How to set up UFW on an Ubuntu or Debian Cloud Server?
Overview
The best way to protect your server is to use a security solution that makes it hard for attackers to get in. A tool like Uncomplicated Firewall (UFW) lets you block unwanted traffic coming into your server. UFW is an application for managing your server's firewall rules, which helps with troubleshooting and maintaining the server's security. It also lets you create custom rules to control traffic on your server.
This tutorial demonstrates how to set up UFW on an Ubuntu 20.04 or Debian 11 Cloud Server.
Prerequisites
There are certain prerequisites that need to be met before you begin.
An Ubuntu 20.04 or Debian 11 server configured with a non-root user that has sudo privileges.
Stable internet connection.
Get Started
Step 1: Configure UFW with IPv6
Virtual Private Servers (VPS) are designed to provide a high level of performance and stability. To protect them, make sure your firewall handles both IPv4 and IPv6 connections. If your VPS uses IPv6, check that UFW is configured to support it by opening the firewall's configuration file with the following command.
sudo nano /etc/default/ufw
Make sure that the IPV6 value is set to yes (the line should read IPV6=yes), then save the file and exit.

Now, to restart the firewall, you need to disable it first:
sudo ufw disable

Turn the firewall back on:
sudo ufw enable

The UFW firewall is now set up and configured to support IPv4 as well as IPv6. The next step is to set up some default connection rules for your firewall.
Step 2: Define UFW default rules
Adding firewall rules for incoming and outgoing connections is a good practice to improve security and make your server more efficient. With the default UFW rules in place, no external host trying to reach your server will be able to connect to it, while any application on the server can still connect to the outside. In a nutshell, these rules deny incoming connections and allow outgoing connections.
To block all incoming connections, use the following command:
sudo ufw default deny incoming

To allow outgoing connections, use the following command:
sudo ufw default allow outgoing
Step 3: Open the Firewall to Connections
To communicate with your server, you need to change the firewall rules so that the connections you rely on are allowed. With the default rules above, an enabled firewall blocks all incoming connections. If you use SSH to connect to your server, that would lock you out of it. To avoid this, allow SSH connections to your server.
sudo ufw allow ssh

The ufw command comes with some predefined service names, such as ssh. Instead of the service name, you can also allow incoming connections by port and protocol, which for SSH is 22/tcp:
sudo ufw allow 22/tcp
If you try to add this rule after you've already allowed ssh, you'll get the following output since the rule already exists:

If your SSH server is configured to run on a custom port such as 2222, use the same syntax as above with that port to allow connections:
sudo ufw allow 2222/tcp

a. Ensure Web Server security
SSH is considered the primary solution for securing access to your web server. Another method that gives you remote access to a server is File Transfer Protocol (FTP).
For the web server itself, you need to allow connections on port 80. This is useful if you have a web server application such as Apache or Nginx running that listens for connection requests over HTTP.
sudo ufw allow 80/tcp
b. Set Up Port Ranges
With UFW, you can allow or deny communication for a single port or a range of ports. To allow access to a range of ports, specify the port at the low end of the range and the port at the high end, separated by a colon (:). A range rule must also name the protocol, so TCP and UDP each need their own rule.
The following commands authorize TCP and UDP access to ports 3000 to 4005.
sudo ufw allow 3000:4005/tcp
sudo ufw allow 3000:4005/udp
c. Set up IP Addresses
You can also allow connections from a specific IP address in your firewall settings, for instance 192.168.0.170 or 172.16.254.10. Make sure to substitute the IP address with the one you wish to allow.
sudo ufw allow from specific_server_ip_address
Step 4: Deny connections to specific ports
Denying access to a specific port can stop an external application from attacking it, or help you quickly restrict port usage. You can use the following command to restrict access to any port.
sudo ufw deny port_number/tcp
Step 5: Delete rules
If you wish to eliminate any rule, you can use the delete command and specify the rule after it.
sudo ufw delete allow port_number/tcp

If there are multiple rules, you can use the numbered list approach, which lets you inspect the rules that are currently defined along with their numbers.
sudo ufw status numbered

You can then specify the rule number to delete that specific rule.
sudo ufw delete number
The output displays the deletion of rule number 23.

Step 6: Enable UFW
Now that you have set up all the rules for your firewall, you can enable UFW so that the rules take effect.
sudo ufw enable

Verify your changes by checking the status, which displays all the defined rules.
sudo ufw status

Now, to disable the firewall, run this command.
sudo ufw disable

Step 7: Restoring default server rules
If you wish to reset the rules to their default setting, run the following command. Press y if prompted to proceed with the reset.
sudo ufw reset
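
A check for the end state that Steps 1 to 6 aim for, as an added example that is not part of the original tutorial: the function reads text in the format printed by `ufw status verbose` and flags an inactive firewall, a default incoming policy other than deny, and a missing IPv4 or IPv6 rule for the SSH port. The function names and both sample status texts are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit text in the format printed by `ufw status verbose`.
# On a server: sudo ufw status verbose | audit_ufw 22
# Prints one FAIL line per finding; returns 0 only when there are none.
audit_ufw() {
    port="${1:-22}"      # SSH port to look for (2222 in the custom-port case)
    status="$(cat)"      # the status text arrives on stdin
    findings=0
    has() { printf '%s\n' "$status" | grep -Eq "$1"; }
    fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

    has '^Status: active' || fail "firewall is not active"
    has '^Default: deny \(incoming\)' || fail "default incoming policy is not deny"
    # LIMIT IN is how a rate-limited rule is listed; it also admits SSH.
    has "^${port}(/tcp)? +(ALLOW|LIMIT) IN" \
        || fail "no IPv4 rule admits SSH on port ${port} (lockout risk)"
    has "^${port}(/tcp)? \(v6\) +(ALLOW|LIMIT) IN" \
        || fail "no IPv6 rule admits SSH on port ${port} (check IPV6=yes)"
    [ "$findings" -eq 0 ]
}

# Constructed sample: the state this tutorial aims for.
sample_good() {
cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF
}

# Constructed sample: the same rules added while IPv6 support was off.
sample_no_v6() { sample_good | grep -v '(v6)'; }

sample_good | audit_ufw 22 && echo "sample_good: pass"
sample_no_v6 | audit_ufw 22 || echo "sample_no_v6: see findings above"
```

Running the audit from a second SSH session before closing the first confirms that the SSH rule is present while you still have a way back in.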

Conclusion
In this tutorial, we've delved into the concept of Uncomplicated Firewall. You can use it to lock down or restrict access for any inbound connection to your cloud server. Regardless of its uses, the commands are fairly simple and easy to understand if you follow the above steps as stated.