UFW - Uncomplicated Firewall ---------------------------------- --------------------------------- When you turn UFW on, it uses a default set of rules (profile) that should be fine for the average home user. That's at least the goal of the Ubuntu developers. In short, all 'incoming' is being denied, with some exceptions to make things easier for home users. ** install ufw : # apt-get install ufw -y ** Enable and Disable To turn UFW on with the default set of rules: # sudo ufw enable To check the status of UFW: # sudo ufw status verbose Note that by default, deny is being applied to incoming. There are exceptions, which can be found in the output of this command: # sudo ufw show raw You can also read the rules files in /etc/ufw (the files whose names end with .rules). To disable ufw use: # sudo ufw disable Allow and Deny (specific rules): -------------------------------- # sudo ufw allow / allow incoming packet on port 22 sudo ufw allow 22 allow incoming tcp packets on port 53 sudo ufw allow 53/tcp allow incoming udp packets on port 53 sudo ufw allow 53/udp for testing you have to install telnet : # apt-get install telnet -y let your collage test your ssh port : # telnet pcX.sse.ws.afnog.org 22 **Deny: ----- # sudo ufw deny / deny tcp and udp packets on port 53 # sudo ufw deny 53 deny incoming tcp packets on port 53 # sudo ufw deny 53/tcp deny incoming udp packets on port 53 # sudo ufw deny 53/udp ** Delete Existing Rule: ----------------------- To delete a rule, simply prefix the original rule with delete. For example, if the original rule was: # ufw deny 80/tcp Use this to delete it: # sudo ufw delete deny 80/tcp Services: ---------- You can also allow or deny by service name since ufw reads from /etc/services To see get a list of services: # less /etc/services Allow by Service Name # sudo ufw allow allow ssh by name # sudo ufw allow ssh Deny/reject by Service Name # sudo ufw deny deny ssh by name # sudo ufw deny ssh let your partner test youe ssh connection: # telnet pcX.sse.ws.afnog.org 22 # sudo ufw reject ssh let your partner test youe ssh connection and see the diffrence between deny and reject: # telnet pcX.sse.ws.afnog.org 22 Status: ------- Checking the status of ufw will tell you if ufw is enabled or disabled and also list the current ufw rules that are applied to your iptables. To check the status of ufw: # sudo ufw status ** Logging To enable logging use: # sudo ufw logging on To disable logging use: # sudo ufw logging off you can find ufw log file at /var/log/ufw.log Advanced Syntax: ---------------- You can also use a fuller syntax, specifying the source and destination addresses, ports and protocols. Allow Access by Specific IP # sudo ufw allow from allow packets from 196.200.219.XX: # sudo ufw allow from 196.200.219.XX Allow by Subnet You may use a net mask : # sudo ufw allow from 196.200.219.0/24 Allow by specific port and IP address # sudo ufw allow from to port allow IP address 196.200.212.115 access to port 22 for all protocols sudo ufw allow from 196.200.212.115 to any port 22 Allow by specific port, IP address and protocol # sudo ufw allow from to port proto allow IP address 196.200.212.115 access to port 80 using TCP # sudo ufw allow from 196.200.212.115 to any port 80 proto tcp ------------------------------------------------------------------------ Deny by specific IP # sudo ufw deny from To block packets from 196.200.219.XX: # sudo ufw deny from 196.200.219.XX Deny by specific port and IP address # sudo ufw deny from to port deny ip address 196.200.219.XX access to port 22 for all protocols # sudo ufw deny from 196.200.219.XX to any port 22 Working with numbered rules: ----------------------------- You may use status numbered to show the order and id number of rules: # sudo ufw status numbered Editing numbered rules: ---------------------- ** Delete numbered rule You may then delete rules using the number. This will delete the first rule and rules will shift up to fill in the list. # sudo ufw status numbered # sudo ufw delete 1 ** Insert numbered rule: # sudo ufw insert 1 allow from # sudo ufw status numbered # sudo ufw insert 1 reject from 196.200.219.XX flush you rules table: ---------------------- # ufw reset # ufw disable && ufw enable don't forget to enable ssh port so next time you can login to your VM ^_^ # ufw allow ssh # ufw disable && ufw enable