Configure Firewall with UFW on Debian 12 Bookworm

In this guide, we want to teach you to Configure a Firewall with UFW on Debian 12 Bookworm. UFW is a firewall tool that allows you to block or allow incoming and outgoing connections to and from the server, block ports, IPs, or even entire subnets. It is a good option for basic operations. Now follow the steps below to configure UFW on Debian 12.

How To Configure Firewall with UFW on Debian 12 Bookworm?

To complete this guide, you must have access to your server as a non-root user with sudo privileges. To do this, you can follow this guide on Initial Server Setup with Debian 12 Bookworm.

Step 1 – Install UFW Firewall on Debian 12

First, you need to check that you have UFW installed on your server. To do this, you can use the command below:

sudo ufw status

If it is not installed, you will get the following output:

Output
-bash: ufw: command not found

To install the UFW firewall, you can run the command below:

sudo apt install ufw -y

Step 2 – How To Enable UFW Firewall?

When your installation is completed, check your UFW status again:

sudo ufw status

In your output, you will see that your UFW firewall is inactive.

Output
Status: inactive

To enable UFW, you can use the following command on Debian 12:

sudo ufw enable

Enter Y and you will get the following output:

Output
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Finally, verify your UFW firewall is active:

sudo ufw status
Output
Status: active

Step 3 – Allow OpenSSH and SSH Through UFW Firewall

SSH (Secure Shell) is a tool for secure system administration, file transfers, and other communication across the Internet or other untrusted network. OpenSSH is an open-source implementation of the SSH protocol. 

As you know, SSH uses port 22. To allow port 22 through the UFW firewall, you can use the command below:

sudo ufw allow ssh

Note: If you are running SSH on TCP port 2222 or TCP port 2323, you can use the following command:

# sudo ufw allow 2222/tcp
# sudo ufw allow 2323/tcp

Note: If you have a Static IP address and you only want to allow SSH from your static IP to another server, you can use the following command:

sudo ufw allow proto tcp from static-ip-address to desired-server-ip port 22

Also, you can Limit your SSH rule, for more security. When a limit rule is used, ufw will normally allow the connection but will deny connections if an IP address attempts to initiate six or more connections within thirty seconds.

To limit SSH, you can run the command below:

sudo ufw limit ssh

To allow OpenSSH, you can use the command below:

sudo ufw allow openssh

Step 4 – Allow Specific Incoming Connections or Port Thourgh UFW Firewall

At this point, if you want to open a specific port you can follow the steps below.

Allow TCP and UDP Ports with UFW Firewall

To allow a TCP port such as port 80, you can use the following UFW command on Debian 12:

sudo ufw allow 80/tcp

And for UDP connections, you can use the command below: For example:

sudo ufw allow 1194/udp

Allow Port Ranges with UFW Firewall

At this point, you can allow port ranges through the UFW firewall with TCP and UDP connections. To do this, you can use the commands below:

For example, allow port ranges between 3000 and 4000:

# sudo ufw allow 3000:4000/tcp
# sudo ufw allow 3000:4000/udp

Allow Services through UFW

There are some network services that UFW can enforce. For example, HTTP requires that port 80 is available. To do this, you can use the command below:

sudo ufw allow http

Allow All Connections from an IP Address with UFW Firewall

If you want to allow all connections from an IP address, you can use the command below:

sudo ufw allow from your-desired-ip

Also, you can allow all connections from an IP address to a specific TCP port. To do this, you can use the command below:

sudo ufw allow from desired-ip-address to any port port-number proto tcp

Allow Connections on Specific Interface with UFW Firewall

At this point, you can allow connections for interfaces. For example, allow connection for wg0 to port 22 by using the command below:

sudo ufw allow in on wg0 to any port 22

You can allow connection for a TCP port on an interface from a specific IP address by using the command below:

sudo ufw allow in on interface-name from ip-address to any port port-number proto tcp

Also, you can use a subnet instead of a single IP address in the above command:

sudo ufw allow in on interface-name from subnet to any port port-number proto tcp

Step 5 – Deny Incoming Connections and Ports through UFW Firewall

If you want to close a port or IP address, you can use the ufw deny command. For example, close port 25 TCP with the following command:

sudo ufw deny 25/tcp

You can deny all connections from a specific IP address, to do this, you can use the command below:

sudo ufw deny from ip-address

Also, you can deny access to an IP address on a specific port with the command below:

sudo ufw deny from ip-address to any port port-number proto tcp

Step 6 – Delete UFW Firewall Rules on Debian 12 Bookworm

To delete firewall rules with UFW, you can use the numbered option. This will list your firewall rules and you can easily delete them by using the rule numbers. To do this, run the command below:

sudo ufw status numbered
Example Output
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] OpenSSH                    ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 1194/udp                   ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] OpenSSH (v6)               ALLOW IN    Anywhere (v6)
[ 7] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 8] 1194/udp (v6)              ALLOW IN    Anywhere (v6)

For example, we want to delete rule number 8, to do this, run the command below:

sudo ufw delete 8
Output
Deleting:
 allow 1194/udp
Proceed with operation (y|n)? y
Rule deleted (v6)

If you check your UFW status, the rule must be deleted.

sudo ufw status numbered

Step 7 – Commands To Configure UFW Firewall on Debian 12

At this point, we want to show you some important UFW commands.

To reset the UFW firewall, you can run the command below:

sudo ufw reset

Every time you make changes to the UFW firewall, you need to reload it to apply the changes. To do this, you can use the following command:

sudo ufw reload

By default, all UFW entries are logged into /var/log/ufw.log file. You can view this file by using the command below:

# sudo more /var/log/ufw.log
# sudo tail -f /var/log/ufw.log

Then, you can use the command below to show the listening rules:

sudo ufw show listening
Example Output
tcp:
  22 * (sshd)
   [ 1] allow 22/tcp
   [ 2] allow OpenSSH

tcp6:
  22 * (sshd)
   [ 5] allow 22/tcp
   [ 6] allow OpenSSH

Also, you can list the added rules with the following command:

sudo ufw show added
Example Output
Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow OpenSSH
ufw allow 80/tcp
ufw allow 1194/udp

Step 8 – Configure IP Masquerading with UFW Firewall

IP masquerading is a process where one computer acts as an IP gateway for a network. 

To enable IP masquerading with UFW, follow the steps below:

  • First, open the following file with your favorite text editor, here we use vi editor:
sudo vi /etc/default/ufw

In the file, change the following line as shown below:

DEFAULT_FORWARD_POLICY="ACCEPT"

When you are done, save and close the file.

  • Then, open the following file:
sudo vi /etc/ufw/sysctl.conf

Uncomment the line below by removing the “#” from the beginning of the line:

net.ipv4.ip_forward=1

When you are done, save and close the file.

  • Reload the settings with the following commands:
# sudo sysctl -p
# sudo ufw reload
  • Next, add rules that computers in the Internal network can connect to an external network or the internet as a gateway.

Open the following file:

sudo vi /etc/ufw/before.rules

Add the following lines at the end of the file before the COMMIT line:

# NAT
*nat
-F
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o wg0 -j MASQUERADE

COMMIT

When you are done, save and close the file.

  • Finally, add the ufw route to allow the traffic. For example:
sudo ufw route allow in on eth0 out on wg0 from 10.0.0.0/24

Reload the firewall to apply the changes:

sudo ufw reload

Conclusion

At this point, you have learned to Configure a Firewall with UFW on Debian 12 Bookworm. You have learned to allow and deny incoming connections and ports, the most useful UFW commands, and configure IP masquerading.

Hope you enjoy it. Also, you may be interested in these articles:

How To Install and Use Iptables on Ubuntu 22.04

FirewallD Configuration on AlmaLinux 9

Open and Close Ports with FirewallD on Rocky Linux 8

Newsletter Updates

Enter your email address below and subscribe to our newsletter

Leave a Reply

Stay informed and not overwhelmed, subscribe now!