UFW, or Uncomplicated Firewall, is a front end to iptables designed to simplify the process of configuring a firewall. Although iptables is a reliable and flexible tool, it is difficult for beginners to learn how to use it to configure a firewall properly. If you want to start protecting your network and are not sure which tool to use, UFW may be the right choice for you.
This tutorial will show you how to set up a firewall using UFW on Ubuntu 14.04.
Before you start using this tutorial, you should have a separate non-root superuser account, that is, a user with sudo privileges, set up on your Ubuntu server. You can learn how to do this in Add sudo permissions to non-root users under Linux. Students who don't have a server can buy one from here, but I personally recommend that you use the free Tencent Cloud Developer Lab for experimentation, and then buy a server.
UFW is installed on Ubuntu by default. If it has been uninstalled for some reason, you can install it with the apt-get command:
sudo apt-get install ufw
If your Ubuntu server has IPv6 enabled, make sure to configure UFW to support IPv6 so that in addition to IPv4, you can also manage IPv6 firewall rules. To do this, open the UFW configuration with your favorite editor. We will use nano:
sudo nano /etc/default/ufw
Then make sure that the value of IPV6 is yes. It should look like this:
...
IPV6=yes
...
Save and exit. Press Ctrl-X to exit the file, then Y to save the changes you made, and then ENTER to confirm the file name.
Once UFW is enabled, it will be configured to write both IPv4 and IPv6 firewall rules. This tutorial is written with IPv4 in mind, but everything in it also works for IPv6 as long as you have enabled it.
You can check the status of UFW at any time using the following command:
sudo ufw status verbose
By default, UFW is disabled, so you should see something like this:
Status: inactive
If UFW is active, the output will indicate that it is active, and it will list all the rules that have been set. For example, if the firewall is set to allow SSH (port 22) connections from anywhere, the output might look like this:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
So whenever you need to check how UFW has configured the firewall, use the status command.
Before enabling UFW, we need to make sure that the firewall is configured to allow you to connect via SSH. Let's start by setting the default policy.
If you are just starting to use a firewall, the first rules to define are your default policies. These rules control how to handle traffic that does not explicitly match any other rule. By default, UFW is set to deny all incoming connections and allow all outgoing connections. This means that anyone trying to reach your [cloud server](https://cloud.tencent.com/product/cvm?from=10680) cannot connect, while any application on the server can reach the outside world.
Let's set your UFW rules back to default values so that we can make sure you can follow this tutorial. To set the default value used by UFW, use the following command:
sudo ufw default deny incoming
sudo ufw default allow outgoing
As you might have guessed, these commands set the defaults to deny incoming and allow outgoing connections. These firewall defaults alone might be sufficient for a personal computer, but servers usually need to respond to incoming requests from external users. We will look at that next.
If we enabled our UFW firewall now, it would deny all incoming connections. This means that we need to create rules that explicitly allow legitimate incoming connections, such as SSH or HTTP connections, if we want the server to respond to those types of requests. If you are using a cloud server, you will need to allow incoming SSH connections so that you can connect to and manage the server.
To configure the server to allow incoming SSH connections, you can use this UFW command:
sudo ufw allow ssh
This will create a firewall rule that allows all connections on port 22, which is the port the SSH daemon listens on by default. UFW knows what "ssh", and a number of other service names, mean because they are listed in the /etc/services file, where ssh is mapped to port 22.
We can actually write the equivalent rule by specifying the port number instead of the service name. For example, this command does the same thing as the one above:
sudo ufw allow 22
If you configure the SSH daemon to use a different port, you must specify the corresponding port. For example, if the SSH server is listening on port 2222, you can use this command to allow connections on that port:
sudo ufw allow 2222
Now that your firewall is configured to allow incoming SSH connections, we can enable it.
To enable UFW, use the following command:
sudo ufw enable
You will receive a warning stating that "the command may break an existing ssh connection". We have already set up a firewall rule that allows SSH connections, so it is fine to continue. Reply to the prompt with y.
The firewall is now active. Feel free to run the sudo ufw status verbose command to see the rules that have been set.
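Before running sudo ufw enable it pays to check mechanically, rather than by eye, that an SSH allow rule really is in place. The following script is an added example, not part of the original tutorial: it reads the list printed by ufw show added (one "ufw allow ..." line per rule that has been added, whether or not UFW is active yet), looks for a rule covering the SSH port, and only then enables UFW with --force, which skips the y/n prompt. The SSH_PORT variable, the function names and the sample rule lines used to exercise it are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): refuse to enable UFW
# unless a rule allowing inbound SSH has already been added.

SSH_PORT="${SSH_PORT:-22}"   # assumed default; set SSH_PORT=2222 if sshd was moved

# has_ssh_allow_rule: read "ufw show added" output on stdin and return 0 if
# some "ufw allow ..." (or rate-limited "ufw limit ...") line names the SSH
# port, as a bare number, as "22/tcp", or as the "ssh"/"OpenSSH" service
# name. "deny" lines and other ports (2222, 22/udp) do not count.
has_ssh_allow_rule() {
    awk -v p="$SSH_PORT" '
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") {
            for (i = 3; i <= NF; i++) {
                t = $i; sub("/tcp$", "", t)
                if (t == p || t == "ssh" || t == "OpenSSH") found = 1
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# safe_enable: the guarded replacement for a bare "sudo ufw enable".
safe_enable() {
    if sudo ufw show added | has_ssh_allow_rule; then
        sudo ufw --force enable          # --force answers the y/n prompt for us
    else
        echo "refusing to enable UFW: no allow rule for SSH port $SSH_PORT" >&2
        return 1
    fi
}

# Only touch the real firewall when explicitly asked, so the functions
# above can be sourced and exercised against sample input first.
case "${1:-}" in
    --apply) safe_enable ;;
esac
```

Run it as sh guarded-enable.sh --apply on the server; without --apply it only defines the functions, so you can source it and pipe constructed "ufw allow ..." lines into has_ssh_allow_rule to see what it accepts.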
Now you should allow all of the other connections that your server needs to respond to. Which connections you should allow depends on your specific needs. Fortunately, you already know how to write rules that allow connections based on a service name or port; we did this for SSH on port 22.
We will show some very common examples of services that you may need to allow. If you have other services for which you want to allow all incoming connections, follow the same format.
Use this command to allow HTTP connections, which are connections used by unencrypted web servers:
sudo ufw allow http
If you prefer to use port number 80, use the following command:
sudo ufw allow 80
You can use the following command to allow HTTPS connections (connections used by encrypted web servers):
sudo ufw allow https
If you prefer to use port number 443, use the following command:
sudo ufw allow 443
To allow FTP connections, which are used for unencrypted file transfer (and which you probably shouldn't be using anyway), use this command:
sudo ufw allow ftp
If you prefer to use port number 21, use the following command:
sudo ufw allow 21/tcp
You can use UFW to specify the port range. Some applications use multiple ports instead of a single port.
For example, to allow X11 connections using port 6000-6007, use the following command:
sudo ufw allow 6000:6007/tcp
sudo ufw allow 6000:6007/udp
When specifying a port range with UFW, you must specify the protocol (tcp or udp) to which the rule should apply. We didn't mention this before because leaving out the protocol simply allows both protocols, which is fine in most cases.
When using UFW, you can also specify IP addresses. For example, if you want to allow connections from a specific IP address, such as a work or home IP address of 15.15.15.51, you need to specify "from" followed by the IP address:
sudo ufw allow from 15.15.15.51
You can also specify a particular port that the IP address is allowed to connect to by adding "to any port" followed by the port number. For example, if you want to allow 15.15.15.51 to connect to port 22 (SSH), use the following command:
sudo ufw allow from 15.15.15.51 to any port 22
If you want to allow a subnet of IP addresses, you can use CIDR notation to specify the netmask. For example, if you want to allow the whole range of IP addresses from 15.15.15.1 to 15.15.15.254, you can use this command:
sudo ufw allow from 15.15.15.0/24
Likewise, you can specify the destination port that the 15.15.15.0/24 subnet is allowed to connect to. Again, we will use port 22 (SSH) as an example:
sudo ufw allow from 15.15.15.0/24 to any port 22
If you want to create a firewall rule that only applies to a specific network interface, you can do so by specifying "allow in on" followed by the name of the network interface.
You may want to find the network interface before continuing. To do this, use the following command:
ip addr
The output will look something like this:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
...
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
...
The interface names are shown before the colon; they are typically named something like eth0 or eth1.
So if your server has a public network interface called eth0, you can allow HTTP traffic (port 80) on it with the following command:
sudo ufw allow in on eth0 to any port 80
Doing so will allow your server to receive HTTP requests from the public Internet.
Or, if you want your MySQL database server (port 3306) to accept connections on the private network interface eth1, for example, you can use this command:
sudo ufw allow in on eth1 to any port 3306
This will allow other servers on the private network to connect to the MySQL database.
If you have not changed the default policy for incoming connections, UFW is configured to deny all incoming connections. Generally, this simplifies the process of creating a secure firewall policy by requiring you to create rules that explicitly allow specific ports and IP addresses. However, sometimes you will want to deny specific connections based on the source IP address or subnet, perhaps because you know your server is being attacked from there. Also, if you want to change your default incoming policy to allow (which is not recommended for security reasons), you need to create deny rules for any services or IP addresses that you don't want to allow connections for.
To write a deny rule, you can use the commands described above, replacing "allow" with "deny".
For example, to reject HTTP connections, you can use the following command:
sudo ufw deny http
Or, if you want to deny all connections from 15.15.15.51, you can use the following command:
sudo ufw deny from 15.15.15.51
If you need help writing any other deny rules, please review the previous allow rules and update them accordingly.
Now let us see how to delete a rule.
Knowing how to delete firewall rules is just as important as knowing how to create them. There are two different ways to specify which rule to delete: by rule number or by the actual rule (similar to how the rule was specified when it was created). We will start with the delete-by-rule-number method because it is easier, compared with writing out the actual rules, if you are new to UFW.
If you want to delete a firewall rule by its number, the first thing you need to do is get a numbered list of your firewall rules. The UFW status command can optionally display a number next to each rule, as shown here:
sudo ufw status numbered
Numbered Output:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    15.15.15.0/24
[ 2] 80                         ALLOW IN    Anywhere
If we decide to delete rule 2, the one that allows port 80 (HTTP) connections, we can specify it in the UFW delete command like this:
sudo ufw delete 2
This will show a confirmation prompt and then delete rule 2, which allows HTTP connections. Note that if you have IPv6 enabled, you also need to delete the corresponding IPv6 rule.
An alternative to the rule number is to specify the actual rule to delete. For example, if you want to delete the "allow http" rule, you can write:
sudo ufw delete allow http
You can also specify the rule by "allow 80" instead of by the service name:
sudo ufw delete allow 80
This method will delete IPv4 and IPv6 rules (if they exist).
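Deleting by rule number has a trap worth automating around: the numbers shift after every deletion, so a list of numbers must be deleted from the highest down. The script below is an added example, not code from the original tutorial; it ties together the deny/restrict advice above and the numbered-delete procedure by parsing the table printed by ufw status numbered (the same layout shown above), flagging ALLOW IN rules that expose a sensitive port to Anywhere, and emitting the matching sudo ufw delete commands highest number first. The SENSITIVE_PORTS list, the function names and the sample status table are assumptions of this example; rules bound to a specific interface (such as "3306 on eth1") are skipped because the tutorial uses those deliberately for private networks.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit "ufw status numbered"
# output for over-broad ALLOW IN rules and emit the deletions, highest rule
# number first, so that earlier deletions do not renumber later ones.

# Ports that should normally not be reachable from "Anywhere" (assumed list;
# adjust to your environment).
SENSITIVE_PORTS="${SENSITIVE_PORTS:-22,3306}"

# overbroad_rules: read "ufw status numbered" text on stdin; print, in
# descending order, the numbers of ALLOW IN rules that expose a sensitive
# port to Anywhere (IPv4 or IPv6). Interface-bound rules ("3306 on eth1")
# are left alone.
overbroad_rules() {
    awk -v ports="$SENSITIVE_PORTS" '
    BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) sensitive[p[i]] = 1 }
    /^\[ *[0-9]+\]/ {
        num = $0; sub("^\\[ *", "", num); sub("\\].*$", "", num)
        rest = $0; sub("^\\[ *[0-9]+\\] *", "", rest)
        if (!match(rest, /(ALLOW|DENY|REJECT|LIMIT) (IN|OUT|FWD)/)) next
        to = substr(rest, 1, RSTART - 1); sub(" +$", "", to)
        action = substr(rest, RSTART, RLENGTH)
        from = substr(rest, RSTART + RLENGTH); sub("^ +", "", from)
        port = to; sub("[ (/].*$", "", port)      # "22/tcp (v6)" -> "22"
        if (action == "ALLOW IN" && (port in sensitive) &&
            from ~ /^Anywhere/ && to !~ / on /)
            print num
    }' | sort -rn
}

# delete_commands: turn the flagged numbers into commands to review and run.
delete_commands() {
    overbroad_rules | while read -r n; do
        echo "sudo ufw delete $n"
    done
}

# Constructed sample of "ufw status numbered" output for a stand-alone run.
SAMPLE_STATUS=$(cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    15.15.15.0/24
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 3306                       ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 3306 on eth1               ALLOW IN    Anywhere
[ 6] 22/tcp                     DENY IN     15.15.15.51
EOF
)

if [ "${1:-}" = "--live" ]; then
    sudo ufw status numbered | delete_commands   # inspect, then run what it prints
else
    printf '%s\n' "$SAMPLE_STATUS" | delete_commands
fi
```

On the constructed sample this prints sudo ufw delete 4 and then sudo ufw delete 3: rule 1 is restricted to a subnet, rule 2 is HTTP and not in the sensitive list, rule 5 is interface-bound, and rule 6 is a deny. Each ufw delete still asks for confirmation, as described above, and the script deliberately only prints the commands rather than running them.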
If you decide that you don't want to use UFW for any reason, you can disable it with the following command:
sudo ufw disable
Any rules you created with UFW will no longer be active. If you need to activate it again later, you can run sudo ufw enable at any time.
If you have configured UFW rules but you decide to start over, you can use the reset command:
sudo ufw reset
This will disable UFW and delete any rules that were previously defined. Note that the default policies will not be reset to their original settings if you modified them at any point. This should give you a fresh start with UFW.
Your firewall should now be configured to allow (at least) SSH connections. Be sure to allow any other incoming connections that your server needs, while restricting any unnecessary connections, so that your server is both functional and secure.
To learn more about Ubuntu and other open source topics, visit the [Tencent Cloud + Community](https://cloud.tencent.com/developer?from=10680).
Reference: "How To Set Up a Firewall with UFW on Ubuntu 14.04"