The information in this post is based on Ubuntu Server 14.04 x64. It may or may not be valid for other versions.
When I first started out with Linux (Ubuntu) servers, setting up a firewall involved manually creating and maintaining a potentially complex configuration file for iptables. However, I have recently discovered ufw, which is short for Uncomplicated Firewall – and it really is 🙂
My installation of Ubuntu Server 14.04 already had ufw installed, but if yours doesn't, simply install it from the repositories:
sudo apt-get install ufw
UFW is actually just a front end that generates iptables (and ip6tables) rules for you – behind the scenes it is still the Linux kernel's netfilter that does the filtering, so ufw is neither less nor more secure than a hand-written iptables configuration. However, because ufw makes it a lot easier to configure a firewall correctly, it reduces the risk of human error and is therefore arguably more secure in practice, especially for inexperienced admins.
If your server is configured with IPv6 as well as IPv4, make sure that this is enabled for UFW as well. Edit the file /etc/default/ufw and look for a line saying IPV6=yes. On my installation it was already there, but if it's missing or says no, you should change it: with IPV6=no, ufw only manages the IPv4 rules and any service reachable over IPv6 is left completely unfiltered. ufw reads this file when it starts, so make the change before you enable the firewall (or reload it afterwards).
Then simply use the command prompt to allow the ports you want opened. ufw's default policy is to deny all incoming and allow all outgoing traffic, so anything you do not explicitly allow is blocked once the firewall is active. If you are connected to your server via ssh, make sure to allow that first, or activating ufw will cut your connection and possibly lock you out of your server – depending on whether you have physical access to the server or not, this may be kinda inconvenient 😉
For example, if you use ssh on the standard port 22 and you are configuring a web server that supports both unencrypted (HTTP on port 80) and encrypted (HTTPS on port 443) connections, you would issue the following commands to configure ufw:
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
If you need more rules, simply add them as above.
If you have a static IP address and only need to be able to connect via ssh from that one location, you can also restrict ssh connections to a single origin address like this:
sudo ufw allow from 192.168.0.1 to any port 22 proto tcp
Of course, enter your own address instead (192.168.0.1 is a private address and only makes sense if you administer the server from the same LAN). Note that this rule is meant to replace, not supplement, the general sudo ufw allow 22/tcp rule from above: ufw allows a packet as soon as any rule matches, so if both rules are present, ssh is still reachable from everywhere.
When done, enable ufw by entering the command below. It will warn you that this may disrupt existing ssh connections; if you allowed your ssh port as described above, answer y:
sudo ufw enable
And you’re done! The firewall is running and will automatically start up when you reboot your server 🙂
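To tie the steps above together (allow ssh first, then the other services, then enable), here is a small script, added to this post as an example rather than taken from ufw itself. It prints the ufw commands it would run in the safe order and only executes them when DRY_RUN=0. The variable names SSH_PORT, ADMIN_IP, SERVICES and DRY_RUN, and the helper function names, are this example's own conventions. When ADMIN_IP is set, it deliberately emits only the per-address ssh rule and not a general allow for the ssh port, so that the restriction actually takes effect; it also checks /etc/default/ufw for IPV6=yes so the IPv6 side is not forgotten.

```shell
#!/bin/sh
# Added example: plan (and optionally apply) a ufw ruleset in lockout-safe
# order. Not part of ufw; variable and function names are this example's own.

SSH_PORT="${SSH_PORT:-22}"              # port sshd listens on
ADMIN_IP="${ADMIN_IP:-}"                # optional: only this IPv4 address may reach ssh
SERVICES="${SERVICES:-80/tcp 443/tcp}"  # other ports to open, space separated
DRY_RUN="${DRY_RUN:-1}"                 # 1 = only print the commands (default), 0 = run them

# valid_ipv4 ADDR -> exit 0 if ADDR is four dotted octets in 0..255
valid_ipv4() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# valid_port N -> exit 0 if N is an integer in 1..65535
valid_port() {
  case $1 in ''|*[!0-9]*) return 1;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ipv6_enabled [FILE] -> exit 0 if FILE (default /etc/default/ufw) has IPV6=yes
ipv6_enabled() {
  grep -q '^IPV6=yes$' "${1:-/etc/default/ufw}"
}

# plan_rules -> print the ufw commands, one per line, in lockout-safe order
plan_rules() {
  valid_port "$SSH_PORT" || { echo "bad SSH_PORT: $SSH_PORT" >&2; return 1; }
  # 1. ssh first. With ADMIN_IP set there is intentionally no world-wide
  #    "allow $SSH_PORT/tcp": ufw would match that rule too and the
  #    per-address restriction would be pointless.
  if [ -n "$ADMIN_IP" ]; then
    valid_ipv4 "$ADMIN_IP" || { echo "bad ADMIN_IP: $ADMIN_IP" >&2; return 1; }
    echo "ufw allow from $ADMIN_IP to any port $SSH_PORT proto tcp"
  else
    echo "ufw allow $SSH_PORT/tcp"
  fi
  # 2. everything else
  for svc in $SERVICES; do
    echo "ufw allow $svc"
  done
  # 3. enable last; --force skips the "may disrupt existing ssh connections" prompt
  echo "ufw --force enable"
}

# apply_rules -> run the planned commands, or just show them when DRY_RUN=1
apply_rules() {
  rules=$(plan_rules) || return 1
  printf '%s\n' "$rules" | while IFS= read -r cmd; do
    if [ "$DRY_RUN" = 1 ]; then
      echo "sudo $cmd"
    else
      sudo $cmd
    fi
  done
}

# Entry point: "sh ufw-setup.sh run" prints the plan; DRY_RUN=0 applies it.
if [ "${1:-}" = run ]; then
  if ! ipv6_enabled; then
    echo "warning: IPV6=yes not set in /etc/default/ufw, IPv6 will be unfiltered" >&2
  fi
  apply_rules
fi
```

Run it once as `sh ufw-setup.sh run` to review the commands, then again with `DRY_RUN=0 ADMIN_IP=203.0.113.10 sh ufw-setup.sh run` (203.0.113.10 standing in for your own address) to apply them. Because the ssh rule is always emitted before `ufw --force enable`, the session you are running it from survives.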
Rules you add or delete with the ufw command take effect immediately while the firewall is active. If you change the configuration files by hand (for example /etc/default/ufw), a reload is needed; disabling and re-enabling does the job, but leaves the server unfiltered in between, so prefer a plain reload (sudo ufw reload) on a live server:
sudo ufw disable sudo ufw enable
To look at the current configuration, simply enter:
sudo ufw status
If ufw is not enabled, this will simply show an "inactive" message, otherwise it will list the currently defined rules. Add verbose (sudo ufw status verbose) to also see the default policies and logging setting, which is a good way to confirm that incoming traffic is denied by default.