Ubuntu Firewall | Ubuntu Open Port | UFW Allow Port

Dixmata Studio
Apr 8, 2022

What is UFW?

In this documentation we discuss UFW configuration on Ubuntu 20.04. UFW (Uncomplicated Firewall) is a service on Linux that is used to control incoming and outgoing connections on a server. With a firewall, an admin can define rules for the connections that may enter the server and refuse connections that are not allowed in. Every server should run a firewall, and one of the easiest and most flexible firewalls is UFW; its configuration is straightforward and not too complicated.

Functions of UFW/Firewall

By using UFW (a firewall), we can control the packets and IP addresses that go into and out of our network. The basic properties of a firewall are that all network communication passes through it, only traffic the firewall permits is allowed, and it can withstand attacks originating from the network or the internet.

The basic function of UFW, or any firewall, is to act as a controller that monitors the flow of data packets through the network. Firewalls set, filter and control the data traffic allowed to reach a private network or a protected public network.

Attributes a firewall rule can match on

  • IP address of the source computer.
  • Source TCP/UDP port.
  • IP address of the destination computer.
  • Destination TCP/UDP port on the destination computer.
  • Information from the headers stored in the data packets.

Firewall Advantages (Ufw Allow Port)

  1. Firewalls can protect confidential and valuable information going in and out of the network, for example by blocking FTP access and allowing SSH only from certain networks controlled by the firewall. This is done to prevent users on the network from sending or retrieving confidential files, either intentionally or unintentionally.
  2. The firewall's filtering can also be used to prevent certain traffic from flowing into a network subnet. This prevents users from sharing files and playing around on the network. This type of application is especially useful in the corporate sector.
  3. Firewalls can modify data packets that pass through them. This process is called Network Address Translation (NAT). One type, basic NAT, hides the private IP (Internet Protocol) addresses of the computer network behind one specific public IP address, sometimes referred to as a pseudo IP. This lets users on a network whose systems have no public IP address access the Internet.

Source : Dixmata UFW Allow Port | Dixmata Labs

Prerequisites (UFW Configuration)

To try this Ubuntu 20.04 UFW configuration tutorial, you need

Step 1: Enabling IPv6 with UFW (Optional)

UFW is installed on Ubuntu 20.04 by default. If it is not installed or has been removed for some reason, you can install it using the command:

apt install ufw

This tutorial is written for IPv4. If you also want IPv6 rules, they will work as long as IPv6 support is enabled in the UFW configuration. To check this, open the UFW configuration file with nano, vi or your favourite editor.

nano /etc/default/ufw

Then make sure the value of IPV6 is yes, as below:

IPV6=yes

Save and close the editor. Before enabling UFW and writing IPv4 and IPv6 firewall rules, first make sure the firewall is configured to let you log in via SSH. Let's do it.

Step 2: Setting Ground Rules (Ufw Allow Port)

The first rules to set are the defaults that control how UFW filters traffic. The basic policy is to deny all incoming connections and allow all outgoing connections. This means that anyone who tries to connect to your server will be refused, while any outgoing access from the server, such as an application reaching a service outside, is allowed.

For configuration, follow the command below:

ufw default deny incoming
ufw default allow outgoing

With these commands, the server will deny incoming connections and allow outgoing access. This is not enough on its own, because we are running a server and there are of course services that must be reachable from outside. Therefore we must explicitly allow that access, for example for SSH, SFTP, HTTP, HTTPS and whatever other ports the server needs.

Step 3: Allow SSH Connection (Ufw Allow Port)

In the step above we rejected all incoming connections, meaning that no connection can enter the server. So we need to create specific rules for the connections we want, for example SSH and HTTP: we as admins need SSH to configure the server, and the HTTP port is needed for clients or users to reach the applications on it.

To configure your server to allow incoming SSH connections, you can use this command

ufw allow ssh

This rule makes the firewall allow connections on port 22, the port the SSH daemon listens on by default. The mapping from the service name to the port is listed in /etc/services, so allow ssh resolves to port 22 and lets SSH reach our server.

Another way to allow SSH to reach the server is to allow the port number itself, in this case port 22.

ufw allow 22

But if you have changed the SSH port and do not use the default port 22, you must allow the port you changed it to. For example, if your server uses port 2244, you can use the following command:

ufw allow 2244

Now you can access the server using SSH or your SSH port. Next we can activate the UFW or the Firewall.

Step 4: Enable UFW (Ufw Allow Port)

Since we have allowed SSH, you can now stay logged in to the server over SSH while you enable UFW.

ufw enable

After you run the command, the server warns you that enabling the firewall may interrupt your SSH connection, leaving you unable to log in to the server. This warning matters only if you have not yet allowed SSH. Since we have already created a firewall rule that allows SSH connections, we can move on. Respond with y and press Enter.

Now the firewall is active. You can use the following command to see whether the firewall is active or not:

ufw status

or

ufw status verbose

This command will show the rules you have defined.
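As an added example (not from the original post), the following script ties Steps 2 to 4 together: it reads the SSH port from an sshd_config file and prints the baseline commands in an order that allows SSH before the firewall is enabled, so a remote session is not locked out. The sshd_config path, the APPLY variable and the use of /tcp on the SSH rule are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: derive the SSH port from
# an sshd_config file and print the baseline UFW commands in the order used
# in Steps 2 to 4. Nothing is applied unless APPLY=1 is set.
# Assumptions: sshd_config uses a "Port N" directive; no Port line means 22.

# Print the first active (uncommented) "Port" directive, or 22 when none is set.
ssh_port_from_config() {
    port=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | head -n 1)
    if [ -n "$port" ]; then printf '%s\n' "$port"; else printf '22\n'; fi
}

# Emit the baseline: deny incoming, allow outgoing, allow SSH, then enable.
# SSH is allowed before "ufw enable" so the current remote session survives.
baseline_commands() {
    printf 'ufw default deny incoming\n'
    printf 'ufw default allow outgoing\n'
    printf 'ufw allow %s/tcp\n' "$1"
    printf 'ufw --force enable\n'
}

# Show the commands for review; run them only when APPLY=1.
run_baseline() {
    cfg=${1:-/etc/ssh/sshd_config}
    port=$(ssh_port_from_config "$cfg")
    if [ "${APPLY:-0}" = 1 ]; then
        baseline_commands "$port" | sh -e
    else
        baseline_commands "$port"
    fi
}

# Usage: sh baseline.sh --run [path-to-sshd_config]   (prints the plan)
#        APPLY=1 sh baseline.sh --run                  (applies it as root)
if [ "${1:-}" = "--run" ]; then
    run_baseline "${2:-/etc/ssh/sshd_config}"
fi
```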

With the configuration above, your server now rejects every incoming connection you have not explicitly allowed, which removes a large part of the surface an attacker can reach. Now you can configure the rest, for example when you want to put an application on the server.

In the next steps we configure UFW in more depth, such as allowing other ports like HTTP, HTTPS and MySQL, which is necessary if you host a web application on your server.

Step 4: Allow HTTP and HTTPS Ports (Ubuntu Firewall)

Using the same approach as above, you can allow the HTTP and HTTPS ports to be accessed from outside. Do as follows:

  • For HTTP, using the service name:

ufw allow http

or using port 80:

ufw allow 80

  • For HTTPS, using the service name:

ufw allow https

or using port 443:

ufw allow 443

Next, reload the UFW service. On a Linux server, after you change a service's configuration you should restart or reload that service so it picks up the configuration you added or replaced. For UFW, run the following command:

ufw reload

Then check with the ufw status command whether the rules added earlier are now listed by UFW. If they are, the HTTP and HTTPS ports can be reached by connections from outside networks.

Step 5: Allow Other Ports (Ubuntu Firewall)

In addition to the ports and connections above, there are other ports your server may need to respond to. Which connections and ports must be allowed depends on the specific needs of the server and of course differs with each server's use.

There are several other ways to allow connections or ports besides specifying well-known ports or service names.

Allowing Port Ranges (Ubuntu Firewall)

UFW can allow connections on a range of ports, for example when an application uses many ports within a certain range.

For example, if the ports you are using are 11200 to 11300, use these commands:

ufw allow 11200:11300/tcp
ufw allow 11200:11300/udp

Unlike allowing a single port or service, where UFW can determine the protocol itself, for a range we have to specify the protocol (tcp or udp) explicitly.

Specific IP Address (Ubuntu Firewall)

Apart from ports or services, UFW can also allow traffic by source IP address. For example, if you want to remotely administer your server from home or access a file from home, you can allow the IP address you use at home to reach the server.

To use it, use the command below:

ufw allow from 172.21.10.10

You can also allow an IP address to reach only certain ports. The rule above allows that IP to reach every port or service on the server; if you want the IP to reach only a few ports or a single one, for example only the SSH port, you can use the following command.

ufw allow from 172.21.10.10 to any port 22

Subnet/Network

Furthermore, if you want to allow several IPs, or a whole network, to connect to the server, you can do the same as above using CIDR notation.

What is CIDR? CIDR is a way of writing the subnet mask of a network: the mask is converted from decimal to binary and the number of 1 bits is counted, giving the prefix length. Classless Inter-Domain Routing (CIDR) is an alternative to classifying IP addresses into classes A, B, C, D and E. CIDR is also referred to as subnetting.

Example: 255.255.255.0 is written as /24

Suppose your network uses a /24 prefix and you want to allow all addresses in it, from 172.21.10.1 to 172.21.10.254, to connect to the server. You can use the following command:

ufw allow from 172.21.10.0/24

Likewise, you can restrict the subnet to a specific port; we again use the SSH port as the example.

ufw allow from 172.21.10.0/24 to any port 22
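To make the CIDR explanation concrete, here is an added example (not from the original post) that converts a dotted mask to a prefix length, tests whether an address falls inside a network such as 172.21.10.0/24, and only prints the source-restricted allow rule when the address you expect to admit really matches. The function names and the rule_if_matches helper are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Pure POSIX sh arithmetic;
# assumes 64-bit shell integers (dash and bash) and dotted-decimal IPv4 input
# without leading zeros.

# Convert a.b.c.d into one 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Mask for a prefix length: /24 -> 0xffffff00, /0 -> 0.
prefix_mask() {
    if [ "$1" -eq 0 ]; then echo 0; else echo $(( (0xffffffff << (32 - $1)) & 0xffffffff )); fi
}

# Count the 1 bits of a dotted mask, e.g. 255.255.255.0 -> 24 (the "/24").
mask_to_prefix() {
    m=$(ip_to_int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}

# Return 0 when ADDRESS is inside NETWORK/PREFIX, 1 otherwise.
ip_in_cidr() {
    net=${2%/*}; plen=${2#*/}
    mask=$(prefix_mask "$plen")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Print the UFW rule for a source network and port, but only after checking
# that the address you intend to admit is actually covered by that network.
rule_if_matches() {
    if ip_in_cidr "$1" "$2"; then
        printf 'ufw allow from %s to any port %s\n' "$2" "$3"
    else
        printf 'error: %s is not inside %s\n' "$1" "$2" >&2
        return 1
    fi
}

# Constructed sample: the tutorial's home subnet and an address inside it.
rule_if_matches 172.21.10.57 172.21.10.0/24 22
```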

Connection To Network Interface

After restricting rules to certain IP addresses, UFW rules can also be applied to specific network interfaces. This is almost the same as allowing IP addresses, except that the interface is now used as the entry path.

To see the interface on a Server or Linux, you can use the following command:

ip addr

Output
ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
..........
ens19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
..........

In the output we can see the interfaces used by Linux; here they are named ens18 and ens19. A server will usually have two interfaces, one for the public IP and one for the private IP. For this tutorial we use ens18 as the public interface and ens19 as the private one.

Now we open a connection on the public interface, ens18, for port 80 (HTTP), with the following command:

ufw allow in on ens18 to any port 80

With this command, the public interface ens18 of your server will accept HTTP requests from the public internet.

Usually an admin or sysadmin opens only a few ports on the public network, for example port 80 (HTTP) and port 443 (HTTPS). If you use SSL, you only need to change the command above to port 443:

ufw allow in on ens18 to any port 443

Note: if your website sends or receives email, you must also allow the mail ports on your server.

The private network or private interface is usually reserved for admin access by a few people, and of course it can only be reached from certain places, for example only from the office, or, if you use a VPN, only once you are connected to the VPN.

Ports opened on the private interface, such as FTP, SSH, MySQL and other access ports, must be protected from attacks and from outside networks.

For our example we use MySQL on port 3306, which may only be reached through the private network interface, ens19:

ufw allow in on ens19 to any port 3306

With a rule like this, other servers on the private network will also be able to connect to the MySQL port of the server you are configuring.

Step 6: Deny Connections (Ubuntu Firewall)

There are times when a server admin needs to refuse connections based on the source IP address or subnet. There are many possible reasons: your server may be under attack, or you may want to make it temporarily unreachable for maintenance, among others.

For rules that deny connections we use deny; the syntax is almost the same as the commands described above, with allow replaced by deny.

For example, to deny HTTP connections, you can use this command:

ufw deny http

Or if you want to reject all connections from a specific IP, for example 172.30.20.254, you can use the following command:

ufw deny from 172.30.20.254

With this rule, all connections originating from IP 172.30.20.254 will be rejected by the server and will not be allowed in by UFW.

Step 7 : Delete Rules

Just as there are ways to add rules, there are ways to delete them, and this is very important for a server admin to know. There are two ways to delete a rule: first by number, where we look up the rule's sequence number (ufw status numbered) and delete that number; second, by restating the rule itself, using the same syntax that created it.

Delete by rule number

If you want to remove a firewall rule by its number, the first thing to do is get a list of your firewall rules. You can view the numbered UFW status with the following command:

ufw status numbered

Output
     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
.........

The output above lists the rules with their sequence numbers, so you can see which number the rule you want to delete has. We decide to remove rule number 2, the port 80 (HTTP) rule. To delete it, use the following command:

ufw delete 2

You will be asked to confirm deleting rule 2, the HTTP rule. Note that if you enabled the firewall with IPv6, the IPv6 copy of the port 80 (HTTP) rule has its own number in the list, which you can remove the same way.

Delete by restating the rule (allow)

The second alternative is to use the same syntax you used when creating the rule, prefixed with ufw delete. For example, if you created the rule with allow http, you can delete it like this:

ufw delete allow http

Or you write initially using the port that is allow 80, not with the name of services.

ufw delete allow 80

This method will clear the IPv4 and IPv6 rules.
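Deleting by number is error-prone because UFW renumbers the remaining rules after every delete, and an IPv6 twin of the rule carries a separate number. As an added example (not from the original post), the script below parses a constructed ufw status numbered listing, finds every number a port occupies, and emits the delete commands highest number first so the remaining numbers stay valid. The sample listing and the --force flag usage are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: find the rule numbers a
# port occupies in "ufw status numbered" output and print the delete commands
# highest number first, because UFW renumbers rules after each deletion.

# Constructed sample output, including IPv6 twins of two rules.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80 (v6)                    ALLOW IN    Anywhere (v6)'

# Read status text on stdin; print the numbers of rules whose "To" column is
# PORT (ignoring any /proto suffix or "(v6)" marker), highest first.
rule_numbers_for_port() {
    awk -v port="$1" '
        /^\[ *[0-9]+\]/ {
            n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n)
            to = $0; sub(/^\[ *[0-9]+\] */, "", to); sub(/ .*/, "", to)
            sub(/\/.*/, "", to)
            if (to == port) print n
        }' | sort -rn
}

# Print "ufw --force delete N" for every rule matching PORT, in a safe order.
delete_commands_for_port() {
    rule_numbers_for_port "$1" | while read -r n; do
        printf 'ufw --force delete %s\n' "$n"
    done
}

# Review the plan against the constructed sample. On a real server replace the
# printf with: ufw status numbered | delete_commands_for_port 80
printf '%s\n' "$SAMPLE_STATUS" | delete_commands_for_port 80
```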

Step 8 : View UFW Status (Ufw Allow Port)

There are two things the status shows: whether UFW is active or inactive, and the list of rules that have been created. Use the following command:

ufw status

or

ufw status verbose

If UFW is disabled, which is the default, you will see something like this:

Output
Status: inactive

If UFW is active, it shows the active status together with all the rules you have created, as below:

Output
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
244                        ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere

Step 9: Disable or Reset UFW

If you decide not to use a firewall or UFW, you can turn it off by using the following command:

ufw disable

With UFW inactive, none of the rules you created are enforced. To reactivate it, use the ufw enable command.

If you have configured UFW rules but want to start over, you can use the reset command, which disables UFW and removes all the rules you added:

ufw reset

Your firewall is now configured to allow only the incoming connections you chose, under the conditions described above. With the firewall you can separate public connections from private ones and restrict each as needed.


Dixmata Labs is a tutorial website for learning Linux fundamentals and installing hardware and software related to Linux.