
Firewalling Ubuntu with UFW for IPv4 + IPv6

Under Ubuntu, you can quickly build an iptables-based firewall using the handy built-in firewall configuration tool UFW (Uncomplicated Firewall).

Network architectures will vary, but if you are deploying Internet-facing servers you should generally be configuring a host-based firewall. It can protect listening services that don't need to be Internet accessible. In addition, a firewall can make life more difficult for an attacker who does gain a foothold, for example by making it tougher to create a backdoor listener.

When deploying an Ubuntu host-based firewall, consider using the excellent open source HIDS (Host-based Intrusion Detection System) software OSSEC.

The Ubuntu documentation portal has a good rundown on implementing UFW.

A summary of UFW and Ubuntu Firewalls

Set the default rule. In case you are wondering, this should be default DENY.

sudo ufw default deny

Logging is generally another good idea, so let's enable it.

sudo ufw logging on

If you are connected over SSH then set your SSH allow rule now.

sudo ufw allow 22/tcp

HackerTarget.com runs SSH on 2222 to avoid SSH brute-forcing bots. The command is:

sudo ufw allow 2222/tcp

Turn the firewall on (this applies the iptables commands).

sudo ufw enable

Turn the firewall off.

sudo ufw disable

Allow port 80 (for your webserver to serve HTTP).

sudo ufw allow 80/tcp

Allow port 443 (as we have SSL enabled for our clients' security).

sudo ufw allow 443/tcp

Allow port 25 (for your email SMTP).

sudo ufw allow 25/tcp

You get the idea. It is also possible to enable rules that allow and block from specific IP addresses. After all, it is just a script for iptables. See the Ubuntu Docs for details on this.

This command shows the firewall running and configured. Now do a port scan and test it for real.

sudo ufw status

Since we run VPS servers on Linode and have configured dual stack IPv4 and IPv6 addresses, our web server is happily serving on both protocols. iptables and ip6tables are two separate commands for the configuration of IPv4 and IPv6 firewalls. The excellent thing about UFW is that the above commands enable the firewall on both IP stacks.
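The check below is an added example, not part of the original article: it reads `sudo ufw status` output, reports any ALLOW rule that exists on only one IP stack, and confirms the SSH port is allowed while the firewall is active. The sample status text is constructed and the function names are hypothetical; a one-stack result can happen when IPV6=yes is not set in /etc/default/ufw.

```shell
#!/bin/sh
# Added example: audit `ufw status` text for dual-stack coverage and SSH access.
# On a real host: sudo ufw status | single_stack_rules

# Constructed sample of `sudo ufw status` output; 25/tcp deliberately lacks a v6 rule.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
2222/tcp (v6)              ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)'

# Read status text on stdin; print each ALLOW rule found on only one IP stack.
single_stack_rules() {
    awk '
        $2 == "ALLOW"                 { v4[$1] = 1 }   # e.g. "80/tcp ALLOW Anywhere"
        $2 == "(v6)" && $3 == "ALLOW" { v6[$1] = 1 }   # e.g. "80/tcp (v6) ALLOW ..."
        END {
            for (p in v4) if (!(p in v6)) print p " ipv4-only"
            for (p in v6) if (!(p in v4)) print p " ipv6-only"
        }' | sort
}

# Read status text on stdin; succeed only if the firewall is active and an
# ALLOW rule exists for <port>/tcp on either stack. Guards against enabling
# a default-deny policy without the SSH rule in place.
ssh_is_allowed() {
    port="$1"
    awk -v want="$port/tcp" '
        /^Status: active/ { active = 1 }
        $1 == want && ($2 == "ALLOW" || $3 == "ALLOW") { ok = 1 }
        END { exit !(active && ok) }'
}

# Demo on the constructed sample: prints "25/tcp ipv4-only".
printf '%s\n' "$SAMPLE_STATUS" | single_stack_rules
```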

Note: When configuring firewalls remotely (i.e. on your remotely hosted webserver), it is a good idea to take care and have an out-of-band access method as a backup in case you break your connection. Many a firewall administrator encounters a period of elevated heartbeats while connected remotely to a device... You push the new firewall configuration and suddenly your RDP or SSH session pauses... Of course you don't make mistakes and it was just a temporary hiccup with the session now restored. Right?