This website runs on an Ubuntu virtual machine, and configuring a firewall is paramount to limiting malicious traffic. While Linux relies on iptables for its underlying firewall rules, manually configuring it can be complex. That's why we use UFW (Uncomplicated Firewall)—a front-end tool that makes managing iptables rules simple and intuitive.
1. Installation and Preparation
Install UFW
UFW ships with Ubuntu and is usually already installed (but inactive). If it is missing, install it with the package manager:
sudo apt install ufw
Purge Existing Iptables Rules (Recommended)
So that UFW starts from a clean slate with no conflicting iptables rules in place, reset the built-in chains before enabling it. The order matters: set each chain's default policy to ACCEPT first and flush it afterwards, because flushing a chain whose policy is already DROP would cut off the SSH session you are working from. Run these commands one at a time:
sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -F INPUT
sudo iptables -F OUTPUT
sudo iptables -F FORWARD
Note that these commands only touch the IPv4 filter table: user-defined chains, the nat and mangle tables, and the IPv6 rules managed by ip6tables are left as they are. Between this step and enabling UFW the host has no packet filtering at all, so keep that gap short. If UFW has been used on the machine before, sudo ufw reset is the UFW-native way to disable it and remove all of its own rules.
2. Essential Connection Rules (The Critical Step)
⚠️ WARNING: UFW's default policy denies ALL incoming traffic (outgoing traffic is allowed). You must explicitly allow SSH BEFORE enabling the firewall, or the session you are working from will be cut off and you will be locked out of your server!
Allow SSH Access
Since you are most likely connected over SSH, allow port 22 (adjust the port if your sshd listens elsewhere). Restricting the rule to TCP is enough, because SSH does not use UDP:
sudo ufw allow 22/tcp
The application profile sudo ufw allow OpenSSH does the same thing. If the server is reachable from the internet, sudo ufw limit 22/tcp allows the port but rate-limits connection attempts from a single source address, which slows down password brute-forcing.
3. Enable and Manage UFW
Enable the Firewall
After double-checking that the SSH rule is registered (sudo ufw show added lists the rules you have added, even while the firewall is still inactive; sudo ufw status shows nothing useful until it is enabled), enable UFW to activate all rules:
sudo ufw enable
UFW warns that the command may disrupt existing SSH connections and asks for confirmation; answer y. From now on the firewall is also started automatically at boot.
Check UFW Status
You can check whether the firewall is active and list its rules at any time:
sudo ufw status
sudo ufw status verbose additionally shows the default policies and the logging level, and sudo ufw status numbered prefixes each rule with the index you need to delete it by number.
Disable UFW (If Necessary)
If you need to stop the firewall completely (only recommended for debugging or maintenance, because the host then accepts any traffic that reaches it):
sudo ufw disable
Your rules are kept and come back into force the next time you run sudo ufw enable.
4. Configuring Web Traffic and Specific IPs
Allow Standard Web Ports
To allow general web traffic for HTTP (Port 80) and HTTPS (Port 443):
sudo ufw allow 80
sudo ufw allow 443
Without a protocol suffix these rules open both TCP and UDP. Add /tcp (as in sudo ufw allow 443/tcp) unless you actually serve HTTP/3 over QUIC, which uses UDP 443.
Allow Traffic from a Specific IP
To restrict a port to a single source address (e.g., your development machine, shown here with the documentation placeholder 203.0.113.10; substitute your own address), first delete any broader rule for that port. UFW evaluates rules in order and stops at the first match, so an existing allow-from-anywhere rule for port 80 would keep admitting everyone:
sudo ufw delete allow 80
sudo ufw allow from 203.0.113.10 to any port 80
No explicit deny rule is needed for other sources, because the default incoming policy already drops them.
Allow Traffic from a Subnet (e.g., Home Intranet)
To allow access from an entire range of internal addresses (e.g., every host in 192.168.0.0/16, which is the whole private 192.168.x.x block):
sudo ufw allow from 192.168.0.0/16 to any port 80
Use the smallest range that covers your real network (a typical home LAN is a single /24) rather than the whole /16: the less you allow, the less an attacker who gains a foothold on a neighbouring address can reach.
Delete a Rule
To remove a rule, repeat it exactly as it was added (including any /tcp suffix or from clause) with the word delete inserted before allow. For example:
sudo ufw delete allow 80
sudo ufw delete allow from 192.168.0.0/16 to any port 80
Alternatively, list the rules with sudo ufw status numbered and remove one by its index with sudo ufw delete followed by that number.
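The whole procedure above, as an added example that is not part of the original page: a small POSIX shell script that validates the administrative address, emits the rule set from sections 2 to 4, and refuses to run ufw enable until an SSH rule is actually registered (read from ufw show added, since ufw status is empty while the firewall is inactive). It goes slightly beyond the page by restricting SSH to the admin range instead of opening it to everyone. The admin range 192.168.0.0/16, the UFW_APPLY and ADMIN_CIDR variables, and the sample ufw show added output are assumptions constructed for the example; without UFW_APPLY=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the original page): repeatable UFW setup that follows
# the steps above and refuses to enable the firewall without an SSH rule.
# Assumptions: ADMIN_CIDR is a placeholder range; commands are only executed
# when UFW_APPLY=1 is set, otherwise the plan is printed (dry run).

ADMIN_CIDR="${ADMIN_CIDR:-192.168.0.0/16}"   # assumed admin range; override via env

# Constructed sample of `ufw show added` output, used in dry-run mode to
# exercise the pre-enable SSH check without touching a real firewall.
SAMPLE_SHOW_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow from 192.168.0.0/16 to any port 22 proto tcp
ufw allow 80/tcp"

# Print or execute a ufw command. Executes only when UFW_APPLY=1.
run_ufw() {
  if [ "${UFW_APPLY:-0}" = 1 ]; then
    sudo ufw "$@"
  else
    printf 'ufw %s\n' "$*"
  fi
}

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix,
# so a typo or a stray shell token never turns into a firewall rule.
valid_cidr() {
  printf '%s\n' "$1" | grep -Eq \
    '^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Succeed when the text of `ufw show added` contains an allow or limit rule
# for port 22 (plain, /tcp, "to any port 22", or the OpenSSH profile).
ssh_rule_present() {
  printf '%s\n' "$1" | grep -Eq \
    '^ufw (allow|limit)( .*)? (22|22/tcp|OpenSSH)( proto tcp)?$'
}

# The rule set from the page: deny in / allow out by default, SSH only from
# the admin range, and the two web ports restricted to TCP.
plan_firewall() {
  admin="$1"
  if ! valid_cidr "$admin"; then
    echo "refusing: '$admin' is not a valid IPv4 address or CIDR" >&2
    return 1
  fi
  run_ufw default deny incoming
  run_ufw default allow outgoing
  run_ufw allow from "$admin" to any port 22 proto tcp
  run_ufw allow 80/tcp
  run_ufw allow 443/tcp
}

# Enable only after confirming an SSH rule is registered. The argument is
# the output of `ufw show added`; --force skips the interactive prompt.
safe_enable() {
  if ! ssh_rule_present "$1"; then
    echo "refusing to enable: no SSH allow rule registered yet" >&2
    return 1
  fi
  run_ufw --force enable
}

main() {
  plan_firewall "$ADMIN_CIDR" || return 1
  if [ "${UFW_APPLY:-0}" = 1 ]; then
    safe_enable "$(sudo ufw show added)"
  else
    echo "# dry run (set UFW_APPLY=1 to apply); pre-enable check against sample:"
    safe_enable "$SAMPLE_SHOW_ADDED"
  fi
}

main
```

Run it once without UFW_APPLY to review the printed plan, then with UFW_APPLY=1 ADMIN_CIDR=<your range> to apply it. Because the SSH check reads ufw show added rather than ufw status, it works before the firewall is active, which is exactly when the lock-out risk exists.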
UFW provides a simple, yet robust, way to manage your server's security policy!