Configure Uncomplicated Firewall (UFW) on Ubuntu 14.04

Security is crucial when you run your own server. You want to make sure that only authorized users can access your server, configuration, and services.

In Ubuntu, there is a firewall that comes preloaded. It's called UFW (Uncomplicated Firewall). Although UFW is a pretty basic firewall, it is user friendly, excels at filtering traffic, and has good documentation. Some basic Linux knowledge should be enough to configure this firewall on your own.

Install UFW

Notice that UFW is typically installed by default in Ubuntu. But if anything, you can install it yourself. To install UFW, run the following command.

sudo apt-get install ufw

Allow connections

If you are running a web server, you obviously want the world to be able to access your website(s). Therefore, you need to make sure that the default TCP port for web is open.

sudo ufw allow 80/tcp

In general, you can allow any port you need by using the following format:

sudo ufw allow <port>/<optional: protocol>

Deny connections

If you need to deny access to a certain port, use this:

sudo ufw deny <port>/<optional: protocol>

For example, let's deny access to our default MySQL port.

sudo ufw deny 3306

UFW also supports a simplified syntax for the most common service ports.

root@127:~$ sudo ufw deny mysql
Rule updated
Rule updated (v6)

It is highly recommended to restrict access to your SSH port (by default it's port 22) from anywhere except your trusted IP addresses (example: office or home).

Allow access from a trusted IP address

Typically, you would need to allow access only to publicly open ports such as port 80. Access to all other ports need to be restricted or limited. You can whitelist your home/office IP address (preferably, it is supposed to be a static IP) to be able to access your server through SSH or FTP.

sudo ufw allow from 192.168.0.1 to any port 22

Let's also allow access to the MySQL port.

sudo ufw allow from 192.168.0.1 to any port 3306

Looks better now. Let's move on.

Enable UFW

Before enabling (or restating) UFW, you need to make sure that the SSH port is allowed to receive connections from your IP address. To start/enable your UFW firewall, use the following command:

sudo ufw enable

You will see this:

root@127:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)?

Type Y, then press Enter to enable the firewall.

Firewall is active and enabled on system startup

Check UFW status

Take a look at all of your rules.

sudo ufw status

You will see output similar to the following.

sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   192.168.0.1
22:tcp                     DENY    ANYWHERE

Use the "verbose" parameter to see a more detailed status report.

sudo ufw status verbose

Disable/reload/restart UFW

To disable (stop) UFW, run this command.

sudo ufw disable

If you need to reload UFW (reload rules), run the following.

sudo ufw reload

In order to restart UFW, you will need to disable it first, and then enable it again.

sudo ufw disable
sudo ufw enable

Again, before enabling UFW, make sure that the SSH port is allowed for your IP address.

Removing rules

To manage your UFW rules, you need to list them. You can do that by checking UFW status with the parameter "numbered". You will see output similar to the following.

root@127:~$ sudo ufw status numbered
Status: active

To                              Action      From
--                              ------      ----
[ 1] 22                         ALLOW IN    192.168.0.1
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 3306                       ALLOW IN    192.168.0.1
[ 4] 22                         DENY IN     Anywhere

Noticed the numbers in square brackets? Now, to remove any of these rules, you will need to use these numbers.

sudo ufw delete [number]

Enabling IPv6 support

If you use IPv6 on your VPS, you need to ensure that IPv6 support is enabled in UFW. To do so, open the config file in a text editor.

sudo nano /etc/default/ufw

Once opened, make sure that IPV6 is set to "yes":

IPV6=yes

After making this change, save the file. Then, restart UFW by disabling and re-enabling it.

sudo ufw disable
sudo ufw enable

Back to default settings

If you need to go back to default settings, simply type in the following command. This will revert any of your changes.

sudo ufw reset

Conclusion

Overall, UFW is able to protect your VPS against the most common hacking attempts. Of course, your security measures should be more detailed than just using UFW. However, it is a good (and necessary) start.

If you need more examples of using UFW, you can refer to UFW - Community Help Wiki.