Jun 182011
 

firewallI use iptables by many years and used it also for complex solutions and only recently i’ve discovered ufw (Uncomplicated Firewall), the ubuntu version, or better developed to ease iptables firewall configuration, ufw provides a user friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled.


Installation

I’ve ufw installed on my ubuntu 11.04, i don’t know if it’s a default (probably) or it’s been installed some time ago during some test, anyway on Debian and Ubuntu you can install it with

aptitude install ufw

Basic Operation

You can get the status, and start or stop ufw with these commands, please note all ufw commands must be run as root, so use a sudo in front of any command or become root with sudo -i

ufw status
ufw enable
ufw disable

If you enable or disable it the command will take care of enabling or disabling the firewall also at startup time.

Set a default behavior

With the argument default you can set your default policy to accept or deny packets.

ufw default allow
ufw default deny

Allow and Deny

The basic sintax to allow or deny a specific port is

ufw allow port 
ufw deny port

Without options it work BOTH for tcp and udp if you want to specify a protocol write

ufw allow port/protocol
ufw deny port/protocol

So to allow ssh only on your machine you can use:

ufw enable
ufw default deny
ufw allow 22/tcp

It is also possible to allow access from specific hosts or networks to a port. The following example allows ssh access from host 192.168.0.2 to any ip address on the host:

ufw allow from 192.168.0.2 to any port 22 proto tcp

Replace 192.168.0.2 with 192.168.0.0/24 to allow ssh access from the entire subnet.


dry-run

Adding the –dry-run option to a ufw command will output the resulting rules, but not apply them. For example, the following is what would be applied if opening the HTTP port:

~#ufw --dry-run allow http
 
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###
 
### tuple ### allow tcp 22 0.0.0.0/0 any 192.168.0.2 in
-A ufw-user-input -p tcp --dport 22 -s 192.168.0.2 -j ACCEPT
 
### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT
 
### END RULES ###
 
### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###
 
### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT
Rules updated

Logging

Enabling and disabling logging it’s really easy, use :

ufw logging on
ufw logging off

gufw_screenshot2Ok this is all for a basic guide on ufw, but perhaps you think it’s still not so Uncomplicated ?
Don’t worry because there is also a nice GUI called gufw.
It supports common tasks such as allowing or blocking pre-configured services, common P2P, or individual IP/port(s), and many others operations  !

Check also this guide on gufw
How to easily manage your Linux firewall with gufw


Popular Posts:

flattr this!

  3 Responses to “ufw – Iptables under Ubuntu”

  1. Thanks, this looks nice and simple. Although I don’t know why someone would take a project he/she worked hard to create, and then name it “ufw” or “gufw” or “jdfhywesdshhsnbb112999sbdndb”… Maybe there’s a coolness quality I’m not aware of :)

  2. Application profiles are also supported by ufw. These are pre-defined protocols/ports that can be referenced by application name (protocol names are from /etc/services). I wrote a couple of hundred:
    Stubborn Tech Problem Solving: UFW application profiles
    Bug #659619 in ufw

    Unfortunately they haven’t been packaged yet.

 Leave a Reply

(required)

(required)


*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>