Firewalls in Linux play an important role in controlling incoming and outgoing network traffic, and thereby in securing the system. A firewall acts as a frontline soldier that protects the system from attacks and unauthorized access.
Introduction
In almost all Linux distributions, iptables or nftables is the primary tool that filters network traffic and is responsible for system security. In modern Linux operating systems, iptables has been replaced by nftables, which offers more consistency, improved performance, and support for multiple protocols. Both are managed by creating rules that restrict or allow access to a particular resource.
You can create rules directly in nftables to manage network traffic, but making direct changes in nftables requires more skill and knowledge. If you are reading this article, it's safe to assume that you are a beginner and should not interact with nftables directly, even though doing so would give you more control, flexibility, and room for customization. This is where firewall management tools come in handy.
UFW rules management
Almost all Debian-based distributions come with ufw as the default firewall management tool. A firewall management tool acts as a frontend for nftables on a Linux system. Instead of working directly with the complexities of nftables syntax, these tools provide a more user-friendly interface for managing network traffic flow. They work with rules that define which resources are accessible and which are restricted.
Although ufw was originally designed for iptables, newer versions work with nftables as well. It's a command-line tool that lets users interact with nftables through simple firewall rules.
To get started, first make sure ufw is installed on your system. Run the command below:
sudo apt list ufw
If your terminal shows the same output, with ufw marked as installed, ufw is present on your system. If it is not installed, use the following command to install it:
sudo apt -y install ufw
Usually the systemd service is already enabled, but if you have to do it manually, the command
sudo systemctl enable --now ufw
will enable and start the ufw systemd service.
ufw provides pre-defined configurations for most common tasks, which simplifies firewall management. When the goal is a basic configuration and common tasks, such a tool is the better choice.
Check UFW status
You are probably using ufw for the first time, which is why it will be in the inactive state. Use the commands below to check its status and enable the firewall:
sudo ufw status
sudo ufw enable
As the names suggest, the first command outputs the status of the firewall and the second enables it. From now on, ufw will start automatically after every system reboot.
To check the current firewall rules, use the command below:
sudo ufw status verbose
As in the image above, all incoming traffic is denied and all outgoing traffic is allowed. This is the default policy, which simply means that network connections can be established from the system but not to the system. There are no custom rules yet, but we'll add some allow and deny rules in the next sections.
Allow rule for port
Adding an allow rule in ufw makes the particular resource accessible over the network. Just remember that whenever we create a rule in ufw, we are indirectly interacting with nftables. Suppose we want to allow TCP port 22, the port used for SSH connections; we use the following command to add the appropriate rule in ufw:
sudo ufw allow 22/tcp
After adding the rule, run the following command again to check the rules:
sudo ufw status verbose
As shown in the image above, the first command adds a new allow rule to the ufw firewall and the second lists all rules so the new one can be verified. In the list, the first rule applies to IPv4 addresses and the second to IPv6 addresses (marked v6). The system can now be reached over SSH.
Remove rule for port
There are two primary ways to remove a rule from the ufw firewall: by repeating the rule in full (the verbose method) or by its index number from the numbered status list. When it comes to removing a port or service rule, the verbose method is more efficient.
To remove the allow rule using the verbose method, use the command below:
sudo ufw delete allow 22/tcp
In the command above, allow 22/tcp identifies the allow rule for TCP port 22 that should be removed. The rule has now been removed from the ufw firewall, and SSH connections to the system are no longer allowed.
Allow rule for IP Address
The ufw syntax for an IP address rule is a bit different from that of a port rule. To allow network connections originating from a specific IP address, add a rule like this:
sudo ufw allow from 192.168.1.47
Now run the command below to list the rules and verify that the new rule has been added:
sudo ufw status numbered
All connection requests originating from the IP address 192.168.1.47 are now allowed through the firewall. In other words, this IP address is whitelisted.
Allow rule for subnet
You can also create a rule that allows an entire subnet rather than a single IP address. Use the command below:
sudo ufw allow in on ens33 from 192.168.1.0/24
Instead of allowing a single IP address, we created a rule that allows the entire subnet on the ens33 interface. In the command, allow in specifies the rule action, which is to allow incoming traffic; on ens33 names the interface; and from 192.168.1.0/24 specifies the subnet itself. Now run the command below to list the rules and verify that the new rule has been added:
sudo ufw status numbered
The 192.168.1.0/24 subnet on the ens33 interface is now whitelisted in the ufw firewall. Any IP address in this subnet can establish a connection to the system and access its resources.
To allow incoming traffic from the 192.168.1.0/24 subnet on any interface, use:
sudo ufw allow from 192.168.1.0/24
Instead of explicitly naming an interface, this form applies to traffic coming from that subnet regardless of the interface it arrives on.
Deny rule for IP Address
You can also create a rule that denies network access for a specific IP address in the ufw firewall. Use the following command to create the rule:
sudo ufw deny from 192.168.1.10
The IP address 192.168.1.10 is now denied in the ufw firewall. All other IP addresses in the 192.168.1.0/24 subnet are still allowed to connect to the system (the rule added previously allows the entire subnet), except 192.168.1.10. Keep in mind that ufw evaluates rules in order and stops at the first match, so this deny rule only takes effect if it comes before the subnet allow rule. To place it at the top of the list instead of appending it, use:
sudo ufw insert 1 deny from 192.168.1.10
Deny rule for subnet
Just as you can allow a subnet, you can also deny network traffic from an entire subnet. Use the following command:
sudo ufw deny in on ens33 from 10.0.1.0/24
All incoming network traffic from the 10.0.1.0/24 subnet arriving on ens33 is now blocked by this rule. Keep in mind that the rule applies only to the specified interface.
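To see why the order of the address rules in the last four sections matters, here is an added example that is not from the original article or from the ufw project: a small POSIX sh model of ufw's first-match evaluation over an ordered list of from-address rules. The rule list, the IP addresses and the function names (ip2int, cidr_match, first_match) are constructed for the illustration, and only the source-address part of a rule is modelled; interfaces, ports and protocols are left out.

```shell
#!/bin/sh
# Added example: a miniature model of ufw's first-match rule evaluation.
# Only the "from <address|subnet>" part of a rule is modelled; interface,
# port and protocol matching are left out. Not ufw's own code.

# ip2int: convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# cidr_match IP CIDR: succeed when IP lies inside CIDR.
# A bare address (no "/prefix") is treated as a /32, as ufw does.
cidr_match() {
    net=${2%/*}
    case $2 in
        */*) bits=${2#*/} ;;
        *)   bits=32 ;;
    esac
    # host = 2^(32-bits); mask = 2^32 - host (POSIX sh has no ** operator)
    host=1; i=$bits
    while [ "$i" -lt 32 ]; do host=$((host * 2)); i=$((i + 1)); done
    mask=$((4294967296 - host))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# first_match IP 'action cidr' ...: walk the rules in order and print the
# action of the first rule whose source matches IP. With no match, fall back
# to ufw's default incoming policy, which this article leaves at deny.
first_match() {
    ip=$1
    shift
    for rule in "$@"; do
        action=${rule%% *}
        src=${rule#* }
        if cidr_match "$ip" "$src"; then
            echo "$action"
            return 0
        fi
    done
    echo "deny (default policy)"
}

# Constructed scenario from the article: the subnet allow rule was added
# first and the single-host deny rule second, then the order is swapped as
# "sudo ufw insert 1 deny from 192.168.1.10" would do.
demo() {
    echo "article order,  192.168.1.10: $(first_match 192.168.1.10 'allow 192.168.1.0/24' 'deny 192.168.1.10')"
    echo "after insert 1, 192.168.1.10: $(first_match 192.168.1.10 'deny 192.168.1.10' 'allow 192.168.1.0/24')"
    echo "after insert 1, 192.168.1.47: $(first_match 192.168.1.47 'deny 192.168.1.10' 'allow 192.168.1.0/24')"
    echo "outside subnet, 10.0.1.5:     $(first_match 10.0.1.5 'deny 192.168.1.10' 'allow 192.168.1.0/24')"
}
demo
```

With the rules in the order the article adds them, the host 192.168.1.10 still gets allow, because the /24 allow rule matches first; only after the deny rule is moved ahead of it does the host get deny, while 192.168.1.47 stays allowed and addresses outside the subnet fall through to the default policy.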
Allow SSH from specific IP Address
To allow remote access to the system, the SSH port must be open. But exposing it to everyone can pose a security risk. One way to secure SSH access is to limit it to a specific IP address. Create a ufw rule for this:
sudo ufw allow from 10.0.1.5 proto tcp to any port 22
With this rule in place, the IP address 10.0.1.5 can access the system over SSH, while SSH is denied for all other IP addresses (the broader allow 22/tcp rule was removed earlier, so nothing else lets port 22 through).
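A quick way to verify that the firewall is actually in the state the last few sections describe is to audit the text that sudo ufw status verbose prints. The script below is an added example, not code from the article or the ufw project: it checks that the default incoming policy is deny (or reject) and that no rule allows SSH from Anywhere. The two status listings embedded in it are constructed samples in the format ufw prints, and the function names (audit_ufw_status, audit_summary) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the text printed by 'ufw status verbose' for two
# things this article cares about: the default incoming policy must be
# deny (or reject), and no rule may allow SSH from Anywhere. Not ufw's own
# code. On a live system run:  sudo ufw status verbose | audit_ufw_status

# audit_ufw_status: read status output on stdin, print one "FINDING:" line
# per problem and a final "findings: N" summary line.
audit_ufw_status() {
    awk '
        /^Default:/ {
            if ($0 !~ /(deny|reject) \(incoming\)/) {
                print "FINDING: default incoming policy is not deny/reject"
                n++
            }
            next
        }
        # Fold the IPv6 rows ("22/tcp (v6) ... Anywhere (v6)") onto the
        # IPv4 shape so both are parsed with the same field positions.
        { gsub(/ \(v6\)/, "") }
        $2 == "ALLOW" {
            # "ufw status verbose" prints "ALLOW IN"; plain "ufw status" prints
            # "ALLOW" only, so the From column is field 4 or field 3.
            from = ($3 == "IN" || $3 == "OUT" || $3 == "FWD") ? $4 : $3
            if ($1 ~ /^(22|22\/tcp|ssh|OpenSSH)$/ && from == "Anywhere") {
                print "FINDING: rule \"" $1 "\" allows SSH from Anywhere"
                n++
            }
        }
        END { print "findings: " (n + 0) }
    '
}

# Constructed sample: the state after "sudo ufw allow 22/tcp" plus the
# HTTP/HTTPS rules, with SSH reachable from any address (v4 and v6).
OPEN_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# Constructed sample: SSH limited to one address, as after
# "sudo ufw allow from 10.0.1.5 proto tcp to any port 22".
LOCKED_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    10.0.1.5
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# audit_summary TEXT: run the audit over a status listing held in a variable
# and print only the summary line.
audit_summary() {
    printf '%s\n' "$1" | audit_ufw_status | tail -n 1
}

printf '%s\n' "$OPEN_STATUS" | audit_ufw_status
printf '%s\n' "$LOCKED_STATUS" | audit_ufw_status
```

The first sample reports two findings (the IPv4 and the IPv6 rule for port 22), the second reports none. The "(v6)" markers are stripped before parsing so that the IPv6 rows, which ufw prints with the same action and source columns, are checked exactly like the IPv4 rows.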
Allow rule for HTTP & HTTPS
Instead of IP addresses, subnets, and port numbers, you can also use service names to create rules in the ufw firewall. HTTP is used by web servers to serve their content on TCP port 80 (the default port), while HTTPS is the secure version of the same protocol and uses TCP port 443. To allow HTTP and HTTPS through the firewall, create rules with the commands below:
sudo ufw allow http
sudo ufw allow https
As shown in the image above, HTTP port 80 and HTTPS port 443 are now allowed to receive incoming requests from both IPv4 and IPv6 addresses. The commands
sudo ufw allow 80
and
sudo ufw allow 443
can also be used to allow HTTP and HTTPS traffic respectively.
Allow rule for MySQL
By default, ufw denies all incoming traffic, including traffic to a MySQL server. To allow MySQL through the firewall, use the following command:
sudo ufw allow mysql
MySQL uses TCP port 3306 by default. With the command above, we've added an allow rule for the mysql service that permits that traffic.
Remove a rule
To remove an existing deny or allow rule from the ufw firewall, we first need to know the index number of that rule. To find it, use the command below:
sudo ufw status numbered
The command above lists all rules in the ufw firewall. Suppose you want to remove the 80/tcp (v6) rule, which allows HTTP traffic from IPv6 addresses. As can be seen in the image, its index number is 4. Use the command below to remove it:
sudo ufw delete 4
You will be prompted to confirm the removal of the rule. Press y to confirm, and the system will no longer allow IPv6 addresses to reach the web server over HTTP. In this way you can delete any rule by specifying its index number. Note that the remaining rules are renumbered after a deletion, so run sudo ufw status numbered again before deleting another rule by index.
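Because the index numbers shift after each deletion, a script that deletes several rules by index must work from the highest index down. The following is an added example, not code from the article or the ufw project: it finds rules in the output of sudo ufw status numbered by a substring of their text and prints the matching delete commands highest index first. The sample listing is constructed in the format ufw prints, the function names (rule_indexes, delete_cmds, find_rules, plan_deletes) are assumptions of this example, and --force is ufw's real option for skipping the y/n prompt.

```shell
#!/bin/sh
# Added example: locate ufw rules by a substring of their text in the output
# of 'ufw status numbered' and emit delete commands highest index first, so
# deleting one rule does not shift the index of the next target. Not ufw's
# own code; the sample output and the function names are constructed here.

# rule_indexes NEEDLE: read 'ufw status numbered' output on stdin and print
# the index of every rule whose text contains NEEDLE, in descending order.
rule_indexes() {
    needle="$1" awk '
        /^\[ *[0-9]+]/ {
            idx = $0
            sub(/^\[ */, "", idx); sub(/].*/, "", idx)     # "[ 4] ..." -> "4"
            rule = $0
            sub(/^\[ *[0-9]+] */, "", rule)                # text after the index
            if (index(rule, ENVIRON["needle"]) > 0) print idx
        }
    ' | sort -rn
}

# delete_cmds NEEDLE: turn the indexes into "ufw --force delete N" lines
# (--force skips the y/n confirmation). The lines are printed, not executed,
# so they can be reviewed before being piped to sh on the real host.
delete_cmds() {
    rule_indexes "$1" | while read -r idx; do
        echo "ufw --force delete $idx"
    done
}

# Constructed sample of 'sudo ufw status numbered' after the article's
# SSH, HTTP and HTTPS rules were added.
NUMBERED='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# find_rules NEEDLE / plan_deletes NEEDLE: run the functions above over the
# sample so the result can be checked without a live firewall.
find_rules()   { printf '%s\n' "$NUMBERED" | rule_indexes "$1"; }
plan_deletes() { printf '%s\n' "$NUMBERED" | delete_cmds "$1"; }

echo "index of the 80/tcp (v6) rule: $(find_rules '80/tcp (v6)')"
echo "commands to drop every port-80 rule, highest index first:"
plan_deletes '80/tcp'
```

Matching is a plain substring match on the rule text, so '80/tcp (v6)' selects only rule 4 while '80/tcp' selects rules 4 and 2; printing rule 4 first means rule 2 keeps its number after the first delete runs.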
Endnote
This article was a simple overview of the ufw firewall. Just remember that, by default, all incoming traffic is denied and all outgoing traffic is allowed. We create rules to allow or deny a specific resource such as a port, IP address, or subnet. You can use the command
sudo ufw reset
to reset the firewall cleanly to its defaults. ufw is not limited to the commands used in this article; run
ufw --help
for more options that can be used with the firewall tool.