🛡️ Ubuntu UFW Complete Usage Tutorial

2025-05-01


UFW (Uncomplicated Firewall) is Ubuntu’s default firewall management tool that simplifies iptables configurations. This guide covers installation, basic commands, advanced usage, logging, and more, helping you secure your Ubuntu server effectively.


1. Install and Enable UFW

On Ubuntu 20.04+ UFW is usually pre-installed. If not, install it:

sudo apt update
sudo apt install ufw -y

Enable UFW:

sudo ufw enable

Note: By default, UFW denies all incoming connections and allows all outgoing connections. Define your rules before enabling to avoid locking yourself out.


2. Check Status and Default Policies

View UFW status:

sudo ufw status verbose

Example output:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

  • Default incoming policy: applied to incoming connections that match no explicit rule.
  • Default outgoing policy: applied to outgoing connections that match no explicit rule.

To change default policies:

sudo ufw default deny incoming    # Default: deny all incoming
sudo ufw default allow outgoing   # Default: allow all outgoing

3. Basic Allow and Deny Rules

3.1 Allow Rules

# Allow SSH (port 22)
sudo ufw allow ssh

# Allow HTTP (port 80)
sudo ufw allow http

# Allow HTTPS (port 443)
sudo ufw allow https

# Allow a specific port, e.g., 8080
sudo ufw allow 8080/tcp

# Allow from a specific IP range to port 22
sudo ufw allow from 192.168.1.0/24 to any port 22

3.2 Deny Rules

# Deny all traffic from a specific IP
sudo ufw deny from 203.0.113.42

# Deny a specific port, e.g., MySQL
sudo ufw deny 3306/tcp

3.3 Rate Limiting

Rate-limit SSH to slow down brute-force login attempts:

sudo ufw limit ssh/tcp

Per source IP, UFW denies new connections to the port once that address has made 6 or more connection attempts within 30 seconds.
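The commands in sections 1 to 3 are easiest to get right when they are applied in a fixed, lockout-safe order: defaults first, SSH before anything else, enable last. The script below is an added example and is not part of the original tutorial; it combines the page's "allow from a range to port 22" and "limit ssh" rules into one limited, subnet-restricted rule. The admin subnet 192.168.1.0/24, the MGMT_NET and DRY_RUN variable names and the function names are assumptions; set DRY_RUN=1 to review the generated commands before running them for real.

```shell
#!/bin/sh
# Added example (not from the original tutorial): a repeatable UFW bootstrap
# that applies the rules from sections 1-3 in lockout-safe order.
# MGMT_NET (assumed admin subnet) and DRY_RUN are this example's own names.

MGMT_NET="${MGMT_NET:-192.168.1.0/24}"   # assumption: where admins SSH from
DRY_RUN="${DRY_RUN:-0}"                  # 1 = print commands instead of running

# Run a ufw command, or echo it when DRY_RUN=1 so the plan can be reviewed.
ufw_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "ufw $*"
    else
        sudo ufw "$@"
    fi
}

# Defaults first, then SSH (restricted to the admin subnet and rate-limited),
# then public services, then an explicit deny for the database port, then enable.
ufw_bootstrap() {
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
    # "limit" accepts the same full syntax as "allow": source, port and protocol
    ufw_cmd limit from "$MGMT_NET" to any port 22 proto tcp
    ufw_cmd allow http
    ufw_cmd allow https
    ufw_cmd deny 3306/tcp
    # --force skips the interactive "may disrupt existing ssh connections" prompt
    ufw_cmd --force enable
}

# Dry-run helper: number of commands the bootstrap would issue.
ufw_bootstrap_count() {
    ( DRY_RUN=1; ufw_bootstrap ) | wc -l | tr -d ' '
}

# Review first, then apply:
#   DRY_RUN=1 sh bootstrap.sh   (with a call to ufw_bootstrap at the end)
#   sh bootstrap.sh
```

Because the SSH rule is evaluated before "enable", an administrator on the assumed subnet keeps access even though the default incoming policy is deny; anyone outside that subnet is dropped by the default policy rather than by the rate limiter.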


4. Using Service Names and Application Profiles

UFW loads application profiles from /etc/ufw/applications.d/. List available applications:

sudo ufw app list

Show details for an application profile:

sudo ufw app info "Nginx Full"

Use application names in rules:

sudo ufw allow "OpenSSH"
sudo ufw allow "Nginx HTTP"
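Services that ship without a profile can get one of their own in the same INI-style format UFW reads from /etc/ufw/applications.d/. The helper below is an added example, not code from the tutorial or the UFW project; the profile name "MyAPI", port 8443/tcp and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): write and verify a custom
# UFW application profile. "MyAPI" and 8443/tcp are assumed values.

# Write a profile file in the format UFW loads from /etc/ufw/applications.d/.
# Arguments: directory, profile name, ports spec, title, description.
write_app_profile() {
    cat > "$1/$2" <<EOF
[$2]
title=$4
description=$5
ports=$3
EOF
}

# Read the ports= line back, to check the file before UFW loads it.
profile_ports() {
    sed -n 's/^ports=//p' "$1"
}

# Use on a real host (writing under /etc/ufw needs root):
#   write_app_profile /etc/ufw/applications.d MyAPI 8443/tcp "My API" "Assumed API service on 8443"
#   sudo ufw app update MyAPI     # re-read the profile directory
#   sudo ufw app info MyAPI       # confirm the ports UFW parsed
#   sudo ufw allow MyAPI          # the rule now references the profile by name
```

Referencing the profile name in rules means a later port change only touches the profile file and an "app update", not every rule that mentions the service.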

5. Logging and Monitoring

5.1 Enable UFW Logging

sudo ufw logging on          # Enable logging (low by default)

Set log level to low, medium, high, or full:

sudo ufw logging medium

Logs are stored at:

/var/log/ufw.log

5.2 Monitor Logs

sudo tail -f /var/log/ufw.log
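Tailing the log shows individual packets; to spot repeated probes you want counts per source address and destination port. The script below is an added example, not part of the tutorial: it reads UFW's kernel-log lines on stdin and summarises [UFW BLOCK] events. The sample log lines are constructed for the example (not real traffic), and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): summarise [UFW BLOCK] events
# by source address and destination port so repeated probes stand out.
# Reads log lines on stdin; SAMPLE_LOG below is constructed test data.

# Print "count SRC DPT" for every blocked (source, port) pair, busiest first.
ufw_block_summary() {
    grep -F '[UFW BLOCK]' \
    | awk '{
        src = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5);
            if ($i ~ /^DPT=/) dpt = substr($i, 5);
        }
        if (src != "" && dpt != "") n[src " " dpt]++;
      }
      END { for (k in n) print n[k], k }' \
    | sort -k1,1nr -k2,2
}

# List source addresses blocked on a given port at least N times.
# usage: ufw_top_sources <port> <min_count>
ufw_top_sources() {
    ufw_block_summary | awk -v p="$1" -v m="$2" '$3 == p && $1+0 >= m+0 { print $2 }'
}

# Constructed sample in UFW's kernel-log format (documentation addresses only).
SAMPLE_LOG='May  1 10:00:01 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.42 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
May  1 10:00:02 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.42 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 SYN
May  1 10:00:03 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.42 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=22 SYN
May  1 10:00:04 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=3306 SYN
May  1 10:00:05 host kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.168.1.20 DST=192.0.2.10 PROTO=TCP SPT=42000 DPT=22 SYN
May  1 10:00:06 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=40001 DPT=53'

# Stand-alone run against the sample; on a real host use
#   sudo cat /var/log/ufw.log | ufw_block_summary
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | ufw_block_summary
fi
```

Only [UFW BLOCK] lines are counted, so an allowed connection from the admin subnet never inflates the numbers; the threshold in ufw_top_sources is where you would hook a follow-up such as a deny rule for the offending source.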

6. Listing and Deleting Rules

6.1 List Numbered Rules

sudo ufw status numbered

6.2 Delete Rules

Delete by number:

sudo ufw delete 3   # Deletes rule #3

Or delete by rule specification:

sudo ufw delete allow 80/tcp

7. Advanced Usage

7.1 IPv6 Support

Edit /etc/default/ufw, set:

IPV6=yes

Reload UFW:

sudo ufw reload

7.2 Routing Rules

Allow forwarded traffic between interfaces (forwarding must also be enabled in the kernel: uncomment net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf and reload UFW, otherwise the rule matches nothing):

sudo ufw route allow in on eth0 out on eth1 to 10.0.0.0/24

7.3 GUI Management with GUFW

For a graphical interface:

sudo apt install gufw -y

8. Reset and Disable

Warning: This removes all rules and disables UFW.

sudo ufw reset

Re-enable UFW:

sudo ufw enable