Configuring a basic firewall under Ubuntu 14.04
Under any operating system firewalls provide a basic level of security for any server. These applications are responsible for denying traffic to your server with exceptions for ports/services you have approved.
Ubuntu 14.04 ships with a tool called Uncomplicated Firewall aka UFW. ufw is an interface to iptables that simplifies the procedure for configuring your firewall.
This article provides the steps necesary to set up a firewall with UFW.
UFW is installed by default under Ubuntu 14.04. If for some reason it has been uninstalled, you can simply reinstall it with apt-get
# sudo apt-get install ufw
Firewall status
By default UFW is disabled so you should see something like the following:
% sudo ufw status verbose Status: inactive
If UFW is active the output will list all rules that have been set
Default policies
By default UFW is set to deny all incoming connections and allow all outgoing connections. If you have already set certain rules and wish to return to the default, you simple execure the following commands:
% sudo ufw default deny incoming % sudo ufw default allow outgoing
Configuring a basic firewall
Before we enable or reload our firewall, we will create the rules that define the exceptions to our policy. First, we need to create an exception for SSH connections so that we can maintain access for remote administration.
Allowing ssh
The SSH daemon runs on port 22 by default and ufw can implement a rule by name if the default has not been changed. So if you have not modified SSH port, you can enable the exception by typing:
% sudo ufw allow ssh
If you have modified the port that the SSH daemon is listening on, you must specify the new port number, for example if you use port 9999:
% sudo ufw allow 9999/tcp
This is the bare minimum firewall configuration. It will only allow traffic on your SSH port and all other services will be inaccessible. If you plan on running additional services, you will need to open the firewall at each port required.
Access for a web server
If you plan on running a conventional HTTP web server, you will need to allow access to port 80:
% sudo ufw allow http
If you plan to run a web server with SSL/TLS enabled, you should allow traffic to that port as well:
% sudo ufw allow https
Allowing mail services
To allow your server to accept SMTP connections, port 25 will need to be opened:
% sudo ufw allow 25
Allowing for IMAP/IMAPS, port 143 and 993 are needed:
% sudo ufw allow 143 % sudo ufw allow 993
If POP3/POP3S connections are required, then port 110/995 needs to be opened:
% sudo ufw allow 110 % sudo ufw allow 995
FTP services
General unencrypted ftp sessions require port 21, so to enable we'll add the rule:
% sudo ufw allow ftp
Transmission
Transmission is a fast, easy, and free multi-platform BitTorrent client. Transmission sets initial preferences so things "just work", but certain ports need to be added
% sudo ufw allow 6969 % sudo ufw allow 9091 % sudo ufw allow 51413
Enabling firewall
To active your firewall, simple enable ufw using the following command:
% sudo ufw enable
NOTE: You will be asked to confirm your selection, so type "y" if you wish to continue. This will apply the exceptions you made, block all other traffic, and configure your firewall to start automatically at boot.
Remember that you will have to explicitly open the ports for any additional services that you may configure later.