Installing a firewall on a Linux host, quick and dirty, with UFW

A ha! First step in setting my home lab!

In this post I will explain how to install and configure, in a fast and easy way, a firewall on a Linux Debian 10 system, to allow only two things:

  • web browsing traffic to the Internet
  • Incoming SSH connections

So, let's begin. We will

  • Set a static IP for our host
  • Install UFW as firewall and configure it

Setting a static IP for our host

For further configuration we will change our network address to be a static one. In my recent installed Debian 10 system the ip address is dinamic. In my particular case the IP asigned by the router is the

We can verify the IP addresses with the command ip a

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 2c:41:38:ae:bc:14 brd ff:ff:ff:ff:ff:ff
    inet brd scope global dynamic noprefixroute eno1
       valid_lft 587730sec preferred_lft 587730sec
    inet6 fe80::2e41:38ff:feae:bc14/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

So to et as our IP we will add the following lines to the /etc/network/interfaces to s.

# Static IP for our Ethernet interface
iface eth0 inet static

Notice that as DNS name servers and search values I have set those told by my Internet provider, and normally set in /etc/resolv.conf file in a default dynamic IP address assignation

And this line in /etc/hosts (hppro3300 is my host name and my domain name) hppro3300

Setting up a firewall with UFW to allow outgoing traffic only in the port 80

UFW, or "Uncomplicated Firewall", is a simple interface to iptables, so it should be an easy way to set our firewall.

So, first, we install (as user root) the firewall and Gufw, a graphical interface to configure it.

apt install ufw gufw

After installation the firewall is enabled by default. The commands to set the rules to allow outgoing HTTP traffic and ingoing connections using SSH will be:

ufw default deny incoming
ufw default deny outgoing
ufw allow out http
ufw allow out https
ufw allow out ssh
ufw allow out dns
ufw allow in ssh

They are clear:

  • first we deny everything
  • then allow outgoing traffic for HTTP, HTTPS, DNS and SSH (ports 80, 443, 53 and 22). DNS (port 53) is needed!, if we dont allow it then no URL will be found 🙂
  • allow SSH connections to our host to allow opening terminals from another computers in our network

To verify our firewall status the command line will be:

$ ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                  
22/tcp (v6)                ALLOW IN    Anywhere (v6)             

80/tcp                     ALLOW OUT   Anywhere                  
443/tcp                    ALLOW OUT   Anywhere                  
22/tcp                     ALLOW OUT   Anywhere                  
53 (DNS)                   ALLOW OUT   Anywhere                  
80/tcp (v6)                ALLOW OUT   Anywhere (v6)             
443/tcp (v6)               ALLOW OUT   Anywhere (v6)             
22/tcp (v6)                ALLOW OUT   Anywhere (v6)             
53 (DNS (v6))              ALLOW OUT   Anywhere (v6)

We could easily enable and disable the firewall with the commands:

ufw enable
ufw disable

I have installed a graphical interface, but I prefer to use the command line when it's not too hard, as in this case 🙂

If we run Gufw we can see the rules recently set, as shown here (the screenshot shows the interface in Spanish, but it's clear anyway)

UGFW rules screenshot
Simple configuration example of UFW firewall

Well, it's done!

Next step, setting an HTTP Proxy with user authentication, but that is another story ...

This post is part of a serie of posts: "DevOps home lab". You can read them in the following links: