How to Set Up a Firewall with UFW on Ubuntu 20.04 - MS TV Life.COM


A firewall is a tool for monitoring and filtering incoming and outgoing network traffic. It works by defining a set of security rules that determine whether to allow or block specific traffic.

Ubuntu ships with a firewall configuration tool called UFW (Uncomplicated Firewall). UFW is a user-friendly front-end for managing iptables firewall rules. Its main goal is to make managing the firewall easier or, as the name says, uncomplicated.

This article describes how to use the UFW tool to configure and manage a firewall on Ubuntu 20.04. A properly configured firewall is one of the most important aspects of overall system security.

Prerequisites #

Only root or users with sudo privileges can manage the system firewall. The best practice is to run administrative tasks as a sudo user.

Install UFW #

UFW is part of the standard Ubuntu 20.04 installation and should be present on your system. If for some reason it isn't installed, you can install the package by typing:

sudo apt update
sudo apt install ufw

Check UFW Status #

UFW is disabled by default. You can check the status of the UFW service with the following command:

sudo ufw status verbose

The output will show that the firewall status is inactive:

Status: inactive

If UFW is active, the output shows the status as active along with the rules currently in effect.

UFW Default Policies #

The default behavior of the UFW firewall is to block all incoming and forwarding traffic and allow all outbound traffic. This means that anyone trying to access your server will not be able to connect unless you specifically open the port. Applications and services running on your server will be able to access the outside world.

The default policies are defined in the /etc/default/ufw file and can be changed either by manually editing the file or with the sudo ufw default <policy> <chain> command.

Firewall policies are the foundation for building more complex and user-defined rules. Usually, the initial UFW default policies are a good starting point.

Application Profiles #

An application profile is a text file in INI format that describes the service and contains firewall rules for the service. Application profiles are created in the /etc/ufw/applications.d directory during the installation of the package.

You can list all application profiles available on your server by typing:

sudo ufw app list

Depending on the packages installed on your system, the output will look similar to the following:

Available applications:
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH

To find more information about a specific profile and included rules, use the following command:

sudo ufw app info 'Nginx Full'

The output shows that the ‘Nginx Full’ profile opens ports 80 and 443.

Profile: Nginx Full
Title: Web Server (Nginx, HTTP + HTTPS)
Description: Small, but very powerful and efficient web server

Ports:
  80,443/tcp

You can also create custom profiles for your applications.

Enabling UFW #

If you are connecting to your Ubuntu system from a remote location, before enabling the UFW firewall you must explicitly allow incoming SSH connections. Otherwise, you will not be able to connect to the machine.

To configure your UFW firewall to allow incoming SSH connections, type the following command:

sudo ufw allow ssh
Rules updated
Rules updated (v6)

If SSH is running on a non-standard port, you need to open that port.

For example, if your ssh daemon listens on port 7722, enter the following command to allow connections on that port:

sudo ufw allow 7722/tcp

Now that the firewall is configured to allow incoming SSH connections, you can enable it by typing:

sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

You will be warned that enabling the firewall may disrupt existing ssh connections; just type y and hit Enter.
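The lockout warning above is the one step worth automating. The script below, an example added here and not part of the article or of UFW, reads the port from sshd_config and checks the rules already added (via ufw show added) before you enable the firewall. The function names and the sample sshd_config and rule texts are constructed for the demo.

```shell
#!/usr/bin/env bash
# Lockout guard added for this article (not part of UFW or Ubuntu): before
# "ufw enable", confirm a rule already admits the port sshd listens on. Rules
# come from "ufw show added", since "ufw status" lists none while inactive.
set -eu

# Port sshd listens on, parsed from sshd_config text passed as $1.
# No "Port" directive means the OpenSSH default, 22.
sshd_port() {
  printf '%s\n' "$1" | awk 'tolower($1) == "port" { p = $2 } END { print (p ? p : 22) }'
}

# Exit 0 if the "ufw show added" text in $1 has an allow/limit rule admitting
# port $2. Understood shapes: "ufw allow 22/tcp", "ufw allow 7100:7200/tcp",
# "ufw allow 80,443/tcp", "ufw allow OpenSSH" (22/tcp) and "... to any port N".
# Other shapes and "out" rules do not count, so the check fails closed.
# Source restrictions ("from 1.2.3.4") are not evaluated.
allows_port() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^ufw (allow|limit) / && $3 != "out" {
      to = ""
      for (i = 3; i <= NF; i++) if ($i == "port") to = $(i + 1)
      if (to == "") to = ($3 == "in") ? $4 : $3
      sub(/\/(tcp|udp)$/, "", to)
      if (to == "OpenSSH" && want == 22) found = 1
      n = split(to, items, ",")
      for (j = 1; j <= n; j++) {
        if (items[j] == want) found = 1
        if (split(items[j], r, ":") == 2 && want + 0 >= r[1] + 0 && want + 0 <= r[2] + 0) found = 1
      }
    }
    END { exit found ? 0 : 1 }'
}

# Constructed sample: sshd was moved to 7722, but only the default-port rule exists.
SAMPLE_SSHD_CONFIG='Port 7722
PermitRootLogin no'
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 'Nginx Full'"

port=$(sshd_port "$SAMPLE_SSHD_CONFIG")
if allows_port "$SAMPLE_ADDED" "$port"; then
  echo "port $port is allowed; safe to run: sudo ufw enable"
else
  echo "port $port is NOT allowed; run first: sudo ufw allow ${port}/tcp"
fi
# Real host: sshd_port "$(cat /etc/ssh/sshd_config)" and allows_port "$(sudo ufw show added)" "$port"
```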

Opening Ports #

Depending on the applications that run on the system, you may also need to open other ports. The general syntax to open a port is as follows:

ufw allow port_number/protocol

Below are a few ways to allow HTTP connections.

The first option is to use the service name. UFW checks the /etc/services file for the port and protocol of the specified service:

sudo ufw allow http

You can also specify the port number, and the protocol:

sudo ufw allow 80/tcp

When no protocol is given, UFW creates rules for both tcp and udp.

Another option is to use the application profile; in this case, ‘Nginx HTTP’:

sudo ufw allow 'Nginx HTTP'

UFW also supports another syntax for specifying the protocol using the proto keyword:

sudo ufw allow proto tcp to any port 80

Port Ranges #

UFW also lets you open port ranges. The start and the end ports are separated by a colon (:), and you must specify the protocol, either tcp or udp.

For example, if you want to allow ports from 7100 to 7200 on both tcp and udp, you would run the following commands:

sudo ufw allow 7100:7200/tcp
sudo ufw allow 7100:7200/udp

Specific IP Address and port #

To allow connections on all ports from a given source IP, use the from keyword followed by the source address.

Here is an example of whitelisting an IP address:

sudo ufw allow from 64.63.62.61

If you want to allow the given IP address access only to a specific port, use the to any port keyword followed by the port number.

For example, to allow access on port 22 from a machine with the IP address 64.63.62.61, enter:

sudo ufw allow from 64.63.62.61 to any port 22

Subnets #

The syntax for allowing connections from a subnet of IP addresses is the same as when using a single IP address. The only difference is that you need to specify the netmask.

Below is an example showing how to allow access for IP addresses ranging from 192.168.1.1 to 192.168.1.254 to port 3306 (MySQL):

sudo ufw allow from 192.168.1.0/24 to any port 3306

Specific Network Interface #

To allow connections on a particular network interface, use the in on keyword followed by the name of the network interface:

sudo ufw allow in on eth2 to any port 3306

Denying connections #

The default policy for all incoming connections is set to deny, and if you haven't changed it, UFW will block all incoming connections unless you specifically open the port.

Writing deny rules is the same as writing allow rules; you only need to use the deny keyword instead of allow.

Let's say you opened ports 80 and 443, and your server is under attack from the 23.24.25.0/24 network. To deny all connections from 23.24.25.0/24, you would run the following command:

sudo ufw deny from 23.24.25.0/24

To deny access only to ports 80 and 443 from 23.24.25.0/24, you can use the following command:

sudo ufw deny proto tcp from 23.24.25.0/24 to any port 80,443

Deleting UFW Rules #

There are two different ways to delete UFW rules: by rule number and by specifying the actual rule.

Deleting rules by rule number is easier, especially when you are new to UFW. To delete a rule by its number, you first need to find the number of the rule you want to delete. To get a list of numbered rules, use the ufw status numbered command:

sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere

To delete the rule number 3, the one that allows connections to port 8080, you would enter:

sudo ufw delete 3

The second method is to delete a rule by specifying the actual rule. For example if you added a rule to open port 8069 you can delete it with:

sudo ufw delete allow 8069
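Because deleting a rule renumbers every rule after it, and an IPv4 rule usually has an IPv6 twin further down the list, deleting several rules by number is easy to get wrong. The helper below (an added example, not from the article or from UFW) finds all numbers matching a "To" value in ufw status numbered output and emits the delete commands highest number first; the sample status text is constructed.

```shell
#!/usr/bin/env bash
# Example added for this article (not part of UFW): find every numbered rule
# whose "To" column matches a value and print delete commands highest-number
# first. Deleting a rule renumbers the ones after it, and most rules have an
# IPv6 twin listed further down, so deleting in ascending order hits wrong rules.
set -eu

# Rule numbers from "ufw status numbered" text ($1) whose "To" column is $2
# (a "(v6)" suffix is ignored), printed one per line, highest first.
rule_numbers_for() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^\[ *[0-9]+\]/ {
      num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
      rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
      split(rest, col, /  +/)          # columns are separated by 2+ spaces
      to = col[1]; sub(/ \(v6\)$/, "", to)
      if (to == want) print num
    }' | sort -rn
}

# Print the commands that would remove all rules matching $2 from status $1.
# Commands are printed rather than run; pipe them into sh on a real host.
delete_commands_for() {
  rule_numbers_for "$1" "$2" | while IFS= read -r n; do
    printf 'sudo ufw --force delete %s\n' "$n"
  done
}

# Constructed sample in the format shown above, with the IPv6 twins included.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)'

delete_commands_for "$SAMPLE_STATUS" 8080/tcp
# prints "sudo ufw --force delete 5" and then "sudo ufw --force delete 3"
# Real host: delete_commands_for "$(sudo ufw status numbered)" 8080/tcp | sh
```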

Disabling UFW #

If for any reason you want to stop UFW and deactivate all the rules you can use:

sudo ufw disable

Later, if you want to re-enable UFW and activate all rules, just type:

sudo ufw enable

Resetting UFW #

Resetting UFW will disable UFW, and delete all active rules. This is helpful if you want to revert all of your changes and start fresh.

To reset UFW, type in the following command:

sudo ufw reset

IP Masquerading #

IP Masquerading is a variant of NAT (network address translation) in the Linux kernel that translates network traffic by rewriting the source and destination IP addresses and ports. With IP Masquerading, you can allow one or more machines in a private network to communicate with the Internet using one Linux machine that acts as a gateway.

Configuring IP Masquerading with UFW involves several steps.

First, you need to enable IP forwarding. To do that, open the /etc/ufw/sysctl.conf file:

sudo nano /etc/ufw/sysctl.conf

Find the commented-out net.ipv4.ip_forward line, uncomment it, and make sure it is set to 1:

/etc/ufw/sysctl.conf

Next, you need to configure UFW to allow forwarded packets. Open the UFW configuration file:

sudo nano /etc/default/ufw

Locate the DEFAULT_FORWARD_POLICY key, and change the value from DROP to ACCEPT:

/etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"

Now you need to set the default policy for the POSTROUTING chain in the nat table and add the masquerade rule. To do so, open the /etc/ufw/before.rules file:

sudo nano /etc/ufw/before.rules

Append the following lines:

/etc/ufw/before.rules
#NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through eth0 - Change to public network interface
-A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

Don't forget to replace eth0 in the -A POSTROUTING line to match the name of the public network interface.

When you are done, save and close the file.

Finally, reload the UFW rules by disabling and re-enabling UFW:

sudo ufw disable
sudo ufw enable
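As an added example (not the article's own commands or UFW's tooling), the script below takes the public interface from the default route rather than hard-coding eth0, and appends the NAT section to before.rules only once, so re-running the setup does not stack duplicate MASQUERADE rules. It works on a temporary copy; the route line and the file contents are constructed.

```shell
#!/usr/bin/env bash
# Example added for this article (not UFW's own tooling). Picks the public
# interface from the default route instead of hard-coding eth0, and appends
# the NAT section to a before.rules copy only if no MASQUERADE rule for that
# subnet is there yet, so re-running the setup does not duplicate rules.
set -eu

# Interface of the default route, from "ip route show default" text in $1
# (e.g. "default via 203.0.113.1 dev ens3 proto dhcp metric 100").
default_iface() {
  printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# The *nat section for private subnet $1 leaving via interface $2.
nat_section() {
  printf '#NAT table rules\n*nat\n:POSTROUTING ACCEPT [0:0]\n\n'
  printf '# Forward traffic through %s\n-A POSTROUTING -s %s -o %s -j MASQUERADE\n\n' "$2" "$1" "$2"
  printf "# don't delete the 'COMMIT' line or these rules won't be processed\nCOMMIT\n"
}

# Append the section to before.rules copy $3 unless it already masquerades $1.
# Returns 0 if appended, 1 if a rule for that subnet was already present.
ensure_nat_section() {
  if grep -Fq -- "-A POSTROUTING -s $1 " "$3"; then return 1; fi
  nat_section "$1" "$2" >> "$3"
}

# Constructed demo on a temporary copy; on a real host use
# /etc/ufw/before.rules and "$(ip route show default)" instead.
ROUTE_SAMPLE='default via 203.0.113.1 dev ens3 proto dhcp metric 100'
RULES_COPY=$(mktemp)
printf '# rules.before\n*filter\n:ufw-before-input - [0:0]\nCOMMIT\n' > "$RULES_COPY"
iface=$(default_iface "$ROUTE_SAMPLE")
ensure_nat_section 10.8.0.0/16 "$iface" "$RULES_COPY" && echo "appended NAT section via $iface"
ensure_nat_section 10.8.0.0/16 "$iface" "$RULES_COPY" || echo "NAT section already present, nothing done"
```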

Conclusion #

We've shown you how to install and configure the UFW firewall on your Ubuntu 20.04 server. Be sure to allow all incoming connections that are necessary for the proper functioning of your system, while limiting all unnecessary connections.

For more information on this topic, visit the UFW man page.
