Introduction

UFW is a firewall configuration tool for iptables that is included with Ubuntu by default. This cheat sheet-style guide provides a quick reference to UFW commands that will create iptables firewall rules are useful in common, everyday scenarios. This includes UFW examples of allowing and blocking various services by port, network interface, and source IP address.

Remember that you can check your current UFW ruleset with sudo ufw status or sudo ufw status verbose.

Block an IP Address

To block all network connections that originate from a specific IP address, 15.15.15.51 for example, run this command:

  • sudo ufw deny from 15.15.15.51

In this example, from 15.15.15.51 specifies a source IP address of “15.15.15.51”. If you wish, a subnet, such as 15.15.15.0/24, may be specified here instead. The source IP address can be specified in any firewall rule, including an allow rule.

Block Connections to a Network Interface

To block connections from a specific IP address, e.g. 15.15.15.51, to a specific network interface, e.g. eth0, use this command:

  • sudo ufw deny in on eth0 from 15.15.15.51

This is the same as the previous example, with the addition of in on eth0. The network interface can be specified in any firewall rule, and is a great way to limit the rule to a particular network.

Service: SSH

If you’re using a cloud server, you will probably want to allow incoming SSH connections (port 22) so you can connect to and manage your server. This section covers how to configure your firewall with various SSH-related rules.

Allow SSH

To allow all incoming SSH connections run this command:

  • sudo ufw allow ssh

An alternative syntax is to specify the port number of the SSH service:

  • sudo ufw allow 22
Allow Incoming SSH from Specific IP Address or Subnet

To allow incoming SSH connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire 15.15.15.0/24 subnet, run this command:

  • sudo ufw allow from 15.15.15.0/24 to any port 22
Allow Incoming Rsync from Specific IP Address or Subnet

Rsync, which runs on port 873, can be used to transfer files from one computer to another.

To allow incoming rsync connections from a specific IP address or subnet, specify the source IP address and the destination port. For example, if you want to allow the entire 15.15.15.0/24 subnet to be able to rsync to your server, run this command:

  • sudo ufw allow from 15.15.15.0/24 to any port 873

Service: Web Server

Web servers, such as Apache and Nginx, typically listen for requests on port 80 and 443 for HTTP and HTTPS connections, respectively. If your default policy for incoming traffic is set to drop or deny, you will want to create rules that will allow your server to respond to those requests.

Allow All Incoming HTTP

To allow all incoming HTTP (port 80) connections run this command:

  • sudo ufw allow http

An alternative syntax is to specify the port number of the HTTP service:

  • sudo ufw allow 80
Allow All Incoming HTTPS

To allow all incoming HTTPS (port 443) connections run this command:

  • sudo ufw allow https

An alternative syntax is to specify the port number of the HTTPS service:

sudo ufw allow 443
Allow All Incoming HTTP and HTTPS

If you want to allow both HTTP and HTTPS traffic, you can create a single rule that allows both ports. To allow all incoming HTTP and HTTPS (port 443) connections run this command:

sudo ufw allow proto tcp from any to any port 80,443

 

Note that you need to specify the protocol, with proto tcp, when specifying multiple ports.

Service: MySQL

MySQL listens for client connections on port 3306. If your MySQL database server is being used by a client on a remote server, you need to be sure to allow that traffic.

Allow MySQL from Specific IP Address or Subnet

To allow incoming MySQL connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire 15.15.15.0/24 subnet, run this command:

  • sudo ufw allow from 15.15.15.0/24 to any port 3306

Allow MySQL to Specific Network Interface

To allow MySQL connections to a specific network interface—say you have a private network interface eth1, for example—use this command:

  • sudo ufw allow in on eth1 to any port 3306

 

 

Delete a entry

If you find a entry wrong. E.g. we find a entry is wrong or redundant, such as allow 80 and allow from 192.168.10.0/24 to any port 80, we want to delete the second one:

 

administrator@Confluence:/var/log$ sudo ufw status numbered
Status: active

To Action From
 -- ------ ----
[ 1] NRPE ALLOW IN Anywhere
[ 2] 22 ALLOW IN Anywhere
[ 3] 5666 ALLOW IN Anywhere
[ 4] 80 ALLOW IN Anywhere
[ 5] 8000 ALLOW IN Anywhere
[ 6] 8091 ALLOW IN Anywhere
[ 7] 80 ALLOW IN 192.168.10.0/24
[ 8] NRPE (v6) ALLOW IN Anywhere (v6)
[ 9] 22 (v6) ALLOW IN Anywhere (v6)
[10] 5666 (v6) ALLOW IN Anywhere (v6)
[11] 80 (v6) ALLOW IN Anywhere (v6)
[12] 8000 (v6) ALLOW IN Anywhere (v6)
[13] 8091 (v6) ALLOW IN Anywhere (v6)

administrator@Confluence:/var/log$ sudo ufw delete 7
Deleting:
 allow from 192.168.10.0/24 to any port 80
Proceed with operation (y|n)? y
Rule deleted

 

Reference

https://help.ubuntu.com/community/UFW