Set Up UFW Firewall in 5 Minutes

 Thank to: https://www.cyberciti.biz/

A Ubuntu 22.04 LTS comes with UFW (uncomplicated firewall) that protects the desktop or server against unauthorized access. UFW is easy to use frontend app for a Linux packet filtering system called Netfilter. Traditionally Netfilter rules are set up or configured using the iptables command by developers and sysadmins. However, new Ubuntu Linux users and developers unfamiliar with firewall concepts find Netfilter syntax confusing. Hence, the ufw project provides easy to use frontend for Ubuntu 22.04 LTS Linux server and desktop. It is so super easy to set up. You can configure UFW in under 5 minutes and secure your host.

This page explains how to set up a firewall with UFW on Ubuntu 22.04 LTS server or desktop.

Tutorial details
Difficulty level Easy
Root privileges Yes
Requirements Linux terminal
Category Firewall
OS compatibility Debian Linux Mint Ubuntu
Est. reading time 5 minutes

Ubuntu 22.04 LTS Set Up UFW Firewall in 5 Minutes

The steps are as follows for setting up UFW:

Step 1 – Set Up default UFW policies

Let us view the current status:

sudo ufw status

The default policy firewall works excellent for servers and the desktop. It is always a good policy to close all ports on the server and open only the required TCP or UDP ports. Let us block all incoming connections and only allow outgoing connections from the Ubuntu 22.04 LTS cloud server:

sudo ufw default allow outgoing
sudo ufw default deny incoming

Make sure IPv6 support enabled too. Run the grep command:
grep IPV6 /etc/default/ufw
Otherwise, edit the /etc/default/ufw:

sudo nano /etc/default/ufw
Set it as follows:

IPV6=yes

Step 2 – Open SSH TCP port 22 using the ufw

The next rational step is to allow incoming SSH connections on the default TCP port 22 as follows:

sudo ufw allow ssh
Say you are running the OpenSSH server on TCP port 4242, then:
sudo ufw allow 4242/tcp
You can limit ssh port access as follows too:

sudo ufw limit ssh
See “How to limit SSH (TCP port 22) connections with ufw on Ubuntu Linux” for more information.

Step 3 – Turning on the firewall

That is all needed. Now turn on the firewall protection for your Ubuntu Linux 22.04 LTS machine. For example:

sudo ufw enable
You need to confirm the operation by typing the y and followed by the [Enter] key:

How To Set Up a Firewall with UFW on Ubuntu 22.04 LTS

Click to enlarge

To view the current firewall status, type the systemctl command:
sudo ufw status
Please note that once UFW is enabled, it runs across system reboots. You can verify that easily using the systemctl command:
sudo systemctl status ufw.service

 ufw.service - Uncomplicated firewall
     Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
     Active: active (exited) since Fri 2022-08-26 01:02:24 UTC; 20min ago
       Docs: man:ufw(8)
    Process: 433 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=0/SUCCESS)
   Main PID: 433 (code=exited, status=0/SUCCESS)
        CPU: 2ms

Aug 26 01:02:24 localhost systemd[1]: Starting Uncomplicated firewall...
Aug 26 01:02:24 localhost systemd[1]: Finished Uncomplicated firewall.

Step 4 – Opening (allow) TCP or UDP ports

Now that you set up a firewall policy and opened TCP port 22 for ssh purposes, it is time to open other service ports as per the needs of your application. For example, open TCP port 80 and 443 for Nginx or Apache web server as follows:

sudo ufw allow 80/tcp comment 'Allow Apache HTTP'
sudo ufw allow 443/tcp comment 'Allow Nginx HTTPS'
Here is how to open the WireGuard VPN UDP port 41194, type:

sudo ufw allow 41194/udp comment 'Allow WireGuard VPN'
The ufw comment keywords adds comments, which act as an instrumental in understanding firewall rules.

Opening TCP and UDP port ranges

sudo ufw allow 4000:4200/tcp

sudo ufw allow 6000:7000/udp

Allowing connection from a single IP or CIDR

In this example, you want to allow ALL connections from an IP address called 1.2.3.4, enter:

sudo ufw allow from 1.2.3.4
Let us allow connections from an IP address called 1.2.3.4 to our port 25, enter:

sudo ufw allow from 1.2.3.4 to any port 25 proto tcp
And you can set destination IP 222.222.222.222 for port 25 too:
sudo ufw allow from 1.2.3.4 to 222.222.222.222 port 25 proto tcp

How to allow connection on specific interface

Open TCP port 22 for wg0 interface only:

sudo ufw allow in on wg0 to any port 22
Say you want to allow connection for TCP port 3306 on lxdbr0 interface from 10.105.28.22, then add:

sudo ufw allow in on lxdbr0 from 10.105.28.22 to any port 3306 proto tcp

Step 5 – Blocking TCP or UDP ports and connections

Do you want to close ports and block certain IP addresses? The syntax is as follows to deny access. In other words, simply ignoring access to port 23:

sudo ufw deny 23/tcp comment 'Block telnet'
Here is how to deny all connections from an IP address called 1.2.3.4, enter:
sudo ufw deny from 1.2.3.4

How about clock IP/subnet (CIDR) called 103.13.42.42/28, enter:
sudo ufw deny from 103.13.42.42/28

Finally, deny access to 1.1.1.2 (say bad guys or hacker IP address) on port 22? Try:

sudo ufw deny from 1.1.1.2 to any port 22 proto tcp

Step 6 – Viewing firewall rules

You can see firewall status as numbered list of RULES:

sudo ufw status numbered

How to view ufw firewall rules on Ubuntu Linux 22.04 LTS

Click to enlarge

Step 7 – Deleting ufw firewall rules

Get list all of the current rules in a numbered list format:

sudo ufw status numbered
 Outputs:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 80/tcp                     ALLOW IN    Anywhere                   # Allow Apache HTTP
[ 3] 443/tcp                    ALLOW IN    Anywhere                   # Allow Nginx HTTPS
[ 4] 41194/udp                  ALLOW IN    Anywhere                   # Allow WireGuard VPN
[ 5] 23/tcp                     DENY IN     Anywhere                   # Block telnet
[ 6] Anywhere                   DENY IN     103.13.42.32/28           
[ 7] 22/tcp (v6)                ALLOW IN    Anywhere (v6)             
[ 8] 80/tcp (v6)                ALLOW IN    Anywhere (v6)              # Allow Apache HTTP
[ 9] 443/tcp (v6)               ALLOW IN    Anywhere (v6)              # Allow Nginx HTTPS
[10] 41194/udp (v6)             ALLOW IN    Anywhere (v6)              # Allow WireGuard VPN
[11] 23/tcp (v6)                DENY IN     Anywhere (v6)              # Block telnet

To remove firewall rule # 6 type the command:

sudo ufw delete 6

sudo ufw status numbered

See how to delete a UFW firewall rule on Ubuntu / Debian Linux tutorial for further information.

Step 8 – Stopping and removing UFW

If you no longer need ufw, here is how to disable it:

sudo ufw disable

sudo ufw reset

Step 9 – View the firewall logs

By default all UFW entries are logged into /var/log/ufw.log file. Use the grep/less/more and other commands to view the ufw logs. For examples:

sudo more /var/log/ufw.log
sudo tail -f /var/log/ufw.log

Let us print a list of all IP address trying to log in via SSH port but dropped by the UFW:
grep 'DPT=22' /var/log/ufw.log |\
egrep -o 'SRC=([0-9]{1,3}[\.]){3}[0-9]{1,3}' |\
awk -F'=' '{ print $2 }' | sort -u

Finally, here is how to display the list of rules:
sudo ufw show listening

sudo ufw show added

Summing up

Wasn’t that easy? Now you know how to protect your Ubuntu 22.04 LTS Linux server. Please read the ufw command docs online or using the man command (ufw help command) as follows:

man ufw
ufw help

Comentarios

Publicar un comentario

Dime si la información de este blog te sirvio.

Entradas populares de este blog

Guía de herramientas básicas para estudiantes: 31 apps y webs imprescindibles para ayudarte con los estudios

Imagen
  Te traemos una guía con   31 aplicaciones y herramientas web para ayudarte como estudiante , una colección muy variada para sacar provecho en diferentes ámbitos en los que puedas necesitarlo. Nos hemos dejado fuera el ámbito educativo para los más jóvenes, recursos que tenemos en   esta otra guía , y nos hemos centrado en estudiantes más adultos. Hemos decidido centrarnos en herramientas prácticas, dejando fuera las plataformas para cursos online, tanto  las más conocidas  como  otras menos conocidas . Lo que hemos preferido buscar son recursos que puedas usar en tu día a día, como gestores de fuentes y citaciones, herramientas para diagramas, para intercambiar apuntes o para crear diferentes contenidos. Y lo que decimos siempre en Xataka Basics hoy cobra más sentido que nunca. Nosotros te traemos 31 herramientas, pero te invitamos a  compartir tus propuestas en la sección de comentarios  para que el resto de usuarios también pueda beneficiarse de los conocimientos de nuestros xatake
Leer más

Comando FOR para archivos BAT

Gracias a: http://profesoremiliobarco.blogspot.com/ El comando FOR sirve para ejecutar bucles de instrucciones, y es una instrucción que se encuentra disponible en todos los lenguajes de programación. Un bucle son varias repeticiones de algunas instrucciones. Este comando suele ser el más complicado de entender para las personas que empiezan a escribir archivos BAT complejos. Aqui intentaré explicar todas las opciones y usos del comando FOR, así como intentar resolver las dudas que los usuarios de Internet me puedan plantear. La sintaxis normal del comando FOR es: FOR %var IN (lista) DO (      comando     comando      ... )  Pero si lo vamos a usar dentro de un archivo BAT será así: FOR %%var IN (lista) DO (      comando     comando      ... ) Observa que la variable "var" ahora va precedida por dos simbolos de "%". Además, si este for está dentro de un archivo BAT, el nombre de la variable debe ser UNA SOLA LETRA (p.ej: %%n, %%i,  %%j , etc
Leer más

How to Fix Failed to Connect a Hyper-V Standalone to Veeam Backup

Imagen
 Thank to: https://bonguides.com/ Invalid Credentials Error Adding a Hyper-V Host When attempting to add a Hyper-V host to  Veeam Backup & Replication  using a local (non-domain) user account, the following error occurs: Failed to connect to host Access denied or timeout expired . Check if you have local administrator privileges on computer Possible reasons: 1 . Invalid credentials . 2 . Specified host is not a Hyper - V server . Solutions 1. Login into the Hyper-V host then open  Registry Editor . 2. Navigate to the following location then create a new  DWORD  value. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 3. Enter the name  LocalAccountTokenFilterPolicy  then double click on it and set the value data is  1. Or you can create a DWORD value using PowerShell, let run below command in PowerShell Admin. reg add HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system / v LocalAccountTokenFilterPolicy / t Reg_DWORD / d 1 Fin
Leer más