Ubuntu 20.04 Server firewall setup

One of the important things on any server is to prevent unnecessary access as much as possible. On ubuntu ufw, or uncomplicated Firewall, should already be installed by default. ufw is easy and takes away the more complicated tasks of using things like iptables.

If for some reason ufw is not installed or removed you can install it with the following command.

$ sudo apt install ufw

It is however usually not active when you installed a new server. You can always check the status of ufw if needed. Just execute the ufw status command.

$ sudo ufw status verbose
Status: inactive

Before you enable it is a good idea to allow ssh access, to prevent you are locked out if you are connecting to your Ubuntu server using ssh.

The ufw configuration file is located at /etc/default and is called; ufw. Open the file and have look.

$ sudo vi /etc/default/ufw

The default setup of ufw will not allow any incoming traffic (DEFAULT_INPUT_POLICY=”DROP”) and allow all outgoing traffic (DEFAULT_OUTPUT_POLICY=”ACCEPT”), which would be a good setup when running Ubuntu Desktop. But not very logical when running a server with Grafana, node-red or InfluxDB, in that case you do want to allow incoming traffic, to allow access to node-red or Grafana. Lets first allow incoming ssh connections, run the following command.

$ sudo ufw allow ssh
Rules updated
Rules updated (v6)

OR

$ sudo ufw allow 22
Rules updated
Rules updated (v6)

Both options will work and allows ssh access to your server. The only difference is that the first command checks the /etc/services file to figure out which port ssh is using on your Ubuntu server.

Now we are ready to enable ufw. There will be a warning that existing ssh connections will be disrupted. Which is oke, as we have allowed ssh access.

$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

And if you check the status you notice that the ssh rules are now added. You also notice that ssh is allowed from Anywhere. Meaning any system which is able to get to the server IP-address will be able to access the ssh prompt.

Allow other connections

When I try to connect to Grafana or node-red running on my Ubuntu server the connection times out, as the firewall blocks the connection.

To allow access run the following command to allow access to Grafana. As Grafana is also protected by user/password I allow access from Anywhere. After adding the rule check the status again. If you provide the [numbered] argument you will notice that the rules are now numbered. This will be useful if you need to remove rules.

$ sudo ufw allow 3000

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 22                         ALLOW IN    Anywhere                  
[ 3] 3000                       ALLOW IN    Anywhere                  
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)             
[ 5] 22 (v6)                    ALLOW IN    Anywhere (v6)             
[ 6] 3000 (v6)                  ALLOW IN    Anywhere (v6)  

Now push the “Try Again” button in your browser to try to connect to Grafana. And if all went well you should be presented with the Grafana login screen.

Limit access based on source address

I also want to allow access to the node-red configuration web-page. However I have not setup any user/password protection, to provide some extra protection to node-red I will limit the systems which are allowed to connect to it. So I need to allow access to port 1880, but want to limit the access to my Laptop which will has IP-address: 192.168.2.10

$ sudo ufw allow from 192.168.2.10 to any port 1880
Rule added

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 22                         ALLOW IN    Anywhere                  
[ 3] 3000                       ALLOW IN    Anywhere                  
[ 4] 1880                       ALLOW IN    192.168.2.10              
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)             
[ 6] 22 (v6)                    ALLOW IN    Anywhere (v6)             
[ 7] 3000 (v6)                  ALLOW IN    Anywhere (v6)   

I also want to add a rule for http access to the InfluxDB (port 8086), but only from within my private sub-net.

$ sudo ufw allow from 192.168.2.0/24 to any port 8086
Rule added

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 22                         ALLOW IN    Anywhere                  
[ 3] 3000                       ALLOW IN    Anywhere                  
[ 4] 1880                       ALLOW IN    192.168.2.10              
[ 5] 8086                       ALLOW IN    192.168.2.0/24            
[ 6] 22/tcp (v6)                ALLOW IN    Anywhere (v6)             
[ 7] 22 (v6)                    ALLOW IN    Anywhere (v6)             
[ 8] 3000 (v6)                  ALLOW IN    Anywhere (v6)    

Deleting firewall rules

There are 2 ways to remove firewall rules, by using the real rule or by using the rule number. First lets remove the allow Grafana rules by using the real rule.

$ sudo ufw delete allow 3000
Rule deleted
Rule deleted (v6)

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 22                         ALLOW IN    Anywhere                  
[ 3] 1880                       ALLOW IN    192.168.2.10              
[ 4] 8086                       ALLOW IN    192.168.2.0/24            
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)             
[ 6] 22 (v6)                    ALLOW IN    Anywhere (v6) 

Using the second option is more simple, you need to check the rule number and execute the delete command as follows to remove rule number 3.

$ sudo ufw delete 3
Deleting:
 allow from 192.168.2.10 to any port 1880
Proceed with operation (y|n)? y
Rule deleted

disable & ENABLE ufw

If you do not want to use UFW anymore you can just disable it. This will leave all the rules as created but no longer being enforced until you enable ufw again. And the final option, reset everything back to the default state you can execute the reset command. This will remove eveything configured and you can start from zero.

$ sudo ufw disable

$ sudo ufw enable

$ sudo ufw reset

There are much more options available but what I have explained is enough to get your firewall up and running and your system is a bit more secure.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s