Another line of defense to complete on Linux servers is a functioning firewall. Now if you’ve ever used IP tables, you’ll know they are unnecessarily complicated. This is where ufw comes in to its own as it is a simple front end to the aforementioned IP tables.
Install is a breeze.
sudo apt-get install ufw
Also very easy.
sudo ufw status or sudo ufw status numbered
I prefer numbered, as it then makes it easier to remove entries you don’t want or need.
Status: active To Action From -- ------ ---- [ 1] 22 ALLOW IN Anywhere [ 2] 80/tcp ALLOW IN Anywhere [ 3] 22 (v6) ALLOW IN Anywhere (v6) [ 4] 80/tcp (v6) ALLOW IN Anywhere (v6)
Using UFW with IPv6
UFW works out of the box with IPv6. If you don’t use IPv6 yet on your network, it is easy to turn off by default.
sudo nano /etc/default/ufw
Then make sure “IPV6” is set to “no”, as follows:
Save and quit. Restart the firewall with the following commands:
sudo ufw disable sudo ufw enable
I always start a setup with the following:
sudo ufw default deny incoming sudo ufw default allow outgoing
Pretty obvious this one, allow all outbound communication, deny all incoming!
Depending on what your server is doing will obviously impact on what rules you need to allow inbound but for a web server this is how I would play it.
If you need to manage the server over the web because it’s hosted, then the simple command:
sudo ufw allow ssh
If it is local and SSH administration will be completed from your LAN range only. This is for management so would mean you could only manage your server from your internal range. Now the IP range you define here is dependent on what range you actually have configured.
sudo ufw allow from 192.168.1.0/24 to any port 22
To allow web traffic is also very easy:
sudo ufw allow www
You may need to open up other ports for example:
sudo ufw allow ftp
This i suggest should all be tested and checked you can access all required ports as you run through the configuration.
I like this way to delete rules. First get the numbered list as before:
sudo ufw status numbered
Then delete rules by issuing the following command:
sudo ufw delete [number]
Where “[number]” is the number of the rule you need to delete. Check the status numbered list as you go as they change as you delete rules.
Turning the Firewall On
This one’s simple.
sudo ufw enable
To get your full verbose status of the running firewall
sudo ufw status verbose
To turn it off:
sudo ufw disable
If, somehow you manage to get it all wrong and you want to start fresh. Then type the following:
sudo ufw reset
You will have a secured server configured to only the access required. As Alan Partridge would say, “Lovely Stuff”.