How to Set Up a Firewall on Ubuntu Server
Published: March 9, 2015 at 3:51:48 PM UTC
This article explains how to set up a firewall on GNU/Linux using ufw, with some examples. ufw is short for Uncomplicated FireWall, and the name is fitting: it really is a very easy way to make sure you don't have more ports open than you need.
The information in this post is based on Ubuntu Server 14.04 x64. It may or may not be valid for other versions. (Update: I can confirm that the information in this post is basically still valid and functional as of Ubuntu Server 24.04; however, in the intervening 10 years, ufw has gotten somewhat "smarter" by having profiles for common server applications (for example, you can enable "Nginx full" instead of ports 80 and 443 separately), and disabling/enabling the entire firewall to get new rules applied is no longer necessary.)
When I first started out with GNU/Linux (Ubuntu) servers, setting up a firewall involved manually creating and maintaining a potentially complex configuration file for iptables. However, I have recently discovered ufw, which is short for Uncomplicated Firewall – and it really is :-)
My installation of Ubuntu Server 14.04 already had ufw installed, but if yours doesn’t, simply install it from the repositories:
UFW is actually just a tool that simplifies the iptables configuration – behind the scenes, it is still iptables and the Linux kernel firewall that does the filtering, so ufw is neither less nor more secure than these. However, because ufw makes it a lot easier to configure a firewall correctly, it may reduce the risk of human error and is therefore possibly more secure for inexperienced admins.
If your server is configured with IPv6 as well as IPv4, make sure that IPv6 is enabled for UFW as well. Edit the file /etc/default/ufw and look for a line saying IPV6=yes. On my installation it was already there, but if it’s not or if it says no, you should change it to IPV6=yes.
Then simply use the command prompt to open the ports you want. If you are connected to your server via ssh, make sure to allow that as well, or enabling the firewall may disrupt your connection and possibly lock you out of your server – depending on whether you have physical access to the server or not, this may be kinda inconvenient ;-)
For example, if you use ssh on the standard port 22 and you are configuring a web server that supports both unencrypted (HTTP on port 80) and encrypted (HTTPS on port 443) connections, you would issue the following commands to configure ufw:
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
If you need more rules, simply add them as above.
If you have a static IP address and only need to be able to connect via ssh from the one location, you can also restrict ssh connections to a single origin address like this:
Of course, enter your own IP address instead.
When done, enable ufw by entering:
And you’re done! The firewall is running and will automatically start up when you reboot your server :-)
If you make changes to the ufw configuration, you may need to disable and enable it again to put them into effect, like this:
sudo ufw disable
sudo ufw enable
To look at the current configuration, simply enter:
If ufw is not enabled, this will simply show an “inactive” message; otherwise it will list the currently defined rules.
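The whole procedure above, as an added example script that is not part of the original post: it builds the rule set for the web server example, refuses to enable ufw unless a rule admits ssh (the lock-out case described earlier), and only prints the commands unless APPLY=1 is set. The function names are hypothetical, and 203.0.113.10 is a placeholder documentation address.

```shell
#!/bin/sh
# Added example, not the author's script; function names are hypothetical.
# Dry-run by default: commands are printed. Set APPLY=1 to run them via sudo.
SSH_PORT="${SSH_PORT:-22}"
SSH_FROM="${SSH_FROM:-}"    # optional single origin; 203.0.113.10 is a placeholder
UFW_DEFAULTS="${UFW_DEFAULTS:-/etc/default/ufw}"

# Emit the article's rule set, one ufw command per line.
ufw_plan() {
    if [ -n "$SSH_FROM" ]; then
        echo "ufw allow from $SSH_FROM to any port $SSH_PORT proto tcp"
    else
        echo "ufw allow $SSH_PORT/tcp"
    fi
    echo "ufw allow 80/tcp"
    echo "ufw allow 443/tcp"
}

# Lockout guard: true only if the plan in $1 has a rule admitting SSH_PORT.
plan_allows_ssh() {
    printf '%s\n' "$1" |
        grep -Eq "^ufw allow ($SSH_PORT/tcp|from [^ ]+ to any port $SSH_PORT proto tcp)\$"
}

# True if the defaults file in $1 has IPv6 filtering switched on.
ipv6_enabled() {
    grep -Eq '^IPV6=yes[[:space:]]*$' "$1" 2>/dev/null
}

# Run one command with sudo, or just print it in dry-run mode.
run() {
    if [ "${APPLY:-0}" = 1 ]; then sudo "$@"; else echo "[dry-run] sudo $*"; fi
}

# Add the rules in $1, then enable ufw and list the active rules.
apply_plan() {
    if ! plan_allows_ssh "$1"; then
        echo "refusing to enable ufw: no rule allows ssh on port $SSH_PORT" >&2
        return 1
    fi
    ipv6_enabled "$UFW_DEFAULTS" || echo "note: IPV6=yes not set in $UFW_DEFAULTS" >&2
    printf '%s\n' "$1" | while IFS= read -r cmd; do
        run $cmd </dev/null || exit 1   # unquoted on purpose: split into argv
    done || return 1
    run ufw enable && run ufw status verbose
}

apply_plan "$(ufw_plan)"    # prints the commands unless APPLY=1 is set
```

To restrict ssh to a single origin, set SSH_FROM before running it, for example SSH_FROM=203.0.113.10 with your own address in place of the placeholder.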