ufw, or the Uncomplicated Firewall, is a convenient front end for managing iptables on your Ubuntu server. This article provides a brief tutorial on some of the most commonly used commands. ufw is available in Ubuntu from the 8.04 release onward, and the commands here should apply to any current version.
Viewing the ufw Status
To view your firewall status and current rules:
    root@ubuntu# ufw status
    Status: active

    To                         Action      From
    --                         ------      ----
    22                         ALLOW       Anywhere
    80                         ALLOW       Anywhere
To check full status, including defaults, use verbose:
    root@ubuntu# ufw status verbose
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), disabled (routed)
    New profiles: skip

    To                         Action      From
    --                         ------      ----
    22/tcp                     ALLOW IN    192.168.0.1
    80/tcp                     ALLOW IN    Anywhere
    443/tcp                    ALLOW IN    Anywhere
To see a numbered list of your firewall rules, use the numbered directive:
    root@ubuntu# ufw status numbered
    Status: active

         To                         Action      From
         --                         ------      ----
    [ 1] 22                         ALLOW IN    Anywhere
    [ 2] 80                         ALLOW IN    Anywhere
The numbering here matters: ufw evaluates rules in the listed order and the first match wins. A source you block with a DENY rule is not actually blocked if an earlier rule has already allowed the traffic, so place your deny rules before your allow rules:
    root@ubuntu# ufw status numbered
    Status: active

         To                         Action      From
         --                         ------      ----
    [ 1] Anywhere                   DENY IN     54.238.154.7
    [ 2] Anywhere                   DENY IN     192.157.227.154
    [ 3] Anywhere                   DENY IN     191.96.249.80
    [ 4] 22                         ALLOW IN    Anywhere
    [ 5] 80                         ALLOW IN    Anywhere
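As an added example (not part of the original article), here is a small shell check that parses ufw status numbered output and reports every DENY rule that an earlier ALLOW rule would shadow; the two status samples are constructed, the function names are my own, and the check also covers ufw's REJECT action, which the article does not discuss.

```shell
# Added example (not from the original article): flag DENY/REJECT rules that sit
# below an ALLOW in `ufw status numbered` output. ufw evaluates rules top to
# bottom, so a DENY placed after a matching ALLOW never fires.

# Constructed sample modelled on the article's output: the ALLOW for port 22 is
# listed before the DENY, so SSH traffic from the denied address still gets in.
SHADOWED_STATUS='Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] Anywhere                   DENY IN     54.238.154.7
[ 3] 80                         ALLOW IN    Anywhere'

# Constructed sample with the order fixed, as `ufw insert 1 deny ...` produces.
ORDERED_STATUS='Status: active
     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     54.238.154.7
[ 2] 22                         ALLOW IN    Anywhere
[ 3] 80                         ALLOW IN    Anywhere'

# check_rule_order: reads `ufw status numbered` text on stdin and prints the
# number of every DENY/REJECT rule that appears after an earlier ALLOW rule.
# Exit status 0 means the order is safe, 1 means at least one rule is shadowed.
check_rule_order() {
    awk '
        /^\[ *[0-9]+\]/ {
            num = $0
            sub(/^\[ */, "", num)    # strip the leading "[ "
            sub(/\].*/, "", num)     # keep only the rule number
            if ($0 ~ / ALLOW /) seen_allow = 1
            else if ($0 ~ / (DENY|REJECT) / && seen_allow) { print num; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# shadowed_rules: run the check on a status text passed as the argument
# (pipe `ufw status numbered` straight into check_rule_order on a live host).
shadowed_rules() {
    printf '%s\n' "$1" | check_rule_order
}

# Demo: prints "2" for the first sample and the OK line for the second.
shadowed_rules "$SHADOWED_STATUS" || echo "sample 1: DENY rule(s) above are shadowed by an earlier ALLOW"
shadowed_rules "$ORDERED_STATUS" && echo "sample 2: rule order OK"
```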
Set the Defaults
Start from a default policy that drops all incoming traffic and permits outgoing traffic; the allow rules below then open only the ports you need:

    root@ubuntu# ufw default deny incoming
    root@ubuntu# ufw default allow outgoing
Allowing Connections
Allowing a connection from a single IP address to a specified port and protocol:
    root@ubuntu# ufw allow from 192.168.0.1 to any port 22 proto tcp
Allowing connections from a range of IP addresses to a specified port and protocol:
    root@ubuntu# ufw allow from 192.168.0.1/24 to any port 22 proto tcp
Allowing all incoming connections to a known service, using the service name ufw resolves from /etc/services (application profiles, listed with ufw app list, work the same way):

    root@ubuntu# ufw allow ssh
Blocking Connections
To block all incoming connections from the specified IP address, placing the new rule first:
    root@ubuntu# ufw insert 1 deny from 54.238.154.7
To deny all incoming connections from a specified IP address to a specific port and protocol, again inserting the rule at the top of the list:

    root@ubuntu# ufw insert 1 deny from 192.168.0.1 to any port 22 proto tcp
Delete a Rule
Look up the rule's number in the numbered listing, then delete it by that number. Rule numbers shift after each deletion, so re-check the list before deleting another:

    root@ubuntu# ufw status numbered
    Status: active

         To                         Action      From
         --                         ------      ----
    [ 1] 22                         ALLOW IN    Anywhere
    [ 2] 80                         ALLOW IN    Anywhere

    root@ubuntu# ufw delete 2