How To

How To Setup a Firewall using UFW on Ubuntu 18.04

Ubuntu comes with a firewall configuration tool called UFW (Uncomplicated Firewall). UFW is a user-friendly front-end for managing iptables firewall rules. Its goal is make managing iptables easier.

UFW: Check Firewall Status

sudo ufw status

UFW: Default Policies

By default, UFW will block all of the incoming connections and allow all outbound connections. Protocols such as HTTP/S or SSH must be explicitly whitelisted.

UFW: Application Profiles

apt may add an UFW application profile. Those profiles are stored in the /etc/ufw/applications.d/ directory. Each profile contains UFW settings for that particular application

List all UFW application profiles:

sudo ufw app list

Display more information about each UFW application profile and its rules:

sudo ufw app info 'Nginx Full'

UFW: Allow Incoming Connections

Allow incoming SSH connections:

sudo ufw allow ssh

If the ssh daemon listens on a different port e.g. 5522:

sudo ufw allow 5522/tcp

UFW: Active/Enable Firewall

Activate (or Enable) the firewall:

sudo ufw enable

UFW: Allow Port Ranges

Allow access to port ranges:

sudo ufw allow 7100:7200/udp

UFW: Allow Specific IPs

sudo ufw allow from 1.1.1.1

UFW: Allow Specific IPs with Specific Ports

sudo ufw allow from 1.1.1.1 to any port 1234

UFW: Allow Subnets

Allow connections from a range of IPs addresses by specifying a subnet:

sudo ufw allow from 192.168.1.1/24 to any port 5432

UFW: Allow Specific Network Interfaces

sudo ufw allow in on eth1 to any port 5432

UFW: Deny Specific IPs

sudo ufw deny from 1.1.1.1

UFW: Deny Specific IPs with Specific Ports

sudo ufw deny from 1.1.1.1 to any port 80

UFW: Insert Rules with Higher Priority

The order in which the rules are added is the order that UFW will use when processing an incoming connections. A general rule to allow SSH access on port 22 will pass through everyone, even if (later on) a specific IP address is blocked from the incoming connections.

Add a rule at the top of the rule chain (the highest priority):

sudo ufw insert 1 <rule> comment 'block specific person'