How to setup a Firewall on an Ubuntu Server
Security of servers deployed in every organization have become a very serious issue as new types of malware, viruses, and Trojans are popping up every day.
Although Linux is known as a stable and secure operating system, viruses and malicious things are becoming increasingly common. Deploying software based firewalls on your server can act as your second line of defence after the hardware based security fence (Hardware firewalls, ID&PS) of your network. These software firewalls add an extra layer of protection to the already deployed security of server.
In this tutorial we will teach you how to setup a firewall for your Ubuntu Server.
Though there are many firewalls available for Ubuntu, we have chosen ‘UFW’ which is a free, lightweight, and easy to use firewall.
Getting Started with UFW.
Ubuntu comes pre-installed with UFW. To check whether UFW is installed on your server, use following command.
sudo dpkg -l ufw
If it is installed, you will see something like the below.
Name Version Architecture Description =================================================================== ufw 0.35-0ubuntu all program for managing a Netfilter
This is showing you that version 0.35 of UFW is installed on your server
If you do not find that it is installed on your server, you can follow two simple steps to install UFW on your Ubuntu Server.
sudo apt-get update
sudo apt-get install ufw
If both of these steps proceed without error, it means you have successfully installed UFW on your Ubuntu server.
Once installed, you can check whether UFW is active by issuing below command.
sudo ufw status
By default, it is inactive. You can activate it with following command.
sudo ufw enable
Configuring UFW with IPv6.
UFW also supports a 128-bit IPv6 addressing scheme. To configure UFW to work with IPv6, open the UFW configuration file with following command.
sudo gedit /etc/default/ufw
To ensure UFW compliance with IPv6 addresses, make sure you find the following line in the file.
If its set as ‘no’ then change it to ‘yes’. Save the file and restart UFW to implement the changes. You can restart UFW with following command.
sudo ufw reload
The basic purpose of a firewall is to filter out all of the traffic that is passing through it based on rules that are set by the network administrator. UFW, by default, will block all incoming connections toward your server and will allow only outgoing connections. This means that applications and services residing inside your server are free to go out but nothing is allowed to come inside. It is the utmost hard rules that can be deployed for securing any machine.
You can see default input and output policy of UFW installed on your server in the file ‘/etc/default/ufw’.
You can find the following two lines that are blocking all incoming connections and allowing all outbound connections. As soon as you enable UFW on your Ubuntu server, these policies are enforced your server.
If you have changed values in above two lines and want to revert them back to default values, use following two commands.
sudo ufw default deny incoming sudo ufw default allow outgoing
The first command will block all incoming traffic and the second will allow all outward traffic.
Setting Connections in UFW.
Next in line is configuring UFW to allow or deny connections to various ports and protocols.
Starting with telnet; if you want to enable the telnet facility to your server, issue below command.
sudo ufw allow telnet
Enabling Telnet is not a good idea, especially in a server environment that is hosted online. Always go for the ‘ssh’ option if you want to access your server over insecure media such as the internet. The following command will help you in enabling the ‘ssh’ facility on your server.
sudo ufw allow ssh
Once you are done with both of these commands, issue the below command to view what changes have been done on UFW.
sudo ufw status
Status: active To Action From -- ------ ---- 23/tcp ALLOW Anywhere 22 ALLOW Anywhere 23/tcp (v6) ALLOW Anywhere (v6) 22 (v6) ALLOW Anywhere (v6)
From the above output it can be clearly seen that both telnet and ssh services on the server are now enabled. Telnet runs on port 23, while ssh utilizes port no 22.
You can also enable the specific TCP/IP ports of your server. The following command will enable port no 23 which is reserved for telnet.
sudo ufw allow 23/tcp
If you are running telnet on TCP/IP port no 3300, then you can enable telnet by following command.
sudo ufw allow 3300/tcp
Servers are meant to host critical application and services. If you are running email services on your server then you will need to enable ‘smtp’ on your server. You can enable smtp port with the following command.
sudo ufw allow smtp
Rule added Rule added (v6)
Next, check the status of UFW to see what changes the last command has done.
sudo ufw status
To Action From -- ------ ---- 23/tcp ALLOW Anywhere 22 ALLOW Anywhere 25/tcp ALLOW Anywhere 23/tcp (v6) ALLOW Anywhere (v6) 22 (v6) ALLOW Anywhere (v6) 25/tcp (v6) ALLOW Anywhere (v6)
You can also do this with the following command.
sudo ufw allow 25/tcp
Use the below commands to enable http and ftp on your server.
sudo ufw allow http sudo ufw allow ftp
The below command will open TFTP port.
sudo ufw allow 69/TCP
Enabling Range of Ports
You can also enable an entire range of ports to allow outside traffic for specific TCP/IP ports. The following command will open ports in the range 4000 to 5000.
sudo ufw allow 4000:5000/tcp
If you want to open udp ports, just replace TCP in above command with UDP.
sudo ufw allow 4000:5000/udp
Allowing IP Based Access
You can also configure UFW to allow traffic from a specific IP to pass through UFW. For instance, the following command will allow traffic coming from IP 18.104.22.168 to your Ubuntu server.
sudo ufw allow from 22.214.171.124
Until now, we have discussed how to allow access in UFW. To meet scenarios of denying traffic, there are rules in UFW as well. If you want to close port 25, use the below command.
sudo ufw deny 25/tcp
If you want to deny all traffic coming from a specific IP use the below.
sudo ufw deny from 126.96.36.199
If you want to close range of TCP/IP ports, then use the below.
sudo ufw deny 4000:5000/tcp
UFW also gives you the option to delete rules that you have defined previously.
The following are three different commands that will delete the three rules which were created in previous sections.
sudo ufw delete deny 25/tcp sudo ufw delete deny from 188.8.131.52 sudo ufw delete deny 4000:5000/tcp
Some Useful Stuff
There are many commands in UFW that allow you to do variety of things.
To reset all values of UFW.
sudo ufw reset
To check UFW version.
sudo ufw version
The UFW is command line tool that allows interaction by only set of commands. You can also use its GUI version which is Gufw. Gufw is great tool to manage UFW if you are not comfortable in playing with commands.