UFW

From StdOut

Uncomplicated Firewall (UFW) is a program for managing a netfilter firewall designed to be easy to use. It uses a command-line interface consisting of a small number of simple commands, and uses iptables for configuration. UFW is available by default in all Ubuntu installations after 8.04 LTS. (source: Wikipedia)

Basic usage

A very simplistic configuration which will deny all by default, allow any protocol from inside a 192.168.0.1-192.168.0.255 LAN, and allow incoming Deluge and rate limited SSH traffic from anywhere.

$ sudo ufw default deny
$ sudo ufw allow from 192.168.0.0/24
$ sudo ufw allow Deluge
$ sudo ufw limit SSH

Examples

$ sudo ufw allow proto udp from 1.2.3.4 to any port 9115

$ sudo ufw allow 21/tcp
$ sudo ufw allow 6000:6007/udp

$ sudo ufw enable
$ sudo ufw status
$ sudo ufw show raw

$ sudo ufw delete allow Deluge

$ sudo ufw logging off

Applications

$ sudo ufw app list

/etc/ufw/applications.d/custom

[Deluge-my]
title=Deluge
description=Deluge BitTorrent client
ports=20202:20205/tcp
ports=10000:10002/tcp|10003/udp
ports=10000:10002/tcp|10003,10009/udp

Forward ports

/etc/ufw/sysctl.conf

net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1
$ sudo sysctl -p

/etc/ufw/before.rules

1 # nat Table rules (place above *filter)
2 *nat
3 :PREROUTING ACCEPT [0:0]
4 
5 -A PREROUTING -i eth0 -d 1.2.3.4 -p tcp --dport 123 -j DNAT --to-destination 192.168.1.1:123
6 -A PREROUTING -i eth0 -d 1.2.3.4 -p udp --dport 123 -j DNAT --to-destination 192.168.1.1:123
7 
8 COMMIT

/etc/ufw/before6.rules

1 # nat Table rules (place above *filter)
2 *nat
3 :PREROUTING ACCEPT [0:0]
4 
5 -A PREROUTING -i eth0 -d 2001:db8:0:1:5054:ff:fe01:2345 -p tcp --dport 123 -j DNAT --to-destination [fec0::5054:ff:fe01:2345]:123
6 -A PREROUTING -i eth0 -d 2001:db8:0:1:5054:ff:fe01:2345 -p udp --dport 123 -j DNAT --to-destination [fec0::5054:ff:fe01:2345]:123
7 
8 COMMIT
$ sudo ufw reload

Resources