Introduction

UFW (Uncomplicated Firewall) is a front end to iptables intended for host-based firewalls. It gives administrators who are unfamiliar with iptables syntax a simple command-line interface for the common cases, and it is the default firewall tool on Ubuntu, where it originated. It supports both IPv4 and IPv6.

In this tutorial, we will learn how to install and use UFW firewall on Linux.

Requirements

  • A Linux distribution (the examples below cover Ubuntu, Debian and CentOS)
  • root privileges on the system (all commands below run as root or via sudo)

Installing UFW

Ubuntu

UFW is installed by default on Ubuntu and most Ubuntu-based distributions. If it has been removed, reinstall it with the following command:
# apt-get install ufw -y 

Debian

You can install UFW in Debian by running the following linux command:
# apt-get install ufw -y

CentOS

UFW is not in the base CentOS repositories, so first add the EPEL repository with the following command:
# yum install epel-release -y
Once the EPEL repository is installed, you can install UFW by just running the following linux command:
# yum install --enablerepo="epel" ufw -y
After installation the firewall is inactive. Running ufw enable loads the rule set into the kernel and makes the ufw service start at boot. If you are connected over SSH, add a rule that allows your SSH connection before enabling (see the rule sections below): the default policy denies all incoming traffic, and ufw enable warns that it may disrupt existing SSH connections for exactly that reason.
# ufw enable 
Next, check the status of UFW with the following linux command. You should see the following output:
# ufw status 
Status: active 
You can also disable UFW at any time with the following command. Disabling removes the rules from the kernel until you enable it again; the saved rule set in /etc/ufw is kept:
# ufw disable 


Set UFW Default Policy

The default policy denies all incoming traffic, allows all outgoing traffic and denies routed (forwarded) traffic, as the Default: line of ufw status verbose shows. You can set the defaults explicitly, which is worth doing in a provisioning script so the policy does not depend on packaged defaults:
ufw default allow outgoing 
ufw default deny incoming 

Add and Delete Firewall Rules

You can add rules allowing traffic in two ways: by port number or by service name (names are resolved through /etc/services). A rule without a direction applies to incoming traffic; an outgoing rule is written with ufw allow out ..., which is rarely needed while the default outgoing policy is allow. For example, to allow incoming HTTP connections by service name:
ufw allow http 
Or by port number; without a protocol this opens both 80/tcp and 80/udp:
ufw allow 80 
To restrict a rule to TCP or UDP, append the protocol (the 21/udp rule only illustrates the syntax; FTP control traffic uses TCP):
ufw allow 80/tcp 
ufw allow 21/udp 
You can check the status of added rules with the following linux command.
ufw status verbose 
You should see the following output:
Status: active 
Logging: on (low) 
Default: deny (incoming), allow (outgoing), deny (routed) 
New profiles: skip 

To                         Action      From 
--                         ------      ---- 
80/tcp                     ALLOW IN    Anywhere 
21/udp                     ALLOW IN    Anywhere 
80/tcp (v6)                ALLOW IN    Anywhere (v6) 
21/udp (v6)                ALLOW IN    Anywhere (v6) 
You can also deny incoming traffic to a port at any time. Note that ufw appends new rules after the existing ones and evaluates them top to bottom, first match wins, so a deny added after an allow for the same port has no effect until the allow is deleted (or the deny is placed first with ufw insert 1 ...):
# ufw deny 80 
# ufw deny 21 
To delete a rule, prefix the original rule with delete, as shown below. Alternatively, list the rules with ufw status numbered and delete one by position with ufw delete followed by its number:
# ufw delete allow http 
# ufw delete deny 21 
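As an added example that is not part of the original tutorial, the following script strings the steps above together (default policy, rules, enable) in the order that keeps a remote SSH session alive. The management subnet 192.168.0.0/24 and the service ports are assumptions for the example; by default it performs a dry run that only prints the ufw commands, so it can be reviewed, or executed on a machine without ufw:

```shell
#!/bin/sh
# Added example (not from the page): apply a host-firewall baseline with ufw
# without locking yourself out of the SSH session you are running it from.
# DRY_RUN=1 (the default here) prints the ufw commands instead of executing
# them. MGMT_NET is an assumed management subnet; adjust it before a real run.

DRY_RUN="${DRY_RUN:-1}"
MGMT_NET="${MGMT_NET:-192.168.0.0/24}"

run() {
    # Echo every ufw command; execute it only when DRY_RUN is not 1.
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

ufw_baseline() {
    # Defaults: drop unsolicited inbound and forwarded traffic, allow outbound.
    # They take effect when 'ufw enable' loads the rule set.
    run ufw default deny incoming
    run ufw default allow outgoing
    run ufw default deny routed
    # SSH from the management subnet only, and added BEFORE enabling, so the
    # current session survives the switch to 'deny incoming'.
    run ufw allow from "$MGMT_NET" to any port 22 proto tcp
    # Public services as protocol-specific rules: a bare 'ufw allow 80' would
    # also open 80/udp.
    run ufw allow 80/tcp
    run ufw allow 443/tcp
    # --force skips the "may disrupt existing ssh connections" prompt, which
    # would otherwise hang an unattended run.
    run ufw --force enable
    run ufw status verbose
}

ufw_baseline
```

Run it once with the default dry run, check the printed order (the SSH allow must precede the enable), then re-run with DRY_RUN=0 as root.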


Advanced UFW rules

You can also allow or deny a specific source IP address for all services. To allow 192.168.0.200 to reach every service on the server:
# ufw allow from 192.168.0.200 
To deny the IP 192.168.0.200 to access all services on server:
# ufw deny from 192.168.0.200 
Networks are given in CIDR notation. To allow all connections from the 192.168.1.0/24 network (192.168.1.1 to 192.168.1.254):
# ufw allow from 192.168.1.0/24 
To allow IP address 192.168.1.200 access to port 80 using TCP, run the following linux command:
# ufw allow from 192.168.1.200 to any port 80 proto tcp 
To allow a range of TCP and UDP ports from 2000 to 3000 (ufw requires the protocol when a port range is given):
# ufw allow 2000:3000/tcp 
# ufw allow 2000:3000/udp 
If you want to block port 22 for 192.168.0.4 and 192.168.0.10 but allow the rest of the 192.168.0.0/24 network to reach it, add the two deny rules first: ufw evaluates rules top to bottom, so the specific denies must come before the broader allow, or they will never match:
# ufw deny from 192.168.0.4 to any port 22 
# ufw deny from 192.168.0.10 to any port 22 
# ufw allow from 192.168.0.0/24 to any port 22 
To allow HTTP traffic on network interface eth0, run the following linux command:
# ufw allow in on eth0 to any port 80 
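Because ordering matters for the deny-then-allow pattern above, it is worth auditing a host whose rules were added over time. The following script is an added example, not part of the original tutorial: it reads ufw status numbered output, finds DENY IN rules for a port that sit below the first ALLOW IN for the same port (and therefore never fire), and prints the ufw commands that move them to the top. The status text embedded in it is constructed for the example, not taken from a real host:

```shell
#!/bin/sh
# Added example (not from the page): detect DENY rules shadowed by an earlier
# ALLOW for the same port and print the ufw commands that fix the order.
# ufw evaluates user rules top to bottom and stops at the first match, so
# 'ufw deny from X to any port 22' appended after an allow for port 22 is dead.
# SAMPLE_STATUS is constructed 'ufw status numbered' output.

SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    192.168.0.0/24
[ 2] 22                         DENY IN     192.168.0.4
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 22                         DENY IN     192.168.0.10'

ufw_shadowed_denies() {
    # stdin: 'ufw status numbered' output; $1: port to audit.
    # stdout: "<rule number> <source>" for every DENY IN on that port that
    # sits below the first ALLOW IN on the same port. Exit 1 if any is found.
    awk -v port="$1" '
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
            split(rest, f, / +/)            # f[1]=To f[2]=ALLOW/DENY f[3]=IN/OUT f[4]=From
            to = f[1]; sub(/\/.*/, "", to)  # "22/tcp" -> "22"
            if (to != port) next
            if (f[2] == "ALLOW" && f[3] == "IN" && first_allow == "") first_allow = num
            if (f[2] == "DENY"  && f[3] == "IN" && first_allow != "") { print num, f[4]; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }'
}

ufw_reorder_commands() {
    # Print the commands that fix the ordering for port $1: delete shadowed
    # rules from the highest number down (so the remaining numbers stay
    # valid), then re-insert each DENY at position 1. --force suppresses the
    # confirmation prompt that 'ufw delete <number>' normally shows.
    port="$1"
    shadowed=$(ufw_shadowed_denies "$port") && return 0
    printf '%s\n' "$shadowed" | sort -rn | while read -r num src; do
        printf 'ufw --force delete %s\n' "$num"
    done
    printf '%s\n' "$shadowed" | while read -r num src; do
        printf 'ufw insert 1 deny from %s to any port %s\n' "$src" "$port"
    done
}

printf '%s\n' "$SAMPLE_STATUS" | ufw_reorder_commands 22
```

On a real host, pipe ufw status numbered into ufw_reorder_commands, review the output, and only then execute it; the parser only handles plain IPv4 sources, so check the (v6) entries by hand.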
By default UFW answers ICMP echo requests (ping). The accepting rules live in /etc/ufw/before.rules, which is evaluated before any rule you add with ufw allow or ufw deny, so ping cannot be blocked with an ordinary deny rule; edit the file instead:
# nano /etc/ufw/before.rules 
Find the following block:
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT 
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT 
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT 
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT 
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT 
and change only the last line, the echo-request rule, from -j ACCEPT to -j DROP. Leave the other four rules in place: destination-unreachable, time-exceeded and parameter-problem carry the errors that path MTU discovery and traceroute depend on, and dropping them causes connections to stall rather than making the host safer. The IPv6 equivalent is the icmpv6 echo-request rule in /etc/ufw/before6.rules. Save the file when you are finished and apply the change with ufw reload.
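The edit above is easy to get wrong by hand (dropping all five rules, or the FORWARD-chain echo rule as well). As an added example that is not part of the original tutorial, this script changes only the inbound echo-request rule and then verifies that the other ICMP types are still accepted. The file path is a parameter so it can be rehearsed on a copy; the excerpt it operates on is constructed, not a real host's before.rules:

```shell
#!/bin/sh
# Added example (not from the page): stop answering ping by changing only the
# inbound echo-request rule in a before.rules-style file from ACCEPT to DROP.
# The other ICMP types stay: destination-unreachable, time-exceeded and
# parameter-problem carry path-MTU and routing errors, and dropping them
# produces stalled connections rather than more security.
# SAMPLE_RULES is a constructed excerpt in the format ufw uses.

SAMPLE_RULES='# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT'

drop_icmp_echo() {
    # $1: rules file. Keeps a timestamped backup, then rewrites in place.
    # The address pattern also matches the icmpv6 form used in before6.rules,
    # so the same function can be pointed at that file.
    rules="$1"
    cp -p "$rules" "$rules.bak.$(date +%Y%m%d%H%M%S)"
    sed -i.tmp \
        -e '/^-A ufw6\{0,1\}-before-input .*--icmp\(v6\)\{0,1\}-type echo-request -j ACCEPT$/s/ACCEPT$/DROP/' \
        "$rules"
    rm -f "$rules.tmp"
}

icmp_input_policy_ok() {
    # Return 0 only if inbound echo-request is dropped while the four
    # informational IPv4 ICMP types are still accepted (INPUT chain only;
    # the FORWARD rule is deliberately left alone for routed traffic).
    rules="$1"
    grep -q -- '^-A ufw-before-input -p icmp --icmp-type echo-request -j DROP$' "$rules" || return 1
    for t in destination-unreachable source-quench time-exceeded parameter-problem; do
        grep -q -- "^-A ufw-before-input -p icmp --icmp-type $t -j ACCEPT$" "$rules" || return 1
    done
}

# Stand-alone demo on a temporary copy of the constructed excerpt.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$demo"
drop_icmp_echo "$demo"
icmp_input_policy_ok "$demo" && echo "ping disabled, other ICMP types intact"
grep -n 'echo-request' "$demo"
rm -f "$demo" "$demo".bak.*
```

To apply it for real, call drop_icmp_echo /etc/ufw/before.rules (and /etc/ufw/before6.rules), run icmp_input_policy_ok on the result, then ufw reload.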

If you ever need to reset UFW, removing all of your rules, you can do so with the following command. It also disables the firewall and keeps timestamped backups of the previous rule files in /etc/ufw:
# ufw reset 

Configure NAT with UFW

If you want to NAT (masquerade) connections from an internal network out through the external interface using UFW, you need to edit /etc/default/ufw and /etc/ufw/before.rules. First, open /etc/default/ufw:
# nano /etc/default/ufw
Change DEFAULT_FORWARD_POLICY from its default of "DROP" to:
DEFAULT_FORWARD_POLICY="ACCEPT"
This accepts every forwarded packet. A tighter alternative is to leave the policy at "DROP" and permit only the flows you need with ufw route allow rules, for example ufw route allow in on eth1 out on eth0 for traffic from the internal interface to the external one.


Next, enable IPv4 forwarding in the kernel. UFW applies the settings in /etc/ufw/sysctl.conf when it starts, and they take precedence over /etc/sysctl.conf for the same keys, so edit that file:
# nano /etc/ufw/sysctl.conf
Uncomment (or add) the line:
net/ipv4/ip_forward=1 
Next, add the nat table to UFW's rules file /etc/ufw/before.rules:
# nano /etc/ufw/before.rules
Add the following lines above the *filter line (each table ends with its own COMMIT):
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Masquerade traffic leaving through eth0 - change to match your outbound interface
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT
Save the file when you are finished. Then restart UFW so that both the sysctl setting and the new nat table are loaded:
ufw disable
ufw enable

Configure Port Forwarding with UFW

If you want to forward traffic arriving at the public IP (150.129.148.155 in this example) on ports 80 and 443 to an internal server at 192.168.1.120, add DNAT rules to the nat table in /etc/ufw/before.rules (the same file as in the previous section):
# nano /etc/ufw/before.rules
Extend the nat table so that it reads:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 150.129.148.155 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.120:80
-A PREROUTING -i eth0 -d 150.129.148.155 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.120:443
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE
COMMIT
 
Next, restart UFW with the following command:
# ufw disable
# ufw enable
The DNAT rewrites the destination before filtering, so the forwarded packets pass through the FORWARD chain addressed to 192.168.1.120 and are governed by DEFAULT_FORWARD_POLICY (set to ACCEPT above), not by ordinary ufw allow rules, which only cover traffic to the host itself. If you kept the forward policy at DROP, permit the forwarded flows with ufw route allow proto tcp from any to 192.168.1.120 port 80, and likewise for 443. The rules below are only needed if the host itself also serves ports 80 and 443:
# ufw allow proto tcp from any to 150.129.148.155 port 80
# ufw allow proto tcp from any to 150.129.148.155 port 443
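The NAT and port-forwarding sections above both hand-edit the same nat table, and a missing COMMIT or a table placed after *filter makes ufw enable fail. As an added example that is not part of the original tutorial, the following script generates the nat table from parameters, splices it into a before.rules-style file above *filter, checks that every table is closed by COMMIT, and prints the ufw route rules that allow only the forwarded flows so DEFAULT_FORWARD_POLICY can stay at "DROP". The interface names, addresses and the skeleton file are assumptions constructed for the example:

```shell
#!/bin/sh
# Added example (not from the page): build the *nat table for masquerading a
# LAN and DNAT-ing public TCP ports to an internal host, insert it into a
# before.rules file ahead of *filter, and verify table/COMMIT balance.
# SKELETON is a constructed stand-in for /etc/ufw/before.rules.

SKELETON='# constructed before.rules excerpt
*filter
:ufw-before-input - [0:0]
:ufw-before-forward - [0:0]
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

render_nat_table() {
    # $1 WAN interface, $2 LAN CIDR, $3 public IP, $4 internal host,
    # remaining arguments: TCP ports to forward. Output is a complete table.
    wan="$1"; lan="$2"; pub="$3"; host="$4"; shift 4
    printf '*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n'
    for port in "$@"; do
        printf '%s\n' "-A PREROUTING -i $wan -d $pub -p tcp --dport $port -j DNAT --to-destination $host:$port"
    done
    # Masquerade LAN traffic leaving via the WAN interface only; LAN-to-LAN
    # traffic keeps its real source address.
    printf '%s\n' "-A POSTROUTING -s $lan ! -d $lan -o $wan -j MASQUERADE" "COMMIT"
}

insert_before_filter() {
    # $1 rules file; stdin: table text. Inserts it immediately above the
    # "*filter" line, keeps a backup, and refuses to add a second *nat table.
    target="$1"; table=$(cat)
    if grep -q '^\*nat' "$target"; then
        echo "$target already contains a *nat table" >&2
        return 1
    fi
    cp -p "$target" "$target.bak"
    table="$table" awk '/^\*filter/ && !inserted { print ENVIRON["table"]; inserted = 1 } { print }' \
        "$target.bak" > "$target"
}

commit_balanced() {
    # Return 0 if every "*table" line is followed by a COMMIT before the next
    # table starts (or before end of file).
    awk '/^\*/ { if (open) bad = 1; open = 1 }
         /^COMMIT$/ { open = 0 }
         END { if (bad || open) exit 1; exit 0 }' "$1"
}

forward_rules() {
    # $1 WAN interface, $2 LAN interface, $3 internal host, rest: TCP ports.
    # Emits the route rules for the DNAT targets plus one for LAN egress, the
    # least-privilege alternative to DEFAULT_FORWARD_POLICY="ACCEPT".
    wan="$1"; lanif="$2"; host="$3"; shift 3
    for port in "$@"; do
        printf 'ufw route allow in on %s out on %s to %s port %s proto tcp\n' "$wan" "$lanif" "$host" "$port"
    done
    printf 'ufw route allow in on %s out on %s\n' "$lanif" "$wan"
}

# Stand-alone demo on a temporary copy of the constructed skeleton.
demo=$(mktemp)
printf '%s\n' "$SKELETON" > "$demo"
render_nat_table eth0 192.168.1.0/24 150.129.148.155 192.168.1.120 80 443 | insert_before_filter "$demo"
commit_balanced "$demo" && cat "$demo"
forward_rules eth0 eth1 192.168.1.120 80 443
rm -f "$demo" "$demo.bak"
```

Run the functions against a copy of /etc/ufw/before.rules first, confirm commit_balanced succeeds, then copy the result into place and restart UFW as described above.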