How to Set Up a Firewall with UFW on Ubuntu 20.04
A firewall is a tool for monitoring and filtering incoming and outgoing network traffic. It works by defining a set of security rules that determine whether specific traffic is allowed or blocked.
Ubuntu ships with a firewall configuration tool called UFW (Uncomplicated Firewall). UFW is a user-friendly front-end for managing iptables firewall rules. Its main goal is to make managing a firewall easier or, as the name says, uncomplicated.
This article describes how to use the UFW tool to configure and manage a firewall on Ubuntu 20.04. A properly configured firewall is one of the most important aspects of overall system security.
Only root or users with sudo privileges can manage the system firewall. The best practice is to run administrative tasks as a sudo user rather than logging in as root.
Install UFW #
UFW is part of the standard Ubuntu 20.04 installation and should already be present on your system. If for some reason it is not installed, you can install the package by typing:
sudo apt update
sudo apt install ufw
Check UFW Status #
UFW is disabled by default. You can check the status of the UFW service with the following command:
sudo ufw status verbose
On a fresh system the output shows that the firewall is inactive:
Status: inactive
Note that while UFW is inactive this command prints only Status: inactive, even if rules have already been added. Once UFW is enabled, the output starts with Status: active, followed by the logging level, the default policies (incoming, outgoing and routed) and the list of rules.
UFW Default Policies #
The default behavior of the UFW firewall is to deny all incoming and routed (forwarded) traffic and allow all outgoing traffic. This means that nobody trying to reach your server will be able to connect unless you specifically open the port, while applications and services running on your server are able to reach the outside world.
The default policies are defined in the /etc/default/ufw file (the DEFAULT_INPUT_POLICY, DEFAULT_OUTPUT_POLICY and DEFAULT_FORWARD_POLICY keys) and can be changed either by editing that file or with the sudo ufw default <policy> <chain> command, where the policy is allow, deny or reject and the chain is incoming, outgoing or routed.
Firewall policies are the foundation for building more complex, user-defined rules. In general, the initial UFW default policies are a good starting point.
Application Profiles #
An application profile is a text file in INI format that describes a service and contains the firewall rules for it. Application profiles are created in the /etc/ufw/applications.d directory during the installation of a package (the openssh-server and nginx packages, for example, ship their own).
You can list all application profiles available on your server by typing:
sudo ufw app list
Depending on the packages installed on your system, the output will look similar to the following:
Available applications:
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH
To find more information about a specific profile and included rules, use the following command:
sudo ufw app info 'Nginx Full'
The output shows that the 'Nginx Full' profile opens ports 80 and 443 over TCP:
Profile: Nginx Full
Title: Web Server (Nginx, HTTP + HTTPS)
Description: Small, but very powerful and efficient web server

Ports:
  80,443/tcp
You can also create custom profiles for your own applications by adding a file in the same format to /etc/ufw/applications.d.
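As an added example (not code from the original article), the following script writes such a custom profile. The profile name ExampleAPI, its ports, the description and the PROFILE_DIR variable are hypothetical; the [name], title, description and ports keys are the ones ufw reads from files in /etc/ufw/applications.d.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: write a custom UFW application profile.
# The [name]/title/description/ports layout is what ufw reads from /etc/ufw/applications.d;
# the profile name, ports and description used below are hypothetical.
set -eu

PROFILE_DIR="${PROFILE_DIR:-/etc/ufw/applications.d}"

# render_profile NAME TITLE DESCRIPTION PORTS -> profile text on stdout
# PORTS uses ufw's syntax: comma-separated ports, ranges as low:high, a /tcp or /udp
# suffix, and '|' between entries for different protocols, e.g. "8443/tcp|9000:9010/udp"
render_profile() {
  printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n' "$1" "$2" "$3" "$4"
}

# profile_ports FILE -> the value of the ports= line of an existing profile file
profile_ports() {
  sed -n 's/^ports=//p' "$1"
}

# install_profile NAME TITLE DESCRIPTION PORTS: write the file, refresh any rules that
# already use this profile, and show what ufw now sees
install_profile() {
  render_profile "$1" "$2" "$3" "$4" | sudo tee "${PROFILE_DIR}/$1" >/dev/null
  sudo ufw app update "$1"
  sudo ufw app info "$1"
}

# Run as: ./profile.sh install   (needs sudo)
if [ "${1:-}" = install ]; then
  install_profile ExampleAPI "Example API" \
    "Internal API over HTTPS plus a UDP metrics range" "8443/tcp|9000:9010/udp"
fi
```

After installing the profile, sudo ufw allow ExampleAPI opens the listed ports, and sudo ufw allow from 192.168.1.0/24 to any app ExampleAPI restricts them to one subnet. Profile names are case-sensitive and must match the section name in the file.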
Enabling UFW #
If you are connecting to your Ubuntu machine from a remote location, you must explicitly allow incoming SSH connections before enabling the UFW firewall. Otherwise, you will lock yourself out of the machine as soon as the firewall comes up.
To configure your UFW firewall to allow incoming SSH connections, type the following command:
sudo ufw allow ssh
Rules updated
Rules updated (v6)
If SSH is running on a non-standard port, you need to open that port instead. For example, if your ssh daemon listens on port 7722, enter the following command to allow connections on that port:
sudo ufw allow 7722/tcp
Now that the firewall is configured to allow incoming SSH connections, you can enable it by typing:
sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
You will be warned that enabling the firewall may disrupt existing ssh connections; type y and hit Enter. Because an allow rule for SSH is already in place, your current session is not cut off.
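The default policies and the SSH rule are the two things you want in place before the first ufw enable on a remote box. The following script (an added example, not code from the original article) puts them together and refuses to enable the firewall unless an SSH rule is actually stored. It checks sudo ufw show added rather than ufw status, because ufw status prints only Status: inactive until the firewall is enabled. The SSH_PORT variable, the script name baseline.sh and the apply argument are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: apply the default policies, open SSH
# and only then enable the firewall. SSH_PORT is an assumption; override it when sshd
# listens elsewhere. Requires sudo; run as ./baseline.sh apply
set -eu

SSH_PORT="${SSH_PORT:-22}"

# has_ssh_rule ADDED_TEXT -> success if the output of `ufw show added` contains an allow or
# limit rule for $SSH_PORT (as "22", "22/tcp" or "... to any port 22") or the OpenSSH profile
has_ssh_rule() {
  printf '%s\n' "$1" \
    | grep -Eq "^ufw (allow|limit) (.* )?(${SSH_PORT}(/tcp)?|OpenSSH)( .*)?$"
}

# baseline: deny in, allow out, deny routed; rate-limit SSH; enable without the y/n prompt
baseline() {
  sudo ufw default deny incoming
  sudo ufw default allow outgoing
  sudo ufw default deny routed
  # limit = allow, but a source that opens 6+ connections in 30 s is blocked for a while
  sudo ufw limit "${SSH_PORT}/tcp"
  if ! has_ssh_rule "$(sudo ufw show added)"; then
    echo "refusing to enable ufw: no stored rule for SSH port ${SSH_PORT}" >&2
    return 1
  fi
  # --force answers the "may disrupt existing ssh connections" prompt non-interactively
  sudo ufw --force enable
  sudo ufw status verbose
}

if [ "${1:-}" = apply ]; then
  baseline
fi
```

ufw limit behaves like allow but temporarily blocks a source that opens more than six connections in 30 seconds, which blunts SSH password guessing; --force matters when the script runs from a provisioning tool with no terminal to answer the prompt.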
Opening Ports #
Depending on the applications that run on the system, you may also need to open other ports. The general syntax to open a port is as follows:
ufw allow port_number/protocol
Below are a few ways to allow HTTP connections.
The first option is to use the service name. UFW checks the /etc/services file for the port and protocol of the specified service:
sudo ufw allow http
You can also specify the port number, and the protocol:
sudo ufw allow 80/tcp
When no protocol is given, UFW creates rules for both TCP and UDP.
Another option is to use the application profile; in this case, ‘Nginx HTTP’:
sudo ufw allow 'Nginx HTTP'
UFW also supports another syntax for specifying the protocol, using the proto keyword:
sudo ufw allow proto tcp to any port 80
Port Ranges #
UFW also allows you to open port ranges. The start and end ports are separated by a colon (:), and you must specify the protocol, either tcp or udp. For example, to allow ports 7100 to 7200 on both tcp and udp, run the following commands:
sudo ufw allow 7100:7200/tcp
sudo ufw allow 7100:7200/udp
Specific IP Address and port #
To allow connections on all ports from a given source IP address, use the from keyword followed by the source address. Here is an example of whitelisting an IP address:
sudo ufw allow from 18.104.22.168
If you want to allow the given IP address access only to a specific port, use the to any port keywords followed by the port number. For example, to allow access on port 22 from a machine with the IP address 22.214.171.124:
sudo ufw allow from 22.214.171.124 to any port 22
The syntax for allowing connections from a subnet is the same as for a single IP address; the only difference is that you need to specify the netmask. Below is an example showing how to allow access to port 3306 for the whole 192.168.1.0/24 subnet (addresses 192.168.1.1 to 192.168.1.254):
sudo ufw allow from 192.168.1.0/24 to any port 3306
Specific Network Interface #
To allow connections on a particular network interface, use the in on keyword followed by the name of the network interface:
sudo ufw allow in on eth2 to any port 3306
Denying connections #
The default policy for all incoming connections is set to deny, and if you have not changed it, UFW blocks all incoming connections unless you specifically open them.
Writing deny rules is the same as writing allow rules; you only need to use the deny keyword instead of allow. (deny silently drops the packets; reject is the same rule but sends an error back to the sender.)
UFW evaluates rules in the order they are listed and the first match wins, so a deny rule appended after an existing allow rule for the same traffic never fires. To block a source that is already covered by an allow rule, insert the deny rule at the top of the list with ufw insert 1.
Let's say you opened ports 80 and 443, and your server is under attack from the 184.108.40.206/24 network. To deny all connections from 184.108.40.206/24 ahead of the existing allow rules, you would run the following command:
sudo ufw insert 1 deny from 184.108.40.206/24
Here is an example of denying access only to ports 80 and 443 from 18.104.22.168/24:
sudo ufw insert 1 deny proto tcp from 18.104.22.168/24 to any port 80,443
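To see why the position of a deny rule matters, here is a small shell model of UFW's first-match evaluation (an added example, not part of the original article and not ufw itself): each rule is an action, a source (an IP, a CIDR or any) and a destination port, rules are checked top to bottom, and a packet that matches nothing falls through to the default incoming policy, deny. The two rule sets and the 203.0.113.0/24 attacker network are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article and not ufw itself: a small model of the
# order in which UFW evaluates its user rules (top to bottom, first match wins, otherwise the
# default incoming policy applies). Rule sets and addresses below are constructed sample data.
set -eu

# ip_to_int 203.0.113.7 -> the address as a 32-bit integer
ip_to_int() {
  oldifs=$IFS
  IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP CIDR -> success if IP lies inside CIDR ("any" and a bare host address work too)
ip_in_cidr() {
  [ "$2" = any ] && return 0
  net=${2%/*}
  bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32                      # no prefix length: a single host
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# decide RULES SRC_IP DST_PORT -> prints allow or deny. RULES holds one rule per line as
# "ACTION SOURCE PORT" (SOURCE: IP, CIDR or any; PORT: number or any), in ufw's listed order.
decide() {
  verdict=$(printf '%s\n' "$1" | while read -r action src port; do
    [ -n "$action" ] || continue
    if ip_in_cidr "$2" "$src" && { [ "$port" = any ] || [ "$port" = "$3" ]; }; then
      echo "$action"
      break
    fi
  done)
  echo "${verdict:-deny}"                             # nothing matched: default policy
}

# Ports 80 and 443 are open; 203.0.113.0/24 is the network under attack.
# Appending the deny (ufw deny from ...) places it after the allows:
APPENDED_DENY='allow any 80
allow any 443
deny 203.0.113.0/24 any'

# Inserting it (ufw insert 1 deny from ...) places it first:
INSERTED_DENY='deny 203.0.113.0/24 any
allow any 80
allow any 443'

echo "appended deny, attacker to port 80:   $(decide "$APPENDED_DENY" 203.0.113.7 80)"
echo "inserted deny, attacker to port 80:   $(decide "$INSERTED_DENY" 203.0.113.7 80)"
echo "inserted deny, other host to port 80: $(decide "$INSERTED_DENY" 198.51.100.9 80)"
```

With the deny appended, the attacker's packet to port 80 is allowed because allow any 80 is matched first; with the deny inserted at position 1 the same packet is denied, and a host outside the blocked network still reaches port 80. That is exactly the difference between ufw deny from ... and ufw insert 1 deny from ... on a live system.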
Deleting UFW Rules #
There are two different ways to delete UFW rules: by rule number and by specifying the actual rule.
Deleting rules by rule number is easier, especially when you are new to UFW. To delete a rule by number, first find the number of the rule you want to delete. To get a list of numbered rules, use the ufw status numbered command:
sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere
Keep in mind that UFW renumbers the remaining rules after every deletion, so when removing several rules by number either run ufw status numbered again between deletions or delete from the highest number down. To delete rule number 3, the one that allows connections to port 8080, you would enter:
sudo ufw delete 3
The second method is to delete a rule by specifying the actual rule. For example, if you added a rule to open port 8069, you can delete it with:
sudo ufw delete allow 8069
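When one port has several rules (typically an IPv4 entry and its (v6) twin, or rules for different subnets), deleting them by number one at a time is error prone because ufw renumbers the rest after each deletion. This added example (not code from the original article) parses the ufw status numbered output for a port and deletes the matching rules from the highest number down, so the numbers collected beforehand stay valid. The status text is constructed sample data; delete_rules_for and the --force flag (which skips the y/n confirmation) act on the live firewall.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: remove every rule for one port.
# Rule numbers are collected first and deleted highest-first, because ufw renumbers the
# remaining rules after each deletion. SAMPLE_STATUS is constructed sample data.
set -eu

# rule_numbers_for PORT STATUS_TEXT -> numbers of the rules whose "To" column is PORT,
# PORT/tcp or PORT/udp (IPv4 and "(v6)" entries alike), one per line, highest first
rule_numbers_for() {
  printf '%s\n' "$2" \
    | sed -n "s/^\[ *\([0-9][0-9]*\)\] *$1\(\/[a-z]*\)\{0,1\}\( (v6)\)\{0,1\} .*/\1/p" \
    | sort -rn
}

# delete_rules_for PORT: apply the above to the live firewall; --force skips the y/n prompt
delete_rules_for() {
  for n in $(rule_numbers_for "$1" "$(sudo ufw status numbered)"); do
    echo "deleting rule $n"
    sudo ufw --force delete "$n"
  done
}

# What `sudo ufw status numbered` prints on a host with SSH, HTTP and a stray 8080 rule
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 8080/tcp                   ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)'

echo "rules for port 8080, in deletion order:"
rule_numbers_for 8080 "$SAMPLE_STATUS"

# Run as: ./delete-port.sh delete 8080   (needs sudo)
if [ "${1:-}" = delete ]; then
  delete_rules_for "${2:?port required}"
fi
```

Against the sample status, rule_numbers_for 8080 prints 5 and then 2; deleting in that order leaves rule 2's number untouched by the removal of rule 5, whereas deleting 2 first would turn the old rule 5 into rule 4 and a blind second delete 5 would miss.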
Disabling UFW #
If for any reason you want to stop UFW and deactivate all the rules you can use:
sudo ufw disable
Later, if you want to re-enable UFW and activate all rules, just type:
sudo ufw enable
Resetting UFW #
Resetting UFW disables the firewall and deletes all active rules (ufw backs up the previous rule files in /etc/ufw before removing them). This is helpful if you want to revert all of your changes and start fresh.
To reset UFW, type the following command:
sudo ufw reset
IP Masquerading #
IP Masquerading is a variant of NAT (network address translation) in the Linux kernel that translates network traffic by rewriting the source and destination IP addresses and ports. With IP Masquerading, you can allow one or more machines in a private network to communicate with the Internet through one Linux machine that acts as a gateway.
Configuring IP Masquerading with UFW involves several steps.
First, you need to enable IP forwarding. To do so, open the /etc/ufw/sysctl.conf file (UFW applies this file when the firewall starts):
sudo nano /etc/ufw/sysctl.conf
Find and uncomment the line that reads net/ipv4/ip_forward=1 (this file writes the keys with slashes rather than dots):
Next, you need to configure UFW to allow forwarded packets. Open the UFW configuration file:
sudo nano /etc/default/ufw
Locate the DEFAULT_FORWARD_POLICY key and change the value from DROP to ACCEPT. Note that this forwards all traffic between interfaces; if you only want to forward specific traffic, leave it at DROP and add explicit ufw route allow rules instead.
Now you need to set the default policy for the POSTROUTING chain in the nat table and add the masquerade rule. To do so, open the /etc/ufw/before.rules file:
sudo nano /etc/ufw/before.rules
Add the following lines. The *nat block is a complete table of its own and ends with its own COMMIT, so place it before the *filter line or after the filter table's COMMIT, never inside the filter table:
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through eth0 - Change to public network interface
-A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
Do not forget to replace eth0 in the -A POSTROUTING line with the name of your public network interface, and 10.8.0.0/16 with the private network whose traffic should be masqueraded.
When you are done, save and close the file.
Finally, reload the UFW rules by disabling and re-enabling UFW:
sudo ufw disable
sudo ufw enable
We have shown you how to install and configure the UFW firewall on your Ubuntu 20.04 server. Make sure to allow all incoming connections that are necessary for the proper functioning of your system while restricting all unnecessary ones.
For more information on this topic, see the UFW man page.