Firewalling Ubuntu with UFW for IPv4 + IPv6

Under Ubuntu you can quickly build an iptables based firewall using the handy built in firewall configuration tool UFW.

Network architectures vary, but if you are deploying Internet-facing servers you should generally configure a host-based firewall. It protects listening services that do not need to be Internet accessible, and it makes life more difficult for an attacker who does gain a foothold, for example by making it harder to set up a backdoor listener.

When deploying an Ubuntu host based firewall you should also consider using the excellent open source HIDS software OSSEC.

The Ubuntu documentation portal has a good run down on implementing UFW.

Here is my shorter summary of UFW and Ubuntu firewalls.

Set the default rule; in case you are wondering, this should be default DENY.

sudo ufw default deny

Logging is generally another good idea, so let's enable it.

sudo ufw logging on

If you are connected over SSH then set your SSH allow rule now.

sudo ufw allow 22/tcp

HackerTarget.com runs SSH on port 2222 to avoid the bots that brute-force SSH. So the command is:

sudo ufw allow 2222/tcp

Now turn the firewall on (this applies the iptables commands).

sudo ufw enable

To turn the firewall off.

sudo ufw disable

Allow port 80 (for your web server to serve HTTP).

sudo ufw allow 80/tcp

Allow port 443 (as we have SSL enabled for our clients' security).

sudo ufw allow 443/tcp

Allow port 25 (for your email SMTP).

sudo ufw allow 25/tcp

You get the idea. It is also possible to add rules that allow or block traffic from specific IP addresses; after all, UFW is just a front end that generates iptables rules. See the Ubuntu docs for details on this.

sudo ufw status

This command shows that the firewall is running and configured; now you should do a port scan and test it for real.

Since we run VPS servers on Linode with dual-stack IPv4 and IPv6 addresses, our web server happily serves on both protocols. iptables and ip6tables are two separate commands for configuring IPv4 and IPv6 firewalls; the excellent thing about UFW is that the commands above enable the firewall on both IP stacks.
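The steps above, collected into one script, as an added example rather than anything from the original post. It applies the post's baseline (default deny, logging, SSH first, then the web and mail ports, then enable), validates each rule before touching ufw, and checks the IPV6 setting in /etc/default/ufw, which is what makes UFW apply the rules to ip6tables as well. The SSH port, service list, DRY_RUN switch and file path are assumptions for this script, not settings from the post; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed settings, adjust per host:
SSH_PORT="${SSH_PORT:-2222}"                      # the post uses 2222; 22 is the default
SERVICES="${SERVICES:-80/tcp 443/tcp 25/tcp}"     # web and mail ports from the post
DRY_RUN="${DRY_RUN:-0}"                           # 1 = echo commands, do not run them
UFW_DEFAULTS="${UFW_DEFAULTS:-/etc/default/ufw}"  # where UFW keeps IPV6=yes|no

# run_cmd: execute the command, or echo it in dry-run mode
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_rule: accept only "<port>/<tcp|udp>" with port 1-65535, so a typo is
# caught before the firewall is left half-configured
valid_rule() {
    case "$1" in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    port="${1%/*}"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# ufw_ipv6_enabled: true when the defaults file has IPV6=yes (the post's
# "both IP stacks" behaviour depends on this line)
ufw_ipv6_enabled() {
    grep -q '^IPV6=yes' "$1" 2>/dev/null
}

# apply_baseline: the post's sequence. SSH is allowed before "enable" so a
# remote session survives; --force skips ufw's interactive confirmation.
apply_baseline() {
    valid_rule "$SSH_PORT/tcp" || { echo "bad SSH port: $SSH_PORT" >&2; return 1; }
    for r in $SERVICES; do
        valid_rule "$r" || { echo "bad rule: $r" >&2; return 1; }
    done
    if ! ufw_ipv6_enabled "$UFW_DEFAULTS"; then
        echo "warning: IPV6=yes not set in $UFW_DEFAULTS; rules apply to IPv4 only" >&2
    fi
    run_cmd sudo ufw default deny incoming
    run_cmd sudo ufw logging on
    run_cmd sudo ufw allow "$SSH_PORT/tcp"
    for r in $SERVICES; do
        run_cmd sudo ufw allow "$r"
    done
    run_cmd sudo ufw --force enable
    run_cmd sudo ufw status verbose
}
```

Run it once with DRY_RUN=1 and read the printed commands before running it for real; the order (SSH allow before enable) is the part that keeps a remote session alive.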

Note that when configuring firewalls remotely (i.e. your remotely hosted web server) it is a good idea to take care and have an out-of-band access method as a backup in case you break your connection. Many a firewall administrator encounters a period of elevated heart rate while connected remotely to a device... You push the new firewall configuration and suddenly your RDP or SSH session pauses... of course you don't make mistakes and it was just a temporary hiccup, with the session now restored. Right?
