How to set up a firewall with UFW on Debian 10/11

Introduction

UFW (Uncomplicated Firewall) is a front end for managing a netfilter firewall that is designed to be easy to use. It provides a command-line interface with a small set of simple commands and writes the resulting rules through iptables. Putting a host firewall in front of a server this way takes only a few minutes and is strongly recommended.

In this article, we will show you how to set up a firewall with UFW on Debian 10 and 11; the commands are the same on both releases.

Prerequisites

  • a server running Debian 10 or 11 (for example an active KVM VPS)
  • a non-root user with sudo privileges

1. Installing UFW

Debian does not install UFW by default. Run the following commands to install the ufw package:

sudo apt update
sudo apt install ufw

2. Enabling IPv6 support

This tutorial is written with IPv4 in mind, but the same rules also apply to IPv6 as long as IPv6 support is enabled. Make sure the directive IPV6=yes exists in the /etc/default/ufw file. If you change this setting while UFW is already active, reload UFW (ufw reload) for it to take effect.

cat /etc/default/ufw

It should look like this:

IPV6=yes

3. Checking UFW Status

The installation does not activate the firewall automatically, which avoids locking you out of the server before an SSH rule exists. You can check the status of UFW by typing:

sudo ufw status verbose

The output will look like this:

Status: inactive

Note: If you see an error along the lines of:

ERROR: problem running iptables: iptables v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument

the running kernel does not support the nf_tables backend that Debian's iptables uses by default (this happens on some container and VPS kernels). Switch iptables to the legacy backend and check the status again:

  • sudo apt install iptables
  • sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
  • sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

4. UFW Default Policies

By default, UFW denies all incoming connections and allows all outgoing connections. This means nobody from outside can reach services on your server, while applications on the server can still reach the outside world; replies to connections the server initiates are let back in because the firewall is stateful.

For reference, the default policies are stored in the /etc/default/ufw file (DEFAULT_INPUT_POLICY and DEFAULT_OUTPUT_POLICY). You can set them explicitly by typing the following commands:

sudo ufw default allow outgoing
sudo ufw default deny incoming

These commands set the defaults to allow outgoing and deny incoming connections. For a personal computer these defaults alone might suffice, but a server has to answer incoming requests from outside users, so the next steps open the ports it needs, starting with SSH so that you do not lock yourself out.

5. Allow SSH Connections

Before enabling UFW you must allow incoming SSH connections. Otherwise the default deny policy cuts off your own session and you will not be able to get back in.

To configure your VPS/server to allow incoming SSH connections, you can use this command:

sudo ufw allow ssh

This creates firewall rules (for IPv4 and IPv6) that allow connections on TCP port 22, the port the SSH daemon listens on by default. UFW knows what port allow ssh means because ssh is listed as a service in the /etc/services file.

If sshd listens on a non-default port (check the Port directive in /etc/ssh/sshd_config), allow that port instead, for example TCP port 2222 or 2233:

sudo ufw allow 2222/tcp
sudo ufw allow 2233/tcp

6. Enable UFW

Now that the UFW firewall is configured to allow incoming SSH connections, enable it by running:

sudo ufw enable

You will be warned that enabling the firewall may disrupt existing ssh connections.

Command may disrupt existing ssh connections. Proceed with operation (y|n)?

Respond to the prompt with y and hit ENTER. The firewall is now active.

Firewall is active and enabled on system startup

Run the following command to see the rules that you have set.

sudo ufw status verbose
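Steps 4 to 6 as one reviewable script, added here as an example (it is not part of the original article or of ufw). It reads the uncommented Port directives from sshd_config so the SSH rule matches the port sshd really uses, optionally restricts SSH to an admin network passed as a second argument (an assumption of the example, not something the article requires), and prints the commands as a dry run unless APPLY=1 is set. The script name, the function names and the argument layout are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): plan and apply the UFW
# baseline from steps 4-6 in one go, without ever enabling the firewall
# before an SSH rule exists.
#
# Usage:  sh ufw-baseline.sh /etc/ssh/sshd_config [ADMIN_CIDR]     # dry run
#         APPLY=1 sh ufw-baseline.sh /etc/ssh/sshd_config [ADMIN_CIDR]
# ADMIN_CIDR is an optional network (e.g. 10.100.100.0/24) from which SSH is
# allowed; without it SSH is opened from anywhere, as in the article.

# Print the port(s) sshd listens on, read from the uncommented Port lines of
# the given sshd_config (sshd accepts several).  Falls back to 22 when none
# is set.  Ports set only via "ListenAddress host:port" are not detected.
ssh_ports() {
    ports=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1")
    if [ -z "$ports" ]; then
        echo 22
    else
        printf '%s\n' $ports   # one port per line
    fi
}

# Emit the ufw commands in the only safe order: defaults, SSH, then enable.
# $1 = sshd_config path, $2 = optional admin CIDR.
ufw_plan() {
    cfg=$1
    admin=$2
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    for p in $(ssh_ports "$cfg"); do
        if [ -n "$admin" ]; then
            # restrict the SSH port to the admin network, TCP only
            echo "ufw allow from $admin to any port $p proto tcp"
        else
            echo "ufw allow $p/tcp"
        fi
    done
    # --force skips the "may disrupt existing ssh connections" prompt; the
    # SSH rule above is already in place, so the current session survives.
    echo "ufw --force enable"
}

# Show the plan, or run it line by line with sudo when APPLY=1.
run_plan() {
    ufw_plan "$@" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            # word-splitting $cmd into separate arguments is intended here
            sudo $cmd
        else
            echo "+ $cmd"
        fi
    done
}

if [ -n "${1:-}" ]; then
    run_plan "$@"
fi
```

Run it once without APPLY=1 and read the printed plan; the SSH line must show the port you are actually connected on before you apply it.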

7. Allowing Other Connections

Depending on the applications that run on your server, you will need to open the ports on which those services listen. You already know how to write rules that allow connections based on a service name or port number; we did this for SSH on port 22. You can do the same for:

  • HTTP on port 80, which unencrypted web servers use. To allow this traffic, run:
sudo ufw allow http

Instead of the http service name, you can also use the port number: sudo ufw allow 80 (or sudo ufw allow 80/tcp to open TCP only)

  • HTTPS on port 443, which encrypted web servers use. To allow this traffic, run:
sudo ufw allow https

You can also use the port number: sudo ufw allow 443/tcp

Opening Port Ranges

With UFW, you can also allow access to port ranges. For example, some applications use multiple ports instead of a single port. To allow ports from 5100 to 5200 on both tcp and udp, run the following command:

sudo ufw allow 5100:5200/tcp
sudo ufw allow 5100:5200/udp

When specifying port ranges with UFW, you must specify the protocol (tcp or udp) that the rules should apply to. We have not mentioned this before because omitting the protocol opens the port for both TCP and UDP, which is fine for many services but opens more than necessary for a TCP-only service such as SSH or HTTPS; when in doubt, name the protocol.

Allowing Specific IP Addresses

When working with UFW, you can also restrict rules by source IP address.

For example, to allow access on all ports from a single IP address (such as a management host), use ufw allow from followed by the address:

sudo ufw allow from 10.100.100.11

Allowing Specific IP Addresses on Specific port

If you want to allow 10.100.100.11 to connect to port 22 (SSH), use this command:

sudo ufw allow from 10.100.100.11 to any port 22

Allowing Subnets

The command for allowing connections from a subnet is the same as for a single IP address. The only difference is that you specify the network in CIDR notation.

For example, to allow every address in 10.100.100.0/24 (10.100.100.0 through 10.100.100.255), run:

sudo ufw allow from 10.100.100.0/24

If you want to allow the same subnet to reach port 22 (SSH) only, run:

sudo ufw allow from 10.100.100.0/24 to any port 22 

Allow Connections to a Specific Network Interface

If you want to create a firewall rule that only applies to a specific network interface, you can do so by specifying allow in on, followed by the name of the network interface.

You may want to look up your network interfaces before continuing. To do so, use this command:

ip a

The output will look similar to this (only the interface lines are shown):

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
.....
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
.....

If your server's public network interface is called eth0, for example, you can allow HTTP traffic arriving on it with this command:

sudo ufw allow in on eth0 to any port 80

Deny connections

The default policy for incoming connections is deny, which means that UFW blocks every incoming connection unless you have explicitly opened it.

Sometimes you will nevertheless want to deny specific connections based on the source IP address or subnet, for example because you know that your VPS/server is being attacked from there. Also, if you change your default incoming policy to allow (which is not recommended), you need deny rules for every service or IP address that you do not want to accept connections from.

To write deny rules, you can use the commands described above, replacing allow with deny.

For example, to deny HTTP connections, you could use this command:

sudo ufw deny http

To deny all connections from 11.22.33.0/24, use the following command:

sudo ufw deny from 11.22.33.0/24

If you only want to deny access to ports 80 and 443 from 11.22.33.0/24, use:

sudo ufw deny from 11.22.33.0/24 to any port 80
sudo ufw deny from 11.22.33.0/24 to any port 443

Keep in mind that UFW evaluates rules in order and the first match wins. ufw deny appends the new rule at the end of the list, so if you already have a broader rule such as allow http, a deny rule added afterwards for port 80 never matches. In that case add it with ufw insert and a position number (for example ufw insert 1 deny from 11.22.33.0/24 to any port 80) so the deny rule is evaluated before the allow rule, and confirm the order with sudo ufw status numbered.


Delete UFW Rules

Knowing how to delete firewall rules is just as important as knowing how to create them. There are two ways to delete UFW rules: by rule number, and by specifying the actual rule.

Deleting by rule number is easier, especially if you are new to UFW, so we will start with that method.

  • By Rule Number

To delete a rule by its number, first find the number of the rule you want to delete by running the following command:

sudo ufw status numbered
Output
Status: active
      To                     Action      From
      --                     ------      ----
 [ 1] 22/tcp                 ALLOW IN    Anywhere
 [ 2] 443                    ALLOW IN    Anywhere
 [ 3] 80/tcp                 ALLOW IN    Anywhere

If we decide that we want to delete rule 3, which allows HTTP connections on port 80, we can specify this in the following UFW delete command:

sudo ufw delete 3

This shows a confirmation prompt, which you answer with y or n. Typing y deletes rule 3. Note that UFW renumbers the remaining rules after every deletion, so run sudo ufw status numbered again before deleting another rule by number rather than reusing numbers from the old listing.

  • By Actual Rule

The alternative to rule numbers is to specify the actual rule to delete. For example, to remove the allow http rule, write it like this:

sudo ufw delete allow http

You can also specify the rule with allow 80 instead of the service name:

sudo ufw delete allow 80

The rule must be given exactly as it was added: allow 80 and allow 80/tcp are different rules, and allow http matches the same rule as allow 80/tcp because it resolves to 80/tcp. This method deletes both the IPv4 and the IPv6 rule, if they exist.
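Two helpers that work on the output of sudo ufw status numbered, added here as an example (they are not part of ufw or of the original article). deny_before_allow places a deny rule for a source network in front of the first ALLOW rule for the same port, which is what the deny section above needs once an allow rule already exists, and delete_matching deletes every rule whose text matches a pattern, highest number first, so the renumbering after each deletion cannot make it hit the wrong rule. The listing is passed in as text so the helpers can be tested offline against a constructed listing; the function names are the example's own, and commands are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original article: helpers that operate on the
# text of `ufw status numbered`, the only place ufw shows rule positions.
# Pass "$(sudo ufw status numbered)" as $1 on a real host.

# Print "NUMBER RULE-TEXT" for every numbered rule in the listing; the
# "Status:" and header lines do not start with "[" and are dropped.
parse_rules() {
    printf '%s\n' "$1" \
      | sed -n 's/^ *\[ *\([0-9]\{1,\}\)\] *\(.*\)$/\1 \2/p'
}

# Rule numbers whose text matches the extended regex $2, highest first.
rule_numbers() {
    parse_rules "$1" | grep -E -- "$2" | cut -d' ' -f1 | sort -rn
}

# Execute the command with sudo when APPLY=1, otherwise just print it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then sudo "$@"; else echo "$*"; fi
}

# $1 = listing, $2 = source CIDR to block, $3 = port (e.g. 80).
# ufw evaluates rules top-down, so the deny must sit above the first
# "PORT ALLOW IN" rule (IPv4 section; the "(v6)" lines are skipped because
# an IPv4 source cannot be inserted at an IPv6 position).  When no allow
# rule for the port exists yet, a plain deny appended at the end is enough.
deny_before_allow() {
    pos=$(parse_rules "$1" | grep -E "^[0-9]+ $3(/tcp|/udp)? +ALLOW IN" \
          | cut -d' ' -f1 | sort -n | head -n1)
    if [ -n "$pos" ]; then
        run ufw insert "$pos" deny from "$2" to any port "$3"
    else
        run ufw deny from "$2" to any port "$3"
    fi
}

# $1 = listing, $2 = extended regex.  Deleting in descending order keeps the
# numbers from the original listing valid for the whole batch; --force skips
# the per-rule confirmation prompt.
delete_matching() {
    for n in $(rule_numbers "$1" "$2"); do
        run ufw --force delete "$n"
    done
}
```

A typical call is delete_matching "$(sudo ufw status numbered)" '80/tcp', which removes both the IPv4 and the IPv6 HTTP rules in one pass; re-run sudo ufw status numbered afterwards, since the remaining rules have been renumbered.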

8. Disabling or Resetting UFW (optional)

If for any reason you want to stop UFW and deactivate all of its rules, you can disable it with this command:

sudo ufw disable

Any rules that you created with UFW will no longer be active. Later, if you want to re-enable UFW and activate all rules again, just type:

sudo ufw enable

If you already have UFW rules configured but you decide that you want to start over, you can use the reset command:

sudo ufw reset

This disables UFW and deletes any rules that you previously defined. Keep in mind that the default policies in /etc/default/ufw are not restored to their original settings if you modified them at any point. Otherwise this gives you a fresh start with UFW.

That’s all! Enjoy GreenCloudVPS services!
