Install UFW on Ubuntu 16.04
UFW as a good alternative
In the last article Linux Firewall, I introduced a few tools to you, by which you can manage iptables, the native firewall of Ubuntu. UFW is the one that I would like to show you a bit closer today.
The UFW syntax is the same on every distribution, the only difference is the installation. I will show you the installation using an Ubuntu 16.04 LTS server.
Prepare the server
Create an Ubuntu Server with a cloud provider and connect to it. With gridscale, you can connect directly over the console, so no need of a SSH client. If your provider does not offer this function, you can also install via SSH. Note here, however, that you can easily lock out, if you activate the firewall immediately. Therefore, follow the instructions for the following tutorial to your root account or set sudo before the commands.
Before each installation, it is important to update the server to its current state.
apt -y update && apt -y upgradeInstall UFW and set up for SSH connection
The installation is fairly simple as APT provides the package:
apt -y install ufwAfter installation, UFW is deactivated. If you configure your server via SSH, it is important to release SSH before you enable UFW:
ufw allow sshThis will open the port 22 for both IPv4 and IPv6, and if you enable UFW now, the SSH connection will continue.
UFW control
Basic control:
Turn on:
ufw enableTurn off:
ufw disableRequest status:
ufw statusAllow connections:
To allow connections, you can specify either the protocol you want to share, the port, or even port ranges. In addition, you can specify ports and protocols only for individual IPs that have been listed.
Attention! The following are examples, please use only if you know what you are doing!
Allow protocol:
ufw allow sshAllow port:
ufw allow 22or
ufw allow 22/tcpor
ufw allow 22/udpAllow Port Ranges:
ufw allow 1000:2000In order to release ports only for certain IPs, use the following command (Attention: This function only makes sense with fixed IPs, and not in case of using dynamic IPs):
ufw allow 22 from 123.456.789.789Prohibit connections:
Prohibiting is as easy as permitting. Instead of allow easy deny insert.
Deny protocol:
ufw deny sshDeny port:
ufw deny 22or
ufw allow 22/tcpor
ufw deny 22/udpDeny Port Ranges:
ufw deny 1000:2000or
ufw deny 22 from 123.456.789.789Delete Rule:
Sometimes it can be useful to delete a rule again. The best way to display all the rules is:
ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
22 (v6) ALLOW Anywhere (v6)In this example, SSH is allowed. To use this rule simply use the following command:
ufw delete allow sshIf you have created long rules, it may be easier to use the following commands:
ufw status numberedAll your rules are now displayed to you by number. With the number associated with the rule you want to delete, you can then use the following command:
ufw delete [Nummer]In the article Linux Firewall, with the overview of the various tools for managing iptables, I have created a table that shows the most important standard ports. If you still do not know which port you need, the command netstat helps you. This shows you information about your network connections, both incoming and outgoing. The -tulpen parameter displays active programs and their ports used. Here you can see, for example, which port your Apache uses.
netstat -tulpenSummary
A server without active firewall is very precarious, so it is important to configure iptables properly. With UFW this is very easy. But always keep in mind that you do not lock yourself.
.
Zurück zur Tutorial Übersicht Back to Tutorial Overview