Ubuntu22: Set Up UFW Firewall in 5 Minutes
The steps are as follows for setting up UFW:
1.Set Up default UFW policies
Let us view the current status:
sudo ufw status
The default-policy approach works well for both servers and desktops. It is always good practice to close all ports and open only the TCP or UDP ports you actually need. Let us block all incoming connections and allow all outgoing connections on the Ubuntu 22.04 LTS cloud server:
sudo ufw default allow outgoing
sudo ufw default deny incoming
Make sure IPv6 support is enabled too; otherwise ufw does not load any ip6tables rules and IPv6 traffic bypasses the policy above. Run the grep command:
grep IPV6 /etc/default/ufw
If it does not print IPV6=yes, edit /etc/default/ufw:
sudo nano /etc/default/ufw
Set it as follows (after the firewall has been turned on, disable and re-enable ufw for a change to this file to take effect):
IPV6=yes
2.Open SSH TCP port 22 using the ufw
The next logical step is to allow incoming SSH connections on the default TCP port 22, and to do so before the firewall is enabled, so that you do not lock yourself out of a remote server. The service name is looked up in /etc/services:
sudo ufw allow ssh
Say you are running the OpenSSH server on TCP port 4242, then:
sudo ufw allow 4242/tcp
You can rate-limit SSH port access as follows too. ufw then denies connections from any address that has attempted six or more connections within the last 30 seconds, which blunts brute-force password guessing:
sudo ufw limit ssh
See “How to limit SSH (TCP port 22) connections with ufw on Ubuntu Linux” for more information.
3.Turning on the firewall
That is all that is needed. Now turn on firewall protection for your Ubuntu Linux 22.04 LTS machine:
sudo ufw enable
Confirm the operation by typing y followed by the [Enter] key. ufw warns that the command may disrupt existing SSH connections, which is exactly why the SSH rule was added in the previous step.
To view the current firewall status, including the default policies, type the ufw command:
sudo ufw status verbose
Please note that once UFW is enabled, it runs across system reboots. You can verify that easily using the systemctl command:
sudo systemctl status ufw.service
● ufw.service - Uncomplicated firewall
     Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
     Active: active (exited) since Fri 2022-08-26 01:02:24 UTC; 20min ago
       Docs: man:ufw(8)
    Process: 433 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=0/SUCCESS)
   Main PID: 433 (code=exited, status=0/SUCCESS)
        CPU: 2ms

Aug 26 01:02:24 localhost systemd[1]: Starting Uncomplicated firewall...
Aug 26 01:02:24 localhost systemd[1]: Finished Uncomplicated firewall.
4.Opening (allow) TCP or UDP ports
Now that you set up a firewall policy and opened TCP port 22 for ssh purposes, it is time to open other service ports as per the needs of your application. For example, open TCP port 80 and 443 for Nginx or Apache web server as follows:
sudo ufw allow 80/tcp comment 'Allow Apache HTTP'
sudo ufw allow 443/tcp comment 'Allow Nginx HTTPS'
Here is how to open the WireGuard VPN UDP port 41194, type:
sudo ufw allow 41194/udp comment 'Allow WireGuard VPN'
The comment keyword attaches a note to the rule that is shown in the ufw status output, which makes the rule set much easier to audit later.
Opening TCP and UDP port ranges
sudo ufw allow 4000:4200/tcp
sudo ufw allow 6000:7000/udp
Allowing connection from a single IP or CIDR
In this example, you want to allow ALL connections (every port and protocol) from the IP address 1.2.3.4, enter:
sudo ufw allow from 1.2.3.4
Let us allow connections from the IP address 1.2.3.4 to our TCP port 25 only, enter:
sudo ufw allow from 1.2.3.4 to any port 25 proto tcp
And you can restrict the rule to the destination IP 222.222.222.222 on port 25 too:
sudo ufw allow from 1.2.3.4 to 222.222.222.222 port 25 proto tcp
How to allow connection on specific interface
Open TCP port 22 on the wg0 interface only (without proto tcp the rule would cover UDP as well):
sudo ufw allow in on wg0 to any port 22 proto tcp
Say you want to allow connection for TCP port 3306 on lxdbr0 interface from 10.105.28.22, then add:
sudo ufw allow in on lxdbr0 from 10.105.28.22 to any port 3306 proto tcp
5.Blocking TCP or UDP ports and connections
Do you want to close ports and block certain IP addresses? The syntax to deny access is as follows. deny drops the packets silently, so a client connecting to port 23 just sees a timeout (the reject action would send a refusal back instead):
sudo ufw deny 23/tcp comment 'Block telnet'
Here is how to deny all connections from the IP address 1.2.3.4, enter:
sudo ufw deny from 1.2.3.4
How about blocking an IP subnet (CIDR) such as 103.13.42.42/28? Enter:
sudo ufw deny from 103.13.42.42/28
Note that ufw normalises the address to the network address, so the rule is listed as 103.13.42.32/28.
Finally, deny access to 1.1.1.2 (say a bad guy's or attacker's IP address) on port 22. ufw evaluates rules in order and stops at the first match, so a deny appended after the earlier allow ssh rule would never be reached; insert it at the top of the list instead:
sudo ufw insert 1 deny from 1.1.1.2 to any port 22 proto tcp
6.Viewing firewall rules
You can see firewall status as numbered list of RULES:
sudo ufw status numbered
7.Deleting ufw firewall rules
Get list all of the current rules in a numbered list format:
sudo ufw status numbered
Outputs:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere                   # Allow Apache HTTP
[ 3] 443/tcp                    ALLOW IN    Anywhere                   # Allow Nginx HTTPS
[ 4] 41194/udp                  ALLOW IN    Anywhere                   # Allow WireGuard VPN
[ 5] 23/tcp                     DENY IN     Anywhere                   # Block telnet
[ 6] Anywhere                   DENY IN     103.13.42.32/28
[ 7] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 8] 80/tcp (v6)                ALLOW IN    Anywhere (v6)              # Allow Apache HTTP
[ 9] 443/tcp (v6)               ALLOW IN    Anywhere (v6)              # Allow Nginx HTTPS
[10] 41194/udp (v6)             ALLOW IN    Anywhere (v6)              # Allow WireGuard VPN
[11] 23/tcp (v6)                DENY IN     Anywhere (v6)              # Block telnet
To remove firewall rule number 6, type the command below and then list the rules again, because the remaining rules are renumbered after every deletion:
sudo ufw delete 6
sudo ufw status numbered
See how to delete a UFW firewall rule on Ubuntu / Debian Linux tutorial for further information.
8.Stopping and removing UFW
If you no longer need ufw, disable it. The reset command additionally removes every rule you added and returns the firewall to its installation defaults, so only run it if you really want to start over:
sudo ufw disable
sudo ufw reset
9.View the firewall logs
By default UFW logging is on at the low level, and entries are written to /var/log/ufw.log. Use grep, less, tail and similar commands to view the log. For example:
sudo less /var/log/ufw.log
sudo tail -f /var/log/ufw.log
Let us print a list of all source IP addresses that tried to reach the SSH port but were dropped by UFW. The trailing space after DPT=22 stops ports such as 2222 from matching, and the [UFW BLOCK] prefix excludes allowed connections that are logged at higher log levels:
sudo grep '\[UFW BLOCK\].*DPT=22 ' /var/log/ufw.log |\
grep -Eo 'SRC=([0-9]{1,3}\.){3}[0-9]{1,3}' |\
awk -F'=' '{ print $2 }' | sort -u
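A more robust version of that log query, as an added example that is not part of the original post. Instead of a regular expression over the whole line it parses the key=value fields that ufw writes, so DPT=2222, [UFW ALLOW] entries and UDP hits are not counted as blocked SSH attempts, and it reports a per-source count rather than a flat list. The sample log lines are constructed and use RFC 5737 documentation addresses.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: summarise blocked SSH attempts
# per source address from UFW log lines. The log below is constructed for the
# example; the field names (SRC=, DPT=, PROTO=) are the ones ufw logs.
set -u

# Constructed ufw.log sample, including decoys that a naive "grep DPT=22"
# would wrongly count: DPT=2222, an [UFW ALLOW] entry and a UDP hit.
sample_log() {
    cat <<'EOF'
Aug 26 01:05:12 host kernel: [ 1450.110001] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 26 01:05:13 host kernel: [ 1451.220002] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 26 01:05:14 host kernel: [ 1452.330003] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.9 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=3 DF PROTO=TCP SPT=40002 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 26 01:05:15 host kernel: [ 1453.440004] [UFW ALLOW] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.44 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=4 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 26 01:05:16 host kernel: [ 1454.550005] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.10 DST=10.0.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=5 PROTO=UDP SPT=40004 DPT=22 LEN=20
Aug 26 01:05:17 host kernel: [ 1455.660006] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=6 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
EOF
}

# blocked_ssh_sources [port] < logfile
# Prints "<count> <source-ip>" for every source whose TCP connections to
# <port> (default 22) were logged as [UFW BLOCK], most active source first.
# Fields are compared whole, so DPT=2222 is never mistaken for DPT=22.
blocked_ssh_sources() {
    awk -v port="${1:-22}" '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (proto == "TCP" && dpt == port && src != "") hits[src]++
        }
        END { for (s in hits) printf "%d %s\n", hits[s], s }
    ' | sort -rn
}

# Usage on the constructed sample: sample_log | blocked_ssh_sources
# Usage on a real host:            sudo cat /var/log/ufw.log | blocked_ssh_sources
# For a non-standard SSH port:     blocked_ssh_sources 4242 < /var/log/ufw.log
```

The counts are what you want to feed into a block list or an alert threshold; a single dropped SYN is noise, while a source with dozens of drops in a short window is a candidate for a deny rule inserted at the top of the rule set.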
Finally, two more views of the rule set: show listening lists the ports that are currently listening on the host together with the rules that apply to them, which quickly reveals a service that is exposed without a rule, and show added prints the rules in the form they were entered:
sudo ufw show listening
sudo ufw show added
Wasn't that easy? Now you know how to protect your Ubuntu 22.04 LTS Linux server. Please read the ufw documentation online or on the system with the man command, or use the built-in help, as follows:
man ufw
ufw help