The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled. (Gufw is a GUI that is available as a frontend).
To Set Default Rule
Setting the default mode of ufw is recommended before turning it on. This will deny or allow all incoming connections.
Set Default Deny:
sudo ufw default deny
Set Default Allow:
sudo ufw default allow
Enable and Disable
You can enable and disabke ufw with these commands.
Unless you have set the default to deny when you initially enable ufw, it is in ALLOW mode and will allow everything incoming and outgoing until you create rulesets.
To turn UFW on:
sudo ufw enable
To disable ufw use:
sudo ufw disable
Allow and Deny
Allow
sudo ufw allow /
Example: To allow incoming tcp and udp packet on port 53
sudo ufw allow 53
Example: To allow incoming tcp packets on port 53
sudo ufw allow 53/tcp
Example: To allow incoming udp packets on port 53
sudo ufw allow 53/udp
Deny
sudo ufw deny /
Example: To deny tcp and udp packets on port 53
sudo ufw deny 53
Example: To deny incoming tcp packets on port 53
sudo ufw deny 53/tcp
Example: To deny incoming udp packets on port 53
sudo ufw deny 53/udp
Delete Existing Rule
To delete a rule, simply prefix the original rule with delete. For example, if the original rule was:
ufw deny 80/tcp
Use this to delete it:
sudo ufw delete deny 80/tcp
Delete by number
List the rules by number with:
sudo ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] Apache ALLOW IN Anywhere
[ 2] 53/tcp ALLOW IN Anywhere
[ 3] 53/udp ALLOW IN AnywhereDelete (rule nr 2) with:
sudo ufw delete 2
Services
You can also allow or deny by service name since ufw reads from /etc/services To see get a list of services:
less /etc/services
Allow by Service Name
sudo ufw allow
Example: to allow ssh by name
sudo ufw allow ssh
Deny by Service Name
sudo ufw deny
Example: to deny ssh by name
sudo ufw deny ssh
Status
Checking the status of ufw will tell you if ufw is enabled or disabled. This will also list the current ufw rules that are applied to your iptables.
To check the status of ufw:
sudo ufw status Firewall loaded To Action From -- ------ ---- 22:tcp DENY 192.168.0.1 22:udp DENY 192.168.0.1 22:tcp DENY 192.168.0.7 22:udp DENY 192.168.0.7 22:tcp ALLOW 192.168.0.0/24 22:udp ALLOW 192.168.0.0/24
If ufw was not enabled the output would be:
sudo ufw status Status: inactive
Logging
To enable logging use:
sudo ufw logging on
To disable logging use:
sudo ufw logging off
Advanced Syntax
You can also use a fuller syntax, specifying the source and destination addresses and ports.
Allow Access
This section shows how to allow specific access.
Allow by Specific IP:
sudo ufw allow from
Example: To allow packets from 123.456.789.123:
sudo ufw allow from 123.456.789.123
Allow by Subnet
You may use a net mask :
sudo ufw allow from 192.168.1.0/24
Allow by specific port and IP address
sudo ufw allow from to port
Example: allow ip address 192.168.0.4 access to port 22 for all protocols
sudo ufw allow from 192.168.0.4 to any port 22
Enable PING
Note: Security by obscurity may be of very little actual benefit with modern cracker scripts.
By default, ufw allows ping requests. You may find you wish to leave (icmp) ping requests enabled to diagnose networking problems.
You need to edit
/etc/ufw/before.rules
and remove edit the following lines:
# ok icmp codes -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT Change the "ACCEPT" to "DROP" or # ok icmp codes -A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP -A ufw-before-input -p icmp --icmp-type source-quench -j DROP -A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP -A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP -A ufw-before-input -p icmp --icmp-type echo-request -j DROP
Deny Access
Deny by specific IP
sudo ufw deny from
Example:
To block packets from 123.456.789.123:
sudo ufw deny from 123.456.789.123
Deny by specific port and IP address
sudo ufw deny from to port
Example: deny ip address 192.168.0.1 access to port 22 for all protocols
sudo ufw deny from 192.168.0.1 to any port 22
Advanced Blocking Rules
Blocking IP addresses is not so straight forward if you have an existing set of rules as IPTABLES matches in order.
So, if you started with default deny and added in port 80 for a public server :
sudo ufw allow 80
But then find IP address 123.456.789.123 is hacking your server :
sudo ufw deny 123.456.789.123
will do nothing (you allowed access with your first rule).
You need to edit
/etc/ufw/before.rules
and add a section “Block IP” after “Drop INVALID packets” :
-A ufw-before-input -s 123.456.789.123 -j DROP #Assuming no loging is desired of course) # drop INVALID packets # uncomment to log INVALID packets #-A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW B$ -A ufw-before-input -m conntrack --ctstate INVALID -j DROP # Block IP -A ufw-before-input -s 123.456.789.123 -j DROP
