UFW Essentials: Common Firewall Rules and Commands
Introduction
UFW is a firewall configuration tool for iptables that is included with Ubuntu by default. This cheat sheet-style guide provides a quick reference to UFW commands that create iptables firewall rules useful in common, everyday scenarios. This includes UFW examples of allowing and blocking various services by port, network interface, and source IP address.
How To Use This Guide
- If you are just getting started with using UFW to configure your firewall, check out our introduction to UFW
- Most of the rules that are described here assume that you are using the default UFW ruleset. That is, it is set to allow outgoing and deny incoming traffic, through the default policies, so you have to selectively allow traffic in
- Use whichever subsequent sections are applicable to what you are trying to achieve. Most sections are not predicated on any other, so you can use the examples below independently
- Copy and paste the command-line examples given, substituting the example values (IP addresses, subnets, ports and interface names) with your own values
Remember that you can check your current UFW ruleset with sudo ufw status or sudo ufw status verbose.
Block an IP Address
To block all network connections that originate from a specific IP address, 15.15.15.51 for example, run this command:
- sudo ufw deny from 15.15.15.51
In this example, from 15.15.15.51 specifies a source IP address of 15.15.15.51. If you wish, a subnet, such as 15.15.15.0/24, may be specified here instead. The source IP address can be specified in any firewall rule, including an allow rule.
Block Connections to a Network Interface
To block connections from a specific IP address, e.g. 15.15.15.51, to a specific network interface, e.g. eth0, use this command:
- sudo ufw deny in on eth0 from 15.15.15.51
This is the same as the previous example, with the addition of in on eth0. The network interface can be specified in any firewall rule, and is a great way to limit the rule to a particular network.
Service: SSH
If you're using a cloud server, you will probably want to allow incoming SSH connections (port 22) so you can connect to and manage your server. This section covers how to configure your firewall with various SSH-related rules.
Allow SSH
To allow all incoming SSH connections run this command:
- sudo ufw allow ssh
An alternative syntax is to specify the port number of the SSH service:
- sudo ufw allow 22
Allow Incoming SSH from Specific IP Address or Subnet
To allow incoming SSH connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire 15.15.15.0/24 subnet, run this command:
- sudo ufw allow from 15.15.15.0/24 to any port 22
Allow Incoming Rsync from Specific IP Address or Subnet
Rsync, which runs on port 873, can be used to transfer files from one computer to another.
To allow incoming rsync connections from a specific IP address or subnet, specify the source IP address and the destination port. For example, if you want to allow the entire 15.15.15.0/24 subnet to be able to rsync to your server, run this command:
- sudo ufw allow from 15.15.15.0/24 to any port 873
Service: Web Server
Web servers, such as Apache and Nginx, typically listen for requests on ports 80 and 443 for HTTP and HTTPS connections, respectively. If your default policy for incoming traffic is set to drop or deny, you will want to create rules that allow your server to respond to those requests.
Allow All Incoming HTTP
To allow all incoming HTTP (port 80) connections run this command:
- sudo ufw allow http
An alternative syntax is to specify the port number of the HTTP service:
- sudo ufw allow 80
Allow All Incoming HTTPS
To allow all incoming HTTPS (port 443) connections run this command:
- sudo ufw allow https
An alternative syntax is to specify the port number of the HTTPS service:
- sudo ufw allow 443
Allow All Incoming HTTP and HTTPS
If you want to allow both HTTP and HTTPS traffic, you can create a single rule that allows both ports. To allow all incoming HTTP and HTTPS (ports 80 and 443) connections run this command:
- sudo ufw allow proto tcp from any to any port 80,443
Note that you need to specify the protocol, with proto tcp, when specifying multiple ports.
Service: MySQL
MySQL listens for client connections on port 3306. If your MySQL database server is being used by a client on a remote server, you need to be sure to allow that traffic.
Allow MySQL from Specific IP Address or Subnet
To allow incoming MySQL connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire 15.15.15.0/24 subnet, run this command:
- sudo ufw allow from 15.15.15.0/24 to any port 3306
Allow MySQL to Specific Network Interface
To allow MySQL connections to a specific network interface (say you have a private network interface eth1, for example), use this command:
- sudo ufw allow in on eth1 to any port 3306
Service: PostgreSQL
PostgreSQL listens for client connections on port 5432. If your PostgreSQL database server is being used by a client on a remote server, you need to be sure to allow that traffic.
Allow PostgreSQL from Specific IP Address or Subnet
To allow incoming PostgreSQL connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire 15.15.15.0/24 subnet, run this command:
- sudo ufw allow from 15.15.15.0/24 to any port 5432
No additional rule is needed for the outgoing traffic of established PostgreSQL connections unless your default outgoing (OUTPUT) policy is not set to accept.
Allow PostgreSQL to Specific Network Interface
To allow PostgreSQL connections to a specific network interface (say you have a private network interface eth1, for example), use this command:
- sudo ufw allow in on eth1 to any port 5432
Service: Mail
Mail servers, such as Sendmail and Postfix, listen on a variety of ports depending on the protocols being used for mail delivery. If you are running a mail server, determine which protocols you are using and allow the appropriate types of traffic. We will also show you how to create a rule to block outgoing SMTP mail.
Block Outgoing SMTP Mail
If your server shouldn't be sending outgoing mail, you may want to block that kind of traffic. To block outgoing SMTP mail, which uses port 25, run this command:
- sudo ufw deny out 25
This configures your firewall to drop all outgoing traffic on port 25. To block a different service by its port number, simply replace 25 with that port.
Allow All Incoming SMTP
To allow your server to respond to SMTP connections, port 25, run this command:
- sudo ufw allow 25
Note: It is common for SMTP servers to use port 587 for outbound mail.
Allow All Incoming IMAP
To allow your server to respond to IMAP connections, port 143, run this command:
- sudo ufw allow 143
Allow All Incoming IMAPS
To allow your server to respond to IMAPS connections, port 993, run this command:
- sudo ufw allow 993
Allow All Incoming POP3
To allow your server to respond to POP3 connections, port 110, run this command:
- sudo ufw allow 110
Allow All Incoming POP3S
To allow your server to respond to POP3S connections, port 995, run this command:
- sudo ufw allow 995
Conclusion
That should cover many of the commands that are commonly used when using UFW to configure a firewall. Of course, UFW is a very flexible tool so feel free to mix and match the commands with different options to match your specific needs if they aren't covered here.
Good luck!
Configure Ubuntu Firewall (UFW) on Ubuntu 14.04
Modified on: Wed, Jun 24, 2015 at 6:27 pm EST
Security is crucial when you run your own server. You want to make sure that only authorized users can access your server, configuration, and services.
In Ubuntu, there is a firewall that comes preloaded. It's called UFW (Ubuntu-Firewall). Although UFW is a pretty basic firewall, it is user friendly, excels at filtering traffic, and has good documentation. Some basic Linux knowledge should be enough to configure this firewall on your own.
Install UFW
Note that UFW is typically installed by default in Ubuntu. If it is missing, you can install it yourself. To install UFW, run the following command.
sudo apt-get install ufw
Allow connections
If you are running a web server, you obviously want the world to be able to access your website(s). Therefore, you need to make sure that the default TCP port for web is open.
sudo ufw allow 80/tcp
In general, you can allow any port you need by using the following format:
sudo ufw allow <port>/<optional: protocol>
Deny connections
If you need to deny access to a certain port, use this:
sudo ufw deny <port>/<optional: protocol>
For example, let's deny access to our default MySQL port.
sudo ufw deny 3306
UFW also supports a simplified syntax for the most common service ports.
root@127:~$ sudo ufw deny mysql
Rule updated
Rule updated (v6)
It is highly recommended to restrict access to your SSH port (by default it's port 22) from anywhere except your trusted IP addresses (example: office or home).
Allow access from a trusted IP address
Typically, you would need to allow access only to publicly open ports such as port 80. Access to all other ports needs to be restricted or limited. You can whitelist your home/office IP address (preferably a static IP) to be able to access your server through SSH or FTP.
sudo ufw allow from 192.168.0.1 to any port 22
Let's also allow access to the MySQL port.
sudo ufw allow from 192.168.0.1 to any port 3306
Looks better now. Let's move on.
Enable UFW
Before enabling (or restarting) UFW, you need to make sure that the SSH port is allowed to receive connections from your IP address. To start/enable your UFW firewall, use the following command:
sudo ufw enable
You will see this:
root@127:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)?
Type Y, then press Enter to enable the firewall.
Firewall is active and enabled on system startup
Check UFW status
Take a look at all of your rules.
sudo ufw status
You will see output similar to the following.
sudo ufw status
Firewall loaded
To        Action  From
--        ------  ----
22:tcp    ALLOW   192.168.0.1
22:tcp    DENY    ANYWHERE
Use the "verbose" parameter to see a more detailed status report.
sudo ufw status verbose
Disable/reload/restart UFW
To disable (stop) UFW, run this command.
sudo ufw disable
If you need to reload UFW (reload rules), run the following.
sudo ufw reload
In order to restart UFW, you will need to disable it first, and then enable it again.
sudo ufw disable
sudo ufw enable
Again, before enabling UFW, make sure that the SSH port is allowed for your IP address.
Removing rules
To manage your UFW rules, you need to list them. You can do that by checking UFW status with the parameter "numbered". You will see output similar to the following.
root@127:~$ sudo ufw status numbered
Status: active
     To        Action     From
     --        ------     ----
[ 1] 22        ALLOW IN   192.168.0.1
[ 2] 80        ALLOW IN   Anywhere
[ 3] 3306      ALLOW IN   192.168.0.1
[ 4] 22        DENY IN    Anywhere
Notice the numbers in square brackets? To remove any of these rules, you will need to use these numbers.
sudo ufw delete [number]
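Both articles stress checking the ruleset (sudo ufw status) before running sudo ufw enable so the SSH rule for your trusted IP is really there, and keeping database ports limited to a source. As an added example that is not part of either article, this POSIX shell check reads a ufw status numbered listing, confirms a rule allows port 22 from a given IP, and flags MySQL/PostgreSQL ports that are allowed from Anywhere; the listing below is constructed sample output in the format shown above, and the column layout it parses is an assumption about that format.

```shell
#!/bin/sh
# Added example (not from either article). The listing is CONSTRUCTED sample
# output in the format shown by `sudo ufw status numbered`; on a real host,
# replace it with: SAMPLE_STATUS="$(sudo ufw status numbered)"
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    192.168.0.1
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 3306                       ALLOW IN    Anywhere
[ 4] 5432                       ALLOW IN    192.168.0.1
[ 5] 22                         DENY IN     Anywhere'

# rule_lines STATUS: keep only the "[ n] ..." rule lines, with the "[ n]"
# prefix stripped, leaving the fields: to action direction from
rule_lines() {
    printf '%s\n' "$1" | sed -n 's/^\[ *[0-9]*] *//p'
}

# ssh_allowed_from STATUS IP: exit 0 if some rule allows port 22 (or 22/tcp)
# from exactly IP. Run this before `sudo ufw enable`, as the articles advise.
ssh_allowed_from() {
    rule_lines "$1" | awk -v ip="$2" '
        ($1 == "22" || $1 == "22/tcp") && $2 == "ALLOW" && $4 == ip { found = 1 }
        END { exit found ? 0 : 1 }'
}

# open_db_ports STATUS: print each MySQL (3306) or PostgreSQL (5432) port that
# is allowed from Anywhere instead of from a specific IP address or subnet.
open_db_ports() {
    rule_lines "$1" | awk '
        $1 ~ /^(3306|5432)(\/tcp)?$/ && $2 == "ALLOW" && $4 ~ /^Anywhere/ { print $1 }'
}

# Stand-alone usage against the constructed sample.
if ssh_allowed_from "$SAMPLE_STATUS" 192.168.0.1; then
    echo "ok: SSH is allowed from 192.168.0.1; safe to run 'sudo ufw enable'"
else
    echo "STOP: no rule allows port 22 from 192.168.0.1" >&2
fi
for p in $(open_db_ports "$SAMPLE_STATUS"); do
    echo "warning: port $p is allowed from Anywhere; limit it with" \
         "'sudo ufw allow from <trusted-ip> to any port $p' and delete the open rule"
done
```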
Enabling IPv6 support
If you use IPv6 on your VPS, you need to ensure that IPv6 support is enabled in UFW. To do so, open the config file in a text editor.
sudo nano /etc/default/ufw
Once opened, make sure that IPV6 is set to "yes":
IPV6=yes
After making this change, save the file. Then, restart UFW by disabling and re-enabling it.
sudo ufw disable
sudo ufw enable
Back to default settings
If you need to go back to default settings, simply type in the following command. This will revert any of your changes.
sudo ufw reset
Conclusion
Overall, UFW is able to protect your VPS against the most common hacking attempts. Of course, your security measures should be more detailed than just using UFW. However, it is a good (and necessary) start.
If you need more examples of using UFW, you can refer to UFW - Community Help Wiki.