0% found this document useful (0 votes)
95 views18 pages

How To Use UFW Firewall On Debian, Ubuntu, Linux Mint

This document provides instructions on how to use UFW (Uncomplicated Firewall) on Debian, Ubuntu, and Linux Mint systems. It begins by explaining how to disable any other iptables restore services that could conflict with UFW. It then explains how to install UFW if not already present, check its status, and see which ports are open using nmap. The document outlines allowing common ports like SSH, HTTP, HTTPS and providing examples of allowing multiple ports. It concludes by enabling UFW logging and turning on the firewall.

Uploaded by

Twom Ali
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
95 views18 pages

How To Use UFW Firewall On Debian, Ubuntu, Linux Mint

This document provides instructions on how to use UFW (Uncomplicated Firewall) on Debian, Ubuntu, and Linux Mint systems. It begins by explaining how to disable any other iptables restore services that could conflict with UFW. It then explains how to install UFW if not already present, check its status, and see which ports are open using nmap. The document outlines allowing common ports like SSH, HTTP, HTTPS and providing examples of allowing multiple ports. It concludes by enabling UFW logging and turning on the firewall.

Uploaded by

Twom Ali
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 18

6/9/22, 10:07 AM How to Use UFW Firewall on Debian, Ubuntu, Linux Mint

How to Use UFW Firewall


on Debian, Ubuntu, Linux
Mint
 Last Updated: May 22nd, 2022
 Xiao Guoan (Admin)
 8
Comments  Security

This tutorial is going to show you how to use UFW


(Uncomplicated FireWall) on Debian/Ubuntu/Linux Mint
with some real-world examples. Managing firewall is a basic
skill that every system admin needs to know. This article
intends to get the reader started with UFW, but does not
explore the ins and outs of UFW.

UFW is a front-end for iptables, to make managing a


Netfilter firewall easier, hence the name “Uncomplicated
Firewall”. It provides a command line interface with syntax
similar to OpenBSD’s Packet Filter. It is particularly well-
suited as a host-based firewall. UFW is the recommended
iptables front-end on Debian based Linux Distros and is
usually pre-installed on these distros. By default, UFW set
firewall rules for both IPv4 and IPv6 address. Another well-
known iptables front-end is firewalld, which is the default
firewall application on RPM based Linux distros (RHEL,
CentOS, Fedora, OpenSUSE, etc).


https://www.linuxbabe.com/security/ufw-firewall-debian-ubuntu-linux-mint-server 1/18
6/9/22, 10:07 AM How to Use UFW Firewall on Debian, Ubuntu, Linux Mint

Disabling Other Iptables Restore


Services

As you probably know, iptables firewall rules will be flushed


when the OS shuts down and the iptables program itself
does not restore the firewall rules. UFW by default restores
firewall rules after system reboot. Before using UFW, it’s
important that you check whether there’s another iptables
restore service on your system. If there are two restore
services, they will conflict with each other, which often
results in web applications not available after system reboot.

If you were using iptables firewall directly and now you


want to switch to UFW, you just need to disable your
iptables restore service. Iptables-persistent is a well-known
iptables restore service on Debian/Ubuntu. You can check
whether it’s running with the following command.

systemctl status iptables-persistent

If it’s running, you can stop and disable it.

sudo systemctl stop iptables-persiste


nt

sudo systemctl disable iptables-persi


stent

Or you can remove it from your system.

sudo apt remove iptables-persistent

If you have set up your mail server using iRedMail, be sure


to run the following command to check whether the
iptables service is running.


systemctl status iptables
https://www.linuxbabe.com/security/ufw-firewall-debian-ubuntu-linux-mint-server 2/18
6/9/22, 10:07 AM How to Use UFW Firewall on Debian, Ubuntu, Linux Mint

This iptables service is shipped with iRedMail to restore


iptables firewall rules. If it’s running, you can stop and
disable it.

sudo systemctl stop iptables

sudo systemctl disable iptables

Now let’s learn how to use UFW.

Getting Started with UFW on


Debian/Ubuntu/Linux Mint Server

UFW is usually pre-installed on Debian/Ubuntu/Linux Mint,


although you can always run the following command to
install it.

sudo apt install ufw

Note: You can install UFW on Arch Linux with sudo


pacman -S ufw , but you also need to enable the
UFW systemd service with sudo systemctl
enable ufw .

On installation, ufw is disabled. You can check UFW status


with:

sudo ufw status

UFW comes with a default incoming policy of deny , a


default forward policy of deny , and a default outgoing
policy of allow , with stateful tracking for new connections
for incoming and forwarded connections. Before enabling 
https://www.linuxbabe.com/security/ufw-firewall-debian-ubuntu-linux-mint-server 3/18
6/9/22, 10:07 AM How to Use UFW Firewall on Debian, Ubuntu, Linux Mint

UFW, you need to know what ports are opened on the public
IP address of your server, which can be obtained with the
help of nmap (Network Mapper).

Install nmap on your Debian/Ubuntu/Linux Mint server and


scan opened ports on the public IP address.

sudo apt install nmap

sudo nmap 12.34.56.78

Replace 12.34.56.78 with the actual public IP address of


your server. As you can see from the screenshot below, there
are several opened ports on my server.

There are also opened ports that listen on localhost only,


which can be obtained by running sudo nmap
localhost , but we don’t need to worry about them.

Nmap by default only scans TCP ports. We can use the


following command to scan UDP ports.

sudo nmap -sU 12.34.56.78

However, UDP scan is terribly slow. If you can’t wait that


long, you can use netstat to list UDP ports.

sudo netstat -lnpu

After obtaining the opened TCP and UDP ports on your


server, you need to decide which ports should be allowed to

accept inbound connections. If there’s an openSSH server

https://www.linuxbabe.com/security/ufw-firewall-debian-ubuntu-linux-mint-server 4/18
6/9/22, 10:07 AM How to Use UFW Firewall on Debian, Ubuntu, Linux Mint

running, then you should always allow TCP port 22 before


activating UFW. This is achieved via the following
command.

sudo ufw allow 22/tcp

or

sudo ufw allow ssh

You probably want to allow HTTP and HTTPS traffic, so run


the following command to allow inbound connection on TCP
port 80 and 443.

sudo ufw allow 80/tcp

sudo ufw allow 443/tcp

If you run an email server, you need to allow TCP port 25


(SMTP), 587(submission), 143(imap) and 993 (imaps).

sudo ufw allow 25/tcp

sudo ufw allow 587/tcp

sudo ufw allow 143/tcp

sudo ufw allow 993/tcp

If you want your user to be able to use POP3 protocol, you


need to allow TCP port 110 (POP3) and 995 (POP3S).

sudo ufw allow 110/tcp

sudo ufw allow 995/tcp


https://www.linuxbabe.com/security/ufw-firewall-debian-ubuntu-linux-mint-server 5/18
6/9/22, 10:07 AM How to Use UFW Firewall on Debian, Ubuntu, Linux Mint

If you run a BIND DNS server, then you need to open TCP
and UDP port 53.

sudo ufw allow 53

The above command will allow both the TCP and UDP port.
If you want to allow the UDP port only, then

sudo ufw allow 53/udp

Opening Multiple Ports at Once

You can allow multiple ports like below.

sudo ufw allow 80,443,25,587,465,143,


993/tcp

Enabling UFW

After you have set allowed ports in UFW, you need to enable
UFW. But before doing that, it’s recommended to enable
logging with the following command so that you can better
understand if your firewall is working correctly.

sudo ufw logging on

The default log level is ‘low’. The log file is


/var/log/ufw.log . I usually use the “medium” log level.

sudo ufw logging medium

Now enable UFW.

sudo ufw enable


https://www.linuxbabe.com/security/ufw-firewall-debian-ubuntu-linux-mint-server 6/18
6/9/22, 10:07 AM How to Use UFW Firewall on Debian, Ubuntu, Linux Mint

Note: If you have previously used iptables firewall


directly, those iptables firewall rules will be undone
once UFW is enabled.

Check status

sudo ufw status

To show more information, run

sudo ufw status verbose

Now you can re-scan your server to find out which ports are
still opened.

sudo nmap 12.34.56.78

Also, enable the UFW systemd service, so it will


automatically start at system boot time.

sudo systemctl enable ufw

How to Delete A Firewall Rule

First, you need to get the reference number of the firewall


rule you want to delete with the following command.

https://www.linuxbabe.com/security/ufw-firewall-debian-ubuntu-linux-mint-server 7/18
6/9/22, 10:07 AM How to Use UFW Firewall on Debian, Ubuntu, Linux Mint

sudo ufw status numbered

Then you can delete a rule, for example, the 8th rule.

sudo ufw delete 8

Note that the reference number will change after you delete a
rule, so you need to run sudo ufw status numbered
again to delete another rule.

Reset UFW

If you made a mistake, you can disable and reset firewall to


installation defaults.

sudo ufw reset

This is particularly useful for beginners.

UFW Application Profile

Many server programs ship with UFW profiles. You can list
all application profiles with:

sudo ufw app list


https://www.linuxbabe.com/security/ufw-firewall-debian-ubuntu-linux-mint-server 8/18
6/9/22, 10:07 AM How to Use UFW Firewall on Debian, Ubuntu, Linux Mint

We can show information on a specific application profile,


for example, the “Apache Full” profile.

sudo ufw app info "Apache Full"

We can see that the port used by this profile are TCP port 80
and 443. If we enable this application profile with the
following command, TCP port 80 and 443 will be allowed.

sudo ufw allow "Apache Full"

Creating IP Address Blacklist with


UFW

Let’s say there’s a spammer who is constantly trying to send


spam to your mail server. You can use UFW to block the
spammer’s IP address from accessing TCP port 25 of your
mail server, with the following command. Replace
12.34.56.78 with the spammer’s IP address.

sudo ufw insert 1 deny in from 12.34.


56.78 to any port 25 proto tcp

Note that newly added firewall rules are put in the bottom by

default. If you previously allowed access to port 25 from

https://www.linuxbabe.com/security/ufw-firewall-debian-ubuntu-linux-mint-server 9/18
6/9/22, 10:07 AM How to Use UFW Firewall on Debian, Ubuntu, Linux Mint

anywhere, then you need to insert the deny rule as the first
rule, just like above, so the deny rule will be applied first.
You can always insert new deny rule as the first rule.

sudo ufw insert 1 deny in from 78.56.


34.12 to any port 25 proto tcp

You can also block an IP address range like below.

sudo ufw insert 1 deny in from 192.16


8.0.0/24 to any port 25 proto tcp

To block an IP address from accessing all ports on your


server, run

sudo ufw insert 1 deny in from 12.34.


56.78

Creating IP Address Whitelist with


UFW

Now let’s say you run a OpenSSH server and you only want
to allow certain IP address to log in to your server through
SSH. You can use UFW to create an IP address whitelist. For
example, I don’t have static IP address in my home, but I
have set up several VPN servers on the cloud, so now I can
configure UFW to allow inbound connection to port 22 from
the IP address of my VPN server only.

First, add the IP address to the allow list.

sudo ufw insert 1 allow in from 12.3


4.56.78 to any port 22 proto tcp

Then you need to get the reference number of the allow SSH
from anywhere rule and delete that rule. 
https://www.linuxbabe.com/security/ufw-firewall-debian-ubuntu-linux-mint-server 10/18
6/9/22, 10:07 AM How to Use UFW Firewall on Debian, Ubuntu, Linux Mint

sudo ufw status numbered

sudo ufw delete reference-number

Note that you need to delete both the IPv4 and IPv6 rule.
Also notice that if you delete the upper rule first, the
reference number of the lower rule will change.

From here on out, only your IP address can access TCP port
22.

How to Use IPv6 Address in UFW

First, make sure the IPV6=yes is set in


/etc/default/ufw file. If it’s not set, then add it in that
file and restart UFW (sudo systemctl restart ufw).

Then you can just replace IPv4 with IPv6 address in ufw
commands like below.

sudo ufw allow in from 2607:f8b0:400


5:804::200e to any port 587

Note that you can’t insert an IPv6 rule between IPv4 rules.

IPv6 rules should always be placed after IPv4 rules.
https://www.linuxbabe.com/security/ufw-firewall-debian-ubuntu-linux-mint-server 11/18
6/9/22, 10:07 AM How to Use UFW Firewall on Debian, Ubuntu, Linux Mint

How to Set Up IP Masquerading with


UFW

Sometimes you want to set up your own VPN server, then


you will need to set up IP masquerading on your VPN server
so that it becomes a virtual router for VPN clients.
Unfortunately, UFW doesn’t provide a convenient way to do
this. We have to add iptables command in a UFW
configuration file.

sudo nano /etc/ufw/before.rules

By default, there are some rules for the filter table. Add
the following lines at the end of this file.

# NAT table rules

*nat

:POSTROUTING ACCEPT [0:0]

# Forward traffic through eth0 - Chan


ge eth0 to match your network interfa
ce

-A POSTROUTING -o eth0 -j MASQUERADE

# End each table with the 'COMMIT' li


ne or these rules won't be processed

COMMIT

Notice that if your main network interface isn’t eth0 , you


need to change eth0 to your network interface name, which
can be obtained with the ip addr command. And because

https://www.linuxbabe.com/security/ufw-firewall-debian-ubuntu-linux-mint-server 12/18
6/9/22, 10:07 AM How to Use UFW Firewall on Debian, Ubuntu, Linux Mint

we are adding firewall rules to a new table, namely the nat


table, we need to add the ‘COMMIT’ line.

By default, UFW forbids packet forwarding, which is great


because it prevents random people on the Internet to use your
box to do malicious stuff. But we need to allow forwarding
for our private network. Find the ufw-before-forward
chain in this file and add the following 3 lines, which will
accept packet forwarding if the source IP or destination IP is
in the 10.10.10.0/24 range.

# allow forwarding for trusted networ


k

-A ufw-before-forward -s 10.10.10.0/2
4 -j ACCEPT

-A ufw-before-forward -d 10.10.10.0/2
4 -j ACCEPT

Save and close the file. Then restart UFW.

sudo ufw disable

sudo ufw enable

or simply

sudo systemctl restart ufw

Although this is not related to UFW configuration, but in


order to route packets, you also need to set up IP forwarding.
This can be done by setting the following at the end of
/etc/sysctl.conf file.

https://www.linuxbabe.com/security/ufw-firewall-debian-ubuntu-linux-mint-server 13/18
6/9/22, 10:07 AM How to Use UFW Firewall on Debian, Ubuntu, Linux Mint

net.ipv4.ip_forward = 1

Then apply the changes with the following command.

sudo sysctl -p

How to Set Up Port Forwarding in


UFW

What if you use UFW on your router, and you want to route
packets such as HTTP requests to internal LAN hosts? In this
case, you need to set up port forwarding. Edit the
/etc/ufw/before.rules file.

sudo nano /etc/ufw/before.rules

Then add the following lines in the NAT table, above the
COMMIT line. Replace 12.34.56.78 with your router’s
public IP address.

:PREROUTING ACCEPT [0:0]

# forward 12.34.56.78 port 80 to 19


2.168.1.100:80

# forward 12.34.56.78 port 443 to 19


2.168.1.100:443

-A PREROUTING -i eth0 -d 12.34.56.78


-p tcp --dport 80 -j DNAT --to-destin
ation 192.168.1.100:80

-A PREROUTING -i eth0 -d 12.34.56.78


-p tcp --dport 443 -j DNAT --to-desti
nation 192.168.1.100:443

This tells UFW to use the DNAT target to forward HTTP


and HTTPS requests to the 192.168.100 host in the local
network. 
https://www.linuxbabe.com/security/ufw-firewall-debian-ubuntu-linux-mint-server 14/18
6/9/22, 10:07 AM How to Use UFW Firewall on Debian, Ubuntu, Linux Mint

Hint: DNAT (Destination NAT) changes the


destination IP address. A typical example is port
forwarding. SNAT (Source NAT) changes the source IP
address. A typical example is when a host behind a
Wifi router wants to browse the Internet.

Flush the NAT table rules.

sudo iptables -F -t nat

Restart UFW to process all of the NAT rules.

sudo systemctl restart ufw

You also need to enable IP forwarding in


/etc/sysctl.conf file as mentioned above.

If the 192.168.1.100 host is also running UFW, then you


need to allow port 80 and 443 in UFW.

sudo ufw allow 80/tcp

sudo ufw allow 443/tcp

Note that the 192.168.1.100 LAN host must use the UFW
router as the gateway. If it’s using another IP address as the
gateway, port forwarding won’t work.

How to Block BitTorrent Traffic on


Cloud Servers

If you run a server on the cloud, you probably want to block



BitTorrent traffic on the server, because if you or someone
https://www.linuxbabe.com/security/ufw-firewall-debian-ubuntu-linux-mint-server 15/18
6/9/22, 10:07 AM How to Use UFW Firewall on Debian, Ubuntu, Linux Mint

else accidentally download illegal content (Movies, TV


Shows) via BitTorrent and you are caught, your hosting
provider will likely suspend your account.

Modern BitTorrent clients encrypt traffic between peers, so


it’s not easy to differentiate BitTorrent traffic from other
types of traffic. While there is no perfect way to block
BitTorrent traffic, here is a simple solution.

Block outgoing traffic by default.

sudo ufw default deny outgoing

Then allow specific outgoing ports. For example, you need


to allow the DNS port.

sudo ufw allow out 53

And you need to allow port 80 and 443 to update your


software packages from the repository.

sudo ufw allow out 80/tcp

sudo ufw allow out 443/tcp

If this is your mail server, you need to allow port 25.

sudo ufw allow out 25/tcp

Restart UFW for the changes to take effect.

sudo systemctl restart ufw

Although this is not a perfect solution, because some users


might configure their BitTorrent clients to use port 80 or 443,
in reality, this situation is quite rare. Most users just use the
default settings and my BitTorrent client on the server 
https://www.linuxbabe.com/security/ufw-firewall-debian-ubuntu-linux-mint-server 16/18
6/9/22, 10:07 AM How to Use UFW Firewall on Debian, Ubuntu, Linux Mint

immediately stopped all downloading and uploading when I


enforce the above rules in the firewall. If it doesn’t stop,
restart your BitTorrent client or your server.

Blocking Outgoing Connections to a


Specific IP Address

First, you need to allow outgoing traffic.

sudo ufw default allow outgoing

Then block a specific IP address with:

sudo ufw insert 1 deny out to 12.34.5


6.78

Restart UFW.

sudo systemctl restart ufw

UFW and fail2ban

Fail2ban is a program that uses iptables firewall to prevent


servers from brute-force attacks. UFW and Fail2ban won’t
interfere with each other.

Gufw

Gufw is a graphical user interface for ufw.

How to Install and Use Gufw Firewall on Ubuntu


Desktop

Wrapping Up

That’s it! I hope this article helped you use UFW on Debian,

Ubuntu and Linux Mint. As always, if you found this post
https://www.linuxbabe.com/security/ufw-firewall-debian-ubuntu-linux-mint-server 17/18
6/9/22, 10:07 AM How to Use UFW Firewall on Debian, Ubuntu, Linux Mint

useful, then subscribe to our free newsletter to get more tips


and tricks. Take care 🙂

Rate this tutorial

[Total: 9 Average: 5]

You may also like:

How to Set Up Use Set Up


Secur… Unbo… Port… SMTP…

Use How to How to Set Up


Dupli… Set U… Instal… Open…

Debian Debian Server Firewall iptables


Linux Linux Mint Linux Mint Server Ubuntu


Ubuntu Server ufw



https://www.linuxbabe.com/security/ufw-firewall-debian-ubuntu-linux-mint-server 18/18

You might also like