Out of the box, Ubuntu Server is reasonably secure. But like every machine you put on your network, it has to meet your company's security policy, and that usually means adjusting the host firewall. Fortunately, with Ubuntu Server this isn't terribly hard, thanks to Uncomplicated Firewall (UFW). I'm going to walk you through configuring a UFW default policy and then creating your first firewall rules.
UFW briefly explained
Before we get into this setup, it's important to understand that UFW is a front-end for the much more complicated iptables. Becoming proficient with iptables takes considerable time; gaining a working understanding of UFW is nowhere near as demanding. If you're concerned that UFW doesn't offer enough power, know that it is well suited to host-based firewalls and offers quite a number of useful features (for a full list, see the official UFW page on the Ubuntu wiki).
Out of the box, UFW is installed but not enabled. You can double-check by issuing the command ufw version, which reports the installed version (on a fully updated Ubuntu 16.04 installation, UFW reports 0.35).
Configuring the default policy
The default UFW policy is set in the file /etc/default/ufw. There are four particular lines you want to look for:
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"
Each of these policies accepts a slightly different set of values:
- INPUT/OUTPUT/FORWARD can be set to ACCEPT, DROP, or REJECT
- APPLICATION can be set to ACCEPT, DROP, REJECT, or SKIP
You can adjust the default policies to suit your needs. With the stock settings, once UFW is enabled it drops all incoming traffic and allows all outgoing traffic. The same defaults can be set from the command line (ufw default writes them back to /etc/default/ufw; deny maps to DROP and reject to REJECT) with the following two commands:
sudo ufw default deny incoming
sudo ufw default allow outgoing
After setting the default policies, check the status of UFW with the command:
sudo ufw status
If UFW reports that it is inactive, you must then activate it with the command:
sudo ufw enable
Enabling UFW takes effect immediately and also configures it to start at boot; no reboot is required. Because the firewall goes live at once, ufw enable warns that it may disrupt existing SSH connections, so if you are working over SSH, add a rule allowing port 22 (covered below) before you enable it. Once enabled, sudo ufw status reports it as active.
The default policy works well for both servers and desktops. But what if you want to really lock down a particular machine? At this point sudo ufw status lists no rules at all, and sudo ufw status verbose shows that the only thing in effect is the default policy. Why? No other rules have been set. Let's take care of that.
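As an added check, not part of the original article: the script below audits the four DEFAULT_*_POLICY settings against the values UFW accepts and against a company baseline (the baseline, that inbound and forwarded traffic is never accepted by default, is an assumption made for this example). It reads the file on stdin and carries two constructed samples so it runs without a UFW host; on a real machine, run audit_ufw_defaults < /etc/default/ufw.

```sh
#!/bin/sh
# Added example, not from the article: audit the four DEFAULT_*_POLICY lines
# of /etc/default/ufw against the values ufw accepts and against a company
# baseline. The baseline (an assumption made for this example) is that
# incoming and forwarded traffic is never ACCEPTed by default.
# The function reads the file's contents on stdin so it can be run against
# constructed samples as well as the live file.

audit_ufw_defaults() {
    rc=0
    found=0
    while IFS= read -r line; do
        case "$line" in
            DEFAULT_*_POLICY=*) ;;   # only the policy keys matter here
            *) continue ;;
        esac
        key=${line%%=*}
        val=${line#*=}
        val=${val#\"}; val=${val%\"}   # strip the surrounding double quotes
        found=$((found + 1))
        case "$key" in
            DEFAULT_INPUT_POLICY|DEFAULT_FORWARD_POLICY)
                case "$val" in
                    DROP|REJECT) ;;
                    ACCEPT) echo "VIOLATION: $key=$val (baseline wants DROP or REJECT)"; rc=1 ;;
                    *) echo "INVALID: $key=$val"; rc=1 ;;
                esac ;;
            DEFAULT_OUTPUT_POLICY)
                case "$val" in
                    ACCEPT|DROP|REJECT) ;;
                    *) echo "INVALID: $key=$val"; rc=1 ;;
                esac ;;
            DEFAULT_APPLICATION_POLICY)
                case "$val" in
                    ACCEPT|DROP|REJECT|SKIP) ;;
                    *) echo "INVALID: $key=$val"; rc=1 ;;
                esac ;;
            *) echo "UNKNOWN: $key"; rc=1 ;;
        esac
    done
    [ "$found" -eq 4 ] || { echo "MISSING: expected 4 DEFAULT_*_POLICY lines, found $found"; rc=1; }
    return "$rc"
}

# Constructed sample matching the stock Ubuntu file quoted in the article.
STOCK_DEFAULTS='IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"'

# Constructed sample of a weakened file: inbound opened up, app policy misspelt.
WEAK_DEFAULTS='DEFAULT_INPUT_POLICY="ACCEPT"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIPP"'

printf '%s\n' "$STOCK_DEFAULTS" | audit_ufw_defaults && echo "stock sample: OK"
printf '%s\n' "$WEAK_DEFAULTS"  | audit_ufw_defaults || echo "weak sample: FAIL (as expected)"
```

Because ufw default rewrites these lines in /etc/default/ufw, the audit reflects both hand edits and command-line changes; a non-zero exit status makes it easy to wire into a configuration check.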
Creating a UFW rule
Creating a UFW rule is really simple. You've already had a taste with the setting of the default policy for incoming and outgoing traffic. Let's start off with a very simple rule. Say you set the incoming policy to allow (chances are slim you would do this) but know of an IP address that must be blocked from reaching your machine; let's say the offending address is 184.108.40.206. You can block it with the command:
sudo ufw deny from 184.108.40.206
Keep in mind that UFW evaluates rules in order and stops at the first match, so a deny like this has to sit above any broader allow rule it is meant to override; the insert subcommand places a rule at a given position rather than appending it.
If your machine has two network interfaces (eth0 external and eth1 internal) and you only want to block the address on the external interface, you could issue the command:
sudo ufw deny in on eth0 from 184.108.40.206
Let's now consider incoming traffic we want to allow. With the default policy in force, no address, private or public, can reach the machine. Let's fix that. Say you need to allow secure shell traffic in from a machine on the same network (we'll use IP address 192.168.1.162). A single command does it:
sudo ufw allow from 192.168.1.162 to any port 22
Now, when we run sudo ufw status, we see our new rule listed (Figure A). Without a protocol, the rule matches both TCP and UDP on port 22; appending proto tcp limits it to what SSH actually uses.
If you need to allow secure shell traffic from any address, you can issue the command:
sudo ufw allow ssh
The above command allows any address, internal or external, that can reach the machine to connect via SSH. UFW resolves the service name through /etc/services, so ssh becomes port 22/tcp.
See how uncomplicated UFW is? It's significantly easier to work with than iptables, although not quite as flexible.
At this point we have touched on the very basics of UFW. You will want to continue this education, and the first place to look is the UFW man page. Issue the command man ufw to read about all the options available to the ufw command.
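Putting the rules above together, as an added example that is not from the original article: the script below emits the commands in an order that is safe to apply over an SSH session (the management allow exists before the firewall is enabled, the per-address deny is inserted at the top, and --force skips the interactive prompt) and models how UFW will order them, since UFW stops at the first matching rule. The interface name eth0, the blocked address and the management host are taken from the article; ufw limit 22/tcp is used in place of ufw allow ssh so that SSH from elsewhere is allowed but rate-limited, and proto tcp is added to the management rule. The ordering model is a simplification that ignores the parallel IPv6 rules UFW adds.

```sh
#!/bin/sh
# Added example, not from the article: apply the article's rules in an order
# that is safe over an SSH session, and model how UFW orders them. UFW
# evaluates rules first to last and stops at the first match, so a deny for
# one address has to sit above any broad allow, and the management allow must
# exist before "ufw enable" so the admin is not locked out.

BLOCKED_IP="184.108.40.206"   # offending address from the article
MGMT_HOST="192.168.1.162"     # LAN host allowed to SSH in, from the article
EXT_IFACE="eth0"              # external interface, as in the article (assumption)

# Emit the ufw commands one per line, in the order they must be run.
# "ufw insert 1" needs at least one existing rule, so the deny comes after
# the allows; "ufw limit" allows SSH but drops sources that open too many
# connections in a short window; "--force" skips the interactive prompt.
plan_ufw_rules() {
    blocked=$1; mgmt=$2; iface=$3
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow from $mgmt to any port 22 proto tcp
ufw limit 22/tcp
ufw insert 1 deny in on $iface from $blocked
ufw --force enable
EOF
}

# Model the rule list UFW ends up with: "ufw insert N ..." lands at position N,
# any other rule is appended; default/enable lines create no rule. Simplified:
# the IPv6 twins UFW creates for address-less rules are not shown.
effective_order() {
    awk '
        /^ufw (default|--force|enable|status)/ { next }
        /^ufw insert / {
            pos = $3; rule = ""
            for (i = 4; i <= NF; i++) rule = rule (i > 4 ? " " : "") $i
            for (j = n; j >= pos; j--) r[j + 1] = r[j]
            r[pos] = rule; n++; next
        }
        /^ufw / {
            rule = ""
            for (i = 2; i <= NF; i++) rule = rule (i > 2 ? " " : "") $i
            n++; r[n] = rule; next
        }
        END { for (i = 1; i <= n; i++) printf "[%2d] %s\n", i, r[i] }
    '
}

# Run the plan on a real host. Refuses unless ufw is present and we are root,
# and prints the numbered rule list afterwards so the order can be verified.
apply_ufw_rules() {
    command -v ufw >/dev/null 2>&1 || { echo "ufw not installed" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; return 1; }
    plan_ufw_rules "$BLOCKED_IP" "$MGMT_HOST" "$EXT_IFACE" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1      # aborts this pipeline stage; checked below
    done || return 1
    ufw status numbered
}

case "${1:-plan}" in
    apply) apply_ufw_rules ;;
    *)  echo "# commands, in execution order:"
        plan_ufw_rules "$BLOCKED_IP" "$MGMT_HOST" "$EXT_IFACE"
        echo "# resulting rule order (first match wins):"
        plan_ufw_rules "$BLOCKED_IP" "$MGMT_HOST" "$EXT_IFACE" | effective_order ;;
esac
```

Run it without arguments to see the plan and the modelled order, and as sudo sh script.sh apply to execute it. The model also shows the gotcha the article's deny example invites: a deny appended after a broad allow for the same port lands below it and is never reached, which is why the deny here goes through insert 1.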