[KVM Ubuntu] How To Set Up a Firewall with UFW

Lawrence (Moderator)
edited May 11 in KVM Based Servers
Introduction
UFW, or Uncomplicated Firewall, is a front-end to iptables. Its main goal is to make managing your firewall drop-dead simple and to provide an easy-to-use interface. It's well-supported and popular in the Linux community, and it is even installed by default in a lot of distros. As such, it's a great way to get started securing your server.


Requirements

In this tutorial we will be using Ubuntu 16.04, but the same steps should work on all of the Ubuntu and Debian versions we offer.

At Time4VPS you can install the Ubuntu 16.04 template quickly and easily, with just a few mouse clicks:
  1. Login to the Clients Portal;
  2. Select at the top of menu the "My Services > VPS" tab;
  3. Press the "Manage" button at the service table;
  4. Press the "Install OS" button;
  5. Choose Ubuntu 16.04 operating system, agree with warning and press "Continue";
  6. Wait for 5-10 minutes and refresh VPS management page.

Updating System

First things first: as always, we recommend updating and upgrading your server before you begin.
apt-get update
apt-get upgrade -y


Installing

First, make sure UFW is installed. It should be installed by default on Ubuntu, but if for some reason it's not, you can install the package with aptitude or apt-get using the following command:

apt-get install ufw


Using IPv6

This tutorial is written with IPv4 in mind, but will work for IPv6 as well as long as you enable it. If your Ubuntu server has IPv6 enabled, ensure that UFW is configured to support IPv6 so that it will manage firewall rules for IPv6 in addition to IPv4. Open /etc/default/ufw:

nano /etc/default/ufw
Make sure the line reads IPV6=yes. If it is set to no, change it to yes.

Save and close. Now UFW will configure the firewall for both IPv4 and IPv6, when appropriate.
Note: Tutorial about enabling IPv6 tunneling on KVM based servers can be found here.


Setting Up Defaults

Let's set your UFW rules back to the defaults so we can be sure that you'll be able to follow along with this tutorial. To set the defaults used by UFW, use these commands:
ufw default deny incoming
ufw default allow outgoing
These commands set the defaults to deny incoming and allow outgoing connections.


Allowing SSH Connections


The syntax is pretty simple. You change the firewall rules by issuing commands in the terminal. If we turned on our firewall now, it would deny all incoming connections. If you’re connected over SSH to your server, that would be a problem because you would be locked out of your server. Let’s enable SSH connections to our server to prevent that from happening:
ufw allow 22/tcp
Note: If your SSH daemon listens on a port other than the standard 22, replace 22 in the command above with that port.

Now that your firewall is configured to allow incoming SSH connections, we can enable it.

Allowing Other Connections

Now is a good time to allow some other connections we might need:

Allowing web (HTTP) and FTP connections:

ufw allow www
ufw allow ftp

Allowing an arbitrary TCP port (replace xxxx with the port number):

ufw allow xxxx/tcp

You can also specify port ranges with UFW. For example, to allow ports 1000 through 10000, use the command:

ufw allow 1000:10000/tcp

If you want UDP:

ufw allow 1000:10000/udp

You can also specify IP addresses. For example, if you want to allow connections from a specific IP address (say, your work or home address), use this command:

ufw allow from 123.12.1.123

You can also restrict that IP address to a specific port by appending "to any port" followed by the port number. For example, if you want to allow 123.12.1.123 to connect to port 22 (SSH) only, use this command:
ufw allow from 123.12.1.123 to any port 22


Denying Connections

Our default setup is to deny all incoming connections. This makes the firewall rules easier to administer, since we are only selectively allowing certain ports and IP addresses through. However, if you want to flip it and open up all your server's ports (not recommended), you could allow all connections and then selectively deny the ports or addresses you don't want to give access to, with commands such as:
ufw deny http
or
ufw deny from 123.12.1.123
and so on.
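One caveat a practitioner will want when mixing allow and deny rules: ufw appends new rules to the end of the list and evaluates them top to bottom, stopping at the first match, so a deny added after an allow for the same traffic never fires (use ufw insert 1 deny from ... to place it ahead). The following script is an added example, not code from the original post or from the ufw project; it models that first-match evaluation on a constructed rule list in a simplified "ACTION SRC PROTO PORT" format, which is an assumption of this example and not ufw's own rule syntax.

```shell
#!/bin/sh
# Added example, not part of the original post: a small first-match rule
# evaluator that shows why rule order matters when you mix allow and deny.
# Rule lines are constructed here as "ACTION SRC PROTO PORT" (any = wildcard);
# this is a model of ufw's evaluation order, not ufw's own rule format.
set -eu

# Print the action of the first rule matching SRC/PROTO/PORT, else DEFAULT.
# ufw (via iptables) evaluates user rules top to bottom and stops at the first
# match, which is exactly what this loop does.
first_match() {
    rules=$1 src=$2 proto=$3 port=$4 default=$5
    while read -r action rsrc rproto rport; do
        [ -n "$action" ] || continue              # skip blank lines
        case "$action" in '#'*) continue ;; esac  # skip comment lines
        [ "$rsrc" = any ]   || [ "$rsrc" = "$src" ]     || continue
        [ "$rproto" = any ] || [ "$rproto" = "$proto" ] || continue
        [ "$rport" = any ]  || [ "$rport" = "$port" ]   || continue
        printf '%s\n' "$action"
        return 0
    done < "$rules"
    printf '%s\n' "$default"
}

# Demo: a deny appended after the allow never fires for port 22, while the
# same deny placed first (ufw insert 1 deny from 123.12.1.123) does.
demo() {
    f=$(mktemp)
    printf 'allow any tcp 22\ndeny 123.12.1.123 any any\n' > "$f"
    printf 'deny appended after allow: %s\n' "$(first_match "$f" 123.12.1.123 tcp 22 deny)"
    printf 'deny 123.12.1.123 any any\nallow any tcp 22\n' > "$f"
    printf 'deny inserted first:       %s\n' "$(first_match "$f" 123.12.1.123 tcp 22 deny)"
    rm -f "$f"
}

# Invoke as: sh rule_order.sh demo
case "${1:-}" in demo) demo ;; esac
```

Run it with `sh rule_order.sh demo`: with the deny appended, 123.12.1.123 still reaches port 22 because the allow matches first; with the deny inserted at position 1, the same packet is denied while other sources are still allowed.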


Deleting Rules

You can delete rules by prefixing the original rule with ufw delete. For example:
ufw delete allow ssh
or
ufw delete allow 80/tcp
or
ufw delete allow 1000:2000/tcp


Enabling UFW

Finally, after everything is set up you can enable UFW. Use this command:
ufw enable
ufw will warn that the command may disrupt existing SSH connections and ask you to confirm; answer y. If you want to skip the confirmation prompt, for example in a script, use ufw --force enable instead.
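The steps above (IPv6 setting, defaults, the SSH allow rule, enabling) are one procedure, and the one mistake that hurts is enabling the firewall without an allow rule for the port sshd actually listens on. The script below is an added example, not code from the original post or from the ufw project: it reads the SSH port from sshd_config instead of assuming 22, fixes IPV6 in /etc/default/ufw if needed, and only runs ufw --force enable after confirming the SSH rule is present in ufw show added (rules added while the firewall is inactive are stored but not listed by ufw status until it is enabled). The file paths, the DRY_RUN, SSHD_CONFIG and UFW_DEFAULT variables, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: a lockout-safe version of the
# setup steps in this tutorial. Assumptions (not from the post): sshd's config
# is /etc/ssh/sshd_config, and DRY_RUN=1 prints commands instead of running them.
set -eu

# Return 0 if the given /etc/default/ufw-style file has IPV6=yes.
ufw_ipv6_enabled() {
    grep -Eq '^[[:space:]]*IPV6[[:space:]]*=[[:space:]]*"?yes"?' "$1"
}

# Set IPV6=yes in the given file, appending the line if it is missing.
ufw_set_ipv6_yes() {
    if grep -Eq '^[[:space:]]*IPV6[[:space:]]*=' "$1"; then
        sed -i 's/^[[:space:]]*IPV6[[:space:]]*=.*/IPV6=yes/' "$1"
    else
        printf 'IPV6=yes\n' >> "$1"
    fi
}

# Print the SSH port from an sshd_config (first uncommented Port line), default 22.
sshd_port() {
    port=$(awk 'tolower($1) == "port" { print $2; exit }' "$1" 2>/dev/null || true)
    printf '%s\n' "${port:-22}"
}

# Return 0 if saved "ufw show added" output (file $1) contains an allow rule
# for port $2, written either as "ufw allow PORT" or "ufw allow PORT/tcp".
ssh_rule_present() {
    grep -Eq "^ufw allow $2(/tcp)?\$" "$1"
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

apply_firewall() {
    cfg=${UFW_DEFAULT:-/etc/default/ufw}
    port=$(sshd_port "${SSHD_CONFIG:-/etc/ssh/sshd_config}")

    if [ -f "$cfg" ] && ! ufw_ipv6_enabled "$cfg"; then
        run ufw_set_ipv6_yes "$cfg"
    fi
    run ufw default deny incoming
    run ufw default allow outgoing
    run ufw allow "$port/tcp"        # the port sshd really listens on, not blindly 22
    run ufw allow www

    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '+ (dry run) would verify the SSH rule and then: ufw --force enable\n'
        return 0
    fi
    added=$(mktemp)
    ufw show added > "$added"        # lists rules even while the firewall is inactive
    if ssh_rule_present "$added" "$port"; then
        ufw --force enable           # --force skips the interactive confirmation
    else
        printf 'refusing to enable: no allow rule for port %s\n' "$port" >&2
        return 1
    fi
}

# Invoke as: DRY_RUN=1 sh firewall.sh apply   (or as root without DRY_RUN)
case "${1:-}" in
    apply) apply_firewall ;;
esac
```

Try it first with DRY_RUN=1 to see the exact ufw commands it would issue; the refusal branch is the point of the script, since a missing SSH rule before ufw enable is what locks you out of a remote server.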


Resetting UFW

If, for whatever reason, you need to reset your server’s rules to their default settings, you can do this by typing this command:
ufw reset


Conclusion

You should now have a cloud server that is configured properly to restrict access to a subset of ports or IP addresses.