Step 4: Configure the firewall

Firewall Overview

Securing your VPS is essential, and configuring a firewall is an easy first step that provides a lot of protection.

  • A firewall allows you to control incoming and outgoing traffic.

Initially, we will allow outside traffic to enter the VPS using ports 80 (HTTP), 443 (HTTPS), and 22 (SSH). We won’t restrict outgoing traffic to keep the procedure simple. Ultimately, we want to restrict outgoing traffic, as well.

Using nano

We will use a text editor called nano to edit most of the files.

Mouse operations do not work well in a terminal editor, so we must enter commands using the keyboard.

Tip

Copy and pasting in Nano

  • Right-clicking in the text editor will paste the contents of the Windows clipboard directly into the terminal.

  • Selecting text in the editor will copy the selection to the Windows clipboard.

Tip

Saving a document in Nano

  • Press Ctrl+S to save a file

  • Press Ctrl+X to exit Nano

  • If the document is not saved:

    1. Press y to save or press n to exit without saving.

    2. Press Enter to confirm the file name if saving and overwriting.

Optionally, we can use MobaXterm to edit the files using their built-in text editor. Watch this video on how to use MobaXterm.

Caution

MobaXterm uses 8-bit ASCII. Non-ASCII characters outside the 0x00 to 0x7F hex range will not render correctly.

Configuring the Firewall

Let’s practice straight away using nano!

Verify that IPv6 is enabled

Most VPSs provide an IPv6 address, and IPv6 support should be enabled by default in UFW. Let's verify.

To open a file using nano, we supply its full path (or just the file name, if we are already in its directory). The file that we want to open is /etc/default/ufw.

  • /etc/default is the path to the file.

  • ufw is the name of the file.

sudo nano /etc/default/ufw

  • Shell scripts and bash configuration files use # for comments.

  • Using your arrow keys, navigate to the line that contains the setting IPV6=yes.

    • If you see a # character in front of it, delete it.

  • Save and exit the file using Ctrl+S, then Ctrl+X.

/etc/default/ufw

nano /etc/default/ufw

# /etc/default/ufw
#

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=yes

# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
. . .
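The check above is done by eye in nano. As an added example (not part of this tutorial), the following POSIX shell functions perform the same check and the same fix on a file: one confirms that an uncommented IPV6=yes line is present, the other removes a leading # from that line. The sample files are constructed in a temporary directory so the script runs without touching the real /etc/default/ufw; pointing the functions at the real path is an assumption left to the reader.

```shell
#!/bin/sh
# Added example, not from the tutorial: verify and repair the IPV6 setting
# in a UFW defaults file such as /etc/default/ufw.

# ufw_ipv6_enabled FILE -> exit 0 if FILE contains an uncommented "IPV6=yes"
ufw_ipv6_enabled() {
    # Anchor at line start; leading spaces allowed, a '#' before IPV6 is not.
    grep -Eq '^[[:space:]]*IPV6=yes[[:space:]]*$' "$1"
}

# ufw_uncomment_ipv6 FILE -> strip a leading '#' from the "IPV6=yes" line
ufw_uncomment_ipv6() {
    # GNU sed in-place edit (assumption: Linux VPS, as in the tutorial).
    sed -i -E 's/^[[:space:]]*#[[:space:]]*(IPV6=yes)[[:space:]]*$/\1/' "$1"
}

# report FILE -> human-readable result of the check
report() {
    if ufw_ipv6_enabled "$1"; then
        echo "$1: IPv6 support enabled"
    else
        echo "$1: IPv6 support NOT enabled"
    fi
}

# Constructed sample files standing in for /etc/default/ufw.
tmpdir=$(mktemp -d)
printf '# /etc/default/ufw\nIPV6=yes\n'  > "$tmpdir/enabled"
printf '# /etc/default/ufw\n#IPV6=yes\n' > "$tmpdir/commented"
printf '# /etc/default/ufw\nIPV6=no\n'   > "$tmpdir/disabled"

report "$tmpdir/enabled"      # enabled
report "$tmpdir/commented"    # NOT enabled: the line is commented out
ufw_uncomment_ipv6 "$tmpdir/commented"
report "$tmpdir/commented"    # enabled after removing the '#'
report "$tmpdir/disabled"     # NOT enabled: IPV6=no is a different setting
```

Note that, as the comment in the file itself says, UFW only picks up a change to this setting after the firewall is disabled and enabled again; the functions here only edit the file.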

Configure UFW

  1. Set the firewall to deny all incoming connections

    sudo ufw default deny incoming
    
  2. Set the firewall to allow all outgoing connections

    sudo ufw default allow outgoing
    
  3. Allow SSH (port 22), HTTP (80), and HTTPS (443) through the firewall. All other incoming ports will be blocked by the default policy.

    sudo ufw allow ssh
    sudo ufw allow http
    sudo ufw allow https
    
  4. Enable the firewall rules now and also on system restart

    sudo ufw enable
    
     root@vps298933:~#
     root@vps298933:~# sudo ufw status verbose
     Status: inactive
     root@vps298933:~#
     root@vps298933:~# sudo ufw default deny incoming
     Default incoming policy changed to 'deny'
     (be sure to update your rules accordingly)
     root@vps298933:~#
     root@vps298933:~# sudo ufw default allow outgoing
     Default outgoing policy changed to 'allow'
     (be sure to update your rules accordingly)
     root@vps298933:~# sudo ufw allow ssh
     Rules updated
     Rules updated (v6)
     root@vps298933:~# sudo ufw allow http
     Rules updated
     Rules updated (v6)
     root@vps298933:~# sudo ufw allow https
     Rules updated
     Rules updated (v6)
     root@vps298933:~#
     root@vps298933:~# sudo ufw enable
     Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
     Firewall is active and enabled on system startup
     root@vps298933:~#
    
  5. Verify the firewall state

    • In particular, verify that your SSH port (22) is open.

    • Otherwise, you might not be able to log back into your VPS.

    sudo ufw status verbose
    
     root@vps298933:~# sudo ufw status verbose
     Status: active
     Logging: on (low)
     Default: deny (incoming), allow (outgoing), disabled (routed)
     New profiles: skip
    
     To                         Action      From
     --                         ------      ----
     22/tcp                     ALLOW IN    Anywhere
     80/tcp                     ALLOW IN    Anywhere
     443/tcp                    ALLOW IN    Anywhere
     22/tcp (v6)                ALLOW IN    Anywhere (v6)
     80/tcp (v6)                ALLOW IN    Anywhere (v6)
     443/tcp (v6)               ALLOW IN    Anywhere (v6)
    
     root@vps298933:~#
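Step 5 asks you to read the status output and confirm the SSH rule is there. As an added example (not part of this tutorial), the POSIX shell functions below do that check mechanically against the text of ufw status verbose: they require an active firewall, a default deny policy for incoming traffic, and an ALLOW IN rule for every port you name, and they print whatever is missing. The sample output is constructed to match the shape of the listing above; running it against the live command (ufw_check "$(sudo ufw status verbose)" 22 80 443) is an assumption shown only in a comment. The same check applies after the reboot in the next section.

```shell
#!/bin/sh
# Added example, not from the tutorial: confirm that "ufw status verbose"
# shows the rules this step expects, so a missing SSH rule is noticed
# before the current session is closed.

# Constructed sample output, shaped like the tutorial's listing.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# ufw_rule_allows STATUS_TEXT PORT -> exit 0 if "PORT/tcp ... ALLOW IN" is listed
ufw_rule_allows() {
    printf '%s\n' "$1" | grep -Eq "^$2/tcp[[:space:]]+ALLOW IN[[:space:]]"
}

# ufw_check STATUS_TEXT PORT... -> exit 0 only if the firewall is active, the
# default incoming policy is deny, and every PORT has an ALLOW IN rule.
# Each problem found is printed on its own line.
ufw_check() {
    status=$1
    shift
    ok=0
    printf '%s\n' "$status" | grep -q '^Status: active$' \
        || { echo "firewall is not active"; ok=1; }
    printf '%s\n' "$status" | grep -q '^Default: deny (incoming)' \
        || { echo "default incoming policy is not deny"; ok=1; }
    for port in "$@"; do
        ufw_rule_allows "$status" "$port" \
            || { echo "no ALLOW IN rule for $port/tcp"; ok=1; }
    done
    return $ok
}

# On the VPS itself this would be (assumption, not run here):
#   ufw_check "$(sudo ufw status verbose)" 22 80 443
if ufw_check "$SAMPLE_STATUS" 22 80 443; then
    echo "expected rules present; safe to close this session"
fi

# The same sample with the IPv4 SSH rule removed fails the check.
NO_SSH=$(printf '%s\n' "$SAMPLE_STATUS" | grep -v '^22/tcp ')
ufw_check "$NO_SSH" 22 80 443 || echo "do not log out yet"
```

The port check deliberately matches only the IPv4 line (22/tcp, not 22/tcp (v6)); if you also rely on IPv6 access, extend the pattern to require both lines.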
    

Reboot and Verify

On some systems, UFW does not automatically enable on reboot. We should test it.

sudo reboot -n

# after logging back in, verify:
sudo ufw status verbose

If the firewall is disabled after the reboot, enable the UFW service using systemctl (system control) so that it starts at boot:

sudo systemctl enable ufw

root@vps298933:~# sudo systemctl enable ufw
Synchronizing state of ufw.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ufw
root@vps298933:~#
root@vps298933:~#
root@vps298933:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)

root@vps298933:~#

Video Walkthrough

Are you stuck? Use this recording to help you.

  • Press the space bar to pause

  • You can copy text from the recording.

  • You can use the arrow keys to advance through the recording

Watch on asciinema.org if the video will not load.