UFW (Firewall) Cheat Sheet

ufw ⇒ Uncomplicated FireWall

Display Rules in force

root@s6-mc:~# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    83.244.144.48/28
[ 2] 11211                      ALLOW IN    192.168.177.183
[ 3] 11211                      ALLOW IN    192.168.145.140
[ 4] 11211                      ALLOW IN    192.168.129.71
[ 5] 11211                      ALLOW IN    83.244.144.48/28
[ 6] 11211                      ALLOW IN    192.168.130.221
[ 7] 11211/tcp                  ALLOW IN    84.45.105.145

root@s6-mc:~#

Allow packets from source to specific port

root@host:~# ufw allow from 84.45.105.145 to any port 11211
Rule added
root@host:~#

Specify protocol

root@host:~# ufw allow proto tcp from 84.45.105.145 to any port 11211
Rule added
root@host:~#

Delete Rule by number position

root@host02:~# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    83.244.144.48/28
[ 2] 22/tcp                     ALLOW IN    84.45.114.216/29
[ 3] 22/tcp                     ALLOW IN    84.45.105.128/26
[ 4] 22/tcp                     ALLOW IN    31.54.202.43
[ 5] 22/tcp                     ALLOW IN    86.163.124.91
[ 6] 22/tcp                     ALLOW IN    109.170.140.10
[ 7] 22/tcp                     ALLOW IN    79.77.60.164
[ 8] 161/udp                    ALLOW IN    83.244.144.52
[ 9] Anywhere                   DENY IN     185.130.5.180
[10] Anywhere                   DENY IN     185.130.5.181
[11] Anywhere                   DENY IN     185.130.5.209
[12] 80/tcp                     ALLOW IN    Anywhere
[13] 443/tcp                    ALLOW IN    Anywhere
[14] 443/tcp                    ALLOW IN    Anywhere (v6)

root@host02:~# ufw delete 14
Deleting:
 allow 443/tcp
Proceed with operation (y|n)? y
Rule deleted (v6)

Show ufw activity

root@host:~# tail -f /var/log/ufw.log
May 27 15:37:56 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:69:a0:d7:84:78:ac:0d:8f:41:08:00 SRC=84.45.105.145 DST=212.71.251.190 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=27358 DF PROTO=TCP SPT=58028 DPT=11211 WINDOW=14600 RES=0x00 SYN URGP=0 
May 27 15:37:58 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:69:a0:d7:84:78:ac:0d:8f:41:08:00 SRC=84.45.105.145 DST=212.71.251.190 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=27359 DF PROTO=TCP SPT=58028 DPT=11211 WINDOW=14600 RES=0x00 SYN URGP=0 
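An added parser (not part of this cheat sheet) for the kernel lines ufw writes to /var/log/ufw.log, so blocked packets can be tallied per source and destination port rather than eyeballed from tail -f. The sample log is constructed: the first two lines copy the format above, the third source (198.51.100.7) and the sshd line are invented to show a second source and a line the parser must ignore.

```python
import re
from collections import Counter

# Constructed log excerpt in the /var/log/ufw.log format shown above; the third
# source (198.51.100.7) and the trailing sshd line are invented sample data.
SAMPLE_LOG = """\
May 27 15:37:56 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:69:a0:d7:84:78:ac:0d:8f:41:08:00 SRC=84.45.105.145 DST=212.71.251.190 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=27358 DF PROTO=TCP SPT=58028 DPT=11211 WINDOW=14600 RES=0x00 SYN URGP=0
May 27 15:37:58 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:69:a0:d7:84:78:ac:0d:8f:41:08:00 SRC=84.45.105.145 DST=212.71.251.190 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=27359 DF PROTO=TCP SPT=58028 DPT=11211 WINDOW=14600 RES=0x00 SYN URGP=0
May 27 15:38:10 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:69:a0:d7:84:78:ac:0d:8f:41:08:00 SRC=198.51.100.7 DST=212.71.251.190 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May 27 15:38:11 localhost sshd[1234]: Accepted publickey for andrew from 83.244.144.50 port 50000 ssh2
"""

HEADER_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: "
                       r"\[UFW (?P<action>[A-Z ]+?)\] (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")   # KEY=value tokens; OUT= has an empty value

def parse_ufw_line(line):
    """Parse one kernel '[UFW ...]' line into a dict, or None for unrelated lines."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    kv = dict(KV_RE.findall(rest))
    return {
        "ts": m.group("ts"), "action": m.group("action"),
        "iface_in": kv.get("IN"), "src": kv.get("SRC"), "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "spt": int(kv["SPT"]) if "SPT" in kv else None,   # absent for ICMP
        "dpt": int(kv["DPT"]) if "DPT" in kv else None,
        "flags": [t for t in rest.split() if "=" not in t],  # bare tokens: DF, SYN, ...
    }

def blocked_summary(log_text):
    """Count [UFW BLOCK] entries per (source, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_ufw_line(line)
        if ev and ev["action"] == "BLOCK":
            counts[(ev["src"], ev["proto"], ev["dpt"])] += 1
    return counts

def noisiest_sources(log_text, n=5):
    """Sources with the most blocked packets: useful for spotting scans or a rule that is not matching."""
    per_src = Counter()
    for (src, _proto, _dpt), c in blocked_summary(log_text).items():
        per_src[src] += c
    return per_src.most_common(n)
```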

Blocking one IP address - At the end of the rules set

Each of the commands below appends a deny rule at the end of the numbered rule set.

root@host02:~# ufw deny from 185.130.5.180
Rule added
root@host02:~# ufw deny from 185.130.5.209
Rule added

But the IP addresses were not blocked, because ufw evaluates rules in order and an earlier rule (rule #4) already allows all traffic to port 80, so the deny rules at the end are never reached for that traffic:

root@host02:~# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    83.244.144.48/28
[ 2] 22/tcp                     ALLOW IN    84.45.114.216/29
[ 3] 22/tcp                     ALLOW IN    84.45.105.128/26
[ 4] 80                         ALLOW IN    Anywhere
[ 5] 443                        ALLOW IN    Anywhere
[ 6] 22/tcp                     ALLOW IN    31.54.202.43
[ 7] 22/tcp                     ALLOW IN    86.163.124.91
[ 8] 22/tcp                     ALLOW IN    109.170.140.10
[ 9] 22/tcp                     ALLOW IN    79.77.60.164
[10] 161/udp                    ALLOW IN    83.244.144.52
[11] Anywhere                   DENY IN     185.130.5.180
[12] Anywhere                   DENY IN     185.130.5.209

This can be fixed by deleting the allow rules for ports 80 and 443 and adding them again after the deny rules, but the better solution is shown below: insert the new rule at the right position.

Blocking one IP address - Inserting rule in a specific position / order

The command below inserts a new rule at a specific position; the rules that followed that position shift down by one.

### Before

root@host02:~# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    83.244.144.48/28
[ 2] 22/tcp                     ALLOW IN    84.45.114.216/29
[ 3] 22/tcp                     ALLOW IN    84.45.105.128/26
[ 4] 22/tcp                     ALLOW IN    31.54.202.43
[ 5] 22/tcp                     ALLOW IN    86.163.124.91
[ 6] 22/tcp                     ALLOW IN    109.170.140.10
[ 7] 22/tcp                     ALLOW IN    79.77.60.164
[ 8] 161/udp                    ALLOW IN    83.244.144.52
[ 9] Anywhere                   DENY IN     185.130.5.180
[10] Anywhere                   DENY IN     185.130.5.209
[11] 80/tcp                     ALLOW IN    Anywhere
[12] 443/tcp                    ALLOW IN    Anywhere
[13] 80/tcp                     ALLOW IN    Anywhere (v6)
[14] 443/tcp                    ALLOW IN    Anywhere (v6)

### Command
root@host02:~# ufw insert 10 deny from 185.130.5.181
Rule inserted
### After
root@host02:~# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    83.244.144.48/28
[ 2] 22/tcp                     ALLOW IN    84.45.114.216/29
[ 3] 22/tcp                     ALLOW IN    84.45.105.128/26
[ 4] 22/tcp                     ALLOW IN    31.54.202.43
[ 5] 22/tcp                     ALLOW IN    86.163.124.91
[ 6] 22/tcp                     ALLOW IN    109.170.140.10
[ 7] 22/tcp                     ALLOW IN    79.77.60.164
[ 8] 161/udp                    ALLOW IN    83.244.144.52
[ 9] Anywhere                   DENY IN     185.130.5.180
[10] Anywhere                   DENY IN     185.130.5.181
[11] Anywhere                   DENY IN     185.130.5.209
[12] 80/tcp                     ALLOW IN    Anywhere
[13] 443/tcp                    ALLOW IN    Anywhere
[14] 80/tcp                     ALLOW IN    Anywhere (v6)
[15] 443/tcp                    ALLOW IN    Anywhere (v6)
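An added check (not part of this cheat sheet) for the ordering problem described in the two sections above: it parses the output of ufw status numbered, reports every DENY rule that an earlier ALLOW rule pre-empts, and computes the number to pass to ufw insert so a new deny lands ahead of the first such ALLOW. The listing is constructed to mirror the ones above with renumbered rules; pipe real output in with ufw status numbered | python3 this_script.py if you wrap it in a main.

```python
import ipaddress
import re
# Constructed listing in the format of "ufw status numbered" shown above: the 80/443
# ALLOW rules sit ahead of the DENY rules, so those denies never match anything.
STATUS = """\
     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    83.244.144.48/28
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] Anywhere                   DENY IN     185.130.5.180
[ 5] 443/tcp                    ALLOW IN    Anywhere (v6)
[ 6] Anywhere                   DENY IN     185.130.5.209
"""
RULE_RE = re.compile(r"^\[\s*(\d+)\]\s+(.+?)\s+(ALLOW|DENY|REJECT|LIMIT)"
                     r"(?:\s+(IN|OUT|FWD))?\s+(.+?)\s*$")

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        if m := RULE_RE.match(line):   # header and blank lines do not match
            num, to, action, direction, src = m.groups()
            rules.append({"num": int(num), "to": to, "action": action,
                          "dir": direction or "IN", "from": src})
    return rules

def to_network(src):
    # 'Anywhere' / 'Anywhere (v6)' stand for the whole IPv4 / IPv6 address space
    if src.startswith("Anywhere"):
        return ipaddress.ip_network("::/0" if "(v6)" in src else "0.0.0.0/0")
    return ipaddress.ip_network(src, strict=False)

def preempts(allow, deny):
    """True if the earlier ALLOW matches traffic the later DENY is meant to drop."""
    a, d = to_network(allow["from"]), to_network(deny["from"])
    if a.version != d.version or not d.subnet_of(a):
        return False
    if allow["to"].startswith("Anywhere") or deny["to"].startswith("Anywhere"):
        return True
    (ap, _, aproto), (dp, _, dproto) = allow["to"].partition("/"), deny["to"].partition("/")
    return ap == dp and (not aproto or not dproto or aproto == dproto)   # port[/proto] overlap

def shadowed_denies(rules):
    # (deny_num, allow_num) pairs where an earlier ALLOW pre-empts a DENY rule
    return [(d["num"], a["num"]) for i, d in enumerate(rules) if d["action"] == "DENY"
            for a in rules[:i] if a["action"] == "ALLOW" and a["dir"] == d["dir"] and preempts(a, d)]

def insert_position(rules, src):
    # N for 'ufw insert N deny from SRC' so the new deny lands before every pre-empting ALLOW
    probe = {"to": "Anywhere", "from": src, "dir": "IN", "action": "DENY"}
    hits = [r["num"] for r in rules if r["action"] == "ALLOW" and r["dir"] == "IN" and preempts(r, probe)]
    return min(hits) if hits else None
```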

Extra documentation


rb/ufw-cheet-sheet.txt · Last modified: 08/09/2018 00:43 by andrew