Securing Webservers - Uncomplicated Firewall
The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well suited for host-based firewalls. ufw provides a framework for managing netfilter as well as a command-line interface for manipulating the firewall. ufw aims to provide an easy-to-use interface for people unfamiliar with firewall concepts, while at the same time simplifying complicated iptables commands to help an administrator who knows what he or she is doing. ufw is an upstream for other distributions and graphical frontends.
Installation
Ubuntu / Debian
apt update
apt upgrade
sudo apt install ufw
ufw enable
ufw status verbose
CentOS
dnf install epel-release -y
dnf install ufw -y
ufw enable
ufw status verbose
ufw disable
Arch
pamac install ufw
systemctl disable iptables.service
systemctl enable ufw.service
ufw enable
ufw status verbose
Snap App
sudo pacman -S snapd
sudo systemctl enable --now snapd.socket
sudo ln -s /var/lib/snapd/snap /snap
sudo snap install ufw
Firewall Rules
Default Policies
ufw default deny incoming
ufw default allow outgoing
Adding Services
ufw allow ssh
ufw app list
ufw delete allow ssh
Adding Ports
ufw allow in 8443/tcp
ufw delete allow 8443/tcp
ufw allow 8301,8600/tcp #multiple ports
ufw allow 6000:6007/tcp #port ranges
ufw reload
Removing Rules
ufw status numbered
ufw delete [rule number] #e.g. ufw delete 2
Allowed Hosts
ufw allow from 192.168.1.112
ufw allow from 192.168.1.0/24
ufw allow from 192.168.1.0/24 to any port 22
ufw reload
Blocking Ports or Hosts
ufw deny http
ufw deny from 192.168.2.112
ufw reload
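The "Removing Rules" and "Blocking Ports or Hosts" steps above both depend on reading `ufw status numbered` correctly: ufw evaluates rules in order and the first match wins, so `ufw deny http` appended after an existing `allow 80/tcp` never fires. The following audit script is an added example, not part of this page; it parses a constructed sample of `ufw status numbered` output (the public-port baseline of 80/tcp and 443/tcp is an assumption) and reports rule numbers that expose extra ports, allow a host to every port, or are shadowed by an earlier ALLOW.

```python
import re

# Constructed sample of `ufw status numbered` output (not captured from a real host).
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.1.0/24
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 8443/tcp                   ALLOW IN    Anywhere
[ 5] Anywhere                   ALLOW IN    192.168.1.112
[ 6] 80/tcp                     DENY IN     Anywhere
[ 7] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
"""

RULE_RE = re.compile(r"^\[\s*(\d+)\]\s+(.*)$")  # "[ 4] 8443/tcp  ALLOW IN  Anywhere"

def parse_rules(text):
    """Return [(number, to, action, from)] from `ufw status numbered` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # "Status:" line, column header, blank lines
        cols = re.split(r"\s{2,}", m.group(2).strip())  # columns are 2+ spaces apart
        if len(cols) == 3:
            rules.append((int(m.group(1)), cols[0], cols[1], cols[2]))
    return rules

def audit(text, public_ports=("80/tcp", "443/tcp")):
    """Flag rules that do not fit a webserver baseline (assumed: only
    public_ports open to Anywhere). Rule numbers are the ones to pass to
    `ufw delete <number>` after review."""
    findings = []
    allowed_from = {}  # destination -> set of sources already ALLOWed (rule order)
    for num, to, action, frm in parse_rules(text):
        to_base, from_base = to.replace(" (v6)", ""), frm.replace(" (v6)", "")
        if action.startswith("ALLOW"):
            if to_base == "Anywhere":
                findings.append((num, "allows every port from %s" % frm))
            elif from_base == "Anywhere" and to_base not in public_ports:
                findings.append((num, "%s exposed to %s" % (to, frm)))
            allowed_from.setdefault(to_base, set()).add(from_base)
        elif action.startswith(("DENY", "REJECT")):
            earlier = allowed_from.get(to_base, set())
            if from_base in earlier or "Anywhere" in earlier:  # first match wins
                findings.append((num, "%s %s shadowed by an earlier ALLOW" % (action, to)))
    return findings
```

Running `audit(SAMPLE_STATUS)` on the sample reports rules 4, 5 and 6; the shadowed deny in rule 6 would only take effect if placed before rule 2, e.g. with `ufw insert`.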
Disabling or Resetting UFW
ufw disable
ufw reset