Installing a firewall (UFW)

One important thing to secure your server is installing a firewall. I’ll show here how to install an easy one, UFW. UFW stands for Uncomplicated Firewall. It’s a good alternative that won’t make us sweat blood to get it fully operational.

First of all, install the necessary software (I’m using Ubuntu Server 12.04 for this guide; if you have another distribution, some things will be fully compatible with your system, but others won’t):

$ sudo apt-get install ufw

Before anything else, make sure the firewall is disabled, so we can set up all the needed rules and then enable them all at once.

$ sudo ufw status

If it’s active, we have to disable it by doing:

$ sudo ufw disable

We will allow all outgoing connections (from our server to the outside), but allow only some connections from outside to our server, so first we set the default policies to allow all outgoing connections and deny incoming connections:

$ sudo ufw default allow outgoing

$ sudo ufw default deny incoming

Then we have to specify the ports we will allow:

  • If we want to have ssh access, we usually have to allow 22/tcp or “ssh” (if we’ve changed the ssh port, allow that port instead).
  • If we have a web server, allow 80/tcp or “http” and 443/tcp or “https” for secure connections.
  • If we have a mail server, allow 25/tcp or “smtp” and 143/tcp or “imap”, and optionally 110/tcp or “pop3”.
  • and so on. We can find the aliases of the ports in /etc/services.

Let’s see an example:

$ sudo ufw allow ssh

$ sudo ufw allow http

$ sudo ufw allow smtp

$ sudo ufw allow imap

$ sudo ufw allow mysql

Remember it’s not needed to allow mysql if you are not going to connect to MySQL from outside. For example, if your websites connect to MySQL through “localhost”, it’s recommended to keep mysql denied.

Then, if we are done:

$ sudo ufw enable

Then if we request the status, we will get something like this:

$ sudo ufw status

Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
143                        ALLOW       Anywhere
110                        ALLOW       Anywhere
22                         ALLOW       Anywhere (v6)
80                         ALLOW       Anywhere (v6)
25/tcp                     ALLOW       Anywhere (v6)
143                        ALLOW       Anywhere (v6)
110                        ALLOW       Anywhere (v6)
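The whole procedure above, from disabling the firewall to enabling it with the rules in place, collected into one reviewable script. This is an added example, not a command sequence from the original post: `ufw_plan`, `plan_keeps_ssh`, and the `SERVICES`, `SSH_PORT` and `APPLY` variables are names chosen here, and the default service list is a constructed one for a plain web host. The script refuses to build a plan that leaves ssh out, because enabling a deny-by-default firewall over an ssh session without that rule locks you out of the server.

```shell
#!/bin/sh
# Added example (not from the original post): the guide's procedure as one
# reviewable script. It first builds the ordered list of ufw commands, so the
# plan can be checked (does it keep ssh?) before anything is applied, and only
# runs them when APPLY=1 is set and the script is executed as root.
set -eu

# Services to open, resolved by ufw through /etc/services; numeric ports such
# as 2222/tcp work as well. Constructed default for a plain web host.
SERVICES="${SERVICES:-ssh http https}"

# Print the ordered ufw commands for the given services, one per line.
# Defaults are set while the firewall is disabled, as the guide recommends,
# and the firewall is enabled only as the last step.
ufw_plan() {
    echo "ufw disable"
    echo "ufw default allow outgoing"
    echo "ufw default deny incoming"
    for svc in "$@"; do
        echo "ufw allow $svc"
    done
    echo "ufw --force enable"   # --force skips the interactive confirmation
}

# Succeed (0) only if the service list keeps remote administration reachable:
# ssh by name, port 22, or the port in SSH_PORT (assumed variable for a moved
# ssh daemon). Without such a rule a deny-by-default firewall cuts off ssh.
plan_keeps_ssh() {
    for svc in "$@"; do
        case "$svc" in
            ssh|22|22/tcp) return 0 ;;
        esac
        if [ -n "${SSH_PORT:-}" ]; then
            if [ "$svc" = "$SSH_PORT" ] || [ "$svc" = "$SSH_PORT/tcp" ]; then
                return 0
            fi
        fi
    done
    return 1
}

# shellcheck disable=SC2086  # word splitting of SERVICES is intended
if ! plan_keeps_ssh $SERVICES; then
    echo "refusing: SERVICES='$SERVICES' does not keep ssh open" >&2
    exit 2
fi

if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" -eq 0 ] && command -v ufw >/dev/null; then
    # Apply the plan command by command, echoing each one first.
    ufw_plan $SERVICES | while read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
    ufw status verbose
else
    echo "# plan only (set APPLY=1 and run as root to apply):"
    ufw_plan $SERVICES
fi
```

Run it without `APPLY` to review the commands it would issue; `sudo env APPLY=1 SERVICES='ssh http smtp imap' sh setup-ufw.sh` applies them and prints the resulting status.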

That’s it, but we can do something more:

Allow port ranges

If you want to open or close a port range (a range must name the protocol, tcp or udp), just do:

$ sudo ufw allow 5080:10000/tcp

or

$ sudo ufw deny 5080:10000/tcp

Allow a port by one IP

If we want to enable a service for a certain IP only, for example if this is a database server and our web server is on another instance or host, we open the mysql port only for our web server, like this:

$ sudo ufw allow from 123.123.123.123 to any port mysql

and our ufw status will have this line:

3306 ALLOW 123.123.123.123

Allow IP range

If we want to enable some IPs within the same subnet, for example all IPs within a local network:

$ sudo ufw allow from 192.168.0.0/24 to any port ssh

This enables ssh for all IPs of the form 192.168.0.x (the 192.168.0.0/24 subnet).
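An audit of the `ufw status` table that catches the mistake warned about under the mysql rule above and that the per-IP and subnet sections avoid: a database port allowed from Anywhere instead of from one host or one subnet. This is an added example, not part of the original post; `audit_ufw_status`, `audit_text`, the two sample tables and the list of ports it checks (3306/mysql, 5432/postgresql, 6379) are constructed here. It also understands the `ALLOW IN` column form that newer ufw versions print.

```shell
#!/bin/sh
# Added example (not from the original post): flag rules in `ufw status`
# output that expose a database port to Anywhere. Ports that should only be
# reachable from a specific host or subnet are listed in DB_PORTS.
set -eu

# Constructed list of service names/ports that normally must not be public.
DB_PORTS='^(3306|mysql|5432|postgresql|6379)$'

# Read a `ufw status` table on stdin, print one RISK line per offending rule,
# and return 1 if any was found (0 otherwise).
audit_ufw_status() {
    awk -v dbports="$DB_PORTS" '
        /^To[ \t]+Action[ \t]+From/ { inrules = 1; next }   # column header
        !inrules || /^-+/ || NF < 3 { next }                # preamble, ruler, blanks
        {
            to = $1
            sub(/\/(tcp|udp)$/, "", to)                      # 3306/tcp -> 3306
            if ($3 == "IN" || $3 == "OUT") { from = $4; v6 = $5 }   # newer "ALLOW IN" form
            else                           { from = $3; v6 = $4 }
            if ($2 == "ALLOW" && from == "Anywhere" && to ~ dbports) {
                printf "RISK: %s allowed from Anywhere%s\n", $1, (v6 == "(v6)" ? " (v6)" : "")
                risky++
            }
        }
        END { exit (risky > 0) }'
}

# Same check on a string argument instead of stdin.
audit_text() {
    printf '%s\n' "$1" | audit_ufw_status
}

# Constructed sample in the format of the guide, with mysql both open to the
# world and restricted to one host, and postgresql restricted to a subnet.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
3306                       ALLOW       Anywhere
3306                       ALLOW       123.123.123.123
5432/tcp                   ALLOW       192.168.0.0/24
22                         ALLOW       Anywhere (v6)
3306                       ALLOW       Anywhere (v6)'

# Constructed sample after fixing it: the public mysql rules were deleted.
HARDENED_STATUS='Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
3306                       ALLOW       123.123.123.123
5432/tcp                   ALLOW       192.168.0.0/24
22                         ALLOW       Anywhere (v6)'

if [ "${1:-}" = "--live" ]; then
    # Audit the running firewall instead of the sample (ufw needs root).
    sudo ufw status | audit_ufw_status
elif audit_text "$SAMPLE_STATUS"; then
    echo "no database port is exposed to Anywhere"
else
    echo "fix with: sudo ufw delete allow <port>, then sudo ufw allow from <ip> to any port <port>"
fi
```

Without arguments it audits the built-in sample and reports the two public mysql rules; `sh audit-ufw.sh --live` runs the same check against the real `ufw status` output and exits non-zero when a database port is open to the world, which makes it usable from a cron job or a configuration check.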
