Firewall configuration on your server

Requirements:

Historically, the default firewall on a Linux server has been Netfilter, configured through its frontend iptables.

Today, however, other tools exist that build on iptables but are easier to configure. This allows a quick and easy setup on your server.

There are several types of firewalls, such as application firewalls, which check whether a packet conforms to what is expected on its destination port and whether it is allowed at all.

In our case, we will only set up a very basic firewall (although the software we use here can do much more than that!).

UFW

UFW, or Uncomplicated FireWall, is a frontend for iptables that simplifies the configuration of your firewall.
It has in particular the advantage of creating rules for IPv4 and IPv6 at the same time, which simplifies their creation.
It is the software we use in this tutorial.

Let us begin by installing it:

sudo apt-get install ufw

Security Policies

The security policy to apply depends on your needs and on the applications you use.
The most secure option is to block all traffic, inbound and outbound, and allow ports on a case-by-case basis.

In our case, we will use a policy that blocks inbound packets and allows outbound packets by default.

All that remains is to allow inbound packets case by case.

We will start by defining our policy:

sudo ufw default deny

By default we refuse everything.

sudo ufw default allow outgoing

Then we allow the outgoing traffic.

Establishing rules

To define your rules, you need to know what your server does, i.e. which services will be running and their associated ports.

In our example, we have an SSH server, HTTP(S) and a DNS server.

Every well-known protocol uses an associated port from the well-known port range. You can check the port in this list of known ports: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

In our example we use:

  • Port 22 / TCP for SSH
  • Port 80 / TCP for HTTP
  • Port 443 / TCP for HTTPS
  • Port 53 / TCP & UDP for DNS

You need to run the following commands to allow them:

  • Authorization of SSH : sudo ufw allow 22/tcp
  • Authorization of HTTP : sudo ufw allow 80/tcp
  • Authorization of HTTPS : sudo ufw allow 443/tcp
  • Authorization of DNS : sudo ufw allow 53 # Here we don't specify a protocol because we want to allow both TCP and UDP

Now, as our rules are defined, we have to activate them:

sudo ufw enable

To view the result of our configuration, we now run:

sudo ufw status numbered

We can see all configured rules:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 53                         ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
[ 8] 53 (v6)                    ALLOW IN    Anywhere (v6)

Now you have a very basic, but working firewall on your server!
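As an added example (not code from the tutorial or the UFW project), the steps above collected into one POSIX shell script: it applies the tutorial's policy and rules from a single allow-list, and it audits the output of ufw status numbered against that list so that an extra or missing rule is caught. The ALLOWED list and the function names are assumptions that mirror the tutorial's services; ufw --force enable is the real flag that skips the interactive confirmation.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: apply the rule set from
# one allow-list, then audit 'ufw status numbered' output against that list.
# Assumption: ALLOWED mirrors the tutorial's SSH, HTTP(S) and DNS ports.
ALLOWED="22/tcp 80/tcp 443/tcp 53"
# Same policy as the tutorial. 'default deny' without a direction only
# applies to incoming traffic, so the direction is spelled out here.
apply_rules() {
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    for rule in $ALLOWED; do sudo ufw allow "$rule"; done
    sudo ufw --force enable   # --force skips the interactive "Proceed?" prompt
}
# Reduce 'ufw status numbered' (read from stdin) to "<port> <action>" lines.
# IPv4 and IPv6 entries ("22/tcp (v6)") are folded onto the same port.
parse_status() {
    awk '/^\[ *[0-9]+\]/ {
        sub(/^\[ *[0-9]+\] */, "")
        action = ($2 == "(v6)") ? $3 : $2
        print $1, action
    }'
}
# Exit 0 only if every ALLOWED port is allowed in and nothing else is;
# otherwise print each MISSING / UNEXPECTED finding and exit 1.
audit_rules() {
    rc=0
    rules=$(parse_status)
    for want in $ALLOWED; do
        echo "$rules" | grep -q "^$want ALLOW$" || { echo "MISSING: $want"; rc=1; }
    done
    for got in $(echo "$rules" | awk '$2 == "ALLOW" { print $1 }' | sort -u); do
        case " $ALLOWED " in
            *" $got "*) ;;
            *) echo "UNEXPECTED: $got"; rc=1 ;;
        esac
    done
    return $rc
}
# Constructed sample input: the status listing shown in the tutorial above.
SAMPLE_STATUS='[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 53                         ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
[ 8] 53 (v6)                    ALLOW IN    Anywhere (v6)'
```

After sourcing the file, audit the live ruleset with sudo ufw status numbered | audit_rules, or the offline sample with printf '%s\n' "$SAMPLE_STATUS" | audit_rules; a non-zero exit means the active rules have drifted from the allow-list.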

Adding more rules

Now that your firewall is running, you can easily add more rules to it:

sudo ufw allow 25/tcp

This will allow connections to port 25 (SMTP) of the server.

Deleting rules

Over time you may realize that some of the rules you defined previously no longer match your requirements.
Remember the list of rules we viewed earlier.

The number at the beginning of each row is the rule's number in UFW.

To delete a rule, find its number and type:

sudo ufw delete NUMBER

Make sure you are deleting the correct rule before deleting it.

Go further

UFW is very practical because it lets you set up a firewall easily and very quickly.

But it is not limited to blocking ports. You can, for example, configure rate limiting with it (limiting the number of connections per IP) and many other things.

Don't hesitate to read its man page:

man ufw

And the official website: https://wiki.ubuntu.com/UncomplicatedFirewall

However, be aware that it also has its limitations, and some advanced actions are currently only available with iptables.