1. Home
  2. Linux
  3. Ubuntu
  4. How to setup a Firewall on an Ubuntu Server
Searching...

How to setup a Firewall on an Ubuntu Server

Ubuntu Firewall
Ubuntu Firewall

Ubuntu Security

Security of servers deployed in every organization have become a very serious issue as new types of malware, viruses, and Trojans are popping up every day.
Although Linux is known as a stable and secure operating system, viruses and malicious things are becoming increasingly common. Deploying software based firewalls on your server can act as your second line of defence after the hardware based security fence (Hardware firewalls, ID&PS) of your network. These software firewalls add an extra layer of protection to the already deployed security of server.
In this tutorial we will teach you how to setup a firewall for your Ubuntu Server.
Though there are many firewalls available for Ubuntu, we have chosen ‘UFW’ which is a free, lightweight, and easy to use firewall.

Getting Started with UFW.

Ubuntu comes pre-installed with UFW. To check whether UFW is installed on your server, use following command.

sudo dpkg -l ufw

If it is installed, you will see something like the below.

Name          Version                        Architecture Description
===================================================================
ufw            0.35-0ubuntu all          program for managing a Netfilter

This is showing you that version 0.35 of UFW is installed on your server
If you do not find that it is installed on your server, you can follow  two simple steps to install UFW on your Ubuntu Server.
Step 1

sudo apt-get update

Step 2

sudo apt-get install ufw

If both of these steps proceed without error, it means you have successfully installed UFW on your Ubuntu server.
Once installed, you can check whether UFW is active by issuing below command.

sudo ufw status
Status: inactive

By default, it is inactive. You can activate it with following command.

sudo ufw enable

Configuring UFW with IPv6.

UFW also supports a 128-bit IPv6 addressing scheme. To configure UFW to work with IPv6, open the UFW configuration file with following command.

sudo gedit /etc/default/ufw

To ensure UFW compliance with IPv6 addresses, make sure you find the following line in the file.

IPV6=yes

If its set as ‘no’ then change it to ‘yes’. Save the file and restart UFW to implement the changes. You can restart UFW with following command.

sudo ufw reload

Configuring UFW.

The basic purpose of a firewall is to filter out all of the traffic that is passing through it based on rules that are set by the network administrator. UFW, by default, will block all incoming connections toward your server and will allow only outgoing connections. This means that applications and services residing inside your server are free to go out but nothing is allowed to come inside. It is the utmost hard rules that can be deployed for securing any machine.
You can see default input and output policy of UFW installed on your server in the file ‘/etc/default/ufw’.
You can find the following two lines that are blocking all incoming connections and allowing all outbound connections. As soon as you enable UFW on your Ubuntu server, these policies are enforced your server.

DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"

If you have changed values in above two lines and want to revert them back to default values, use following two commands.

sudo ufw default deny incoming
sudo ufw default allow outgoing

The first command will block all incoming traffic and the second will allow all outward traffic.

Setting Connections in UFW.

Next in line is configuring UFW to allow or deny connections to various ports and protocols.
Starting with telnet; if you want to enable the telnet facility to your server, issue below command.

sudo ufw allow telnet

Enabling Telnet is not a good idea, especially in a server environment that is hosted online. Always go for the ‘ssh’ option if you want to access your server over insecure media such as the internet. The following command will help you in enabling the ‘ssh’ facility on your server.

sudo ufw allow ssh

Once you are done with both of these commands, issue the below command to view what changes have been done on UFW.

sudo ufw status

 

Status: active
To                         Action     From
--                         ------     ----
23/tcp                     ALLOW     Anywhere                 
22                         ALLOW     Anywhere                 
23/tcp (v6)                ALLOW     Anywhere (v6)            
22 (v6)                    ALLOW     Anywhere (v6)

From the above output it can be clearly seen that both telnet and ssh services on the server are now enabled. Telnet runs on port 23, while ssh utilizes port no 22.
You can also enable the specific TCP/IP ports of your server. The following command will enable port no 23 which is reserved for telnet.

sudo ufw allow 23/tcp

If you are running telnet on TCP/IP port no 3300, then you can enable telnet by following command.

sudo ufw allow 3300/tcp

Servers are meant to host critical application and services. If you are running email services on your server then you will need to enable ‘smtp’ on your server. You can enable smtp port with the following command.

sudo ufw  allow smtp
Rule added
Rule added (v6)

Next, check the status of UFW to see what changes the last command has done.

sudo ufw status

Status: active

To                         Action    From
--                         ------    ----
23/tcp                     ALLOW     Anywhere                 
22                         ALLOW     Anywhere                 
25/tcp                     ALLOW     Anywhere                 
23/tcp (v6)                ALLOW     Anywhere (v6)            
22 (v6)                    ALLOW     Anywhere (v6)            
25/tcp (v6)                ALLOW     Anywhere (v6)

You can also do this with the following command.

sudo ufw allow 25/tcp

Use the below commands to enable http and ftp on your server.

sudo ufw allow http
sudo ufw allow ftp

The below command will open TFTP port.

sudo ufw allow 69/TCP

Enabling Range of Ports

You can also enable an entire range of ports to allow outside traffic for specific TCP/IP ports. The following command will open ports in the range 4000 to 5000.

sudo ufw allow 4000:5000/tcp

If you want to open udp ports, just replace TCP in above command with UDP.

sudo ufw allow 4000:5000/udp

Allowing IP Based Access

You can also configure UFW to allow traffic from a specific IP to pass through UFW. For instance, the following command will allow traffic coming from IP 11.11.25.25 to your Ubuntu server.

sudo ufw allow from 11.11.25.25

Denying access

Until now, we have discussed how to allow access in UFW. To meet scenarios of denying traffic, there are rules in UFW as well. If you want to close port 25, use the below command.

sudo ufw deny 25/tcp

If you want to deny all traffic coming from a specific IP use the below.

sudo ufw deny from 11.11.25.25

If you want to close range of TCP/IP ports, then use the below.

sudo ufw deny 4000:5000/tcp

Deleting Rules.

UFW also gives you the option to delete rules that you have defined previously.
The following are three different commands that will delete the  three rules which were created in previous sections.

sudo ufw delete deny 25/tcp
sudo ufw delete deny from 11.11.25.25
sudo ufw delete deny 4000:5000/tcp

Some Useful Stuff

There are many commands in UFW that allow you to do variety of things.
To reset all values of UFW.

sudo ufw reset

To check UFW version.

sudo ufw version

The UFW is command line tool that allows interaction by only set of commands. You can also use its GUI version which is Gufw. Gufw is great tool to manage UFW if you are not comfortable in playing with commands.

Updated on December 23, 2018
Tagged:

Was this article helpful?

Yes No

Related Articles

Leave a Comment

[apsl-login-lite login_text='Please login with a social account']