
How to Install and Use UFW Firewall on Linux

_.:=iTake=:._

UFW, also known as Uncomplicated Firewall, is a front end to iptables and is particularly well suited for host-based firewalls. UFW provides an easy-to-use interface for beginners who are unfamiliar with firewall concepts. It is the most popular firewall tool originating from Ubuntu, and it supports both IPv4 and IPv6.

In this tutorial, we will learn how to install and use UFW firewall on Linux.

Requirements
  • Any Linux-based distribution installed on your system
  • root privileges set up on your system
Installing UFW
Ubuntu
By default, UFW is available in most Ubuntu-based distributions. If it has been removed, you can install it by running the following Linux command.

Code:
# apt-get install ufw -y

Debian
You can install UFW on Debian by running the following Linux command:
Code:
# apt-get install ufw -y

CentOS
By default, UFW is not available in the CentOS repositories, so you will need to add the EPEL repository to your system. You can do this by running the following Linux command:

Code:
# yum install epel-release -y

Once the EPEL repository is installed, you can install UFW by running the following Linux command:
Code:
# yum install --enablerepo="epel" ufw -y

After installing UFW, start the UFW service and enable it to start at boot by running the following Linux command.

Code:
# ufw enable

Next, check the status of UFW with the following Linux command. You should see the following output:
Code:
# ufw status 
Status: active

You can also disable the UFW firewall by running the following Linux command:
Code:
# ufw disable

Set UFW Default Policy
By default, UFW's policy is to block all incoming traffic and allow all outgoing traffic. You can set your own default policy with the following Linux commands.

Code:
ufw default allow outgoing 
ufw default deny incoming

Add and Delete Firewall Rules
You can add rules for allowing incoming and outgoing traffic in two ways: using the port number or using the service name. For example, if you want to allow both incoming and outgoing connections for the HTTP service, run the following Linux command using the service name.

Code:
ufw allow http

Or, run the following command using the port number:
Code:
ufw allow 80

If you want to filter packets based on TCP or UDP, then run the following command:
Code:
ufw allow 80/tcp 
ufw allow 21/udp

You can check the status of the added rules with the following Linux command:
Code:
# ufw status verbose

You should see the following output:
Code:
Status: active 
Logging: on (low) 
Default: deny (incoming), allow (outgoing), deny (routed) 
New profiles: skip 

To                         Action      From 
--                         ------      ---- 
80/tcp                     ALLOW IN    Anywhere 
21/udp                     ALLOW IN    Anywhere 
80/tcp (v6)                ALLOW IN    Anywhere (v6) 
21/udp (v6)                ALLOW IN    Anywhere (v6)

You can also deny any incoming and outgoing traffic at any time with the following commands:
Code:
# ufw deny 80 
# ufw deny 21

If you want to delete allowed rules for HTTP, simply prefix the original rule with delete as shown below:
Code:
# ufw delete allow http 
# ufw delete deny 21
 

_.:=iTake=:._

Advanced UFW rules
You can also add rules that allow or deny a specific IP address access to all services. Run the following command to allow the IP 192.168.0.200 to access all services on the server:
Code:
# ufw allow from 192.168.0.200

To deny the IP 192.168.0.200 access to all services on the server:
Code:
# ufw deny from 192.168.0.200

You can also allow a range of IP addresses in UFW. Run the following command to allow all connections from the IPs 192.168.1.1 to 192.168.1.254:

Code:
# ufw allow from 192.168.1.0/24

To allow the IP address 192.168.1.200 access to port 80 using TCP, run the following Linux command:

Code:
# ufw allow from 192.168.1.200 to any port 80 proto tcp

To allow access to the TCP and UDP port range from 2000 to 3000, run the following Linux commands:

Code:
# ufw allow 2000:3000/tcp
# ufw allow 2000:3000/udp

If you want to block access to port 22 from the IPs 192.168.0.4 and 192.168.0.10 but allow all other IPs to access port 22, run the following commands. UFW applies the first rule that matches a packet, so the two deny rules must be added before the broader allow rule:

Code:
# ufw deny from 192.168.0.4 to any port 22
# ufw deny from 192.168.0.10 to any port 22
# ufw allow from 192.168.0.0/24 to any port 22
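To see why the order of those three rules matters, here is an added example (not from the original post) that simulates UFW's first-match evaluation in plain sh, with no ufw installed. The rule sets and the test addresses are constructed for the demo; the rule format and the CIDR logic are simplified stand-ins for what UFW does internally.

```shell
#!/bin/sh
# Added example, not from the original post: simulate UFW's first-match rule
# evaluation in plain sh (no ufw needed) to show why the two host-specific
# "deny" rules must be added before the subnet-wide "allow" rule.
# The rule sets and the test addresses below are constructed for the demo.

ip_to_int() {                      # 192.168.0.4 -> 32-bit integer
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {                        # in_cidr <ip> <cidr-or-ip>; true if inside
  net=${2%/*}; bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32    # a bare address means /32
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Rules as "<action> <source> <port>", one per line, in the order added.
RULES_POST_ORDER='deny 192.168.0.4 22
deny 192.168.0.10 22
allow 192.168.0.0/24 22'

# Same rules, subnet allow first: the broad rule now wins for every host.
RULES_WRONG_ORDER='allow 192.168.0.0/24 22
deny 192.168.0.4 22
deny 192.168.0.10 22'

# evaluate <rules> <src-ip> <dst-port>: action of the first matching rule,
# or "default-deny" (the default incoming policy set earlier in the post).
evaluate() {
  result=$(printf '%s\n' "$1" | while read -r action cidr rport; do
    [ -z "$action" ] && continue
    if [ "$rport" = "$3" ] && in_cidr "$2" "$cidr"; then
      echo "$action"; break
    fi
  done)
  echo "${result:-default-deny}"
}

for ip in 192.168.0.4 192.168.0.5 10.0.0.9; do
  printf '%-12s port 22  post order: %-12s wrong order: %s\n' "$ip" \
    "$(evaluate "$RULES_POST_ORDER" "$ip" 22)" \
    "$(evaluate "$RULES_WRONG_ORDER" "$ip" 22)"
done
```

With the post's order 192.168.0.4 is denied and 192.168.0.5 is allowed; with the allow rule first, 192.168.0.4 slips through, which is exactly what a quick `ufw status numbered` check after adding rules is meant to catch.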

To allow HTTP traffic on the network interface eth0, run the following Linux command:
Code:
# ufw allow in on eth0 to any port 80

By default, UFW allows ping requests. If you want to deny ping requests, you will need to edit the /etc/ufw/before.rules file:
Code:
# nano /etc/ufw/before.rules

Remove the following lines:
Code:
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT


Save the file, when you are finished.

If you ever need to reset UFW, removing all of your rules, you can do so with the following Linux command.
Code:
# ufw reset

Configure NAT with UFW
If you want to NAT connections from the external interface to the internal one using UFW, you can do this by editing the /etc/default/ufw and /etc/ufw/before.rules files. First, open the /etc/default/ufw file using the nano editor:

Code:
# nano /etc/default/ufw

Change the following line:

Code:
DEFAULT_FORWARD_POLICY="ACCEPT"

Next, you will also need to allow IPv4 forwarding. You can do this by editing the /etc/ufw/sysctl.conf file:

Code:
# nano /etc/ufw/sysctl.conf

Change the following line:

Code:
net/ipv4/ip_forward=1

Next, you will need to add NAT to ufw’s configuration file. You can do this by editing /etc/ufw/before.rules file:

Code:
# nano /etc/ufw/before.rules

Add the following lines just before the filter rules:
Code:
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through eth0 - change to match your out-interface
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT
Save the file when you are finished. Then restart UFW with the following linux command:

Code:
ufw disable
ufw enable

Configure Port Forwarding with UFW
If you want to forward traffic arriving on a public IP, e.g. 150.129.148.155, on ports 80 and 443 to an internal server with the IP address 192.168.1.120, you can do this by editing /etc/ufw/before.rules, the same file that holds the NAT section above:

Code:
# nano /etc/ufw/before.rules

Change the NAT section of the file as shown below. The chain policy lines must begin with a colon, and the section must end with COMMIT or the rules are never loaded:

Code:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Forward HTTP and HTTPS arriving on the public address to the internal server
-A PREROUTING -i eth0 -d 150.129.148.155 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.120:80
-A PREROUTING -i eth0 -d 150.129.148.155 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.120:443
# Masquerade traffic from the internal network that leaves it
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE
COMMIT
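Both the NAT section above and this port-forwarding section are hand-edited into before.rules, and a dropped colon or a forgotten COMMIT is easy to miss until `ufw enable` fails or the NAT rules silently never load. Here is an added example (not from the original post) of a small sh lint for that block; the two sample files are constructed for the demo and the checks are a deliberate subset of what iptables-restore enforces.

```shell
#!/bin/sh
# Added example, not from the original post: a small lint for the NAT block
# pasted into /etc/ufw/before.rules. It catches the slips that make
# iptables-restore reject the file or silently skip the block: a chain policy
# line missing its leading ':', a rule appended to an undeclared chain,
# and a missing COMMIT. The sample files below are constructed for the demo.
lint_nat_block() {        # lint_nat_block <file>; prints findings, fails if any
  file=$1 errors=0 seen_nat=0 seen_commit=0 chains=" "
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      '#'*|'') continue ;;                        # comment or blank line
      '*nat') seen_nat=1 ;;
      COMMIT) seen_commit=1 ;;
      :*' '*'['*:*']')                            # ":CHAIN POLICY [pkts:bytes]"
        name=${line#:}; chains="$chains${name%% *} " ;;
      *' ACCEPT ['*|*' DROP ['*)                  # policy line, colon missing
        echo "$file: chain policy must start with ':' -> $line"
        errors=$((errors + 1)) ;;
      -A*)
        chain=${line#"-A "}; chain=${chain%% *}
        case $chains in
          *" $chain "*) ;;
          *) echo "$file: rule appended to undeclared chain $chain"
             errors=$((errors + 1)) ;;
        esac ;;
    esac
  done < "$file"
  [ "$seen_nat" -eq 1 ] || { echo "$file: missing '*nat' header"; errors=$((errors + 1)); }
  [ "$seen_commit" -eq 1 ] || { echo "$file: missing COMMIT, nat rules would never load"; errors=$((errors + 1)); }
  [ "$errors" -eq 0 ]
}
GOOD=$(mktemp); BAD=$(mktemp)    # constructed samples: correct block, and one
cat > "$GOOD" <<'EOF'            # with the colon dropped and COMMIT forgotten
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 150.129.148.155 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.120:80
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE
COMMIT
EOF
cat > "$BAD" <<'EOF'
*nat
PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 150.129.148.155 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.120:443
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE
EOF
lint_nat_block "$GOOD" && echo "$GOOD: nat block OK"
lint_nat_block "$BAD" || echo "$BAD: fix the block before running ufw enable"
```

Run it against your edited before.rules before `ufw disable && ufw enable`; the mistyped sample produces three findings, the corrected one none.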

Next, restart UFW with the following command:

Code:
# ufw disable
# ufw enable

Next, you will also need to allow ports 80 and 443. You can do this by running the following commands:

Code:
# ufw allow proto tcp from any to 150.129.148.155 port 80
# ufw allow proto tcp from any to 150.129.148.155 port 443
 