ManagedCloud Servers

High performance handled and monitored by us 24/7/365. A complete solution to provide you with our in house expertise 24/7 tailored to your specific needs. We'll setup a bespoke server for your site using the latest tehnologies so you can get the most out of your hardware and get your website loading quickly and reliably. Find out more..

cPanelCloud Servers

Recommended - High performance cloud servers with no technical knowledge required. If you're hosting multiple websites already and you're looking to consolidate, or if you're looking to isolate yourself from the shared hosting environment but you don't have the time or knoweldge to manage a server, then the Managed cPanel Servers are for you. Find out more..

UnmanagedCloud Servers

Our unmanaged range gives you complete control at rock bottom prices and our cloud platform boasts super fast multipath 40Gb/s network, the latest Intel Xeon V3 CPUs and enterprise grade redundant SSDs. If you're a sysadmin look no further, we offer some of the best specification to price ratio servers available. Find out more..

Want your very own server? Get our 1GB memory, Xeon V4, 20GB SSD VPS for £10.00 / month.

View Plans

Install and Configure UFW Firewall on Ubuntu 16.04

Introduction

Security is very important thing to consider when you run your own server. The UFW (uncomplicated firewall) is a frontend for managing firewall rules and it is easy to use for host-based firewalls. UFW is used through the command line interface and aims to make firewall configuration easy.

Iptables is one of the most popular firewall tool used by system administrators. It is used to manage and secure incoming and outgoing connections in the server, but iptables runs in console mode and it is very complex to manage and configure. The ufw is an application firewall used to manage an iptables based firewall on Ubuntu that gives a framework for managing netfilter rules, as well as providing a command-line interface for controlling the firewall rules.

You can allow and block various services by port, network interface and source IP address using the UFW firewall. If you are beginner and are looking to get started securing your network, then the UFW is right choice for you.

In this tutorial, we will learn the UFW commands with different options to secure various services on Ubuntu 16.04.

  • Ubuntu-16.04 installed on your system
  • A non-root user account with sudo privilege set up on your system

Installing UFW

In Ubuntu 16.04, UFW is installed by default. If not, you can easily install it by running the following command:

sudo apt-get install ufw

You can also check the status of UFW by running the following command:

sudo ufw status

You should see the following output:

    Status: inactive

If you see above output, it means it's not active. You can enable it by just running the following command:

sudo ufw enable

You should see the following output:

    Firewall is active and enabled on system startup

To disable it, run the following command:

sudo ufw disable

List Out the Current UFW Rules

You can list the default firewall rules by using the following command:

sudo ufw status verbose

You should see the following output:

    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), deny (routed)
    New profiles: skip

You should see that by default every incoming connection is denied.

Allow Incoming Connections

If you want to access your system from remote machine then you will need to allow SSH connections.

You can allow SSH by running the following command:

sudo ufw allow ssh
    or
sudo ufw allow 22/tcp

Output:

    Rule added
    Rule added (v6)

Now, check the status of ufw:

sudo ufw status

You should see the output like this:

    Status: active

To Action From -- ------ ---- 22 ALLOW Anywhere 22/tcp ALLOW Anywhere 22 (v6) ALLOW Anywhere (v6) 22/tcp (v6) ALLOW Anywhere (v6)

Deny Incoming Connections

If you want to deny access to a certain port then you can use the following format:

sudo ufw deny "Port/Protocol"

For example, you can deny access to port 80 by running the following command:

sudo ufw deny 80/tcp

Allow Port Range

You can also add port ranges into the rules. For example, if you want to allow ports from 2100 to 2200 with tcp protocol then run the following command:

sudo ufw allow 2100:2200/tcp

Now, check the status for the ufw:

sudo ufw status

You should see the following output:

    Status: active

To Action From -- ------ ---- 22 ALLOW Anywhere 22/tcp ALLOW Anywhere 80/tcp DENY Anywhere 2200:2300/tcp ALLOW Anywhere 22 (v6) ALLOW Anywhere (v6) 22/tcp (v6) ALLOW Anywhere (v6) 80/tcp (v6) DENY Anywhere (v6) 2100:2200/tcp (v6) ALLOW Anywhere (v6)

Application Profiles

You can list out application profiles available on your local system. To do so, run the following command:

sudo ufw app list

Output:

    Available applications:
      Apache
      Apache Full
      Apache Secure
      CUPS
      Nginx Full
      Nginx HTTP
      Nginx HTTPS
      OpenSSH
      Samba

To list out information about a profile and its included rules, run the following command:

sudo ufw app info "App Name"

For example, if you want to know information of Apache profile, run the following command:

sudo ufw app info Apache

Output:

    Profile: Apache
    Title: Web Server
    Description: Apache v2 is the next generation of the omnipresent Apache web
    server.

Port: 80/tcp

Allow Access from Specific IP Addresses

You can also allow access to specific port from specific IP address. For example, if you want to allow IP 192.168.0.10 to access only port 22 then run the following command:

sudo ufw allow from 192.168.0.10 to any port 22

Deleting UFW Rules

You can also delete specific ufw rules. First, you will need to list ufw rules then you can remove it.

Run the following command to list out ufw rules:

sudo ufw status numbered

Output:

    Status: active

To Action From -- ------ ---- [ 1] 22 ALLOW IN Anywhere [ 2] 22/tcp ALLOW IN Anywhere [ 3] 80/tcp DENY IN Anywhere [ 4] 2200:2300/tcp ALLOW IN Anywhere [ 5] 22 ALLOW IN 192.168.0.15 [ 6] 22 (v6) ALLOW IN Anywhere (v6) [ 7] 22/tcp (v6) ALLOW IN Anywhere (v6) [ 8] 80/tcp (v6) DENY IN Anywhere (v6) [ 9] 2200:2300/tcp (v6) ALLOW IN Anywhere (v6)

Now, to remove any of these rules, you will need to use these numbers.

sudo ufw delete [number]

For example, if you want to remove third number rule then run the following command:

sudo ufw delete [3]

If you need to go back to default settings, simply type in the following command. This will revert any of your changes.

sudo ufw reset

Logging UFW Firewall Events

Firewall logs are necessary for troubleshooting your firewall rules, and notifying unusual activity on your network. So you must add logging rules in your firewall. The ufw log file will be located at /var/log/ufw.log

You can turn on logging by running the following command:

sudo ufw logging on

You can turn off logging by running the following command:

sudo ufw logging off

UFW supports multiple logging levels low, medium and high. The default ufw loglevel is low.

You can set different loglevels by running the following command:

sudo ufw logging low|medium|high
  • Low log blocked all packets not matching the default policy as well as packets matching logged rules.
  • Medium log blocked low, plus all allowed packets not matching the default policy, all INVALID packets, and all new connections.
  • High log blocked medium plus all packets with rate limiting.

UFW Graphical Interface

GUFW is a graphical interface for ufw. By default, Ubuntu-16.04 does not come with GUFW. You can install GUFW from Ubuntu repository.

You can install it by simply running the following command:

sudo apt-get install gufw

Advanced UFW Rules

You can do everything with ufw that iptables can do. You can add only simple rules using the command line. If you want to add more advance rules, then you can accomplish this by editing several ufw config files.

  1. /etc/default/ufw : This is main ufw config file for default policy and kernel modules.
  2. /etc/ufw/before.rules : Rules in these files are calculate before any rules added via the ufw command.
  3. /etc/ufw/after.rules : Rules in these files are calculate after any rules added via the ufw command.

By default UFW allows DHCP, ping and loopback. You can disallow this by editing the before.rules file.

sudo nano /etc/ufw/before.rules

Comment out the following lines:

    #-A ufw-before-input -i lo -j ACCEPT
    #-A ufw-before-output -o lo -j ACCEPT

#-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT #-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT #-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT #-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT #-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

#-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

Save the file, disable and re-enable ufw to apply the changes:

sudo ufw disable && sudo ufw enable

UFW Help

To list out all available switches of ufw, run the following command:

sudo ufw -h

Output:

    Usage: ufw COMMAND

Commands: enable enables the firewall disable disables the firewall default ARG set default policy logging LEVEL set logging to LEVEL allow ARGS add allow rule deny ARGS add deny rule reject ARGS add reject rule limit ARGS add limit rule delete RULE|NUM delete RULE insert NUM RULE insert RULE at NUM reload reload firewall reset reset firewall status show firewall status status numbered show firewall status as numbered list of RULES status verbose show verbose firewall status show ARG show firewall report version display version information

Application profile commands: app list list application profiles app info PROFILE show information on PROFILE app update PROFILE update PROFILE app default ARG set default application policy

Conclusion

Now you have enough knowledge to install and configure UFW firewall on your server. UFW is a very flexible tool so you can use it in production environment with different options to match your specific needs if they aren't covered here.

Want your very own server? Get our 1GB memory, Xeon V4, 20GB SSD VPS for £10.00 / month.

View Plans