How To Use UFW Firewall On Debian, Ubuntu, Linux Mint
https://www.linuxbabe.com/security/ufw-firewall-debian-ubuntu-linux-mint-server 1/18
6/9/22, 10:07 AM How to Use UFW Firewall on Debian, Ubuntu, Linux Mint
systemctl status iptables
UFW, you need to know what ports are open on the public
IP address of your server, which can be obtained with the
help of nmap (Network Mapper).
or
If you run a BIND DNS server, then you need to open TCP
and UDP port 53.
The above command will allow both the TCP and UDP port.
If you want to allow the UDP port only, then
Enabling UFW
After you have set allowed ports in UFW, you need to enable
UFW. But before doing that, it’s recommended to enable
logging with the following command so that you can better
understand if your firewall is working correctly.
Check status
Now you can re-scan your server to find out which ports are
still open.
Then you can delete a rule, for example, the 8th rule.
Note that the reference number will change after you delete a
rule, so you need to run sudo ufw status numbered
again to delete another rule.
Reset UFW
Many server programs ship with UFW profiles. You can list
all application profiles with:
We can see that the ports used by this profile are TCP ports 80
and 443. If we enable this application profile with the
following command, TCP ports 80 and 443 will be allowed.
Note that newly added firewall rules are placed at the bottom by
default. If you previously allowed access to port 25 from
anywhere, then you need to insert the deny rule as the first
rule, just like above, so the deny rule will be applied first.
You can always insert a new deny rule as the first rule.
Now let’s say you run an OpenSSH server and you only want
to allow certain IP addresses to log in to your server through
SSH. You can use UFW to create an IP address whitelist. For
example, I don’t have a static IP address at home, but I
have set up several VPN servers on the cloud, so now I can
configure UFW to allow inbound connections to port 22 from
the IP address of my VPN server only.
Then you need to get the reference number of the allow SSH
from anywhere rule and delete that rule.
Note that you need to delete both the IPv4 and IPv6 rules.
Also notice that if you delete the upper rule first, the
reference number of the lower rule will change.
From here on out, only your IP address can access TCP port
22.
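As an added example (not from the original article), the script below works out which rule numbers to delete for the SSH allow-list procedure above. It parses `ufw status numbered` output, confirms that an allow rule for the trusted address already exists, and lists the allow-from-anywhere rules for the port highest number first, so deleting one never renumbers another. The sample output, the address 203.0.113.10 and the function names are constructed for illustration.

```shell
# Constructed sample of `sudo ufw status numbered` output. 203.0.113.10 is a
# documentation address standing in for the VPN server (assumption).
sample_status() {
cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    203.0.113.10
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 25/tcp                     DENY IN     198.51.100.7
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF
}

# open_to_anywhere PORT: read numbered status on stdin and print the numbers
# of rules that ALLOW IN PORT from Anywhere (IPv4 and IPv6), highest first,
# so deleting one never shifts the number of another still to be deleted.
open_to_anywhere() {
    awk -v port="$1" '
        /^\[ *[0-9]+\]/ {
            gsub(/\[|\]/, " ")     # "[ 2] 22/tcp" -> "  2  22/tcp"
            gsub(/\(v6\)/, "")     # IPv6 rows then have the same fields
            if (($2 == port || $2 == port "/tcp") &&
                $3 == "ALLOW" && $4 == "IN" && $5 == "Anywhere") print $1
        }' | sort -rn
}

# has_allow_from PORT ADDR: succeed only if some rule already allows PORT
# from ADDR, so removing the open rules cannot lock the administrator out.
has_allow_from() {
    awk -v port="$1" -v addr="$2" '
        /^\[ *[0-9]+\]/ {
            gsub(/\[|\]/, " "); gsub(/\(v6\)/, "")
            if (($2 == port || $2 == port "/tcp") &&
                $3 == "ALLOW" && $4 == "IN" && $5 == addr) found = 1
        }
        END { exit !found }'
}

# Print the deletion plan for the sample. On a real host, pipe the output of
# `sudo ufw status numbered` into the same functions instead.
if sample_status | has_allow_from 22 203.0.113.10; then
    sample_status | open_to_anywhere 22 |
        while read -r n; do echo "sudo ufw delete $n"; done
else
    echo "no allow rule for the trusted address yet; nothing deleted" >&2
fi
```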
Then you can just replace the IPv4 address with an IPv6 address in ufw
commands like below.
Note that you can’t insert an IPv6 rule between IPv4 rules.
IPv6 rules should always be placed after IPv4 rules.
By default, there are some rules for the filter table. Add
the following lines at the end of this file.
*nat
COMMIT
-A ufw-before-forward -s 10.10.10.0/24 -j ACCEPT
-A ufw-before-forward -d 10.10.10.0/24 -j ACCEPT
or simply
net.ipv4.ip_forward = 1
sudo sysctl -p
What if you use UFW on your router, and you want to route
packets such as HTTP requests to internal LAN hosts? In this
case, you need to set up port forwarding. Edit the
/etc/ufw/before.rules file.
Then add the following lines in the NAT table, above the
COMMIT line. Replace 12.34.56.78 with your router’s
public IP address.
Note that the 192.168.1.100 LAN host must use the UFW
router as the gateway. If it’s using another IP address as the
gateway, port forwarding won’t work.
Restart UFW.
Gufw
Wrapping Up
That’s it! I hope this article helped you use UFW on Debian,
Ubuntu and Linux Mint. As always, if you found this post