
ufw firewall (by damian)

Uncomplicated firewall (ufw) is a very convenient command line tool to manipulate iptables and manage a host-based firewall...

Installation

ufw installation with apt (debian/ubuntu/...)

$ sudo apt-get install ufw

Turn the firewall on and off ('disable' => default: ACCEPT)

$ sudo ufw enable
$ sudo ufw disable

WARNING: If you are connected over SSH, be aware that you might get locked out by enabling the firewall without allowing connections to port 22 (or to the app profile OpenSSH). You should FIRST add a rule like

$ sudo ufw allow from any to any port 22 proto tcp

Enable/Disable logging

$ sudo ufw logging on
$ sudo ufw logging off

default policy examples

$ sudo ufw default allow
$ sudo ufw default deny

$ sudo ufw default allow outgoing
$ sudo ufw default deny incoming

Accept or drop incoming packets to [service] (you can see which services are available with 'status' (see below)). [service] can be specified via a service name in /etc/services, 'protocol:port', or via package meta-data. 'allow' adds a service entry to /etc/ufw/maps and 'deny' removes the service entry from /etc/ufw/maps. Basic syntax:

$ sudo ufw allow|deny [service]

Show the status of UFW

Show the status of UFW and the rules it manages, referencing '/var/lib/ufw/maps'. ('status numbered' prefixes each rule with its number, which the plain 'status' output does not display.)

$ sudo ufw status
$ sudo ufw status verbose
$ sudo ufw status numbered

UFW Examples

Allow to port 53 | to port 53/tcp | from any to port 53 | from any to port 53/tcp | in on eth0 from any to port 53/udp | from 1.2.3.4 to port 53

$ sudo ufw allow 53
$ sudo ufw allow 53/tcp
$ sudo ufw allow from any to any port 53
$ sudo ufw allow from any to any port 53 proto tcp
$ sudo ufw allow in on eth0 from any to any port 53 proto udp
$ sudo ufw allow from 1.2.3.4 to any port 53

Delete Allow port 53

$ sudo ufw delete allow 53

To delete more complex rules it might be easier to delete the rule by its number:

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 53                         ALLOW IN    Anywhere                  
[ 2] 53 (v6)                    ALLOW IN    Anywhere (v6)             

$ sudo ufw delete 1
Deleting:
 allow 53
Proceed with operation (y|n)? y
Rule deleted
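Both the SSH warning above and deleting by number come down to reading the output of 'ufw status numbered'. The following is an added example, not code from the original page: it parses a captured copy of that output offline. rule_numbers_for() prints the numbers of all rules whose "To" column matches a pattern, highest number first, because 'ufw delete N' renumbers every rule after N and deleting from the top keeps the remaining numbers valid; ssh_allowed() uses it to confirm an incoming ALLOW for 22, 22/tcp or the OpenSSH profile exists before you run 'ufw enable' on a remote box. The STATUS text, the function names and the pattern arguments are my own constructions; the column layout follows the page's sample.

```shell
#!/bin/sh
# Added example, not from the original page: work with the output of
# `ufw status numbered` without touching the live firewall.

# Constructed sample output, in the layout the page shows for `status numbered`.
STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 53                         ALLOW IN    Anywhere
[ 3] 80,443/tcp (Apache Full)   ALLOW IN    Anywhere
[ 4] Anywhere                   DENY IN     192.168.1.2
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 53 (v6)                    ALLOW IN    Anywhere (v6)'

# rule_numbers_for STATUS_TEXT TO_PATTERN [ACTION_PATTERN]
# Print the numbers of all rules whose "To" column matches TO_PATTERN (an awk
# regex) and whose action word (ALLOW/DENY/REJECT/LIMIT) matches
# ACTION_PATTERN (default: any), highest number first. Deleting in that order
# keeps the remaining numbers stable, because `ufw delete N` renumbers every
# rule after N.
rule_numbers_for() {
    printf '%s\n' "$1" | awk -v pat="$2" -v want="${3:-.}" '
        /^\[ *[0-9]+]/ {
            n = $0; sub(/^\[ */, "", n); sub(/].*/, "", n)         # "[ 3]" -> 3
            rest = $0; sub(/^\[ *[0-9]+] */, "", rest)             # drop the number
            to = rest; sub(/ +(ALLOW|DENY|REJECT|LIMIT) .*$/, "", to)   # "To" column
            act = substr(rest, length(to) + 1)                     # action word
            sub(/^ +/, "", act); sub(/ .*$/, "", act)
            if (to ~ pat && act ~ want) print n
        }' | sort -rn
}

# ssh_allowed STATUS_TEXT: succeed if some rule allows incoming 22, 22/tcp or
# the OpenSSH app profile. Run this before `ufw enable` on a remote machine.
ssh_allowed() {
    [ -n "$(rule_numbers_for "$1" '^22(/tcp)?( |$)|OpenSSH' '^ALLOW$')" ]
}

# Print (do not run) the deletions needed to drop every rule for port 53,
# highest number first: "sudo ufw delete 6" then "sudo ufw delete 2".
for n in $(rule_numbers_for "$STATUS" '^53( |$)'); do
    echo "sudo ufw delete $n"
done
ssh_allowed "$STATUS" && echo "SSH is allowed in; safe to run: sudo ufw enable"
```

Feed it live data with STATUS="$(sudo ufw status numbered)". The "(v6)" twin of each rule has its own number, which is why a port usually yields two deletions.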

Instead of a numeric port, a service name can be used, see /etc/services

$ sudo ufw allow smtp

Allow all traffic from a particular IP

$ sudo ufw allow from 192.168.254.254

Deny all traffic from a particular IP

$ sudo ufw deny from 192.168.1.2

Further it is possible to use ufw application profiles. To see which profiles are available:

$ sudo ufw app list
Available applications:
  Apache
  Apache Full
  Apache Secure
  CUPS
  OpenSSH

To allow access to app profile, e.g. "Apache Full" (http port 80 and https port 443):

$ sudo ufw allow from any to any app "Apache Full"
Rule added
Rule added (v6)

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80,443/tcp (Apache Full)   ALLOW IN    Anywhere                  
80,443/tcp (Apache Full (v6)) ALLOW IN    Anywhere (v6)

Many services you install will come with their own app profile. Profiles can also be edited/added in /etc/ufw/applications.d/

For example, to add a profile for MySQL if you are running a MySQL server, you would create /etc/ufw/applications.d/mysqld and put

[MySQL]
title=MySQL database server
description=MySQL is a fast, stable and true multi-user, multi-threaded SQL database server
ports=3306/tcp

Multiple profiles/port configurations can be defined in one file (example from apache):

[Apache]
title=Web Server
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp
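A profile that is missing a field or has an unparseable ports value is not picked up as intended, so it is worth checking a new file before 'ufw app list' and 'ufw allow' rely on it. The following is an added example, not code from the original page or from ufw: validate_profile() parses a profile file in the format shown above and rejects a section that lacks title, description or ports, or whose ports value is not a list of ports or lo:hi ranges between 1 and 65535, optionally tagged /tcp or /udp, with "|" separating protocol groups (as in "137,138/udp|139,445/tcp"). The sample files are constructed here; the MySQL one is the page's own profile.

```shell
#!/bin/sh
# Added example, not from the original page: validate a ufw application
# profile (the INI-style files under /etc/ufw/applications.d/) before
# installing it.

# validate_profile [FILE]   (reads stdin when FILE is omitted or "-")
# Succeeds if every [Section] has title, description and ports, and every
# ports value is a list of ports/ranges (lo:hi) between 1 and 65535, each
# group optionally tagged /tcp or /udp, groups separated by "|".
# Problems are printed, one per line, and the exit status is 1.
validate_profile() {
    awk '
        function valid_ports(v,   groups, ng, i, g, ports, np, j, pr, lo, hi) {
            ng = split(v, groups, "|")
            for (i = 1; i <= ng; i++) {
                g = groups[i]
                if (g !~ "^[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*(/(tcp|udp))?$") return 0
                sub("/.*$", "", g)                       # strip the protocol
                np = split(g, ports, ",")
                for (j = 1; j <= np; j++) {
                    split(ports[j], pr, ":")
                    lo = pr[1] + 0; hi = (2 in pr) ? pr[2] + 0 : lo
                    if (lo < 1 || hi > 65535 || lo > hi) return 0
                }
            }
            return 1
        }
        function flush() {                   # check the section just finished
            if (sec == "") return
            if (!("title" in have))       { print "[" sec "]: missing title"; bad++ }
            if (!("description" in have)) { print "[" sec "]: missing description"; bad++ }
            if (!("ports" in have))       { print "[" sec "]: missing ports"; bad++ }
            split("", have)
        }
        /^\[.+]$/          { flush(); sec = substr($0, 2, length($0) - 2); nsec++; next }
        /^[ \t]*$/ || /^#/ { next }
        /^[a-z]+=/ {
            key = $0; sub(/=.*$/, "", key)
            val = $0; sub(/^[a-z]+=/, "", val)
            if (sec == "") { print "line " NR ": " key " outside any section"; bad++; next }
            have[key] = 1
            if (key == "ports" && !valid_ports(val)) { print "[" sec "]: bad ports value " val; bad++ }
            next
        }
        { print "line " NR ": cannot parse: " $0; bad++ }
        END {
            flush()
            if (nsec == 0) { print "no [Profile] section found"; bad++ }
            exit (bad > 0)
        }' "${1:--}"
}

# Constructed samples: the page's MySQL profile, and one with two mistakes
# (no description, port above 65535).
GOOD_PROFILE=$(mktemp); BAD_PROFILE=$(mktemp)
cat > "$GOOD_PROFILE" <<'EOF'
[MySQL]
title=MySQL database server
description=MySQL is a fast, stable and true multi-user, multi-threaded SQL database server
ports=3306/tcp
EOF
cat > "$BAD_PROFILE" <<'EOF'
[Broken]
title=Broken service
ports=70000/tcp
EOF

validate_profile "$GOOD_PROFILE" && echo "$GOOD_PROFILE: ok"
validate_profile "$BAD_PROFILE"  || echo "$BAD_PROFILE: rejected"
```

Run it as validate_profile /etc/ufw/applications.d/mysqld after creating the file; a clean exit means 'ufw app list' will show the new profile.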

NAT

edit /etc/ufw/sysctl.conf and add/uncomment:

net/ipv4/ip_forward=1

edit /etc/ufw/before.rules and add something like

# nat Table rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

#-A PREROUTING -p tcp -d 188.92.146.4 --dport 443 -j DNAT --to-destination 192.168.3.20:443
-A PREROUTING -p tcp -i eth2 -d 188.92.146.4 --dport 443 -j DNAT --to-destination 192.168.3.20:443

-A POSTROUTING -s 192.168.2.0/24 -o eth2 -j MASQUERADE
-A POSTROUTING -s 192.168.3.0/24 -o eth2 -j MASQUERADE
-A POSTROUTING -p tcp --dport 25 -j SNAT --to-source 188.92.146.6

COMMIT
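A *nat block that is not closed with COMMIT stops the whole ruleset from loading, and the page's active DNAT rule is pinned to -i eth2 while the commented-out one would match on every interface. The following is an added example, not code from the original page or from ufw: check_ip_forward() confirms the sysctl line above is present and uncommented, and check_nat_rules() reads a before.rules file and reports a *nat table without COMMIT, an active PREROUTING DNAT rule with no -i, or a MASQUERADE rule with no -o. The sample files are constructed here from the page's own rules; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check the two NAT edits
# (sysctl.conf and before.rules) before `ufw disable; ufw enable` reloads them.

# check_ip_forward [FILE]: succeed if FILE (the ufw sysctl.conf) contains an
# uncommented net/ipv4/ip_forward=1 line.
check_ip_forward() {
    grep -Eq '^[[:space:]]*net/ipv4/ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "${1:--}"
}

# check_nat_rules [FILE]: succeed if every *nat block in FILE (before.rules)
# ends with COMMIT, every active PREROUTING DNAT rule names an input
# interface (-i) and every MASQUERADE rule names an output interface (-o).
# Commented-out rules are ignored. Problems are printed, one per line.
check_nat_rules() {
    awk '
        /^\*nat$/                 { in_nat = 1; tables++; next }
        !in_nat                   { next }
        /^COMMIT$/                { in_nat = 0; next }
        /^[ \t]*#/ || /^[ \t]*$/  { next }               # comments and blanks
        /^-A PREROUTING/  && /-j DNAT/       && !/-i [^ ]+/ {
            print "DNAT rule without -i: " $0; bad++ }
        /^-A POSTROUTING/ && /-j MASQUERADE/ && !/-o [^ ]+/ {
            print "MASQUERADE rule without -o: " $0; bad++ }
        END {
            if (in_nat)  { print "*nat table not closed with COMMIT"; bad++ }
            if (!tables) { print "no *nat table found"; bad++ }
            exit (bad > 0)
        }' "${1:--}"
}

# Constructed samples: the page's nat block as written, and the same block
# with the -i dropped from the DNAT rule and the COMMIT forgotten.
NAT_GOOD=$(mktemp); NAT_BAD=$(mktemp); SYSCTL=$(mktemp)
cat > "$NAT_GOOD" <<'EOF'
# nat Table rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
#-A PREROUTING -p tcp -d 188.92.146.4 --dport 443 -j DNAT --to-destination 192.168.3.20:443
-A PREROUTING -p tcp -i eth2 -d 188.92.146.4 --dport 443 -j DNAT --to-destination 192.168.3.20:443
-A POSTROUTING -s 192.168.2.0/24 -o eth2 -j MASQUERADE
-A POSTROUTING -p tcp --dport 25 -j SNAT --to-source 188.92.146.6
COMMIT
EOF
cat > "$NAT_BAD" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -d 188.92.146.4 --dport 443 -j DNAT --to-destination 192.168.3.20:443
-A POSTROUTING -s 192.168.2.0/24 -o eth2 -j MASQUERADE
EOF
printf '#net/ipv4/ip_forward=1\n' > "$SYSCTL"      # still commented out

check_ip_forward "$SYSCTL"   || echo "$SYSCTL: forwarding is still commented out"
check_nat_rules "$NAT_GOOD"  && echo "$NAT_GOOD: ok"
check_nat_rules "$NAT_BAD"   || echo "$NAT_BAD: rejected"
```

On a real host run check_ip_forward /etc/ufw/sysctl.conf and check_nat_rules /etc/ufw/before.rules before reloading ufw.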

IPv6

To enable/disable IPv6 support edit /etc/default/ufw and add/uncomment/edit

IPV6=yes

After changing, ufw needs to be restarted:

$ sudo ufw disable ; sudo ufw enable

Rules that are not specific to IPv4/IPv6 will be added for both:

$ sudo ufw allow from any to any port 80
Rule added
Rule added (v6)

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
80                         ALLOW       Anywhere                  
80 (v6)                    ALLOW       Anywhere (v6)


Tags:
#config #configuration #debian #firewall #friendly #gufw #install #installation #iptables #linux #lmde #mint #setup #ubuntu #ufw #uncomplicated #user #userfriendly

Info:
Created: 02.02.2012 10:00
Last Changed: 23.08.2019 13:06