The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled. (Gufw is a GUI that is available as a frontend).

To Set Default Rule
Setting the default mode of ufw is recommended before turning it on. This will deny or allow all incoming connections.

Set Default Deny: 

Set Default Allow:

 

Enable and Disable
You can enable and disabke ufw with these commands.
Unless you have set the default to deny when you initially enable ufw, it is in ALLOW mode and will allow everything incoming and outgoing until you create rulesets.

To turn UFW on:

 

To disable ufw use:

 

Allow and Deny
Allow

Example: To allow incoming tcp and udp packet on port 53

Example: To allow incoming tcp packets on port 53

Example: To allow incoming udp packets on port 53

 

Deny

Example: To deny tcp and udp packets on port 53

Example: To deny incoming tcp packets on port 53

Example: To deny incoming udp packets on port 53

 

Delete Existing Rule
To delete a rule, simply prefix the original rule with delete. For example, if the original rule was:

Use this to delete it:

 

Delete by number
List the rules by number with:

Delete (rule nr 2) with:

 

Services
You can also allow or deny by service name since ufw reads from /etc/services To see get a list of services:

Allow by Service Name

Example: to allow ssh by name

Deny by Service Name

Example: to deny ssh by name

 

Status
Checking the status of ufw will tell you if ufw is enabled or disabled. This will also list the current ufw rules that are applied to your iptables.

To check the status of ufw:

If ufw was not enabled the output would be:

 

Logging
To enable logging use:

To disable logging use:

 

Advanced Syntax
You can also use a fuller syntax, specifying the source and destination addresses and ports.

Allow Access
This section shows how to allow specific access.

Allow by Specific IP:

Example: To allow packets from 123.456.789.123:

 

Allow by Subnet
You may use a net mask :

Allow by specific port and IP address

Example: allow ip address 192.168.0.4 access to port 22 for all protocols

 

Enable PING
Note: Security by obscurity may be of very little actual benefit with modern cracker scripts.
By default, ufw allows ping requests. You may find you wish to leave (icmp) ping requests enabled to diagnose networking problems.
You need to edit /etc/ufw/before.rules  and remove edit the following lines:

 

Deny Access
Deny by specific IP

Example:To block packets from 123.456.789.123:

Deny by specific port and IP address

Example: deny ip address 192.168.0.1 access to port 22 for all protocols

 

Advanced Blocking Rules
Blocking IP addresses is not so straight forward if you have an existing set of rules as IPTABLES matches in order.
So, if you started with default deny and added in port 80 for a public server :

But then find IP address 123.456.789.123 is hacking your server :
will do nothing (you allowed access with your first rule).
You need to edit /etc/ufw/before.rules  and add a section “Block IP” after “Drop INVALID packets” :
 [/fusion_builder_column][/fusion_builder_row][/fusion_builder_container]