Install and configure UFW In Debian/Ubuntu-Simple Firewall

Source: Internet
Author: User
Tags add numbers ftp access ssh port linux mint

Since the computer interconnection, various services have developed rapidly. Services such as e-mails, social media, online malls, instant chats, and even online meetings have sprung up. But on the other hand, these connection services also have a double-edged sword, such as viruses, malware, Trojan horses, and so on, which can send malicious messages to computers.

As the largest computer network, the Internet may not be a good user. Therefore, to ensure the security of our computers or servers, we need to protect them.
A required component on your computer or server is the firewall. In Wikipedia, the definition is:
A firewall is an application software in a computer or a hardware-based network security system. It analyzes the data packets according to the rules configured by the application and determines whether to allow the data packets to pass through to control the network data access permissions of the entire system.
Iptables is a firewall widely used on servers. It is an application that manages inbound and outbound data streams on the server according to a series of rules. Generally, only trusted connections are allowed to access the server. However, iptables runs in Console mode, which is very complicated. Users who are not familiar with iptables configuration rules and commands can read the following article, which describes how to use iptables firewall.

Install UFW firewall In Debian/Ubuntu
To reduce the complexity of iptables settings, there are many front-end applications. If you are running Ubuntu linux, UFW is a default firewall tool. Let's start with the UFW firewall.
What is UFW?
UFW (Simple Firewall) is a widely used front-end application of iptables firewall, which is very suitable for host-based firewalls. UFW provides a framework for managing network filters and a command line interface for controlling firewalls. It provides friendly and easy-to-use user interfaces for new Linux users who are not familiar with the concept of firewall.
At the same time, it also provides the command line interface and provides a complex set of commands for the system administrator to set complex firewall rules. UFW is also the top choice for Release versions such as Debian, Ubuntu, and Linux Mint.
Basic UFW usage
First, run the following command to check whether UFW has been installed on the system.
$ Sudo dpkg -- get-selections | grep ufw
If no installation is available, you can use the apt command to install it, as shown below:

$ Sudo apt-get install ufw

Before use, check whether UFW is running. Run the following command to check the configuration.
$ Sudo ufw status
If the status is inactive, it means it is not activated or does not work.
Enable/disable UFW

To enable it, you only need to enter the following command in the terminal:
$ Sudo ufw enable
Enable and activate the firewall when the system starts

To disable the function, enter:
$ Sudo ufw disable

List current UFW rules
After the firewall is activated, you can add your own rules to it. If you want to see the default rule, you can enter it.
$ Sudo ufw status verbose
Output example:
 

Status: activeLogging: on (low)Default: deny (incoming), allow (outgoing)New profiles: skip$

Add UFW rules
As you can see, all external access connections are not allowed by default. If you want to remotely connect to your machine, open the corresponding port. For example, if you want to connect using ssh, the following command is added.
Allow access

$ sudo ufw allow ssh[sudo] password for pungki :Rule addedRule added (v6)$


Check the status again and you will see the following output.
 

$ sudo ufw statusTo      Action          From--      -----------         ------22      ALLOW           Anywhere22      ALLOW           Anywhere (v6)
If you have many rules and want to quickly add numbers to each rule, use the numbered parameter.
$ sudo ufw status numberedTo      Action          From------      -----------         ------[1] 22      ALLOW           Anywhere[2] 22      ALLOW           Anywhere (v6)

The first rule means that all tcp or udp packets that access the machine through port 22 are allowed. What if you want to allow only tcp packet access? You can add a tcp Parameter after the service port. The following example and corresponding output.
 

$ sudo ufw allow ssh/tcpTo      Action          From------      -----------         ------22/tcp      ALLOW           Anywhere22/tcp      ALLOW           Anywhere (v6)

Access denied
The same rule is used to add denial rules. If you want to reject ftp access, you only need to enter
 

$ sudo ufw deny ftpTo      Action          From------      -----------         ------21/tcp      DENY            Anywhere21/tcp      DENY            Anywhere (v6)

Add specific Port
Sometimes, we will customize a port instead of using the standard. Let's try to replace ssh port 22 on the machine with port 2290, and then allow access from Port 2290. we add the following as follows:
 

$ Sudo ufw allow 2290/ssh (Note: some demo examples have problems) To Action From -- ----------- ------ 2290 ALLOW Anywhere2290 ALLOW Anywhere (v6)

You can also add the port range to the rule. If we want to open a port from 2290 to 2300 for the tcp protocol, the command is as follows:
 

$ sudo ufw allow 2290:2300/tcpTo          Action          From------          -----------         ------2290:2300/tcp       ALLOW           Anywhere2290:2300/tcp       ALLOW           Anywhere (v6)

If you want to use udp, perform the following operations.
 

$ sudo ufw allow 2290:2300/udpTo          Action          From------          -----------         ------2290:2300/udp       ALLOW           Anywhere2290:2300/udp       ALLOW           Anywhere (v6)

Note that you must specify 'tcp 'or 'udp'. Otherwise, an error message similar to the following is displayed.
ERROR: Must specify 'tcp 'or 'udp' with multiple ports

Add a specific IP Address
The rules we added earlier are based on service programs or ports, and UFW can also add rules based on IP addresses. The following is a command example.
 

$ Sudo ufw allow from 192.168.0.104
 

You can also use the subnet mask to expand the range.
 

$ sudo ufw allow form 192.168.0.0/24To      Action          From--      -----------         ------Anywhere    ALLOW           192.168.0.104Anywhere    ALLOW           192.168.0.0/24

As you can see, the from parameter only limits the source of the connection, and the purpose (represented by the To column) is everywhere. Let's take a look at the example of allowing access to port 22 (ssh.

$ Sudo ufw allow to any port 22
The preceding command allows access to port 22 from anywhere and from any protocol.

 


Combination Parameters

For more specific rules, you can also combine IP addresses, protocols, and ports. We want to create a rule that only comes from the IP address 192.168.0.104 and can only access local resources through tcp and port 22. We can use the following command.
$ Sudo ufw allow from 192.168.0.104 proto tcp to any port 22
The command used to create a denial rule is similar to the allowed rule. You only need to replace the allow parameter with the deny parameter.

Delete rule

In some cases, you need to delete existing rules. It is very easy to use UFW to delete rules again. In the preceding example, the following rules have been created and you want to delete them.
 

To      Action          From--      -----------         ------22/tcp      ALLOW           192.168.0.10421/tcp      ALLOW           Anywhere21/tcp      ALLOW           Anywhere (v6)

There are two methods to delete a rule.
Method 1
 

The following command deletes ftp-related rules. Therefore, the default access port rule for ftp like 21/tcp will be deleted.
$ Sudo ufw delete allow ftp

Method 2

However, when you use the following command to delete the rule in the preceding example,
$ Sudo ufw delete allow ssh

Or

$ Sudo ufw delete allow 22/tcp

The following errors may occur:
Cocould not delete non-existent rule
Cocould not delete non-existent rule (v6)

We have another trick. As mentioned above, sequence numbers can be used to replace the rules you want to delete. Let's try.
 

$ sudo ufw status numberedTo      Action          From--      -----------         ------[1] 22/tcp      ALLOW           192.168.0.104[2] 21/tcp      ALLOW           Anywhere[3] 21/tcp      ALLOW           Anywhere (v6)

Then we delete the first rule in use. Press "y" to permanently delete the rule.
 

$ sudo ufw delete 1Deleting :Allow from 192.168.0.104 to any port 22 proto tcpProceed with operation (y|n)? y

From these usage, you can find their differences.

Method 2 requires confirmation before deletion, but method 1 does not.
Reset all rules
In some cases, you may need to delete/reset all rules. Yes.
$ Sudo ufw reset
Resetting all rules to installed defaults. Proceed with operation (y | n )? Y

If you enter "y", UFW backs up all existing rules before resetting your ufw, and then resets them. The reset operation also makes your firewall unavailable. If you want to use it, you must enable it again.
Advanced functions
As I said above, UFW firewall can do everything iptables can do. This is done through some rule files. They are only text files corresponding to iptables-restore. Whether you can use the ufw command to fine-tune the UFW and/or logic to add the iptables command is actually about editing several text files.
 

/Etc/default/ufw: The main configuration file of the default policy. It supports IPv6 and kernel modules. /Etc/ufw/before [6]. rules: the rules that exist before they are added to the rules by using the ufw command will be calculated first. /Etc/ufw/after [6]. rules: after the ufw command is added to the rule, the rules that exist in the rule are calculated. /Etc/ufw/sysctl. conf: the kernel network adjustable parameter. /Etc/ufw. conf: Set whether UFW is available when the system starts, and set the log level.

Conclusion
As a front-end application of iptables, UFW provides users with a simple interface. You do not need to remember the extremely complex iptables syntax. UFW also uses simple English as its parameter.

Like Allow, deny, and reset are part of them. I believe there are many front-end applications of iptables, but UFW is definitely one of the best alternatives for users who want to quickly and easily build their own firewalls and are secure. Enter man ufw to view ufw user manual for more details.

 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.