How to Install and Use UFW Firewall on Linux

_.:=iTake=:._

Administrator
Staff member
ZeuS
Forum Moderator
+Lifetime VIP+
Contributor
Oct 20, 2018
692
985
93
Credits
8,577
UFW, also known as Uncomplicated Firewall, is a front end to iptables and is particularly well suited to host-based firewalls. It provides an easy-to-use interface for users who are unfamiliar with firewall concepts. It originated in Ubuntu, where it is the default firewall tool, and it supports both IPv4 and IPv6.

In this tutorial, we will learn how to install and use UFW firewall on Linux.

Requirements
  • Any Linux-based distribution installed on your system
  • root privileges (or sudo) on the system; the commands below are shown at a root prompt
Installing UFW
Ubuntu
UFW is installed by default on Ubuntu and most Ubuntu-based distributions. If it has been removed, reinstall it with the following command:

Code:
# apt-get install ufw -y
Debian
On Debian, UFW is in the main repository and can be installed with:
Code:
# apt-get install ufw -y
CentOS
UFW is not in the base CentOS repositories; it is packaged in EPEL, so add the EPEL repository first:

Code:
# yum install epel-release -y
Once the EPEL repository is installed, install UFW from it:
Code:
# yum install --enablerepo="epel" ufw -y
After installing UFW, enable it. This starts the firewall and also configures it to start at boot. Be careful on a remote machine: the default policy denies all incoming traffic, so add a rule allowing SSH (see "Add and Delete Firewall Rules" below) before you enable, otherwise your own session is cut off. ufw prints a warning that the command may disrupt existing SSH connections for exactly this reason.

Code:
# ufw enable
Next, check the status of UFW. You should see the following output:
Code:
# ufw status 
Status: active
To disable the firewall again (the rules are kept and come back on the next enable):
Code:
# ufw disable
Set UFW Default Policy
By default, UFW's policy denies all incoming traffic, allows all outgoing traffic and denies routed (forwarded) traffic. You can set your own default policy with the following commands; the defaults shown here are the right starting point for a host firewall, because anything not explicitly allowed in is rejected.

Code:
ufw default allow outgoing 
ufw default deny incoming
Add and Delete Firewall Rules
You can add rules in two ways, by port number or by service name (names are resolved through /etc/services). Note that ufw allow without a direction adds an incoming rule; outgoing traffic is already permitted by the default policy. For example, to allow incoming HTTP connections, run the following command using the service name:

Code:
ufw allow http
Or, run the following command using the port number:
Code:
ufw allow 80
To restrict a rule to TCP or UDP, append the protocol to the port; without it the rule matches both:
Code:
ufw allow 80/tcp 
ufw allow 21/udp
You can check the added rules with the following command:
Code:
# ufw status verbose
You should see the following output:
Code:
Status: active 
Logging: on (low) 
Default: deny (incoming), allow (outgoing), deny (routed) 
New profiles: skip 

To                         Action      From 
--                         ------      ---- 
80/tcp                     ALLOW IN    Anywhere 
21/udp                     ALLOW IN    Anywhere 
80/tcp (v6)                ALLOW IN    Anywhere (v6) 
21/udp (v6)                ALLOW IN    Anywhere (v6)
To block a port instead, use deny. Like allow, these rules apply to incoming traffic:
Code:
# ufw deny 80 
# ufw deny 21
To delete a rule, prefix the original rule with delete, as shown below. Alternatively, list the rules with ufw status numbered and delete one by its number.
Code:
# ufw delete allow http 
# ufw delete deny 21
Advanced UFW rules
You can also allow or deny a specific IP address for all services. Run the following command to allow 192.168.0.200 to reach every service on the server:
Code:
# ufw allow from 192.168.0.200
To deny 192.168.0.200 access to all services on the server:
Code:
# ufw deny from 192.168.0.200
You can also allow a whole subnet. Run the following command to allow all connections from 192.168.1.0/24 (192.168.1.1 to 192.168.1.254):

Code:
# ufw allow from 192.168.1.0/24
To allow IP address 192.168.1.200 access to port 80 using TCP, run the following linux command:

Code:
# ufw allow from 192.168.1.200 to any port 80 proto tcp
To allow a range of TCP and UDP ports, 2000 to 3000, run the following commands. A port range must always carry a protocol; ufw rejects a range without one.

Code:
# ufw allow 2000:3000/tcp

# ufw allow 2000:3000/udp
Rule order matters: ufw evaluates rules top-down and stops at the first match, so a deny for a specific host must come before a broader allow that would otherwise match first. To block port 22 from 192.168.0.4 and 192.168.0.10 while allowing the rest of 192.168.0.0/24 to reach it, add the deny rules first. If the allow rule already exists, put the deny rules in front of it with ufw insert 1 instead of appending them.

Code:
# ufw deny from 192.168.0.4 to any port 22

# ufw deny from 192.168.0.10 to any port 22

# ufw allow from 192.168.0.0/24 to any port 22
To allow HTTP traffic only on network interface eth0 (useful on a multi-homed host, so the port is not also opened on an internal interface):
Code:
# ufw allow in on eth0 to any port 80
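The install/enable procedure above and the deny-before-allow ordering just described, combined into one reviewable script. This is an added example, not part of the original post: the management network 192.168.0.0/24, the blocked host 192.168.0.4 and the HTTP/HTTPS ports are assumed values, and the UFW_DRY_RUN variable and the run and ufw_baseline functions are the example's own, not ufw's. With UFW_DRY_RUN=1 (the default here) the commands are printed instead of executed, so the plan can be read before it is applied as root with UFW_DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original post): apply the install/enable
# procedure and the deny-before-allow ordering from this post as one
# reviewable script. Assumed values (not from the page): management
# network 192.168.0.0/24 may reach SSH, host 192.168.0.4 may not, and the
# host serves HTTP/HTTPS. With UFW_DRY_RUN=1 (the default here) the ufw
# commands are printed instead of run; set UFW_DRY_RUN=0 as root to apply.

run() {
    if [ "${UFW_DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ufw_baseline MGMT_NET BLOCKED_IP
ufw_baseline() {
    mgmt_net=$1
    blocked_ip=$2
    run ufw default deny incoming
    run ufw default allow outgoing
    # Allow SSH before enabling: once default-deny is active, an enable
    # without this rule cuts off the session you are working from. 'limit'
    # also denies a source that opens 6 or more connections in 30 seconds.
    run ufw limit from "$mgmt_net" to any port 22 proto tcp
    run ufw allow 80/tcp
    run ufw allow 443/tcp
    # ufw stops at the first matching rule, so a deny appended after the
    # broader SSH allow would never fire; 'insert 1' places it first.
    run ufw insert 1 deny from "$blocked_ip" to any port 22 proto tcp
    # --force skips the "may disrupt existing ssh connections" prompt.
    run ufw --force enable
}

ufw_baseline 192.168.0.0/24 192.168.0.4
```

Run it once in dry-run mode and read the printed plan: the SSH rule appears before the enable, and the insert puts the host-specific deny at position 1 so it is evaluated ahead of the subnet allow.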
By default UFW accepts ICMP echo requests (ping). The accept rules live in /etc/ufw/before.rules, which is evaluated before the user rules, so a plain ufw deny cannot override them. To deny ping, edit the file:
Code:
# nano /etc/ufw/before.rules
Locate the following lines:
Code:
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
Change the target of the echo-request line from ACCEPT to DROP and leave the other lines in place: destination-unreachable, time-exceeded and parameter-problem are needed for path MTU discovery and for error reporting to work, and removing them breaks connections in hard-to-diagnose ways. The IPv6 equivalents are in /etc/ufw/before6.rules. Save the file when you are finished and run ufw reload to apply the change.
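The edit just described, done with sed so that only the echo-request line changes, plus a small check that the other ICMP types are still accepted. This is an added example, not part of the original post: the drop_ping, icmp_policy and sample_icmp_rules functions are the example's own, and the sample rules file is a constructed stand-in for the ICMP section of before.rules and before6.rules so the script can be tried on a copy before touching the real file.

```shell
#!/bin/sh
# Added example (not from the original post): block ICMP echo-request (ping)
# by changing only that line's target to DROP, so destination-unreachable,
# time-exceeded and parameter-problem keep being accepted. The file path is
# a parameter so the function can be tried on a copy first; the default is
# the real /etc/ufw/before.rules (before6.rules holds the IPv6 rules).

# drop_ping RULES_FILE
drop_ping() {
    rules=${1:-/etc/ufw/before.rules}
    # Only lines in the *-before-input chains are touched; the matching
    # forward-chain rule in before.rules is left alone. A .bak copy is kept.
    sed -E -i.bak 's/^(-A ufw6?-before-input .*--icmp(v6)?-type echo-request -j )ACCEPT/\1DROP/' "$rules"
}

# icmp_policy RULES_FILE: print "<icmp type> <target>" per ICMP input rule
icmp_policy() {
    awk '/^-A ufw6?-before-input -p icmp/ {
            for (i = 1; i <= NF; i++) if ($i ~ /-type$/) t = $(i + 1)
            print t, $NF
         }' "$1"
}

# Constructed stand-in for the ICMP section of before.rules / before6.rules
# (the real files carry more rules; these are the ones of interest).
sample_icmp_rules() {
    cat > "$1" <<'EOF'
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
EOF
}

demo=$(mktemp)
sample_icmp_rules "$demo"
drop_ping "$demo"
icmp_policy "$demo"
rm -f "$demo" "$demo.bak"
```

On a real host, run drop_ping against /etc/ufw/before.rules and /etc/ufw/before6.rules as root, check the result with icmp_policy, then ufw reload. The anchored sed pattern is the point of the example: a looser substitution on echo-request would also turn off ping for forwarded traffic on a router.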

If you ever need to reset UFW to its installed defaults, removing all of your rules and disabling the firewall, run the following command (backups of the rule files are kept alongside them):
Code:
# ufw reset
Configure NAT with UFW
To NAT connections from an internal network out through the external interface, edit /etc/default/ufw and /etc/ufw/before.rules. First, open /etc/default/ufw:

Code:
# nano /etc/default/ufw
Change the forward policy from DROP to ACCEPT. This permits every forwarded packet; a tighter alternative is to leave it at DROP and allow only the required flows with ufw route rules (ufw 0.34 and later).

Code:
DEFAULT_FORWARD_POLICY="ACCEPT"
Next, enable IPv4 forwarding. ufw applies /etc/ufw/sysctl.conf when it starts, so set it there:

Code:
# nano /etc/ufw/sysctl.conf
Uncomment the following line:

Code:
net/ipv4/ip_forward=1
Next, add the NAT table to ufw's rule file /etc/ufw/before.rules:

Code:
# nano /etc/ufw/before.rules
Add the following lines near the top of the file, before the *filter line:
Code:
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through eth0 - Change to match you out-interface
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT
Save the file when you are finished. Then restart UFW so the new table is loaded (ufw reload also works):

Code:
ufw disable

ufw enable
Configure Port Forwarding with UFW
To forward traffic arriving at the public IP (e.g. 150.129.148.155) on ports 80 and 443 to an internal server with IP address 192.168.1.120, add DNAT rules to the *nat table in /etc/ufw/before.rules. The forward policy and ip_forward settings from the previous section are required here as well:

Code:
# nano /etc/ufw/before.rules
Change the nat table as shown below (the chain declarations must start with a colon, and the table needs its own COMMIT):

Code:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 150.129.148.155 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.120:80
-A PREROUTING -i eth0 -d 150.129.148.155 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.120:443
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE
COMMIT
Next, restart UFW with the following command:

Code:
# ufw disable

# ufw enable
Finally, the forwarded traffic must be permitted by the FORWARD chain. If DEFAULT_FORWARD_POLICY is ACCEPT, as set in the NAT section, nothing more is needed. If you kept it at DROP, allow the flows with route rules. Note that DNAT rewrites the destination to 192.168.1.120 before the filter rules run, so ordinary ufw allow rules for the public address (which act on the host's own INPUT chain) never match this traffic:

Code:
# ufw route allow proto tcp from any to 192.168.1.120 port 80

# ufw route allow proto tcp from any to 192.168.1.120 port 443
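A generator for the NAT and port-forwarding table described in the last two sections, which writes the *nat block ahead of the *filter table and refuses to add it twice. This is an added example, not part of the original post: the nat_rules, install_nat and sample_before_rules functions are the example's own, the WAN interface eth0, public address 203.0.113.10, LAN 192.168.1.0/24 and target 192.168.1.120 are assumed values, and the sample rules file is a constructed stand-in for /etc/ufw/before.rules so the script can be tried on a copy first.

```shell
#!/bin/sh
# Added example (not from the original post): generate the *nat table for
# /etc/ufw/before.rules and splice it in ahead of the *filter table, which is
# where ufw expects extra tables. Assumed values (not from the page): WAN
# interface eth0, public address 203.0.113.10, LAN 192.168.1.0/24, internal
# web server 192.168.1.120. ip_forward=1 and a FORWARD policy (or ufw route
# allow rules) are still required, as described in the post.

# nat_rules WAN_IF PUBLIC_IP LAN_NET TARGET_IP PORT...
nat_rules() {
    wan_if=$1; pub_ip=$2; lan_net=$3; target=$4; shift 4
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    # One DNAT per forwarded TCP port; matching on -d keeps the rule from
    # hijacking traffic to other addresses on the same interface.
    for p in "$@"; do
        printf '%s\n' "-A PREROUTING -i $wan_if -d $pub_ip -p tcp --dport $p -j DNAT --to-destination $target:$p"
    done
    # Masquerade LAN traffic leaving through the WAN interface.
    printf '%s\n' "-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE" 'COMMIT'
}

# install_nat RULES_FILE WAN_IF PUBLIC_IP LAN_NET TARGET_IP PORT...
install_nat() {
    rules=$1; shift
    if grep -q '^\*nat' "$rules"; then
        echo "$rules already has a *nat table; edit it instead" >&2
        return 1
    fi
    block=$(nat_rules "$@")
    # Insert the block once, immediately before the *filter line.
    awk -v block="$block" '/^\*filter/ && !done { print block; print ""; done = 1 } { print }' \
        "$rules" > "$rules.tmp" && mv "$rules.tmp" "$rules"
}

# Constructed stand-in for a real before.rules (only the filter header).
sample_before_rules() {
    printf '%s\n' '*filter' ':ufw-before-input - [0:0]' ':ufw-before-forward - [0:0]' 'COMMIT' > "$1"
}

demo=$(mktemp)
sample_before_rules "$demo"
install_nat "$demo" eth0 203.0.113.10 192.168.1.0/24 192.168.1.120 80 443
cat "$demo"
rm -f "$demo"
```

On a real router, run install_nat against /etc/ufw/before.rules as root, then ufw reload; if the forward policy is still DROP, add one ufw route allow rule per forwarded port to 192.168.1.120.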