Students tutorial – Managing Firewall on Ubuntu Systems

Ubuntu desktops and servers come with a firewall installed, but it is usually not enabled. Right out of the box, traffic in and out of the system is not filtered or restricted.

This brief tutorial is going to show you how to easily manage the Ubuntu firewall for desktops and servers.

By default, Ubuntu comes with a firewall package installed. It is a kernel subsystem that filters network traffic in and out of Linux systems. The subsystem is known as iptables.

iptables is just a database of rules that control which network traffic or ports to allow and which to deny. iptables is the default firewall on almost all Linux systems. It’s powerful, but not easy to manage.

That’s why Uncomplicated Firewall (ufw) was introduced.

ufw is a front-end application to manage iptables on Ubuntu systems. It’s probably included on other Linux systems. With ufw, one can add or remove iptables rules easily via simple commands, instead of learning iptables' complicated rule policies.

To get started, verify that ufw is installed. To do that, run the commands below.

sudo apt-get update
sudo apt-get install ufw

After ufw is installed, it’s disabled by default. In a disabled state, all traffic is allowed by default. Network filtering only takes place when rules specific to that traffic are entered into iptables.

To enable ufw, run the commands below.

sudo ufw enable

When you enable ufw, all traffic will be denied right away and only existing connections will be allowed to continue. When those connections end, they won’t be allowed again. So when you enable ufw, make sure to immediately enable protocols and ports you’ll need opened to manage your systems.

When you run the commands above, you should see the message below.

Firewall is active and enabled on system startup
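
Because enabling ufw denies new inbound connections right away, it helps to confirm that an SSH rule is already staged before running `ufw enable` on a remote machine. The script below is an added example, not part of the original tutorial; the function names, port 22, the `OpenSSH` profile name and the sample text are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): confirm an SSH rule is staged before
# turning ufw on. Rules can be added while ufw is inactive, and
# `ufw show added` lists them in command form, e.g. "ufw allow 22/tcp".

# has_allow_rule PORT NAME
# Reads `ufw show added` text on stdin. Succeeds if an inbound allow/limit
# rule names PORT (with or without /tcp, /udp) or the profile/service NAME.
# Port lists and ranges (e.g. 20:25/tcp) are not expanded.
has_allow_rule() {
    awk -v port="$1" -v name="$2" '
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") && $3 != "out" {
            for (i = 3; i <= NF; i++) {
                tok = $i
                sub(/\/(tcp|udp)$/, "", tok)
                if (tok == port || tolower(tok) == tolower(name)) found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# enable_if_ssh_allowed: wrapper for a real host (needs root and ufw).
# Port 22 and the "OpenSSH" profile name are assumptions; adjust them if
# sshd listens elsewhere.
enable_if_ssh_allowed() {
    if ufw show added | has_allow_rule 22 OpenSSH; then
        ufw enable
    else
        echo "No SSH allow rule staged; run: ufw allow 22/tcp" >&2
        return 1
    fi
}

# Constructed sample of `ufw show added` output, for offline testing.
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow from 203.0.113.10 to any port 22"
```

On a real host, run `enable_if_ssh_allowed` as root; it refuses to enable the firewall until a matching rule has been added.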

To see ufw status, run the command below:

sudo ufw show raw

When you run the command above, you’ll see a bunch of rules similar to the ones below.

IPV4 (raw):
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3467 175643 ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
3467 175643 ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
9 452 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
3 168 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
3 168 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
3 168 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3469 175354 ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
3469 175354 ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
39 3356 ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
39 3356 ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
39 3356 ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
39 3356 ufw-track-output all -

To allow traffic, use the command format below

sudo ufw allow service_name or service_port/protocol

To deny traffic, use the format below

sudo ufw deny service_name or service_port/protocol

By default, all outgoing traffic is allowed and filtering applies only to inbound traffic. For example, to allow SSH inbound traffic through the firewall, run the commands below:

sudo ufw allow ssh

or

sudo ufw allow 22/tcp

For HTTP traffic, run the commands below:

sudo ufw allow http

or

sudo ufw allow 80/tcp

To allow traffic from a specific IP only, run the command below. The address shown is a placeholder; substitute the real source address.

sudo ufw allow from 203.0.113.10

To validate iptables rules, run the command below.

sudo ufw status

To delete or remove a rule, put delete before allow in the command. For example:

sudo ufw delete allow from 203.0.113.10
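
The status check above can be scripted to flag anything left more open than intended. The function below is an added example, not part of the original tutorial: it reads `ufw status verbose` text and reports an inactive firewall, a default incoming policy other than deny/reject, and every port allowed from any source. The names `audit_status` and `SAMPLE_STATUS` and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit `ufw status verbose` output.

# audit_status: reads status text on stdin, prints one finding per line:
#   INACTIVE              the firewall is not filtering
#   DEFAULT-IN <policy>   default incoming policy is not deny/reject
#   OPEN <port>           ALLOW rule reachable from any source address
# No output means nothing was flagged.
audit_status() {
    awk '
        $1 == "Status:" && $2 != "active" { print "INACTIVE" }
        $1 == "Default:" && $3 == "(incoming)," && $2 != "deny" && $2 != "reject" {
            print "DEFAULT-IN", $2
        }
        # Rule rows look like "<to>  ALLOW IN  <from>". IPv6 rows repeat the
        # same port with a "(v6)" marker, so each port is reported once.
        / ALLOW( IN)? +Anywhere/ && !seen[$1]++ { print "OPEN", $1 }
    '
}

# Constructed sample of `ufw status verbose` output, for offline testing.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
Anywhere                   ALLOW IN    203.0.113.10
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)'

# On a real host (needs root): ufw status verbose | audit_status
```

Ports reported as OPEN that only administrators use, such as SSH, are candidates for narrowing with an `allow from` rule.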

For more help, run the help command

sudo ufw --help

You should see all the possible commands and extensions.

Usage: ufw COMMAND

Commands:
 enable                          enables the firewall
 disable                         disables the firewall
 default ARG                     set default policy
 logging LEVEL                   set logging to LEVEL
 allow ARGS                      add allow rule
 deny ARGS                       add deny rule
 reject ARGS                     add reject rule
 limit ARGS                      add limit rule
 delete RULE|NUM                 delete RULE
 insert NUM RULE                 insert RULE at NUM
 route RULE                      add route RULE
 route delete RULE|NUM           delete route RULE
 route insert NUM RULE           insert route RULE at NUM
 reload                          reload firewall
 reset                           reset firewall
 status                          show firewall status
 status numbered                 show firewall status as numbered list of RULES
 status verbose                  show verbose firewall status
 show ARG                        show firewall report
 version                         display version information

Application profile commands:
 app list                        list application profiles
 app info PROFILE                show information on PROFILE
 app update PROFILE              update PROFILE
 app default ARG                 set default application policy

Most Linux systems are configured with security in mind. You probably don’t need ufw on your Ubuntu desktop, and maybe not on your servers either, since the best way to protect your server is to install only the services you need and nothing else.

The fewer services you have running, the better.