Introduction

UFW, also known as Uncomplicated Firewall, is a front end to iptables and is particularly well suited to host-based firewalls. UFW provides an easy-to-use interface for beginners who are unfamiliar with firewall concepts. It is the most popular firewall tool originating from Ubuntu, and it supports both IPv4 and IPv6.

In this tutorial, we will learn how to install and use the UFW firewall on Linux. You will need:

- Any Linux-based distribution installed on your system
- root privileges on your system
Ubuntu

By default, UFW is available in most Ubuntu-based distributions. If it has been removed, you can install it by running the following Linux command:

# apt-get install ufw -y

Debian

You can install UFW on Debian by running the following Linux command:

# apt-get install ufw -y
CentOS

By default, UFW is not available in the CentOS repositories, so you will first need to install the EPEL repository on your system. You can do this by running the following Linux command:

# yum install epel-release -y

Once the EPEL repository is installed, you can install UFW by running the following Linux command:

# yum install --enablerepo="epel" ufw -y

After installing UFW, start the UFW service and enable it to start at boot time by running the following Linux command:

# ufw enable

Next, check the status of UFW with the following Linux command. You should see the following output:

# ufw status
Status: active

You can also disable the UFW firewall by running the following Linux command:

# ufw disable
Set UFW Default Policy

By default, UFW's policy is to block all incoming traffic and allow all outgoing traffic. You can set your own default policy with the following Linux commands:

ufw default allow outgoing
ufw default deny incoming
Add and Delete Firewall Rules

You can add rules allowing incoming and outgoing traffic in two ways: using the port number or using the service name. For example, if you want to allow both incoming and outgoing connections for the HTTP service, run the following Linux command using the service name:

ufw allow http

Or, run the following command using the port number:

ufw allow 80

If you want to filter packets based on TCP or UDP, then run the following commands:

ufw allow 80/tcp
ufw allow 21/udp

You can check the status of the added rules with the following Linux command:

ufw status verbose

You should see the following output:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
21/udp                     ALLOW IN    Anywhere
80/tcp (v6)                ALLOW IN    Anywhere (v6)
21/udp (v6)                ALLOW IN    Anywhere (v6)

You can also deny incoming and outgoing traffic at any time with the following commands:

# ufw deny 80
# ufw deny 21

If you want to delete the allow rule for HTTP, simply prefix the original rule with delete, as shown below:

# ufw delete allow http
# ufw delete deny 21
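The "ufw status verbose" listing above is also what you audit after adding rules. The following POSIX shell script is an added example, not part of the original tutorial: it parses a captured listing and reports which services are allowed in from Anywhere and whether the default incoming policy is still deny. SAMPLE_STATUS is constructed from the tutorial's listing plus one extra rule restricting SSH to a LAN range.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit a captured
# "ufw status verbose" listing for services reachable from anywhere.
# SAMPLE_STATUS is constructed from the listing in the tutorial, plus one
# extra rule restricting SSH to a LAN range, to show the difference.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
21/udp                     ALLOW IN    Anywhere
22/tcp                     ALLOW IN    192.168.1.0/24
80/tcp (v6)                ALLOW IN    Anywhere (v6)
21/udp (v6)                ALLOW IN    Anywhere (v6)'

# default_incoming STATUS_TEXT -> prints the default incoming policy (deny/allow)
default_incoming() {
    printf '%s\n' "$1" | sed -n 's/^Default: \([a-z]*\) (incoming).*/\1/p'
}

# open_to_anywhere STATUS_TEXT -> prints "port/proto" for every IPv4 rule that
# ALLOWs traffic IN from Anywhere, i.e. services exposed to the whole network.
# Rows are "To ALLOW IN From"; "(v6)" rows carry an extra field and
# IP-restricted rows have an address instead of Anywhere, so both are skipped.
open_to_anywhere() {
    printf '%s\n' "$1" | awk '$2 == "ALLOW" && $3 == "IN" && $4 == "Anywhere" && NF == 4 { print $1 }'
}

# port_open_to_world STATUS_TEXT PORT/PROTO -> 0 if that exact rule is exposed
port_open_to_world() {
    open_to_anywhere "$1" | grep -qxF "$2"
}

# audit_status STATUS_TEXT -> prints a short report; returns 1 if the default
# incoming policy is not deny (the baseline this tutorial sets)
audit_status() {
    policy=$(default_incoming "$1")
    echo "default incoming policy: $policy"
    echo "services open to Anywhere (IPv4):"
    open_to_anywhere "$1" | sed 's/^/  /'
    [ "$policy" = "deny" ]
}

# Against a live host run: audit_status "$(ufw status verbose)"
audit_status "$SAMPLE_STATUS"
```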
Advanced UFW rules

You can also allow or deny a specific IP address access to all services. Run the following command to allow the IP 192.168.0.200 to access all services on the server:

# ufw allow from 192.168.0.200

To deny the IP 192.168.0.200 access to all services on the server:

# ufw deny from 192.168.0.200

You can also allow a range of IP addresses in UFW. Run the following command to allow all connections from the IPs 192.168.1.1 to 192.168.1.254:

# ufw allow from 192.168.1.0/24

To allow the IP address 192.168.1.200 access to port 80 over TCP, run the following Linux command:

# ufw allow from 192.168.1.200 to any port 80 proto tcp

To allow access to the TCP and UDP port range from 2000 to 3000, run the following Linux commands:

# ufw allow 2000:3000/tcp
# ufw allow 2000:3000/udp

If you want to block access to port 22 from the IPs 192.168.0.4 and 192.168.0.10 but allow all other IPs to access port 22, run the following commands. Keep this order: UFW evaluates rules in sequence and the first match wins, so the deny rules must be added before the broader allow rule.

# ufw deny from 192.168.0.4 to any port 22
# ufw deny from 192.168.0.10 to any port 22
# ufw allow from 192.168.0.0/24 to any port 22

To allow HTTP traffic on the network interface eth0, run the following Linux command:

# ufw allow in on eth0 to any port 80

By default, UFW allows ping requests. If you want to deny ping requests, you will need to edit the /etc/ufw/before.rules file:

# nano /etc/ufw/before.rules

Remove the following lines:

-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

Save the file when you are finished. Note that only the echo-request line controls replies to ping; the other types carry ICMP error messages (destination-unreachable, for example, is needed for path MTU discovery), so you may prefer to remove only the echo-request line.

If you ever need to reset UFW, removing all of your rules, you can do so via the following Linux command:

# ufw reset
Configure NAT with UFW

If you want to NAT connections from the external interface to the internal one using UFW, you can do this by editing the /etc/ufw/before.rules file. First, open the /etc/default/ufw file using the nano editor:

# nano /etc/default/ufw

Change the following line:

Next, open /etc/ufw/sysctl.conf:

# nano /etc/ufw/sysctl.conf

Change the following line:

net/ipv4/ip_forward=1

Next, you will need to add the NAT rules to UFW's configuration file. You can do this by editing /etc/ufw/before.rules:

# nano /etc/ufw/before.rules

Add the following lines just before the filter rules:

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through eth0 - Change to match your out-interface
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT

Save the file when you are finished. Then restart UFW with the following Linux commands:

ufw disable
ufw enable
Configure Port Forwarding with UFW

If you want to forward traffic arriving at the public IP (e.g. 184.108.40.206) on ports 80 and 443 to another internal server with the IP address 192.168.1.120, you can do this by editing /etc/ufw/before.rules:

# nano /etc/ufw/before.rules

Change the file as shown below. These lines belong inside the *nat table added in the previous section, between the *nat line and its COMMIT:

:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 220.127.116.11 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.120:80
-A PREROUTING -i eth0 -d 18.104.22.168 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.120:443
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE

Next, restart UFW with the following commands:

# ufw disable
# ufw enable

Next, you will also need to allow ports 80 and 443. You can do this by running the following commands:

# ufw allow proto tcp from any to 22.214.171.124 port 80
# ufw allow proto tcp from any to 126.96.36.199 port 443
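Both the NAT and the port-forwarding sections above depend on the same two edits being correct: forwarding enabled in /etc/ufw/sysctl.conf and a *nat table in before.rules that is closed by COMMIT. The following POSIX shell script is an added example, not part of the original tutorial, that checks both against any file path you give it; the before.rules fragments at the bottom are constructed samples, one correct and one broken.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: sanity-check the NAT and
# port-forwarding edits above before cycling "ufw disable; ufw enable".
# Both checks take a file path so they can be pointed at copies or the real files.

# ip_forward_ok SYSCTL_FILE -> 0 if forwarding is enabled in the
# /etc/ufw/sysctl.conf syntax used above (net/ipv4/ip_forward=1)
ip_forward_ok() {
    grep -q '^net/ipv4/ip_forward=1[[:space:]]*$' "$1"
}

# nat_block_ok BEFORE_RULES -> 0 if the file has a *nat table that holds at
# least one MASQUERADE or DNAT rule and is closed by COMMIT before any other
# table starts (the tutorial warns the rules are not processed without it)
nat_block_ok() {
    awk '
        /^\*nat/  { in_nat = 1; next }
        /^\*/     { if (in_nat) broken = 1; in_nat = 0; next }
        /^COMMIT/ { if (in_nat) { in_nat = 0; committed = 1 }; next }
        in_nat && /-j (MASQUERADE|DNAT)/ { rules++ }
        END { if (committed && !broken && rules > 0) exit 0; exit 1 }
    ' "$1"
}

# check_nat_config SYSCTL_FILE BEFORE_RULES -> prints one line per check and
# returns the number of failed checks (0 means the NAT setup looks complete)
check_nat_config() {
    failed=0
    ip_forward_ok "$1" && echo "ok   ip_forward=1 in $1" ||
        { echo "FAIL ip_forward not enabled in $1"; failed=$((failed + 1)); }
    nat_block_ok "$2" && echo "ok   *nat table committed in $2" ||
        { echo "FAIL *nat table missing, empty or not COMMITted in $2"; failed=$((failed + 1)); }
    return "$failed"
}

# sample_file CONTENT -> writes CONTENT to a temp file and prints its path
sample_file() {
    f=$(mktemp) && printf '%s\n' "$1" > "$f" && printf '%s\n' "$f"
}

# Constructed before.rules fragments: one correct, one whose *nat table is
# never COMMITted before *filter begins (so the filter COMMIT would be taken)
GOOD_RULES='# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
COMMIT'
BAD_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
*filter
COMMIT'
```

On the host itself, run check_nat_config /etc/ufw/sysctl.conf /etc/ufw/before.rules and only re-enable UFW once it reports no failures.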