Configure Firewall with UFW on Debian 12 Bookworm
In this guide, we want to teach you to configure a firewall with UFW on Debian 12 Bookworm. UFW (Uncomplicated Firewall) is a front end to the kernel's netfilter rules that lets you allow or block incoming and outgoing connections to and from the server by port, IP address, or even entire subnet. It is a good option for basic operations. Now follow the steps below to configure UFW on Debian 12.
How To Configure Firewall with UFW on Debian 12 Bookworm?
To complete this guide, you must have access to your server as a non-root user with sudo privileges. To do this, you can follow this guide on Initial Server Setup with Debian 12 Bookworm.
Step 1 – Install UFW Firewall on Debian 12
First, you need to check that you have UFW installed on your server. To do this, you can use the command below:
sudo ufw status
If it is not installed, you will get the following output:
Output
-bash: ufw: command not found
To install the UFW firewall, you can run the command below:
sudo apt install ufw -y
Step 2 – How To Enable UFW Firewall?
When your installation is completed, check your UFW status again:
sudo ufw status
In your output, you will see that your UFW firewall is inactive.
Output
Status: inactive
To enable UFW, you can use the following command on Debian 12:
sudo ufw enable
Enter Y and you will get the following output:
Output
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Finally, verify your UFW firewall is active:
sudo ufw status
Output
Status: active
Step 3 – Allow OpenSSH and SSH Through UFW Firewall
SSH (Secure Shell) is a tool for secure system administration, file transfers, and other communication across the Internet or other untrusted network. OpenSSH is an open-source implementation of the SSH protocol.
By default, SSH listens on TCP port 22. To allow port 22 through the UFW firewall, you can use the command below:
sudo ufw allow ssh
Note: If you are running SSH on TCP port 2222 or TCP port 2323, you can use the matching command below instead:
sudo ufw allow 2222/tcp
sudo ufw allow 2323/tcp
Note: If you have a static IP address and only want to allow SSH from that address to this server, restrict the rule to the source and destination addresses:
sudo ufw allow proto tcp from static-ip-address to desired-server-ip port 22
Also, for more security, you can use a limit rule instead of allow for SSH. With a limit rule, ufw normally allows the connection but denies connections from an IP address that attempts to initiate six or more connections within thirty seconds.
To limit SSH, you can run the command below:
sudo ufw limit ssh
Alternatively, allow the OpenSSH application profile, which opens the same port 22/tcp:
sudo ufw allow openssh
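Steps 2 and 3 enable the firewall first and open SSH afterwards. Because UFW denies incoming traffic by default, doing that on a remote server blocks new SSH sessions until the allow rule lands. The script below is an added example, not part of the original guide: it applies a minimal baseline in the safe order (SSH rule first, enable last) and can be dry-run. The UFW and SSH_PORT variables and the ssh_rule_precedes_enable check are assumptions of this example; UFW=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the page): apply a minimal UFW baseline on a remote
# Debian 12 host in an order that cannot lock out the administrator.
# Assumed parameters: UFW (the command to run; UFW=echo gives a dry run that
# only prints the commands) and SSH_PORT (default 22).
UFW="${UFW:-sudo ufw}"
SSH_PORT="${SSH_PORT:-22}"

# The SSH rule is added BEFORE `enable`: UFW denies incoming traffic by default,
# so enabling first would block new SSH sessions to a remote server.
ufw_baseline() {
    ssh_port="$1"
    $UFW default deny incoming
    $UFW default allow outgoing
    # limit instead of allow: six or more connection attempts from one
    # address within thirty seconds are dropped
    $UFW limit "${ssh_port}/tcp"
    $UFW allow 80/tcp
    # --force answers the "may disrupt existing ssh connections" prompt for us
    $UFW --force enable
    $UFW status verbose
}

# Sanity check for a dry run: succeeds only if the SSH limit rule appears
# before the enable command in the printed command list.
ssh_rule_precedes_enable() {
    printf '%s\n' "$1" | awk '
        /limit [0-9]+\/tcp/ && !seen_enable { seen_limit = 1 }
        /--force enable/ { seen_enable = 1 }
        END { exit (seen_limit && seen_enable) ? 0 : 1 }'
}

# Stand-alone use: `sh baseline.sh --dry-run` prints, `--apply` runs.
case "${1:-}" in
    --apply)   ufw_baseline "$SSH_PORT" ;;
    --dry-run) UFW=echo; ufw_baseline "$SSH_PORT" ;;
esac
```

Run it with --dry-run first and read the printed command list; only then run --apply over your existing SSH session, which survives the enable because UFW keeps established connections.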
Step 4 – Allow Specific Incoming Connections or Ports Through UFW Firewall
At this point, if you want to open a specific port you can follow the steps below.
Allow TCP and UDP Ports with UFW Firewall
To allow a TCP port such as port 80, you can use the following UFW command on Debian 12:
sudo ufw allow 80/tcp
For UDP connections, append /udp instead of /tcp. For example:
sudo ufw allow 1194/udp
Allow Port Ranges with UFW Firewall
At this point, you can allow a range of ports through the UFW firewall. A range must be given with a protocol, so add one rule for TCP and one for UDP if you need both. For example, to allow ports 3000 through 4000:
sudo ufw allow 3000:4000/tcp
sudo ufw allow 3000:4000/udp
Allow Services through UFW
UFW also accepts service names, which it looks up in /etc/services; http resolves to port 80. To allow HTTP, you can use the command below:
sudo ufw allow http
Allow All Connections from an IP Address with UFW Firewall
If you want to allow all connections from an IP address, you can use the command below:
sudo ufw allow from your-desired-ip
Also, you can allow all connections from an IP address to a specific TCP port. To do this, you can use the command below:
sudo ufw allow from desired-ip-address to any port port-number proto tcp
Allow Connections on Specific Interface with UFW Firewall
At this point, you can restrict a rule to one network interface. For example, allow connections arriving on wg0 to port 22 with the command below:
sudo ufw allow in on wg0 to any port 22
You can allow connection for a TCP port on an interface from a specific IP address by using the command below:
sudo ufw allow in on interface-name from ip-address to any port port-number proto tcp
Also, you can use a subnet instead of a single IP address in the above command:
sudo ufw allow in on interface-name from subnet to any port port-number proto tcp
Step 5 – Deny Incoming Connections and Ports through UFW Firewall
If you want to close a port or IP address, you can use the ufw deny command. For example, close port 25 TCP with the following command:
sudo ufw deny 25/tcp
You can deny all connections from a specific IP address with the command below:
sudo ufw deny from ip-address
Also, you can deny an IP address access to a specific port with the command below:
sudo ufw deny from ip-address to any port port-number proto tcp
Step 6 – Delete UFW Firewall Rules on Debian 12 Bookworm
To delete firewall rules with UFW, use the numbered listing: it shows each rule with a number, and you delete a rule by that number. To see the numbered list, run the command below:
sudo ufw status numbered
Example Output
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] OpenSSH ALLOW IN Anywhere
[ 3] 80/tcp ALLOW IN Anywhere
[ 4] 1194/udp ALLOW IN Anywhere
[ 5] 22/tcp (v6) ALLOW IN Anywhere (v6)
[ 6] OpenSSH (v6) ALLOW IN Anywhere (v6)
[ 7] 80/tcp (v6) ALLOW IN Anywhere (v6)
[ 8] 1194/udp (v6) ALLOW IN Anywhere (v6)
For example, to delete rule number 8, run the command below:
sudo ufw delete 8
Output
Deleting:
allow 1194/udp
Proceed with operation (y|n)? y
Rule deleted (v6)
If you check your UFW status again, the rule is gone and the remaining rules have been renumbered:
sudo ufw status numbered
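Because UFW renumbers the remaining rules after every delete, removing several numbered rules in ascending order deletes the wrong ones from the second delete on. The script below is an added example, not from the original guide: it extracts the numbers of all rules matching a pattern from the Step 6 listing (embedded here as constructed sample input) and deletes them highest number first. The UFW variable, the SAMPLE_STATUS text and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the page): delete every UFW rule matching a pattern
# by number, highest number first, because UFW renumbers the remaining rules
# after each delete. Assumed parameter: UFW (UFW=echo gives a dry run).
UFW="${UFW:-sudo ufw}"

# Constructed input: the `ufw status numbered` output shown in Step 6.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] OpenSSH                    ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 1194/udp                   ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] OpenSSH (v6)               ALLOW IN    Anywhere (v6)
[ 7] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 8] 1194/udp (v6)              ALLOW IN    Anywhere (v6)'

# $1 = text of `ufw status numbered`, $2 = awk regex matched against each rule
# line. Prints the matching rule numbers, one per line, in descending order.
ufw_rule_numbers() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        /^\[ *[0-9]+\]/ {
            n = $0
            sub(/^\[ */, "", n); sub(/\].*/, "", n)   # keep only the number
            if ($0 ~ pat) print n + 0
        }' | sort -rn
}

# $1 = status text, $2 = pattern. --force answers the "Proceed with
# operation" prompt so the loop does not stop at each delete.
ufw_delete_matching() {
    for n in $(ufw_rule_numbers "$1" "$2"); do
        $UFW --force delete "$n"
    done
}

# Stand-alone use: `sh delete-rules.sh --dry-run 1194/udp` prints the
# deletes for the sample listing; `--apply <pattern>` runs against the live one.
case "${1:-}" in
    --apply)   ufw_delete_matching "$(sudo ufw status numbered)" "$2" ;;
    --dry-run) UFW=echo; ufw_delete_matching "$SAMPLE_STATUS" "${2:-1194/udp}" ;;
esac
```

For the pattern 1194/udp the sample listing yields rules 8 and 4, so the script deletes 8 first and then 4, which is still the IPv4 rule; deleting 4 first would have turned the IPv6 rule into number 7 and left a stale number 8.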
Step 7 – Commands To Configure UFW Firewall on Debian 12
At this point, we want to show you some important UFW commands.
To reset the UFW firewall to its installation defaults (this disables it and removes all the rules you added), you can run the command below:
sudo ufw reset
After changing UFW's configuration files (rules added with ufw commands take effect immediately), reload the firewall to apply the changes:
sudo ufw reload
By default, UFW log entries (blocked packets, at the default low logging level) are written to the /var/log/ufw.log file. You can view this file with either of the commands below:
sudo more /var/log/ufw.log
sudo tail -f /var/log/ufw.log
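Reading /var/log/ufw.log with tail is fine for a quick look, but the useful question for a defender is which sources are being blocked and whether one of them is walking through many ports. The script below is an added example, not from the original guide: it summarises [UFW BLOCK] entries per source address and lists the sources that touched at least a given number of distinct destination ports. The sample log lines are constructed (in the kernel-log format UFW writes, with some fields trimmed), and the function names and the threshold are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the page): summarise [UFW BLOCK] entries from
# /var/log/ufw.log per source address and flag sources that probed many
# different ports. The sample lines and the threshold are assumptions.

# Constructed sample lines in the kernel log format UFW writes (fields trimmed).
SAMPLE_LOG='Sep 12 10:00:01 bookworm kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TTL=244 ID=0 PROTO=TCP SPT=54321 DPT=23 WINDOW=1024 SYN URGP=0
Sep 12 10:00:02 bookworm kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TTL=244 ID=0 PROTO=TCP SPT=54322 DPT=445 WINDOW=1024 SYN URGP=0
Sep 12 10:00:03 bookworm kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TTL=244 ID=0 PROTO=TCP SPT=54323 DPT=3389 WINDOW=1024 SYN URGP=0
Sep 12 10:00:09 bookworm kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TTL=52 ID=1 PROTO=TCP SPT=40000 DPT=2222 WINDOW=64240 SYN URGP=0
Sep 12 10:00:10 bookworm kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TTL=52 ID=2 PROTO=TCP SPT=40001 DPT=2222 WINDOW=64240 SYN URGP=0
Sep 12 10:00:11 bookworm kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 LEN=60 TTL=60 ID=3 PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 SYN URGP=0'

# Reads log lines on stdin; prints one line per blocked source:
#   <src> blocked=<packets> distinct_ports=<number of different DPT values>
# Lines other than [UFW BLOCK] (for example [UFW ALLOW]) are ignored.
ufw_blocks_by_source() {
    awk '/\[UFW BLOCK\]/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "") next
        hits[src]++
        if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
    }
    END { for (s in hits) printf "%s blocked=%d distinct_ports=%d\n", s, hits[s], ports[s] }' | sort
}

# Reads summary lines on stdin; prints the sources that hit at least $1
# distinct ports, i.e. candidates for review or a `ufw deny from <ip>` rule.
ufw_scan_candidates() {
    awk -v min="$1" '{ split($3, kv, "="); if (kv[2] + 0 >= min) print $1 }'
}

# Stand-alone use: --sample summarises the constructed lines, --live the real log.
case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_LOG" | ufw_blocks_by_source ;;
    --live)   sudo cat /var/log/ufw.log | ufw_blocks_by_source ;;
esac
```

On the sample, 203.0.113.5 shows three blocked packets to three different ports and is the only candidate at a threshold of 3, while 198.51.100.77 repeatedly hit one port and the [UFW ALLOW] line is not counted at all.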
Then, you can use the command below to list the listening ports together with the rules that apply to them:
sudo ufw show listening
Example Output
tcp:
22 * (sshd)
[ 1] allow 22/tcp
[ 2] allow OpenSSH
tcp6:
22 * (sshd)
[ 5] allow 22/tcp
[ 6] allow OpenSSH
Also, you can list the added rules with the following command:
sudo ufw show added
Example Output
Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow OpenSSH
ufw allow 80/tcp
ufw allow 1194/udp
Step 8 – Configure IP Masquerading with UFW Firewall
IP masquerading is source NAT: one computer rewrites the source address of the packets it forwards and so acts as the IP gateway for a network.
To enable IP masquerading with UFW, follow the steps below:
- First, open the following file with your favorite text editor, here we use vi editor:
sudo vi /etc/default/ufw
In the file, set DEFAULT_FORWARD_POLICY (DROP by default) to ACCEPT, as shown below:
DEFAULT_FORWARD_POLICY="ACCEPT"
When you are done, save and close the file.
- Then, open the following file:
sudo vi /etc/ufw/sysctl.conf
Uncomment the line below by removing the “#” from the beginning of the line:
net.ipv4.ip_forward=1
When you are done, save and close the file.
- Reload the settings with the following commands (sysctl -p applies /etc/sysctl.conf; ufw reload applies /etc/ufw/sysctl.conf when the firewall starts):
sudo sysctl -p
sudo ufw reload
- Next, add rules so that computers in the internal network can reach an external network or the internet through this host as their gateway.
Open the following file:
sudo vi /etc/ufw/before.rules
Add the following lines at the end of the file, as a separate nat table block with its own COMMIT line (keep it outside the existing *filter block):
# NAT
*nat
-F
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o wg0 -j MASQUERADE
COMMIT
When you are done, save and close the file.
- Finally, add a ufw route rule that allows the forwarded traffic. For example:
sudo ufw route allow in on eth0 out on wg0 from 10.0.0.0/24
Reload the firewall to apply the changes:
sudo ufw reload
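Masquerading only works when all three edits above agree: the forward policy, the ip_forward sysctl and a committed nat block. A missing COMMIT or a still-commented sysctl line fails silently, with forwarded packets simply dropped. The checker below is an added example, not from the original guide: it validates copies of the three files before you reload. sysctl accepts both net.ipv4.ip_forward and net/ipv4/ip_forward as the key, so the check accepts either spelling. The file paths, the LAN subnet and interface, and the function names are assumptions of this example; the defaults match the values used in Step 8.

```shell
#!/bin/sh
# Added example (not from the page): verify the three pieces of UFW
# masquerading configuration agree before reloading. File paths are
# parameters so the checks can run against copies; --live uses the real files.

# 1. /etc/default/ufw must set DEFAULT_FORWARD_POLICY="ACCEPT".
check_forward_policy() {
    grep -Eq '^DEFAULT_FORWARD_POLICY="ACCEPT"' "$1"
}

# 2. /etc/ufw/sysctl.conf must enable ip_forward on an uncommented line.
#    sysctl accepts both "net.ipv4.ip_forward" and "net/ipv4/ip_forward".
check_ip_forward() {
    grep -Eq '^[[:space:]]*net[./]ipv4[./]ip_forward[[:space:]]*=[[:space:]]*1' "$1"
}

# 3. /etc/ufw/before.rules must carry a *nat block with a MASQUERADE rule for
#    the LAN ($2 = CIDR) out of the uplink ($3 = interface) and its own COMMIT.
check_nat_block() {
    awk -v cidr="$2" -v oif="$3" '
        /^\*nat/ { in_nat = 1; next }
        /^COMMIT/ { if (in_nat && have_rule) ok = 1; in_nat = 0; next }
        in_nat && /-j MASQUERADE/ && index($0, "-s " cidr) && index($0, "-o " oif) { have_rule = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# $1 default/ufw, $2 ufw/sysctl.conf, $3 before.rules, $4 LAN CIDR, $5 uplink.
# Reports every failing check and returns non-zero if any failed.
masq_config_ok() {
    rc=0
    check_forward_policy "$1" || { echo "forward policy is not ACCEPT in $1"; rc=1; }
    check_ip_forward "$2" || { echo "ip_forward is not enabled in $2"; rc=1; }
    check_nat_block "$3" "$4" "$5" || { echo "no committed MASQUERADE rule for $4 via $5 in $3"; rc=1; }
    return $rc
}

# Stand-alone use: `sudo sh masq-check.sh --live [cidr] [interface]`
if [ "${1:-}" = "--live" ]; then
    masq_config_ok /etc/default/ufw /etc/ufw/sysctl.conf /etc/ufw/before.rules \
        "${2:-10.0.0.0/24}" "${3:-wg0}"
fi
```

Run it before `sudo ufw reload`; each failing check prints which file still needs editing, and a clean run means the nat block is both present and terminated by its own COMMIT.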
Conclusion
At this point, you have learned to configure a firewall with UFW on Debian 12 Bookworm. You have learned to allow and deny incoming connections and ports, the most useful UFW commands, and how to configure IP masquerading.
Hope you enjoy it.