Complete Guide to Ubuntu Firewall: UFW and IPTables

A firewall is one of the essential tools for protecting servers and devices connected to a network. In Ubuntu, there are several options for managing packet filtering, with UFW (Uncomplicated Firewall) and IPTables being the most commonly used.

This guide explains how they work, how to configure them, and best practices for strengthening security on an Ubuntu-based system.


1. Netfilter and IPTables: The Core of Linux Firewall

The Linux kernel includes the Netfilter subsystem, which hooks into the network stack and accepts, modifies, or rejects packets according to rules loaded from user space.

To administer these rules, Linux uses IPTables, which defines policies for incoming (INPUT), outgoing (OUTPUT), and forwarded (FORWARD) packets. On current Ubuntu releases the iptables command is the nftables-backed variant (iptables-nft), but the rule syntax is unchanged. While powerful, IPTables can be complex to configure, so Ubuntu provides UFW, a simpler interface that generates the IPTables rules for you.


2. UFW: Uncomplicated Firewall, the Default Ubuntu Firewall

UFW is a front-end for IPTables designed to simplify firewall management. It offers an intuitive way to configure traffic filtering rules for both IPv4 and IPv6 (IPv6 rules are generated as long as IPV6=yes is set in /etc/default/ufw, which is the default), and keeps its generated rule sets under /etc/ufw/.

Enable and Disable UFW

By default, UFW is installed but disabled in Ubuntu. Enabling it applies the default policy (deny incoming, allow outgoing) immediately, so if you are working over SSH, allow your SSH port first (see below) or the current session will be the last one you get. To enable it:

sudo ufw enable

To disable it:

sudo ufw disable

Opening and Closing Ports with UFW

To allow connections on a specific port, for example, port 22 (SSH):

sudo ufw allow 22

To block it:

sudo ufw deny 22

You can also restrict a rule to one protocol. A bare port number matches both TCP and UDP; SSH only uses TCP, so the first rule below is the tighter one, and the UDP form is shown only for the syntax:

sudo ufw allow 22/tcp
sudo ufw allow 22/udp

Adding and Removing Rules

To add a rule in a specific position:

sudo ufw insert 1 allow 80

To delete a rule, repeat it after delete:

sudo ufw delete allow 80

The same works for deny and limit rules and for "from ... to ..." rules. Alternatively, list rules with their positions using "ufw status numbered" and delete by number; UFW asks for confirmation before removing the rule.

Allowing Access from Specific IPs

To allow SSH access only from a specific IP, like 192.168.0.2:

sudo ufw allow proto tcp from 192.168.0.2 to any port 22

To allow access from an entire subnet:

sudo ufw allow from 192.168.0.0/24 to any port 22

These rules only restrict access if no broader rule such as "allow 22" is also present: UFW evaluates rules in order, the first match wins, and unmatched incoming traffic falls through to the default policy (deny). If you added a blanket rule earlier, delete it, otherwise the source-specific rules change nothing.

Testing Rules with --dry-run

To preview rules before applying them, use:

sudo ufw --dry-run allow http

This will display the generated rules without applying them.

Checking Firewall Status

To check the current status of UFW:

sudo ufw status

For a more detailed view:

sudo ufw status verbose
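Putting the commands of this section together, here is an added example script (written for this guide, not part of UFW or Ubuntu's documentation) that brings UFW up on a remote host without losing the SSH session it is run from. It reads the client address from the SSH_CONNECTION variable that sshd sets, allows that address before anything else, rate-limits SSH from a management subnet with "ufw limit", opens the public ports, sets the defaults, and only then enables the firewall with --force (which skips the interactive confirmation). The management subnet 192.168.0.0/24, SSH port 22 and public ports 80/443 are assumed values and can be overridden through the environment.

```shell
#!/usr/bin/env bash
# Added example (not from the Ubuntu guide): enable UFW on a remote host without
# cutting off the SSH session you are running it from.
# Hypothetical assumptions: management subnet 192.168.0.0/24, SSH on 22/tcp,
# public services 80/tcp and 443/tcp. All can be overridden via the environment.
set -eu

MGMT_CIDR="${MGMT_CIDR:-192.168.0.0/24}"
SSH_PORT="${SSH_PORT:-22}"
PUBLIC_PORTS="${PUBLIC_PORTS:-80/tcp 443/tcp}"

# Client address of the current SSH session. sshd sets SSH_CONNECTION to
# "client_ip client_port server_ip server_port"; prints nothing when not over SSH.
ssh_client_ip() {
  printf '%s\n' "${SSH_CONNECTION:-}" | awk '{ print $1 }'
}

# Print the ufw arguments, one rule per line, in the order they must be applied.
# Nothing is changed here, so the plan can be reviewed (or diffed) first.
build_rules() {
  client="$(ssh_client_ip)"
  # 1. Pin the live session's source address, so a typo in MGMT_CIDR cannot lock us out.
  if [ -n "$client" ]; then
    echo "allow from $client to any port $SSH_PORT proto tcp"
  fi
  # 2. SSH from the management subnet; "limit" drops a source that opens
  #    6 or more connections within 30 seconds (UFW's built-in brute-force brake).
  echo "limit from $MGMT_CIDR to any port $SSH_PORT proto tcp"
  # 3. Public services.
  for p in $PUBLIC_PORTS; do
    echo "allow $p"
  done
  # 4. Defaults go last: on an already-enabled firewall they take effect at once,
  #    and by now the SSH allow rules are in place.
  echo "default deny incoming"
  echo "default allow outgoing"
}

# Apply the plan and enable. --force skips the "may disrupt existing ssh
# connections" prompt, which is safe only because the SSH rules precede enable.
apply_rules() {
  build_rules | while IFS= read -r rule; do
    # shellcheck disable=SC2086  # intentional word splitting of our own rule text
    ufw $rule
  done
  ufw --force enable
  ufw status verbose
}

# Usage: sudo ./ufw-bootstrap.sh apply   (without "apply" it only prints the plan)
if [ "${1:-}" = "apply" ]; then
  apply_rules
else
  build_rules
fi
```

Run it once without "apply" to read the plan, then with "apply" as root. If the management subnet is wrong, the pinned rule for your own client address still keeps the session alive, and you can fix the subnet rule with "ufw delete" afterwards.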

3. Application Profiles in UFW

Some applications install profiles in /etc/ufw/applications.d/, specifying the ports and protocols they use.

To list applications with a UFW profile:

sudo ufw app list

To allow traffic for a specific application:

sudo ufw allow "Apache Full"

To allow an application profile only from a specific subnet:

sudo ufw allow from 192.168.0.0/24 to any app Samba

To view details about a specific application:

sudo ufw app info "Apache Full"
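Profiles are plain INI files, so you can ship one for your own service. The added example below (written for this guide; the MyAPI service, its ports and the file name are hypothetical) writes a two-section profile to a file and lints the ports= lines against the grammar UFW accepts: entries separated by "|", each a single port, a lo:hi range or a comma-separated list, optionally suffixed with /tcp or /udp, where ranges and lists must name a protocol, as UFW itself insists.

```shell
#!/usr/bin/env bash
# Added example, not from the Ubuntu guide: ship and lint a UFW application
# profile for an in-house service. Service name, ports and path are hypothetical.
set -eu

# Writes the profile. Install it as /etc/ufw/applications.d/myapi (any name works;
# UFW reads every file in that directory).
write_profile() {
  file="$1"
  cat > "$file" <<'EOF'
[MyAPI]
title=My API
description=Internal REST API (HTTPS) plus its metrics endpoint
ports=8443/tcp|9100/tcp

[MyAPI Cluster]
title=My API cluster traffic
description=Gossip and replication between nodes; allow from peers only
ports=7000:7001/tcp|7000/udp
EOF
}

# valid_ports SPEC: returns 0 if SPEC matches UFW's ports= grammar, 1 otherwise.
#   item := port[/proto] | lo:hi/proto | p1,p2[,...]/proto      items joined by "|"
valid_ports() {
  spec="$1"
  [ -n "$spec" ] || return 1
  printf '%s\n' "$spec" | tr '|' '\n' | while IFS= read -r item; do
    printf '%s\n' "$item" \
      | grep -Eq '^([0-9]+(/(tcp|udp))?|([0-9]+:[0-9]+|[0-9]+(,[0-9]+)+)/(tcp|udp))$' \
      || exit 1    # exits the pipeline subshell, making the function return 1
  done
}

# lint_profile FILE: checks every ports= line; reports offenders, returns 1 if any.
lint_profile() {
  file="$1"
  bad=0
  while IFS= read -r line; do
    case "$line" in
      ports=*)
        if ! valid_ports "${line#ports=}"; then
          echo "bad ports line in $file: $line" >&2
          bad=1
        fi ;;
    esac
  done < "$file"
  return "$bad"
}

# Typical use as root:
#   write_profile /etc/ufw/applications.d/myapi
#   lint_profile  /etc/ufw/applications.d/myapi
#   ufw app info MyAPI            # UFW parses the file; shows the ports it understood
#   ufw allow MyAPI
#   ufw allow from 192.168.0.0/24 to any app "MyAPI Cluster"
#   ufw app update MyAPI          # after editing the profile, refresh existing rules
```

Linting before installing matters because UFW only reports a malformed profile when a command touches it, and a profile that fails to parse silently disappears from "ufw app list".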

4. IP Masquerading: Sharing Internet Connection

IP Masquerading (source NAT) lets devices on a private network reach the Internet through a single public IP: the gateway rewrites the source address of outgoing packets to its own and translates the replies back.

To enable it in Ubuntu using UFW:

  1. Allow forwarded traffic by default. In /etc/default/ufw set:
DEFAULT_FORWARD_POLICY="ACCEPT"
  2. Turn on kernel packet forwarding. Edit /etc/ufw/sysctl.conf and uncomment:
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
  3. Add the NAT rules to /etc/ufw/before.rules. The stock file only defines the *filter table, so the *nat block below goes near the top of the file, after the header comments and before the *filter line, and needs its own COMMIT:
# NAT Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Masquerade LAN traffic leaving through eth0 (adjust the subnet and interface)
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

# Do not delete the COMMIT line
COMMIT
  4. Restart UFW so the sysctl settings and the new rules are loaded:
sudo ufw disable && sudo ufw enable

With DEFAULT_FORWARD_POLICY="ACCEPT" the machine forwards any traffic between its interfaces, not just LAN-to-Internet; on a host that is not meant to be a router, leave it at DROP.
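Step 3 is the one people get wrong when they automate it: appending the block to the end of the file puts the *nat table after the *filter table's COMMIT (which works) but a second run appends it again (which does not). The added example below (written for this guide, not part of UFW) inserts the block idempotently, right before the first *filter line, and checks the result; the LAN 192.168.0.0/24 and the upstream interface eth0 are the assumed values from the steps above and are passed as arguments.

```shell
#!/usr/bin/env bash
# Added example, not part of the Ubuntu guide: insert the masquerading *nat
# block into /etc/ufw/before.rules idempotently, ahead of the *filter section,
# so re-running a provisioning script never duplicates the rule.
# Assumptions (hypothetical): LAN 192.168.0.0/24 behind upstream interface eth0.
set -eu

# The NAT block in the iptables-restore syntax that before.rules uses.
nat_block() {
  lan="$1"; wan_if="$2"
  cat <<EOF
# ufw-nat-masquerade: managed block, do not edit by hand
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan -o $wan_if -j MASQUERADE
COMMIT
# end ufw-nat-masquerade
EOF
}

# add_nat_block FILE LAN_CIDR WAN_IF
# Inserts the block once, immediately before the first "*filter" line.
# Returns 0 whether or not a change was needed, 2 if FILE has no *filter table.
add_nat_block() {
  file="$1"; lan="$2"; wan_if="$3"
  if grep -q '^# ufw-nat-masquerade:' "$file"; then
    return 0                          # already managed; nothing to do
  fi
  grep -q '^\*filter' "$file" || return 2
  tmp="$(mktemp)"
  nat_block "$lan" "$wan_if" > "$tmp.block"
  # awk: emit the block the first time *filter is seen, then copy the file unchanged.
  awk -v blk="$tmp.block" '
    /^\*filter/ && !done { while ((getline l < blk) > 0) print l; print ""; done = 1 }
    { print }
  ' "$file" > "$tmp"
  rm -f "$tmp.block"
  cat "$tmp" > "$file"                # cat, not mv: keeps the original owner and mode
  rm -f "$tmp"
}

# check_nat_block FILE: the nat table must precede the filter table and the
# MASQUERADE rule must appear exactly once.
check_nat_block() {
  file="$1"
  nat_line="$(grep -n '^\*nat' "$file" | head -n 1 | cut -d: -f1)"
  filter_line="$(grep -n '^\*filter' "$file" | head -n 1 | cut -d: -f1)"
  [ -n "$nat_line" ] && [ -n "$filter_line" ] && [ "$nat_line" -lt "$filter_line" ] \
    && [ "$(grep -c -- '-j MASQUERADE' "$file")" -eq 1 ]
}

# Typical use, as root:
#   add_nat_block /etc/ufw/before.rules 192.168.0.0/24 eth0 \
#     && check_nat_block /etc/ufw/before.rules \
#     && ufw disable && ufw enable
```

The marker comment is what makes the second run a no-op; if you later change the subnet, remove the managed block (marker to marker) and run it again rather than editing the rule by hand.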

5. Advanced Configuration with IPTables

If you prefer to use IPTables directly instead of UFW, first make sure the kernel forwards packets (net.ipv4.ip_forward=1 in /etc/sysctl.conf or a file under /etc/sysctl.d/), then enable IP Masquerading with:

sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE

To allow forwarded traffic (LAN hosts out through ppp0, and only replies to those flows back in):

sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT
sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT

These rules only restrict anything if the FORWARD chain's default policy is DROP; with the default ACCEPT policy everything is forwarded regardless. The -m state match is the legacy spelling of -m conntrack --ctstate and still works.

IPTables rules do not survive a reboot on their own. /etc/rc.local is absent by default on modern Ubuntu releases (systemd only runs it if you create it and make it executable), so the supported way to persist rules is the iptables-persistent package, which loads /etc/iptables/rules.v4 and rules.v6 at boot: run "sudo netfilter-persistent save" after changing rules, or write those files yourself in iptables-save format.
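As an added example for the persistent form (written for this guide; the LAN 192.168.0.0/16 on eth1 and upstream ppp0 are assumed, and the helper names are mine), the following generates a complete rules.v4 in iptables-restore format, with a default-DROP FORWARD chain, the conntrack spelling of the return-traffic rule and the MASQUERADE rule, parse-checks it with "iptables-restore --test", then loads it and persists the forwarding sysctl.

```shell
#!/usr/bin/env bash
# Added example, not from the Ubuntu guide: write the masquerading router rules
# as an iptables-restore file, which is what iptables-persistent loads at boot
# from /etc/iptables/rules.v4, instead of re-running commands from rc.local.
# Assumptions (hypothetical): LAN 192.168.0.0/16 on eth1, upstream link ppp0.
set -eu

# write_rules_v4 OUT_FILE LAN_CIDR LAN_IF WAN_IF
write_rules_v4() {
  out="$1"; lan="$2"; lan_if="$3"; wan_if="$4"
  cat > "$out" <<EOF
# Generated by write_rules_v4; load with: iptables-restore < $out
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Return traffic for flows the LAN initiated (conntrack is the modern -m state).
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New flows only from the LAN, only towards the upstream interface.
-A FORWARD -i $lan_if -o $wan_if -s $lan -m conntrack --ctstate NEW -j ACCEPT
# Everything else crossing the box is dropped by the FORWARD policy above.
COMMIT
EOF
}

# The ruleset is useless unless the kernel forwards; persist that separately.
forwarding_sysctl() {
  printf 'net.ipv4.ip_forward = 1\n'
}

# Load now and make it survive reboots. Needs root and the iptables-persistent
# package (apt install iptables-persistent), which restores /etc/iptables/rules.v4.
install_rules() {
  lan="$1"; lan_if="$2"; wan_if="$3"
  write_rules_v4 /etc/iptables/rules.v4 "$lan" "$lan_if" "$wan_if"
  iptables-restore --test < /etc/iptables/rules.v4   # parse-check before touching the kernel
  iptables-restore < /etc/iptables/rules.v4
  forwarding_sysctl > /etc/sysctl.d/99-forwarding.conf
  sysctl --system
}

# Usage (as root):  install_rules 192.168.0.0/16 eth1 ppp0
```

Because iptables-restore replaces the whole table atomically, there is never a window where the FORWARD policy is DROP but the ESTABLISHED rule is missing, which is the failure mode of appending rules one command at a time.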


6. Configuring Firewall Logs

Logs help detect unauthorized access attempts and troubleshoot connectivity issues.

To enable logging in UFW:

sudo ufw logging on

"on" is the same as the "low" level, which records blocked packets (and packets matching rules that have logging enabled) at a limited rate; "medium", "high" and "full" are progressively more verbose and are meant for troubleshooting, not for leaving on. To disable logging:

sudo ufw logging off

For IPTables, to log new HTTP connections:

sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG --log-prefix "HTTP_CONN: "

LOG is a non-terminating target: the packet continues down the chain after being logged, so the rule must sit before whatever ACCEPT or DROP decides its fate. On a busy web server this logs every new connection, so add a -m limit match or a narrower filter to avoid flooding the log.

Kernel LOG messages, including UFW's "[UFW BLOCK]" lines, are written by rsyslog to /var/log/syslog and /var/log/kern.log; UFW's are also copied to /var/log/ufw.log, and "journalctl -k" shows the same messages from the journal. Each line carries the interface (IN=/OUT=), SRC, DST, PROTO, SPT and DPT fields, which is what you filter on when looking for scans.
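Reading those lines by eye does not scale, so here is an added example (written for this guide, not part of UFW) that turns UFW or iptables LOG lines into a per-source count of blocked attempts and lists the sources that exceed a threshold on a given port, which are the candidates for an explicit deny rule or a Fail2Ban jail. The log lines in SAMPLE_LOG are constructed, with documentation-range addresses; the prefix is a parameter so the "HTTP_CONN:" rule above works as well as "[UFW BLOCK]".

```shell
#!/usr/bin/env bash
# Added example, not from the Ubuntu guide: summarise UFW/iptables LOG lines.
# The sample below is constructed (RFC 5737 addresses); feed real lines with
#   journalctl -k | summarize '[UFW BLOCK]'   or   summarize '[UFW BLOCK]' < /var/log/ufw.log
set -eu

SAMPLE_LOG='Mar  3 09:12:01 gw kernel: [ 4321.100] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 09:12:02 gw kernel: [ 4322.100] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 09:12:05 gw kernel: [ 4325.100] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 09:13:10 gw kernel: [ 4390.200] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Mar  3 09:14:00 gw kernel: [ 4440.300] HTTP_CONN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=2 DF PROTO=TCP SPT=50000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0'

# summarize PREFIX   (log lines on stdin)
# Prints "<count> <src> <proto>/<dport>" for lines carrying PREFIX, most frequent first.
summarize() {
  prefix="$1"
  awk -v pfx="$prefix" '
    index($0, pfx) == 0 { next }          # literal match, so "[UFW BLOCK]" needs no escaping
    {
      src = ""; proto = ""; dpt = ""
      for (i = 1; i <= NF; i++) {         # the kernel writes KEY=VALUE tokens
        if ($i ~ /^SRC=/)        src   = substr($i, 5)
        else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
      }
      if (src != "") n[src " " proto "/" dpt]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k1,1nr -k2
}

# offenders PREFIX PORT THRESHOLD   (log lines on stdin)
# Sources with at least THRESHOLD blocked attempts against PORT, one per line.
offenders() {
  prefix="$1"; port="$2"; threshold="$3"
  summarize "$prefix" | awk -v port="$port" -v th="$threshold" '
    $3 ~ ("/" port "$") && $1 >= th { print $2 }
  '
}

# Demo on the constructed sample: a 3-attempt SSH prober and one stray mDNS packet.
printf '%s\n' "$SAMPLE_LOG" | summarize '[UFW BLOCK]'
printf '%s\n' "$SAMPLE_LOG" | offenders '[UFW BLOCK]' 22 3
```

Pipe the offenders list into "ufw deny from <src>" only after checking it is not your own monitoring or a NAT address shared with legitimate users; with "ufw logging low" the kernel also rate-limits these messages, so counts are a lower bound.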


7. Additional Tools for Firewall Management

If IPTables and UFW are not sufficient, other tools can help manage firewalls:

  • Shorewall: a rule compiler for complex, multi-zone network configurations, built on top of IPTables.
  • Firewalld: a zone-based firewall manager (the default on Fedora and RHEL) that, like UFW, drives Netfilter through nftables or IPTables rather than replacing them.
  • Fail2Ban: watches service logs for repeated failures (for example SSH brute-forcing) and temporarily bans the offending IPs by inserting firewall rules; it complements a static rule set rather than replacing it.

8. Best Practices for Securing Your Firewall

  • Minimize exposed services: only allow the ports a service actually needs, and prefer the protocol-specific form (22/tcp rather than 22).
  • Prefer allow-lists: restrict administrative ports such as SSH to known source IPs or subnets, and use ufw limit on the ports that must stay reachable.
  • Enable logging to audit network activity, and review the logs for repeated blocked sources.
  • Test rules before applying them using --dry-run in UFW or temporary rules in IPTables, and confirm the result with ufw status verbose (or iptables -L -n -v) after applying.

By implementing these configurations and best practices, you can effectively secure your Ubuntu server against unauthorized access and maintain strong network security control.
