[KVM Ubuntu] How To Set Up a Firewall with UFW
UFW, or Uncomplicated Firewall, is a front-end to iptables. Its main goal is to make managing your firewall drop-dead simple and to provide an easy-to-use interface. It’s well-supported and popular in the Linux community—even installed by default in a lot of distros. As such, it’s a great way to get started securing your server.
In this tutorial we will be using Ubuntu 16.04; however, the same steps should work on all the Ubuntu and Debian versions we offer.
At Time4VPS you can install the Ubuntu 16.04 template quickly and easily, with just a few mouse clicks:
- Login to the Clients Portal;
- Select at the top of menu the "My Services > VPS" tab;
- Press the "Manage" button at the service table;
- Press the "Install OS" button;
- Choose Ubuntu 16.04 operating system, agree with warning and press "Continue";
- Wait for 5-10 minutes and refresh VPS management page.
First things first: as always, we recommend updating and upgrading your server before anything else.
apt-get update
apt-get upgrade -y
Next, make sure UFW is installed. It should be installed by default on Ubuntu, but if for some reason it’s not, you can install the package with apt-get using the following command:
apt-get install ufw
This tutorial is written with IPv4 in mind, but will work for IPv6 as well as long as you enable it. If your Ubuntu server has IPv6 enabled, ensure that UFW is configured to support IPv6 so that it will manage firewall rules for IPv6 in addition to IPv4. Open /etc/default/ufw:
nano /etc/default/ufw
Make sure the value of IPV6 is yes. If it's not, change it to yes.
Save and close. Now UFW will configure the firewall for both IPv4 and IPv6, when appropriate.
Note: Tutorial about enabling IPv6 tunneling on KVM based servers can be found here.
Setting Up Defaults
Let's set your UFW rules back to the defaults so we can be sure that you'll be able to follow along with this tutorial. To set the defaults used by UFW, use these commands:
ufw default deny incoming
ufw default allow outgoing
These commands set the defaults to deny incoming and allow outgoing connections.
Allowing SSH Connections
The syntax is pretty simple. You change the firewall rules by issuing commands in the terminal. If we turned on our firewall now, it would deny all incoming connections. If you’re connected over SSH to your server, that would be a problem because you would be locked out of your server. Let’s enable SSH connections to our server to prevent that from happening:
ufw allow 22/tcp
Note: If your SSH daemon listens on a port other than the standard 22, replace 22 in the command above with your port.
Now that your firewall is configured to allow incoming SSH connections, we can enable it.
Allowing Other Connections
Now is a good time to allow some other connections we might need:
Allowing web (HTTP) and FTP connections:
ufw allow www
ufw allow ftp
Allowing an arbitrary TCP port (replace xxxx with the port number):
ufw allow xxxx/tcp
You can also specify port ranges with UFW. For example, to allow TCP ports 1000 through 10000, use the command:
ufw allow 1000:10000/tcp
The same range for UDP:
ufw allow 1000:10000/udp
You can also specify IP addresses. For example, if you want to allow connections from a specific IP address (say, your work or home address), use this command:
ufw allow from 22.214.171.124
You can also restrict a source IP address to a single port by appending "to any port" followed by the port number. For example, if you want to allow 126.96.36.199 to connect only to port 22 (SSH), use this command:
ufw allow from 188.8.131.52 to any port 22
Our default setup is to deny all incoming connections. This makes the firewall rules easier to administer, since we only selectively allow certain ports and IP addresses through. However, if you want to flip it and open up all your server’s ports (not recommended), you could allow all connections and then restrictively deny the ports you didn’t want to expose with commands such as:
ufw deny http
or
ufw deny from 184.108.40.206
and so on.
You can delete a rule by prefixing it with ufw delete. For example:
ufw delete allow ssh
or
ufw delete allow 80/tcp
or
ufw delete allow 1000:2000/tcp
Finally, after everything is set up you can enable UFW. Use this command:
ufw enable
The command asks for confirmation; answer y. To skip the prompt (for example in a script), use ufw --force enable instead.
If, for whatever reason, you need to reset your server’s rules to their default settings, you can do this by typing this command:
ufw reset
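The whole procedure above, collected into one script as an added example (not part of the original tutorial). It builds the rule set and refuses to enable the firewall unless an allow rule for the SSH port is present, which guards against the lockout described earlier. SSH_PORT, ADMIN_IP and DRY_RUN are assumptions; with DRY_RUN=1 (the default) the commands are only printed.

```shell
#!/bin/sh
# Added example: apply this tutorial's UFW rule set safely.
# SSH_PORT and ADMIN_IP are assumed values; ADMIN_IP is a constructed
# TEST-NET-3 address. DRY_RUN=1 prints the commands instead of running them.
SSH_PORT="${SSH_PORT:-22}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
DRY_RUN="${DRY_RUN:-1}"

# Run a command, or just echo it when dry-running.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $1"; else sh -c "$1"; fi
}

# Print the rule plan, one ufw command per line, in the order applied.
ufw_plan() {
cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow from ${ADMIN_IP} to any port ${SSH_PORT} proto tcp
ufw allow ${SSH_PORT}/tcp
ufw allow www
ufw allow ftp
ufw allow 1000:10000/tcp
ufw allow 1000:10000/udp
EOF
}

# Read a plan on stdin; succeed only if some allow rule covers the SSH port,
# either "allow <port>/tcp" or "allow from <ip> to any port <port> ...".
plan_allows_ssh() {
    grep -Eq "^ufw allow (${SSH_PORT}/tcp|from [^ ]+ to any port ${SSH_PORT}( |$))"
}

# Apply every rule, then enable; abort before enabling if SSH would be blocked.
apply_plan() {
    if ! ufw_plan | plan_allows_ssh; then
        echo "refusing to enable: no allow rule for SSH port ${SSH_PORT}" >&2
        return 1
    fi
    ufw_plan | while IFS= read -r cmd; do
        run_cmd "$cmd"
    done
    run_cmd "ufw --force enable"   # --force skips the interactive y/n prompt
}
```

Run with DRY_RUN=0 as root to apply the rules for real.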
You should now have a cloud server that is configured properly to restrict access to a subset of ports or IP addresses.