Ultimate UFW: Securing Your Ubuntu 20.04 – Step-by-Step


UFW, short for Uncomplicated Firewall, offers a streamlined approach to managing firewalls, abstracting the intricacies of underlying packet filtering technologies like iptables and nftables. If you're venturing into network security and unsure about the tool to employ, UFW could be the ideal solution for you.

In this guide, you'll learn how to establish a firewall using UFW on Ubuntu 20.04.

Prerequisites


A single Ubuntu 20.04 server with a non-root user granted sudo privileges.

UFW comes pre-installed on Ubuntu by default. However, if it has been removed for any reason, you can reinstall it using the command: sudo apt install ufw.

Step 1: Enabling IPv6 Support in UFW (Optional)

While this tutorial primarily focuses on IPv4, it is also applicable to IPv6 if enabled. If your Ubuntu server utilizes IPv6, it's essential to configure UFW to handle IPv6 firewall rules alongside IPv4. To achieve this, access the UFW configuration using nano or your preferred text editor.

sudo nano /etc/default/ufw

Next, verify that the value of IPV6 is set to "yes." It should appear as follows:

/etc/default/ufw excerpt

IPV6=yes

After making the change, save and close the file. With this configuration, when UFW is enabled, it will be set to manage both IPv4 and IPv6 firewall rules. However, before activating UFW, it's crucial to ensure that your firewall permits SSH connections. Let's begin by establishing the default policies.

Step 2: Configuring Default Policies

If you're new to configuring your firewall, it's essential to establish your default policies first. These policies dictate how to manage traffic that doesn't specifically match any other rules. By default, UFW is configured to deny all incoming connections and allow all outgoing connections. Essentially, this setup prevents external connections to your server while permitting applications within the server to access the internet.

To ensure you can follow along with this tutorial, let's revert your UFW rules back to their default settings. Execute the following commands to set the defaults used by UFW:

sudo ufw default deny incoming
sudo ufw default allow outgoing


Executing these commands will establish default settings to deny incoming connections and allow outgoing connections. While these firewall defaults might be adequate for a personal computer, servers typically require the ability to respond to incoming requests from external users. We'll explore how to address this next.

Step 3: Permitting SSH Connections

Enabling our UFW firewall at this point would result in denying all incoming connections. Therefore, we must establish rules that explicitly permit legitimate incoming connections, such as SSH or HTTP connections, if we want our server to respond to those requests. Particularly, if you're using a cloud server, allowing incoming SSH connections is essential for connecting to and managing your server.

To configure your server to allow incoming SSH connections, you can utilize the following command:

sudo ufw allow ssh

This command will establish firewall rules permitting all connections on port 22, the default port for the SSH daemon. UFW recognizes "ssh" as a service due to its listing in the /etc/services file.

Alternatively, we can define an equivalent rule by specifying the port rather than the service name. For instance, the following command achieves the same outcome as the previous one:

sudo ufw allow 22

If you've configured your SSH daemon to utilize a different port, you'll need to specify the correct port accordingly. For instance, if your SSH server listens on port 2222, you can execute this command to permit connections on that port:

sudo ufw allow 2222


With your firewall now set up to allow incoming SSH connections, you can proceed to enable it.

Step 4: Activating UFW

To activate UFW, execute the following command:

sudo ufw enable

You will see a warning that the command could potentially disrupt existing SSH connections. Since we've already established a firewall rule permitting SSH connections, it should be safe to proceed. Respond to the prompt with 'y' and press ENTER.

Once enabled, the firewall becomes active. To inspect the active rules, run the command sudo ufw status verbose. Subsequent sections of this tutorial delve into utilizing UFW in greater depth, including allowing or denying various types of connections.
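Steps 2 through 4 are usually run by hand, but they are also the part you most want to get right in one reviewable pass, because running "enable" before the SSH rule exists can lock a remote session out. The script below is an added example, not part of the original tutorial: it applies the defaults, the SSH rule and the enable step in that order, lets you preview the exact ufw commands by setting UFW_CMD=echo, and includes a small has_allow_rule helper that reads "sudo ufw status" text and confirms an ALLOW rule for the SSH port exists. Helper names, the UFW_CMD and SSH_PORT variables, and the sample status text in the comments are assumptions of this example. It allows SSH as 22/tcp rather than the service name, which is slightly tighter than the page's "allow ssh" (SSH does not use UDP).

```shell
#!/bin/sh
# Added example, not part of the original tutorial: Steps 2-4 as one
# reviewable script. Helper names are hypothetical. UFW_CMD defaults to
# "sudo ufw"; set UFW_CMD=echo to preview the commands without applying them.
set -eu

UFW_CMD=${UFW_CMD:-"sudo ufw"}
SSH_PORT=${SSH_PORT:-22}   # change this if sshd listens elsewhere (Step 3)

# Accept only a single numeric port in the range 1-65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Read 'ufw status' text on stdin; succeed if an ALLOW rule for the given
# port exists. Matches lines such as (constructed sample of ufw's format):
#   22/tcp                     ALLOW       Anywhere
#   22/tcp (v6)                ALLOW       Anywhere (v6)
# Pre-enable sanity check:   sudo ufw status | has_allow_rule 22
has_allow_rule() {
  grep -Eq "^$1(/tcp)?( \(v6\))?[[:space:]]+ALLOW"
}

# Apply the baseline in the order the tutorial uses: defaults first, then
# the SSH allow rule, then enable. The SSH rule must precede 'enable'.
baseline_rules() {
  valid_port "$SSH_PORT" || { echo "invalid SSH_PORT: $SSH_PORT" >&2; return 1; }
  $UFW_CMD default deny incoming
  $UFW_CMD default allow outgoing
  $UFW_CMD allow "$SSH_PORT/tcp" comment 'ssh'
  # --force answers the "may disrupt existing ssh connections" prompt with yes
  $UFW_CMD --force enable
}

# Run directly:   sh ufw-baseline.sh --apply
# Preview only:   UFW_CMD=echo sh ufw-baseline.sh --apply
if [ "${1:-}" = "--apply" ]; then
  baseline_rules
fi
```

Running the preview first and reading the four printed commands is the cheapest possible review; once the real run completes, pipe "sudo ufw status" through has_allow_rule from a second terminal before closing the session you enabled the firewall from.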

Step 5: Permitting Additional Connections

Now, it's time to enable the other connections that your server needs to respond to. The specific connections to allow will vary based on your requirements. Fortunately, you're already familiar with creating rules to permit connections based on service name or port; we've already done this for SSH on port 22. You can also employ this approach for:


To permit HTTP traffic on port 80, the standard port for unencrypted web servers, you can execute either of the following commands:

sudo ufw allow http
sudo ufw allow 80

To enable HTTPS traffic on port 443, which encrypted web servers typically use, you can execute either of the following commands:

sudo ufw allow https
sudo ufw allow 443

In addition to specifying a port or known service, there are several other methods to permit other connections.

Specific Port Ranges


You can define port ranges with UFW. Certain applications utilize multiple ports instead of a single port.

For instance, to permit X11 connections, which operate on ports 6000-6007, you can employ these commands:

sudo ufw allow 6000:6007/tcp
sudo ufw allow 6000:6007/udp


When defining port ranges with UFW, you must specify the protocol (tcp or udp) that the rule applies to. Earlier rules omitted the protocol because a rule without one applies to both TCP and UDP, which is generally fine for a single port; for a range, UFW requires it.

Specific IP Addresses

In UFW, you have the option to specify IP addresses as well. For instance, if you wish to allow connections from a particular IP address, such as a workplace or home IP address like 203.0.113.4, you would need to specify "from" followed by the IP address:

sudo ufw allow from 203.0.113.4

You can also define a specific port to which the IP address is permitted to connect by appending "to any port" followed by the port number. For instance, if you wish to enable connections from 203.0.113.4 to port 22 (SSH), you would execute the following command:

sudo ufw allow from 203.0.113.4 to any port 22

Subnets

If you aim to permit a subnet of IP addresses, you can achieve this using CIDR notation to specify a netmask. For instance, if you intend to allow all IP addresses ranging from 203.0.113.1 to 203.0.113.254, you could execute the following command:

sudo ufw allow from 203.0.113.0/24

Similarly, you can allow connections from that subnet to a specific destination port. For example, to allow SSH (port 22) access from 203.0.113.0/24, use this command:

sudo ufw allow from 203.0.113.0/24 to any port 22

Managing connections to a specific network interface

To create a firewall rule that exclusively applies to a designated network interface, you can specify "allow in on" followed by the name of the network interface.

Before proceeding, you might need to check your network interfaces. You can achieve this with the following command:

ip addr
Output Excerpt
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
. . .
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
. . .

The output lists the network interface names, which are commonly something like eth0 or enp3s2.

For example, if your server has a public network interface called eth0, you can allow HTTP traffic (port 80) to it with this command:

sudo ufw allow in on eth0 to any port 80


By doing so, your server would be able to accept HTTP requests from the public internet.

If you want your MySQL database server (port 3306) to only accept connections on the private network interface eth1, you can use this command:

sudo ufw allow in on eth1 to any port 3306


Enabling this setting allows servers on your private network to connect to your MySQL database.
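The port-range, IP-address, subnet and interface forms above all share one shape: a source, a destination port (or range), optionally a protocol and an interface. The script below is an added example, not code from the original tutorial or from the ufw project: a small rule builder that takes those pieces, checks the two caveats this section states before anything reaches ufw (a port range must carry /tcp or /udp; a source must be "any", an IPv4 address, or an IPv4 CIDR prefix), and then emits the full-syntax ufw command. Helper names, the UFW_CMD variable, and the sample rule set at the bottom are assumptions of this example; the addresses used are the documentation ranges from this page plus 192.0.2.0/24 as a constructed private-network stand-in.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: a rule builder for
# the "additional connections" forms (port ranges, single source addresses,
# CIDR subnets, a specific interface). Validates input before calling ufw.
# Helper names are hypothetical. Set UFW_CMD=echo to preview the commands.
set -eu

UFW_CMD=${UFW_CMD:-"sudo ufw"}

# Single numeric port in the range 1-65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# "low:high" range with low < high (ufw's range syntax).
valid_range() {
  case "$1" in *:*) ;; *) return 1 ;; esac
  lo=${1%%:*}; hi=${1#*:}
  valid_port "$lo" && valid_port "$hi" && [ "$lo" -lt "$hi" ]
}

# Dotted quad with each octet 0-255. Globbing is disabled while splitting
# so a stray "*" in the input cannot expand to file names.
valid_ipv4() {
  old_ifs=$IFS
  set -f; IFS=.; set -- $1; IFS=$old_ifs; set +f
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# CIDR prefix length 0-32.
valid_prefix() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -le 32 ]
}

# Accepted sources: any | a.b.c.d | a.b.c.d/n
valid_source() {
  case "$1" in
    any) return 0 ;;
    */*) valid_ipv4 "${1%%/*}" && valid_prefix "${1#*/}" ;;
    *)   valid_ipv4 "$1" ;;
  esac
}

# add_rule SOURCE PORTSPEC [IFACE]
#   SOURCE   any | 203.0.113.4 | 203.0.113.0/24
#   PORTSPEC 22 | 443/tcp | 6000:6007/tcp   (a range must name a protocol)
#   IFACE    optional interface the rule is bound to, e.g. eth1
add_rule() {
  src=$1; spec=$2; iface=${3:-}
  port=${spec%%/*}; proto=''
  if [ "$port" != "$spec" ]; then proto=${spec#*/}; fi
  case "$proto" in
    ''|tcp|udp) ;;
    *) echo "add_rule: protocol must be tcp or udp: $spec" >&2; return 1 ;;
  esac
  if valid_range "$port"; then
    if [ -z "$proto" ]; then
      echo "add_rule: port range $port needs /tcp or /udp" >&2; return 1
    fi
  elif ! valid_port "$port"; then
    echo "add_rule: bad port: $spec" >&2; return 1
  fi
  if ! valid_source "$src"; then
    echo "add_rule: bad source: $src" >&2; return 1
  fi
  # Assemble ufw's full syntax: allow [in on IFACE] [proto P] from SRC to any port PORT
  set -- allow
  if [ -n "$iface" ]; then set -- "$@" in on "$iface"; fi
  if [ -n "$proto" ]; then set -- "$@" proto "$proto"; fi
  set -- "$@" from "$src" to any port "$port"
  $UFW_CMD "$@"
}

# Sample rule set mirroring this section (preview: UFW_CMD=echo sh rules.sh --apply)
if [ "${1:-}" = "--apply" ]; then
  add_rule any 6000:6007/tcp           # X11, TCP only
  add_rule 203.0.113.4 22              # one workstation to SSH
  add_rule 203.0.113.0/24 22/tcp       # an office subnet to SSH
  add_rule 192.0.2.0/24 3306/tcp eth1  # MySQL only on the private interface
fi
```

The validation is deliberately stricter than ufw itself: it rejects a range without a protocol and a malformed source before ufw sees them, so a typo such as 203.0.113.256 or a /33 prefix fails loudly instead of leaving you to find the gap in "ufw status" later.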

Your firewall is now set up to allow, at the very least, SSH connections. Ensure to permit any additional incoming connections necessary for your server's functionality while restricting any unnecessary connections. This approach will ensure your server remains both functional and secure.