Install UFW on Ubuntu 16.04
UFW as a good alternative
In the last article Linux Firewall, I introduced a few tools to you, by which you can manage iptables, the native firewall of Ubuntu. UFW is the one that I would like to show you a bit closer today.
The UFW syntax is the same on every distribution, the only difference is the installation. I will show you the installation using an Ubuntu 16.04 LTS server.
Prepare the server
Create an Ubuntu Server with a cloud provider and connect to it. With gridscale, you can connect directly over the console, so no need of a SSH client. If your provider does not offer this function, you can also install via SSH. Note here, however, that you can easily lock out, if you activate the firewall immediately. Therefore, follow the instructions for the following tutorial to your root account or set sudo before the commands.
Before each installation, it is important to update the server to its current state.
apt -y update && apt -y upgrade
Install UFW and set up for SSH connection
The installation is fairly simple as APT provides the package:
apt -y install ufw
After installation, UFW is deactivated. If you configure your server via SSH, it is important to release SSH before you enable UFW:
ufw allow ssh
This will open the port 22 for both IPv4 and IPv6, and if you enable UFW now, the SSH connection will continue.
UFW control
Basic control:
Turn on:
ufw enable
Turn off:
ufw disable
Request status:
ufw status
Allow connections:
To allow connections, you can specify either the protocol you want to share, the port, or even port ranges. In addition, you can specify ports and protocols only for individual IPs that have been listed.
Attention! The following are examples, please use only if you know what you are doing!
Allow protocol:
ufw allow ssh
Allow port:
ufw allow 22
or
ufw allow 22/tcp
or
ufw allow 22/udp
Allow Port Ranges:
ufw allow 1000:2000
In order to release ports only for certain IPs, use the following command (Attention: This function only makes sense with fixed IPs, and not in case of using dynamic IPs):
ufw allow 22 from 123.456.789.789
Prohibit connections:
Prohibiting is as easy as permitting. Instead of allow easy deny insert.
Deny protocol:
ufw deny ssh
Deny port:
ufw deny 22
or
ufw allow 22/tcp
or
ufw deny 22/udp
Deny Port Ranges:
ufw deny 1000:2000
or
ufw deny 22 from 123.456.789.789
Delete Rule:
Sometimes it can be useful to delete a rule again. The best way to display all the rules is:
ufw status Status: active To Action From -- ------ ---- 22 ALLOW Anywhere 22 (v6) ALLOW Anywhere (v6)
In this example, SSH is allowed. To use this rule simply use the following command:
ufw delete allow ssh
If you have created long rules, it may be easier to use the following commands:
ufw status numbered
All your rules are now displayed to you by number. With the number associated with the rule you want to delete, you can then use the following command:
ufw delete [Nummer]
In the article Linux Firewall, with the overview of the various tools for managing iptables, I have created a table that shows the most important standard ports. If you still do not know which port you need, the command netstat helps you. This shows you information about your network connections, both incoming and outgoing. The -tulpen parameter displays active programs and their ports used. Here you can see, for example, which port your Apache uses.
netstat -tulpen
Summary
A server without active firewall is very precarious, so it is important to configure iptables properly. With UFW this is very easy. But always keep in mind that you do not lock yourself.
.