How to Install and Use UFW Firewall on Linux

In this tutorial I will show you how to install and use the UFW firewall on Linux.

UFW, also known as Uncomplicated Firewall, is a front end to iptables and is particularly well suited to host-based firewalls. UFW provides an easy-to-use interface for beginners who are unfamiliar with firewall concepts. It is the most popular firewall tool originating from Ubuntu. It supports both IPv4 and IPv6.

Ubuntu

UFW is installed by default on most Ubuntu-based distributions. If it has been removed, you can install it by running the following command.

# apt-get install ufw -y 

Debian

You can install UFW in Debian by running the following command:

# apt-get install ufw -y

CentOS

UFW is not available in the default CentOS repositories, so you will need to add the EPEL repository to your system. You can do this by running the following command:

# yum install epel-release -y

Once the EPEL repository is installed, you can install UFW by just running the following command:

# yum install --enablerepo="epel" ufw -y

After installing UFW, enable the firewall by running the following command. This also starts the UFW service and makes it start at boot. If you are connected over SSH, allow port 22 first (see the rule examples below), because the default policy denies all incoming traffic.

# ufw enable 

Next, check the status of UFW with the following command. You should see the following output:

# ufw status 
Status: active 

You can also disable UFW firewall by running the following command:

# ufw disable 

Set UFW Default Policy

By default, UFW's policy is to block all incoming traffic and allow all outgoing traffic. You can set your own default policy with the following commands.

# ufw default allow outgoing 
# ufw default deny incoming 

Add and Delete Firewall Rules

You can add rules allowing traffic in two ways: by port number or by service name. For example, to allow incoming HTTP connections (outgoing traffic is already allowed by the default policy), run the following command using the service name:

# ufw allow http 

Or, run the following command using the port number:

# ufw allow 80 

If you want to restrict a rule to TCP or UDP, append the protocol to the port number as in the following commands:

# ufw allow 80/tcp 
# ufw allow 21/udp 

You can check the status of added rules with the following command.

# ufw status verbose 

You should see the following output:

Status: active 
Logging: on (low) 
Default: deny (incoming), allow (outgoing), deny (routed) 
New profiles: skip 

To                         Action      From 
--                         ------      ---- 
80/tcp                     ALLOW IN    Anywhere 
21/udp                     ALLOW IN    Anywhere 
80/tcp (v6)                ALLOW IN    Anywhere (v6) 
21/udp (v6)                ALLOW IN    Anywhere (v6) 

You can also deny traffic to a port at any time with the following commands:

# ufw deny 80 
# ufw deny 21 

If you want to delete the allow rule for HTTP, simply prefix the original rule with delete, as shown below:

# ufw delete allow http 
# ufw delete deny 21 

Advanced UFW rules

You can also allow or deny a specific IP address access to all services. Run the following command to allow the IP 192.168.0.200 to access all services on the server:

# ufw allow from 192.168.0.200 

To deny the IP 192.168.0.200 access to all services on the server:

# ufw deny from 192.168.0.200 

You can also allow a range of IP addresses in UFW. Run the following command to allow all connections from IP 192.168.1.1 to 192.168.1.254:

# ufw allow from 192.168.1.0/24 

To allow IP address 192.168.1.200 access to port 80 over TCP, run the following command:

# ufw allow from 192.168.1.200 to any port 80 proto tcp 

To allow access to the TCP and UDP port range 2000 to 3000, run the following commands:

# ufw allow 2000:3000/tcp 
# ufw allow 2000:3000/udp 

If you want to block access to port 22 from IP 192.168.0.4 and 192.168.0.10 but allow all other IPs (here the rest of the 192.168.0.0/24 network) to access port 22, run the following commands. Add the deny rules first: UFW evaluates rules in the order they were added and the first match wins, so an allow rule for the whole network added earlier would take precedence over the later deny rules.

# ufw deny from 192.168.0.4 to any port 22 
# ufw deny from 192.168.0.10 to any port 22 
# ufw allow from 192.168.0.0/24 to any port 22 
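To make the ordering point concrete, here is an added example (not part of the original tutorial) that parses the `ufw status verbose` table shown earlier and evaluates a packet against the rules the way the ufw-user-input chain does, first match wins. The status text is a constructed sample in that layout, and the port-22 lines mirror the deny-then-allow SSH sequence above.

```python
import ipaddress
import re

# Constructed sample in the layout of `ufw status verbose` (not output captured
# from a real host); the port-22 lines mirror the deny-then-allow SSH sequence above.
SAMPLE_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
22                         DENY IN     192.168.0.4
22                         DENY IN     192.168.0.10
22                         ALLOW IN    192.168.0.0/24
80/tcp (v6)                ALLOW IN    Anywhere (v6)
"""

RULE_RE = re.compile(r"^(\S+)\s+(ALLOW|DENY|REJECT|LIMIT) (IN|OUT|FWD)\s+(\S+)\s*$")

def parse_status(text):
    """Return (default incoming policy, IPv4 'IN' rules in listed order).
    A rule is (port, proto, action, source network); port/proto "any" match everything."""
    default_in, rules = None, []
    for line in text.splitlines():
        m = re.match(r"^Default: (\w+) \(incoming\)", line)
        if m:
            default_in = m.group(1).upper()
            continue
        m = RULE_RE.match(line)
        if not m or "(v6)" in line or m.group(3) != "IN":
            continue
        to, action, _, src = m.groups()
        port, _, proto = ("any", "", "") if to == "Anywhere" else to.partition("/")
        net = ipaddress.ip_network("0.0.0.0/0" if src == "Anywhere" else src, strict=False)
        rules.append((port, proto or "any", action, net))
    return default_in, rules

def decide(default_in, rules, src, port, proto="tcp"):
    """Evaluate like the ufw-user-input chain: the first matching rule wins,
    otherwise the default incoming policy applies."""
    src_ip = ipaddress.ip_address(src)
    for r_port, r_proto, action, net in rules:
        if r_port in ("any", str(port)) and r_proto in ("any", proto) and src_ip in net:
            return action
    return default_in
```

Calling `decide` with the allow rule moved ahead of the deny rules returns ALLOW for 192.168.0.4, which is exactly the misconfiguration that adding the rules in the wrong order produces.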

To allow HTTP traffic on network interface eth0, run the following command:

# ufw allow in on eth0 to any port 80 

By default, UFW allows ping requests. If you want to deny ping requests, you will need to edit the /etc/ufw/before.rules file:

# nano /etc/ufw/before.rules 

Remove the following lines:

-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT 
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT 
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT 
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT 
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT 

Save the file when you are finished. Note that the first four lines accept ICMP error messages (for example destination-unreachable, which path MTU discovery depends on), not just ping; if you only want the host to stop answering ping, it is enough to change the target of the echo-request line from ACCEPT to DROP and leave the other lines in place.

If you ever need to reset UFW, removing all of your rules, you can do so with the following command.

# ufw reset 

Configure NAT with UFW

If you want to NAT connections from the external interface to the internal one using UFW, you can do so by editing the /etc/default/ufw and /etc/ufw/before.rules files. First, open /etc/default/ufw using the nano editor:

# nano /etc/default/ufw

Change the DEFAULT_FORWARD_POLICY line (DROP by default) to:

DEFAULT_FORWARD_POLICY="ACCEPT"

Next, you will also need to enable IPv4 forwarding. You can do this by editing the /etc/ufw/sysctl.conf file:

# nano /etc/ufw/sysctl.conf

Uncomment the following line, or change its value, so that it reads:

net/ipv4/ip_forward=1 

Next, you will need to add the NAT rules to ufw's configuration. You can do this by editing the /etc/ufw/before.rules file:

# nano /etc/ufw/before.rules

Add the following lines just before the filter rules (that is, above the *filter line):

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through eth0 - Change to match your out-interface
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT

Save the file when you are finished. Then restart UFW with the following commands:

# ufw disable
# ufw enable

Configure Port Forwarding with UFW

If you want to forward traffic arriving at a public IP, e.g. 150.129.148.155, on ports 80 and 443 to an internal server with IP address 192.168.1.120, you can do so by editing /etc/ufw/before.rules:

# nano /etc/ufw/before.rules

Add the PREROUTING chain and the DNAT rules to the *nat section you created above, before its COMMIT line, as shown below:

:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 150.129.148.155 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.120:80
-A PREROUTING -i eth0 -d 150.129.148.155 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.120:443
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE

Next, restart UFW with the following command:

# ufw disable
# ufw enable

Next, you will also need to allow ports 80 and 443. You can do this by running the following commands:

# ufw allow proto tcp from any to 150.129.148.155 port 80
# ufw allow proto tcp from any to 150.129.148.155 port 443