sudo ufw allow from <ip address> to <protocol> port <port number>

Example: allow ip address 192.168.0.4 access to port 22 for all protocols

sudo ufw allow from 192.168.0.4 to any port 22

 

Enable PING
Note: Security by obscurity may be of very little actual benefit with modern cracker scripts. By default, ufw allows ping requests. You may find you wish to leave (icmp) ping requests enabled to diagnose networking problems.

You need to edit /etc/ufw/before.rules and remove edit the following lines:

 # ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT

 -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT

-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT

-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT

-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

Change the "ACCEPT" to "DROP" or

# ok icmp codes

-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP

-A ufw-before-input -p icmp --icmp-type source-quench -j DROP

-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP

-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP

-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

 

Deny Access
Deny by specific IP

sudo ufw deny from <ip address>

Example:To block packets from 207.46.232.182:

sudo ufw deny from 207.46.232.182

Deny by specific port and IP address

sudo ufw deny from <ip address> to <protocol> port <port number>

Example: deny ip address 192.168.0.1 access to port 22 for all protocols

sudo ufw deny from 192.168.0.1 to any port 22

 

Advanced Blocking Rules
Blocking IP addresses is not so straight forward if you have an existing set of rules as IPTABLES matches in order.

So, if you started with default deny and added in port 80 for a public server :

sudo ufw allow 80

But then find IP address 111.222.3.44 is hacking your server :

sudo ufw deny 111.222.3.44

will do nothing (you allowed access with your first rule).

You need to edit /etc/ufw/before.rules and add a section "Block IP" after "Drop INVALID packets" :

-A ufw-before-input -s 111.222.3.44 -j DROP #Assuming no loging is desired of course)

# drop INVALID packets

# uncomment to log INVALID packets

#-A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW B$

-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# Block IP

# This it is efective :)

-A ufw-before-input -s 111.222.3.44 -j DROP


Advanced Example
Scenario: You want to block access to port 22 from 192.168.0.1 and 192.168.0.7 but allow all other 192.168.0.x IPs to have access to port 22

sudo ufw deny from 192.168.0.1 to any port 22

sudo ufw deny from 192.168.0.7 to any port 22

sudo ufw allow from 192.168.0.0/24 to any port 22

This puts the specific rules first and the generic second. Once a rule is matched the others will not be evaluated (see manual below), so you must put the specific rules first. As rules change, you may need to delete old rules to ensure that new rules are put in the proper order.

To check your rules orders, you can check the status. For this scenario, the output below is the desired output for the rules to work properly:

 

sudo ufw status

Firewall loaded

To          Action     From

--          ------     ----
22:tcp      DENY       192.168.0.1

22:udp      DENY       192.168.0.1

22:tcp      DENY       192.168.0.7

22:udp      DENY       192.168.0.7

22:tcp      ALLOW      192.168.0.0/24

22:udp      ALLOW      192.168.0.0/24

 

Scenario change: You want to block access to port 22 to 192.168.0.3 as well as 192.168.0.1 and 192.168.0.7.

sudo ufw delete allow from 192.168.0.0/24 to any port 22

sudo ufw status


Firewall loaded

To           Action      From

--           ------      ----
22:tcp       DENY        192.168.0.1

22:udp       DENY        192.168.0.1

22:tcp       DENY        192.168.0.7

22:udp       DENY        192.168.0.7

 

 

sudo ufw deny 192.168.0.3 to any port 22

sudo ufw allow 192.168.0.0/24 to any port 22

sudo ufw status



Firewall loaded


To           Action         From

--           ------         ----

22:tcp       DENY           192.168.0.1

22:udp       DENY           192.168.0.1

22:tcp       DENY           192.168.0.7

22:udp       DENY           192.168.0.7

22:tcp       DENY           192.168.0.3

22:udp       DENY           192.168.0.3

22:tcp       ALLOW          192.168.0.0/24

22:udp       ALLOW          192.168.0.0/24


If you simply add the deny rule, the allow would have been above it and been applied instead of the deny.

 

 



 

Add Feedback