How to Configure a Firewall with UFW on Ubuntu 18.04

In this article, we will show you how to install and configure UFW on an Ubuntu 18.04 VPS. First, we will take a moment to introduce and explain what firewalls are, and then we’ll show you how to use UFW and how to make the appropriate UFW configuration.

A firewall is software that monitors network traffic and blocks unauthorized access to or from a network. In the Linux kernel this job is done by the Netfilter subsystem, which inspects and manipulates network packets; almost all modern Linux firewall solutions are built on it. The command-line utility ‘iptables’ is the classic front end to Netfilter. To make writing firewall rules simpler, Canonical (the company behind Ubuntu) developed Uncomplicated Firewall (UFW), a front end that generates the iptables rules for you.

If you are using Ubuntu 18.04 and want to secure your network without having to deal with learning how to use iptables, then UFW may be the appropriate solution you are looking for.

Prerequisites

To follow this tutorial, you will need a server with Ubuntu 18.04 and SSH access with the root user (or a user with sudo privileges). Let’s begin with the tutorial.

Step 1: Connect to Your Server

Before we begin, you’ll need to connect to your server via SSH as root or user with sudo privileges. To do this, use the following command:

ssh root@IP_Address -p Port_Number

Of course, you will need to replace IP_Address and Port_Number with your server’s actual IP address and SSH port number.

Once logged in, make sure that your server is up-to-date by running the following commands:

sudo apt update
sudo apt upgrade

Step 2: Install UFW

UFW is installed by default on Ubuntu 18.04, but if for some reason it is missing, you can install it with this command:

sudo apt install ufw

Once the installation is complete, you can check the UFW status with the command:

sudo ufw status verbose

UFW is disabled by default, and if it has never been activated on this server you will get the output:

Output
Status: inactive

If you already have UFW activated on your server, the output will look quite different and will look similar to the following:

Output:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
....

Step 3: UFW Default Policies

The first thing to understand is the default policies. Out of the box, UFW denies all incoming connections and allows all outgoing connections. In other words, nothing from outside can reach a service on your server unless you add a rule for it, while the applications and services running on the server can freely reach other hosts.

The default policies live in the /etc/default/ufw configuration file (DEFAULT_INPUT_POLICY, DEFAULT_OUTPUT_POLICY and DEFAULT_FORWARD_POLICY); the ufw default command shown below edits that file for you, so you rarely need to touch it by hand.

To set, or restore, these default policies explicitly, run the following commands:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Keep in mind that a server usually has to answer incoming requests from Internet users, so in most cases you cannot block all incoming connections. In the next step, we’ll allow specific connections on top of the deny-all default.

Step 4: Allow SSH Connections

Before you enable UFW, add a rule that allows incoming SSH connections. Otherwise you will lock yourself out and lose access to your Ubuntu server.

You can use the following command to configure the UFW firewall to allow all incoming SSH connections:

sudo ufw allow ssh

Then you will receive the following output:

Rules updated
Rules updated (v6)

Note that this command is only correct if your SSH server listens on the standard port, 22; the name ‘ssh’ is resolved through /etc/services, so UFW opens 22/tcp. If sshd uses a non-standard port, open that port instead, and restrict the rule to TCP since SSH never uses UDP. For example, if it listens on port 900:

sudo ufw allow 900/tcp

If you are not sure which port your SSH service uses, check the Port directive in /etc/ssh/sshd_config, and verify the rule with sudo ufw status before enabling the firewall.

Step 5: Enable UFW

Now that the firewall is configured to allow SSH connections and your current SSH session will not be cut off, you can enable UFW:

sudo ufw enable

After which you will receive the following output:

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

The warning reminds you that an SSH allow rule must already be in place, otherwise your existing SSH connection will be dropped. Since you added one in Step 4, type y and press Enter. UFW is now active and will be started again at boot.
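Steps 3 to 5 only work in one order: set the defaults, allow SSH, then enable. The script below, added here as an illustration and not part of the original article, reads the Port directive(s) from an sshd_config, prints the commands in that lock-out-safe order, and executes them only when run with --apply. The script name and the default path /etc/ssh/sshd_config are assumptions; the sshd_config used to exercise it is constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article: a lock-out-safe UFW bootstrap.
# It reads the Port directive(s) from an sshd_config, prints the Step 3-5 commands
# in the only safe order (defaults, allow SSH, then enable) and runs them only
# when invoked as: ./ufw-bootstrap.sh --apply [path/to/sshd_config]
# The file name and the default path /etc/ssh/sshd_config are assumptions.

# Print every active "Port" value in an sshd_config; default to 22 when none is set.
# Commented lines ("#Port 22") do not count, and sshd may listen on several ports.
ssh_ports_from_config() {
  conf="$1"
  ports=$(awk 'tolower($1) == "port" { print $2 }' "$conf" 2>/dev/null)
  if [ -z "$ports" ]; then
    echo 22
  else
    printf '%s\n' "$ports"
  fi
}

# Emit the bootstrap as one command per line. Nothing is executed here, so the
# plan can be reviewed before it is applied.
ufw_bootstrap_plan() {
  conf="${1:-/etc/ssh/sshd_config}"
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  for p in $(ssh_ports_from_config "$conf"); do
    # Restrict the rule to TCP: a bare "ufw allow 22" would also open 22/udp,
    # which sshd never uses.
    echo "ufw allow ${p}/tcp"
  done
  # --force answers the "may disrupt existing ssh connections" prompt; that is
  # only safe because the allow rule above precedes it in the plan.
  echo "ufw --force enable"
}

# Execute the plan only on explicit request; otherwise just show it.
if [ "${1:-}" = "--apply" ]; then
  ufw_bootstrap_plan "${2:-/etc/ssh/sshd_config}" | while read -r cmd; do
    echo "+ $cmd"
    sudo $cmd || break
  done
else
  ufw_bootstrap_plan "${1:-/etc/ssh/sshd_config}"
fi
```

Run it without arguments to review the plan, then with --apply to execute it. The plan uses ufw allow to match the article; on a host exposed to brute-force scanners, ufw limit 22/tcp is a drop-in alternative that denies a source address after six new connections within 30 seconds.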

Step 6: Allow Connections on Specific Ports

Beyond SSH, the services you run need their listening ports opened for incoming connections (outgoing traffic is already allowed by the default policy). The most common are ports 80 and 443, used by a web server, and 25, 587, 110, 143, 993 and 995, used by a mail server. Open only the ports a service actually listens on: every additional open port is reachable by anyone on the Internet.

We’ll walk you through a few examples of how to allow incoming connections for some common services.

To allow all HTTP (port 80) connections, run this command:

sudo ufw allow http

UFW resolves the service name through /etc/services, which maps http to 80/tcp. You can also give the port number directly:

sudo ufw allow 80

Note the difference: a bare port number opens the port for both TCP and UDP, while the service name (or 80/tcp) opens TCP only. A web server speaks only TCP, so 80/tcp is the tighter rule.

To allow all HTTPS (port 443) connections, run the command:

sudo ufw allow https

or, by port number (again TCP and UDP unless you write 443/tcp):

sudo ufw allow 443

If you run a mail server, the following rules may be useful.

To allow all incoming SMTP you can run the command:

sudo ufw allow 25

To allow all incoming IMAP connections, run the command:

sudo ufw allow 143

And to allow all incoming IMAPS requests, you can use the command:

sudo ufw allow 993

If you are using POP3 instead, this command below will allow all incoming connections:

sudo ufw allow 110

And for all incoming POP3S requests, use this next command:

sudo ufw allow 995

Finally, if you run an application that listens on its own port, open that port too. For example, Tomcat’s default HTTP connector listens on port 8080, so you would allow 8080/tcp. The general form is:

sudo ufw allow <port number>

Repeat this for each port you need, and prefer <port>/tcp or <port>/udp over a bare number so that you open only the protocol the service actually uses.

Step 7: Allow Port Ranges

UFW can also allow a range of ports instead of a single port. For a range you must specify the protocol, TCP or UDP, because UFW does not accept a bare range of ports.

For example, to allow ports 8069 to 8080 for both TCP and UDP, use the following commands:

sudo ufw allow 8069:8080/tcp
sudo ufw allow 8069:8080/udp

Step 8: Allow Specific IP Addresses

If you want to allow a single IP address (for example a trusted machine on your local network) to reach every port on the server, you can use the command:

sudo ufw allow from 206.207.208.209

You can also limit such a rule to one port. For instance, to let only that address reach MySQL (port 3306) instead of exposing the database to the whole Internet, use this command:

sudo ufw allow from 206.207.208.209 to any port 3306

Step 9: Deny Connections

As mentioned in Step 3, the default policy for incoming connections is already ‘deny’. Sometimes, though, you need to block a specific source address or port explicitly, for example when one IP address is attacking your web server while ports 80 and 443 have to stay open for everyone else.

Before adding such a rule, know how UFW orders rules: they are evaluated in the order shown by sudo ufw status numbered, and the first matching rule wins. A plain ufw deny from ... is appended to the end of the list, so if allow rules for ports 80 and 443 already exist, they match first and the new deny rule never blocks that address on those ports. Use ufw insert 1 to place the deny rule at the top of the list instead. Of course, don’t forget to replace 24.25.26.27 with the actual IP address you want to block:

sudo ufw insert 1 deny from 24.25.26.27

This blocks the address on every port, including ports opened by allow rules further down the list. If you only want to block the address on particular ports, use the next example:

sudo ufw insert 1 deny from 24.25.26.27 to any port 80
sudo ufw insert 1 deny from 24.25.26.27 to any port 443

(The plain form sudo ufw deny from 24.25.26.27 without insert 1 is still valid, and is sufficient only when no earlier allow rule covers the same traffic.)

As you can see, deny rules use the same syntax as allow rules; only their position in the list needs care.

Step 10: Delete UFW Rules

Deleting rules you no longer need matters as much as adding them: every open port is attack surface. There are two ways to remove a UFW rule. The first is by the rule’s number in the list, and the second is by repeating the rule itself after ‘delete’.

To delete a rule by number, you first need to know its number. List the rules with their numbers using the command:

sudo ufw status numbered

Output:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80                         ALLOW IN    Anywhere
[ 2] 443                        ALLOW IN    Anywhere
[ 3] 22                         ALLOW IN    Anywhere
[ 4] Anywhere                   ALLOW IN    206.207.208.209
[ 5] 7022                       ALLOW IN    Anywhere
[ 6] 8069                       ALLOW IN    Anywhere
...

To remove the rule that is labeled as rule number 4, which allows connections from IP address 206.207.208.209, you can use the command:

sudo ufw delete 4

Note that UFW renumbers the remaining rules after every deletion, so when deleting several rules by number, delete the highest-numbered rule first or run sudo ufw status numbered again between deletions.

The second method is to remove a rule by spelling out the rule itself. Let’s say you want to close port 8069; in that case you would use the following command:

sudo ufw delete allow 8069
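Step 9’s deny rules silently lose to earlier allow rules, and Step 10’s delete-by-number renumbers the list after every deletion. The script below, an added example rather than the article’s own code, ties the two together: it parses the text of sudo ufw status numbered (a constructed sample is embedded), reports DENY rules that an earlier ALLOW from Anywhere already matches, and prints the commands to delete those rules highest-number-first, so the numbers stay valid, and re-insert them at position 1. The script name is an assumption; it understands the plain “[ N] To Action From” rows shown in this article, not interface-specific (“on eth0”) rules, and the re-insert commands are written for the IPv4 sample.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article: audit the rule list from
# "sudo ufw status numbered" for DENY rules that an earlier, broader ALLOW rule
# already matches (UFW is first-match-wins), then emit the commands to delete
# them highest-number-first and re-insert them at position 1.
# Usage: ./ufw-shadow-check.sh            (report on the built-in sample)
#        ./ufw-shadow-check.sh --apply    (audit and fix the live rule set)
# The script name is an assumption; the sample output below is constructed.

SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80/tcp                     ALLOW IN    Anywhere
[ 2] 443/tcp                    ALLOW IN    Anywhere
[ 3] 22/tcp                     ALLOW IN    Anywhere
[ 4] 3306/tcp                   ALLOW IN    206.207.208.209
[ 5] 80/tcp                     DENY IN     24.25.26.27
[ 6] Anywhere                   DENY IN     198.51.100.7
[ 7] 8080/tcp                   DENY IN     203.0.113.9'

# stdin: text of "ufw status numbered". stdout: one line per shadowed rule:
#   <deny rule number> <shadowing allow rule number> <to> <from>
# Only simple "[ N] TO ACTION DIR FROM" rows are understood ("on <iface>" rules
# are not). IPv4 and IPv6 rows are compared within their own family.
shadow_check() {
  awk '
    /^\[ *[0-9]+\]/ {
      fam = index($0, "(v6)") ? "v6" : "v4"
      gsub(/ ?\(v6\)/, "")
      sub(/^\[ */, ""); sub(/\]/, "")       # "[ 5] 80/tcp ..." -> "5 80/tcp ..."
      n++
      NUM[n] = $1; TO[n] = $2; ACT[n] = $3; DIR[n] = $4; FROM[n] = $5; FAM[n] = fam
    }
    END {
      for (i = 1; i <= n; i++) {
        if (ACT[i] != "DENY" && ACT[i] != "REJECT") continue
        if (DIR[i] != "IN" || FROM[i] == "Anywhere") continue
        for (j = 1; j < i; j++) {
          # An earlier allow from Anywhere on the same port (or on any port,
          # when the deny covers all ports) matches first, so the deny is dead.
          if ((ACT[j] == "ALLOW" || ACT[j] == "LIMIT") && DIR[j] == "IN" &&
              FAM[j] == FAM[i] && FROM[j] == "Anywhere" &&
              (TO[j] == TO[i] || TO[i] == "Anywhere")) {
            print NUM[i], NUM[j], TO[i], FROM[i]
            break
          }
        }
      }
    }'
}

# stdin: shadow_check output. stdout: ufw commands. Deletions go highest number
# first because UFW renumbers the list after every delete; each deny is then
# re-added with "insert 1" so it sits in front of the allow rules.
shadow_fix_plan() {
  rows=$(cat)
  [ -n "$rows" ] || return 0
  printf '%s\n' "$rows" | sort -rn | awk '{ print "ufw --force delete " $1 }'
  printf '%s\n' "$rows" | while read -r deny_num allow_num to from; do
    case "$to" in
      Anywhere) echo "ufw insert 1 deny from $from" ;;
      */*)      echo "ufw insert 1 deny from $from to any port ${to%/*} proto ${to#*/}" ;;
      *)        echo "ufw insert 1 deny from $from to any port $to" ;;
    esac
  done
}

if [ "${1:-}" = "--apply" ]; then
  sudo ufw status numbered | shadow_check | shadow_fix_plan | while read -r cmd; do
    echo "+ $cmd"
    sudo $cmd || break
  done
else
  printf '%s\n' "$SAMPLE_STATUS" | shadow_check |
    awk '{ printf "rule %s (deny %s from %s) is shadowed by allow rule %s\n", $1, $3, $4, $2 }'
fi
```

On the sample, rules 5 and 6 are both shadowed by rule 1, while rule 7 is not, because nothing earlier allows 8080/tcp. Review the printed plan before running it with --apply; ufw --force skips the confirmation prompt that delete-by-number normally shows.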

Step 11: Disable or Reset UFW

If for any reason you need to stop enforcing all UFW rules on your server, you can disable the firewall with the command:

sudo ufw disable

This removes UFW’s rules from the kernel, so every listening port becomes reachable until you re-enable it; the rule set itself is kept under /etc/ufw. When you need the firewall back, simply enable it again:

sudo ufw enable

If you want to delete all of the rules and start with a fresh UFW, use the following command:

sudo ufw reset

This disables UFW, backs up the current rule files under /etc/ufw and restores the stock ones. Note that the default policies in /etc/default/ufw are not reverted: if you changed them earlier, they keep the values you set.

In this article, we showed you how to install UFW and then use it to configure a firewall on Ubuntu 18.04. Now you can use the knowledge of this guide to start creating your own UFW firewall rules and protect your server.


Of course, if you are one of our Managed Ubuntu Hosting customers, you don’t have to configure your firewall with UFW on your server – simply ask our admins, sit back, and relax. Our admins will configure the firewall rules on your server for you immediately.

PS. If you liked this post on how to configure a firewall with UFW on Ubuntu 18.04, please share it with your friends on the social networks using the share buttons below, or simply leave a comment in the comments section. Thanks.
