How to get started with iptables
By default, Ubuntu uses UFW as its firewall front end. UFW stands for “Uncomplicated Firewall” and was first introduced with the release of Ubuntu 16.04. UFW is a beginner-friendly alternative to working with iptables directly: it provides an easy-to-use interface, so that you as a user don’t have to deal with messy iptables commands. In this article we will show you how to use UFW correctly.
Configure UFW in the Terminal
UFW is an interface to iptables intended to simplify the process of configuring a firewall. If you want to secure the network or monitor the incoming and outgoing connections of your server, you cannot avoid a firewall. UFW is a handy tool that can be controlled and configured via the terminal in Ubuntu:
Prerequisites
Before we start, make sure that UFW is installed on your machine. If you are using Ubuntu 16.04 or above, UFW should already be installed. You can verify this, or install it from scratch, with the following command:
sudo apt-get install ufw
Set Default Rules
Before creating your own firewall rules, you should first define how incoming and outgoing traffic will be handled. By default, all incoming connections are denied and all outgoing connections are allowed. If every incoming connection were allowed, anyone from outside could reach your server. To ensure that the default settings are correct, enter the following commands one after the other:
sudo ufw default allow outgoing
This command allows all outgoing traffic from our Ubuntu machine to the network.
sudo ufw default deny incoming
The command above blocks all incoming traffic to our machine.
In the next step we can set our rules for each service we want to access from the outside.
Configure Incoming Rules
If we activated the firewall right after setting these defaults, without any further configuration, it would block all incoming traffic. That includes SSH, so it is important to create rules for all our services before we activate the firewall; otherwise we would lock ourselves out of a remote server. In our case the SSH rule is the first one we want to set.
Configure SSH with UFW
In our example we want to configure SSH first by simply typing:
sudo ufw allow ssh
Alternatively we can also specify the port instead of the service name like so:
sudo ufw allow 22
If your SSH daemon listens on a different port, make sure to use that specific port number instead of the service name ssh.
Configure Specific IP for SSH with UFW Firewall
In the example above we enabled SSH on our server, but right now the SSH port is accessible from anywhere. If you want to secure your server even better, it is advised to allow SSH only from the IP addresses that should be able to reach your server. To do so we can type the following command, replacing IP with the address you want to allow:
sudo ufw allow from IP to any port 22 proto tcp
Please keep in mind that your public IP might change and that the command above could then lock you out. Only use this if you have a static IP address.
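As an added example (not part of the original article), here is a small POSIX shell helper that prints the commands from this guide in a lock-out-safe order: the defaults first, then the SSH allow rule for one admin address, and only then the activation step. The address 203.0.113.10 is a constructed sample, and the use of ufw enable with --force to skip the confirmation prompt is an assumption about how the firewall is activated.

```shell
#!/bin/sh
# Added example: emit the ufw commands from this guide in a lock-out-safe order.
# The SSH allow rule is printed before the enable step, so activating the
# firewall never cuts off the admin session. 203.0.113.10 is a constructed
# sample address, not one from the article.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix length.
# This catches a forgotten placeholder such as the literal word "IP".
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the command plan for allowing SSH (TCP port $2, default 22) only
# from $1. Returns 1 and prints nothing on stdout when the address is malformed.
ufw_plan() {
  ip="$1"
  port="${2:-22}"
  if ! is_ipv4 "$ip"; then
    echo "ufw_plan: '$ip' is not an IPv4 address" >&2
    return 1
  fi
  # Assumed: "ufw --force enable" is the activation step; --force skips the
  # interactive y/n prompt so the plan can be applied non-interactively.
  printf '%s\n' \
    "ufw default deny incoming" \
    "ufw default allow outgoing" \
    "ufw allow from $ip to any port $port proto tcp" \
    "ufw --force enable"
}

# Demo on the constructed sample address; review the output before applying it.
ufw_plan 203.0.113.10 22
```

Review the printed plan and, once you are sure the address is your static admin IP, apply it with `ufw_plan <your-ip> | sudo sh`.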