Configure Firewall with UFW on Debian 12 Bookworm: Comprehensive Guide

In this guide, we walk through configuring a firewall with UFW on Debian 12 Bookworm. UFW (Uncomplicated Firewall) is a front end for the kernel's netfilter packet filter: it translates short allow/deny rules into iptables rules (on Debian 12 the iptables command is the nftables-backed iptables-nft), so you can permit or block incoming and outgoing connections without writing those rules by hand. With UFW you can restrict access to individual ports, single IP addresses, or whole subnets, and it covers the basic firewall needs of most servers. Follow the steps below to set it up.

Before you begin, ensure you have access to your server as a non-root user with sudo privileges. If you haven’t already set this up, you can follow this guide on Initial Server Setup with Debian 12 Bookworm.

Step 1 – Install UFW Firewall on Debian 12

The first step is to check whether UFW is already installed on your server:

sudo ufw status

If UFW is not installed, the command fails because the binary is missing:

**Output**
sudo: ufw: command not found

To install the UFW firewall, execute the following command:

sudo apt install ufw -y

Step 2 – Enable the UFW Firewall

Once the installation is complete, verify the UFW status again:

sudo ufw status

The output will indicate that the UFW firewall is currently inactive.

**Output**
Status: inactive

UFW's shipped defaults deny all incoming and allow all outgoing traffic, and enabling it applies that policy immediately. If you are connected over SSH, add the SSH rule from Step 3 before this step; otherwise enabling the firewall can drop your session and lock you out. To enable UFW on Debian 12, use the following command:

sudo ufw enable

You will be prompted to confirm, precisely because of that risk. Enter y and you will see the following output:

**Output**
Command may disrupt existing ssh connections. Proceed with operation (y|n)? **y**
Firewall is active and enabled on system startup

Finally, confirm that your UFW firewall is active:

sudo ufw status
**Output**
Status: active

Next, add rules for the services the server must expose.

Step 3 – Allow SSH Through the UFW Firewall

SSH (Secure Shell) is a protocol for secure system administration, file transfers, and other communication across the Internet or other untrusted networks. OpenSSH is an open-source implementation of the SSH protocol.

SSH uses TCP port 22 by default. UFW resolves the service name ssh through /etc/services, so the following command opens 22/tcp:

sudo ufw allow ssh

Note: If sshd listens on a different port, such as TCP port 2222 or 2323, allow that port explicitly instead (UFW cannot discover it for you):

sudo ufw allow 2222/tcp
sudo ufw allow 2323/tcp

Note: If you administer the server from a static IP address, restrict SSH to that source. This is a much stronger control than exposing port 22 to the whole Internet:

sudo ufw allow proto tcp from <your-static-ip-address> to <your-server-ip> port 22

For enhanced security, you can rate-limit SSH instead of plainly allowing it. A limit rule still accepts connections, but denies a source address that attempts six or more new connections within 30 seconds, which blunts password brute-forcing (it complements key-only authentication; it does not replace it).

To limit SSH connections, use the following command:

sudo ufw limit ssh

OpenSSH also ships an application profile (under /etc/ufw/applications.d, installed with openssh-server) that opens the same 22/tcp. Allowing it by profile name is equivalent to the rule above, so use one form or the other rather than both:

sudo ufw allow OpenSSH
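Steps 2 and 3 are safest when done together, with the rules in place before the firewall is switched on. The script below is an added example, not part of the original guide: it sets the default policies, opens the SSH port (rate-limited from anywhere, or only from an administrative CIDR if one is given), enables UFW non-interactively and prints the result. The SSH port and the admin CIDR are arguments you supply (nothing is auto-detected), and setting UFW_DRY_RUN=1 prints the commands instead of running them.

```bash
#!/bin/sh
# Added example (not from the original guide): bring UFW up from an SSH session
# without locking yourself out. The SSH rule is added BEFORE `ufw enable`,
# because ufw's default incoming policy is deny.
#
# Usage:  UFW_APPLY=1 sh bootstrap-ufw.sh SSH_PORT [ADMIN_CIDR]
#         UFW_DRY_RUN=1 ...  prints the commands instead of executing them.
# SSH_PORT and ADMIN_CIDR are assumptions you supply; nothing is auto-detected.

# run CMD... : execute CMD, or just print it when UFW_DRY_RUN=1
run() {
    if [ "${UFW_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bootstrap_ufw SSH_PORT [ADMIN_CIDR]
bootstrap_ufw() {
    port="$1"
    admin_cidr="${2:-}"
    case "$port" in
        ''|*[!0-9]*)
            echo "usage: bootstrap_ufw SSH_PORT [ADMIN_CIDR]" >&2
            return 2 ;;
    esac

    # 1. Defaults: nothing in, everything out. These are also ufw's shipped
    #    defaults, but stating them makes the policy explicit and reviewable.
    run sudo ufw default deny incoming
    run sudo ufw default allow outgoing

    # 2. SSH: pinned to an admin range when one is given, otherwise
    #    rate-limited from anywhere (ufw drops a source that opens six or
    #    more connections within 30 seconds).
    if [ -n "$admin_cidr" ]; then
        run sudo ufw allow proto tcp from "$admin_cidr" to any port "$port"
    else
        run sudo ufw limit "$port/tcp"
    fi

    # 3. Enable. --force answers the "may disrupt existing ssh connections"
    #    prompt; the rule added in step 2 is what makes that answer safe.
    run sudo ufw --force enable

    # 4. Show the effective policy so the change can be reviewed right away.
    run sudo ufw status verbose
}

# Functions only unless explicitly told to apply, so the file is safe to source.
if [ "${UFW_APPLY:-0}" = "1" ]; then
    bootstrap_ufw "$@"
fi
```

Run it first with UFW_DRY_RUN=1 to read the exact command sequence, then with UFW_APPLY=1 from the SSH session you want to keep; the session survives because the limit or allow rule exists before the policy is enforced.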

Step 4 – Allow Specific Incoming Connections or Port Through UFW Firewall

At this point, you can open specific ports as needed.

Allow TCP and UDP Ports with UFW Firewall

To allow a TCP port, such as port 80 (HTTP), use the following UFW command on Debian 12:

sudo ufw allow 80/tcp

For UDP connections, use the following command. For example, to allow UDP port 1194:

sudo ufw allow 1194/udp

Allow Port Ranges with UFW Firewall

You can also allow port ranges through the UFW firewall. A range must name its protocol (UFW rejects a bare range), so add TCP and UDP separately. For example, to allow ports 3000 through 4000:

sudo ufw allow 3000:4000/tcp
sudo ufw allow 3000:4000/udp

Allow Services through UFW

UFW resolves well-known service names from /etc/services (and application profiles shipped by packages, listed by its app list subcommand), so a rule can name the service instead of the port. HTTP is port 80; to allow it:

sudo ufw allow http

Allow All Connections from an IP Address with UFW Firewall

If you want to allow all connections from a specific IP address, use the following command:

sudo ufw allow from <your-desired-ip>

You can also allow all connections from an IP address to a specific TCP port:

sudo ufw allow from <desired-ip-address> to any port <port-number> proto tcp

Allow Connections on Specific Interface with UFW Firewall

You can allow connections on specific network interfaces. For example, to allow connections on the wg0 interface to port 22, use the following command:

sudo ufw allow in on wg0 to any port 22

To allow connections for a TCP port on an interface from a specific IP address, use the following command:

sudo ufw allow in on <interface-name> from <ip-address> to any port <port-number> proto tcp

You can also use a subnet in CIDR notation instead of a single IP address in the above command:

sudo ufw allow in on <interface-name> from <subnet> to any port <port-number> proto tcp

Step 5 – Deny Incoming Connections and Ports through the UFW Firewall

To close a port or block an IP address, use the ufw deny command. UFW evaluates rules in order and the first match wins, so a deny for an address must sit above any broader allow that would otherwise match it; the insert subcommand places a rule at a given position. For example, to block TCP port 25:

sudo ufw deny 25/tcp

To deny all connections from a specific IP address, use the following command:

sudo ufw deny from <ip-address>

You can also deny access to an IP address on a specific port:

sudo ufw deny from <ip-address> to any port <port-number> proto tcp

Step 6 – Delete UFW Firewall Rules on Debian 12 Bookworm

To delete firewall rules with UFW, you can use the numbered option. This will list your firewall rules, and you can easily delete them by using the rule numbers. To do this, run the command below:

sudo ufw status numbered
**Output**

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 1194/udp                   ALLOW IN    Anywhere
[ 4] Anywhere                   DENY IN     192.168.1.100

For example, to delete rule number 4 (the deny for 192.168.1.100 above), run:

sudo ufw delete 4

You'll be prompted to confirm. Type y and press Enter. Note that the remaining rules are renumbered after a deletion, so when removing several rules by number, delete the highest number first and re-check the listing in between. You can also delete a rule by repeating its specification with delete in place of allow or deny.

Check the UFW status again; the rule should no longer be listed.

sudo ufw status numbered
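Rule numbers shift after each deletion, which makes bulk clean-up by number error-prone. The following is an added example, not part of the original guide: it parses the output of ufw status numbered, finds every rule whose text matches a pattern, and deletes them highest number first so earlier deletions never renumber the remaining targets. The listing shown above is embedded as a constructed sample (UFW_USE_SAMPLE=1) so the logic can be exercised without touching a live firewall, and UFW_DRY_RUN=1 prints the delete commands instead of running them.

```bash
#!/bin/sh
# Added example (not from the original guide): delete UFW rules by number,
# matched by pattern, highest number first.
#
# Environment (assumptions for this example):
#   UFW_USE_SAMPLE=1  use the constructed sample listing below instead of
#                     the live `sudo ufw status numbered`
#   UFW_DRY_RUN=1     print the delete commands instead of executing them

# Constructed sample: the numbered listing shown earlier on this page.
sample_status() {
    cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 1194/udp                   ALLOW IN    Anywhere
[ 4] Anywhere                   DENY IN     192.168.1.100
EOF
}

ufw_status_numbered() {
    if [ "${UFW_USE_SAMPLE:-0}" = "1" ]; then
        sample_status
    else
        sudo ufw status numbered
    fi
}

# ufw_rule_numbers PATTERN : numbers of the rules whose text (without the
# "[ N]" prefix, so a port never matches a rule number) matches the extended
# regex PATTERN, in descending order.
ufw_rule_numbers() {
    ufw_status_numbered | awk -v pat="$1" '
        /^\[ *[0-9]+\]/ {
            n = $0;    sub(/^\[ */, "", n);        sub(/\].*$/, "", n)
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
            if (rest ~ pat) print n
        }' | sort -rn
}

# ufw_delete_matching PATTERN : delete every matching rule. Descending order
# matters: deleting rule 2 turns rule 3 into rule 2, so ascending deletion
# would remove the wrong rules. --force skips the per-rule confirmation.
ufw_delete_matching() {
    count=0
    for n in $(ufw_rule_numbers "$1"); do
        if [ "${UFW_DRY_RUN:-0}" = "1" ]; then
            printf 'sudo ufw --force delete %s\n' "$n"
        else
            sudo ufw --force delete "$n"
        fi
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        echo "no rule matches: $1" >&2
        return 1
    fi
    return 0
}

# Example against the sample: removes rules 3, 2, 1 in that order.
# UFW_USE_SAMPLE=1 UFW_DRY_RUN=1 ufw_delete_matching 'ALLOW IN'
```

Always run with UFW_DRY_RUN=1 first and read the list; a pattern such as 'Anywhere' matches more rules than it looks like, including the IPv6 duplicates UFW creates for each rule.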

Step 7 – Commands To Configure UFW Firewall on Debian 12

Here are some important UFW commands:

To reset the UFW firewall to its default state, use the following command. It disables the firewall and removes every rule you added (the previous rules files are kept under /etc/ufw with a timestamp suffix), so expect to redo Step 3 afterwards:

sudo ufw reset

Rules added with the ufw command take effect immediately. A reload is only needed after editing the files under /etc/ufw by hand (for example before.rules or an application profile), which the masquerading step below does:

sudo ufw reload

Rule hits are logged by the kernel with a [UFW ...] prefix; logging is switched on at level low when UFW is enabled and can be raised with the logging subcommand. With rsyslog installed, these lines are copied to /var/log/ufw.log, which you can view with the commands below. A default Debian 12 install ships without rsyslog, in which case the file does not exist and the entries are read from the systemd journal's kernel messages instead.

sudo more /var/log/ufw.log
sudo tail -f /var/log/ufw.log
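To make those logs actionable, here is an added example, not part of the original guide: a shell function that reads UFW log lines (from /var/log/ufw.log when it exists, else from the kernel journal) and summarises blocked packets by source, protocol and destination port, busiest sources first, so port scans and brute-force sources stand out. The log lines embedded below are constructed samples in the format ufw emits; the field names (SRC, PROTO, DPT) are the real ones.

```bash
#!/bin/sh
# Added example (not from the original guide): summarise UFW BLOCK log entries
# by source address and target port. Runs offline on the constructed sample
# below, or on real logs via ufw_log_lines.

# ufw_log_lines : emit UFW log lines from wherever this host keeps them.
# Debian 12 ships without rsyslog, so /var/log/ufw.log only exists when
# rsyslog is installed; otherwise the entries live in the kernel journal.
ufw_log_lines() {
    if [ -r /var/log/ufw.log ]; then
        cat /var/log/ufw.log
    else
        sudo journalctl -k --no-pager -g 'UFW'
    fi
}

# Constructed sample lines (not captured from a real host): three blocked
# SYNs from one scanner, one blocked UDP probe, and one ALLOW entry that a
# block summary must ignore.
sample_ufw_log() {
    cat <<'EOF'
Sep 10 12:00:01 debian kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=44321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 10 12:00:02 debian kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=44322 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 10 12:00:03 debian kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=44323 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 10 12:00:04 debian kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=UDP SPT=5353 DPT=5353 LEN=40
Sep 10 12:00:05 debian kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=5 PROTO=TCP SPT=50000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
EOF
}

# ufw_block_summary [MIN_HITS] : read log lines on stdin and print
#   "<hits> <src> <proto>/<dport>" for every blocked (src, proto, dport)
#   seen at least MIN_HITS times (default 1), busiest first.
ufw_block_summary() {
    awk -v min="${1:-1}" '
        /\[UFW BLOCK\]/ {
            src = ""; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            if (src != "") hits[src " " proto "/" dpt]++
        }
        END { for (k in hits) if (hits[k] >= min) print hits[k], k }
    ' | sort -rn
}

# Examples: the scanner hitting 22/tcp twice sorts to the top.
# sample_ufw_log | ufw_block_summary
# ufw_log_lines | ufw_block_summary 10    # real logs, repeat offenders only
```

The MIN_HITS threshold is the knob that separates background noise (a single stray probe) from something worth a deny rule or an abuse report; on an Internet-facing host start around 10 and tune from there.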

To display the listening rules (ports that are actively listening for connections), use the following command:

sudo ufw show listening

To list the rules added from the command line, printed as the ufw commands that created them, use the following command:

sudo ufw show added

Step 8 – Configure IP Masquerading with UFW Firewall

IP masquerading (source NAT) lets one computer act as the IP gateway for a network: packets from the internal subnet leave through the gateway's external interface with the gateway's address as source, and the replies are translated back to the internal host.

To enable IP masquerading with UFW, follow these steps:

First, open the /etc/default/ufw file:

sudo vi /etc/default/ufw

In the file, change the following line:

DEFAULT_FORWARD_POLICY="DROP"

to:

DEFAULT_FORWARD_POLICY="ACCEPT"

Be aware of what this does: ACCEPT forwards any traffic between any interfaces, not just your internal subnet. The explicit route rule added at the end of this step is what actually permits the traffic you want, so the least-privilege choice is to leave the policy at DROP and rely on route rules alone; ACCEPT is the simpler, more permissive variant. Save and close the file.

Next, open the /etc/ufw/sysctl.conf file:

sudo vi /etc/ufw/sysctl.conf

Uncomment the following line by removing the # at the beginning (note the slash notation, which is how this particular file spells sysctl keys):

#net/ipv4/ip_forward=1

so that it reads:

net/ipv4/ip_forward=1

Save and close the file.

UFW applies /etc/ufw/sysctl.conf itself whenever it starts or reloads; sysctl -p would only read /etc/sysctl.conf and do nothing for this file. Reload UFW to turn forwarding on:

sudo ufw reload

Open the /etc/ufw/before.rules file:

sudo vi /etc/ufw/before.rules

Add the following block at the top of the file, above the *filter line. Each table in this file ends with its own COMMIT, which is why the block brings one along; do not place it inside the existing *filter section or in front of that section's COMMIT, or the file will fail to load and UFW will refuse to reload:

# NAT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o wg0 -j MASQUERADE
COMMIT

Replace 10.0.0.0/24 with your internal network's subnet and wg0 with the interface the translated traffic leaves through (the example uses a WireGuard interface as the egress; on an Internet gateway it would be the public-facing NIC). Save and close the file.

Allow traffic forwarding:

sudo ufw route allow in on eth0 out on wg0 from 10.0.0.0/24

Replace eth0 with your internal interface, wg0 with your external interface, and 10.0.0.0/24 with your internal network’s subnet.

Reload the firewall to apply the changes:

sudo ufw reload
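Editing three files by hand is easy to get wrong, and a stray *nat block inside the *filter section stops UFW from reloading at all. The script below is an added example, not part of the original guide, that applies the same configuration idempotently, with two deliberate differences from the manual steps: it leaves DEFAULT_FORWARD_POLICY at DROP and relies on the explicit route rule (the least-privilege variant), and it inserts the NAT block above *filter so each table keeps its own COMMIT. The ROOT argument is an assumption for testing (pass / on a real host, or a scratch directory containing copies of the files); the subnet and interface names are yours, and UFW_DRY_RUN=1 prints the ufw commands instead of running them.

```bash
#!/bin/sh
# Added example (not from the original guide): idempotent UFW masquerading set-up.
#   ufw_nat_configure ROOT LAN_CIDR LAN_IF WAN_IF
# ROOT is a prefix for the config files ("/" on the real host, or a scratch
# directory holding copies for a rehearsal). With UFW_DRY_RUN=1 the ufw
# commands are printed instead of executed.

run() {
    if [ "${UFW_DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# rewrite_with_awk FILE PROGRAM [-v var=value ...] : rewrite FILE in place
# with PROGRAM's output. Writing through `cat >` keeps FILE's owner and mode
# (before.rules is root:root 0640; `mv`-ing a temp file over it would not).
rewrite_with_awk() {
    file="$1"; prog="$2"; shift 2
    tmp="$file.tmp.$$"
    awk "$@" "$prog" "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# enable_ip_forward FILE : uncomment (or append) net/ipv4/ip_forward=1.
# Slash notation is how /etc/ufw/sysctl.conf spells keys; ufw applies this
# file itself on start and reload (sysctl -p does not read it).
enable_ip_forward() {
    file="$1"
    grep -q '^net/ipv4/ip_forward=1' "$file" && return 0
    if grep -q '^#net/ipv4/ip_forward=1' "$file"; then
        rewrite_with_awk "$file" '/^#net\/ipv4\/ip_forward=1/ { sub(/^#/, "") } { print }'
    else
        printf 'net/ipv4/ip_forward=1\n' >> "$file"
    fi
}

# insert_nat_block FILE LAN_CIDR WAN_IF : add a *nat table above *filter.
# Every table needs its own COMMIT; a *nat block inside the *filter section
# makes iptables-restore reject the file and ufw fail to reload.
insert_nat_block() {
    file="$1"; lan="$2"; wan="$3"
    grep -q '^# BEGIN ufw-nat-example' "$file" && return 0   # already present
    if ! grep -q '^\*filter' "$file"; then
        echo "insert_nat_block: no *filter section in $file" >&2
        return 1
    fi
    rewrite_with_awk "$file" '
        !done && /^\*filter/ {
            print "# BEGIN ufw-nat-example (masquerade " lan " out of " wan ")"
            print "*nat"
            print ":POSTROUTING ACCEPT [0:0]"
            print "-A POSTROUTING -s " lan " -o " wan " -j MASQUERADE"
            print "COMMIT"
            print "# END ufw-nat-example"
            print ""
            done = 1
        }
        { print }' -v lan="$lan" -v wan="$wan"
}

# ufw_nat_configure ROOT LAN_CIDR LAN_IF WAN_IF
ufw_nat_configure() {
    root="${1%/}"; lan="$2"; lan_if="$3"; wan_if="$4"
    enable_ip_forward "$root/etc/ufw/sysctl.conf" || return 1
    insert_nat_block "$root/etc/ufw/before.rules" "$lan" "$wan_if" || return 1
    # Explicit forward rule instead of DEFAULT_FORWARD_POLICY="ACCEPT": only
    # LAN_CIDR, entering on LAN_IF and leaving on WAN_IF, is forwarded.
    run sudo ufw route allow in on "$lan_if" out on "$wan_if" from "$lan"
    # reload re-applies /etc/ufw/sysctl.conf and before.rules
    run sudo ufw reload
}
```

Rehearse it against a copy first (ROOT pointing at a directory holding copies of /etc/ufw/sysctl.conf and /etc/ufw/before.rules, with UFW_DRY_RUN=1), diff the results against the originals, then run it with ROOT=/ on the gateway.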

Conclusion

You have now configured a firewall with UFW on Debian 12 Bookworm: allowing and denying incoming connections and ports, the most useful day-to-day UFW commands, and IP masquerading. UFW simplifies firewall management, enabling you to secure your server with ease.


Alternative Solutions for Firewall Management on Debian 12 Bookworm

While UFW is an excellent and user-friendly tool, other approaches to firewall management on Debian 12 Bookworm can offer different advantages in terms of flexibility, granularity, and performance. Here are two alternative solutions:

1. Direct Iptables Configuration

iptables is the classic interface to the kernel's netfilter packet filter, and it is what UFW drives underneath. On Debian 12 the iptables command is the nftables-based iptables-nft, so rules written either way end up in the same kernel backend. Configuring iptables directly gives you the most control over your rules. This approach is more complex, but it allows for highly customised configurations that go beyond what UFW offers. Do not do it while UFW is active: both manage the same chains, and UFW rewrites them on every reload.

Explanation:

Iptables uses a series of tables, chains, and rules to filter network traffic. Tables organize the rules based on their function (e.g., filter for general filtering, nat for network address translation). Chains are sequences of rules within a table that are processed in order. Rules specify the criteria for matching traffic and the action to take when a match is found.

Code Example:

Here's an example of a minimal inbound policy that allows SSH (port 22) using iptables directly. The order matters: the ACCEPT rules go in before the INPUT policy is flipped to DROP, otherwise an SSH session would be cut off part-way through.

# Keep replies to connections this host started, and loopback traffic
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow incoming SSH traffic
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Only now make DROP the default for everything else inbound
sudo iptables -P INPUT DROP

# Save the rules so they are restored at boot (Debian: iptables-persistent)
sudo apt install iptables-persistent
sudo netfilter-persistent save

Explanation of the commands:

  • sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT: appends (-A) a rule to the INPUT chain of the filter table (the default table) that accepts packets belonging to connections the kernel is already tracking, so replies to outbound traffic keep flowing once the policy is DROP.
  • sudo iptables -A INPUT -i lo -j ACCEPT: accepts traffic on the loopback interface, which local services rely on.
  • sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT: for TCP traffic (-p tcp) destined for port 22 (--dport 22), the action is ACCEPT (allow the traffic).
  • sudo iptables -P INPUT DROP: sets the chain policy, the action taken when no rule matched. With the OUTPUT policy left at ACCEPT, no separate rule for SSH replies is needed.
  • sudo apt install iptables-persistent: installs the package that restores saved rules at boot (its installer offers to save the current rules straight away).
  • sudo netfilter-persistent save: writes the current rules to /etc/iptables/rules.v4 (and rules.v6) so they are loaded on the next boot.

These commands only touch IPv4; repeat them with ip6tables for IPv6, or the host stays open on its IPv6 address.

Advantages:

  • Granular control: You can create highly specific rules to match very specific traffic patterns.
  • Flexibility: Iptables supports a wide range of matching criteria and actions, allowing you to implement complex firewall policies.

Disadvantages:

  • Complexity: Requires a deeper understanding of networking and iptables syntax.
  • Error-prone: Mistakes in iptables rules can lead to unintended consequences, such as blocking all network traffic.

2. nftables

nftables is the successor to iptables and has been the default packet-filtering framework on Debian since Debian 10. It aims to improve upon iptables by providing a more modern, flexible, and efficient firewall system.

Explanation:

nftables uses a simpler and more consistent syntax than iptables. It also supports more advanced features, such as sets and maps, which can be used to create more efficient and scalable firewall rules.

Code Example:

Here's an example of the same policy with nftables. On Debian the nftables service loads /etc/nftables.conf at boot, so the idiomatic way is to write the ruleset to that file and load it atomically with nft -f, rather than issuing nft add commands one by one. That also avoids two pitfalls of the command-by-command approach: creating an input chain with policy drop before the SSH rule exists locks you out, and the braces and semicolons in chain definitions must be quoted from the shell. Disable UFW first, as it would otherwise keep its own tables alongside yours.

# /etc/nftables.conf is what the nftables service loads at boot on Debian
sudo tee /etc/nftables.conf >/dev/null <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 accept
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output { type filter hook output priority 0; policy accept; }
}
EOF

# Check the syntax without loading, then load the whole ruleset atomically
sudo nft -c -f /etc/nftables.conf
sudo nft -f /etc/nftables.conf

# Start the nftables service now and at every boot
sudo systemctl enable --now nftables

Explanation of the ruleset and commands:

  • flush ruleset: starts from an empty ruleset, so loading the file again replaces rather than duplicates the rules.
  • table inet filter: the inet family handles IPv4 and IPv6 in one table, where iptables needs a second set of commands for IPv6.
  • chain input { type filter hook input priority 0; policy drop; }: a base chain attached to the input hook with a default action of drop. Because the file is loaded in one transaction, the drop policy and the accept rules take effect together, so the SSH session survives.
  • ct state established,related accept, iif "lo" accept, tcp dport 22 accept: the same three allowances as the iptables version: tracked connections, loopback, and TCP to port 22 (SSH).
  • chain forward / chain output: nothing is forwarded; outbound traffic is allowed.
  • sudo nft -c -f /etc/nftables.conf: parses and checks the file without loading it, so a typo is caught before it can take the firewall down. sudo nft -f loads it for real.
  • sudo systemctl enable --now nftables: starts the service immediately and ensures the file is loaded at boot.

Advantages:

  • Simpler syntax: nftables is generally considered easier to learn and use than iptables.
  • Improved performance: nftables can be more efficient than iptables, especially for complex rule sets.
  • Advanced features: nftables supports features like sets and maps, which can simplify rule management.

Disadvantages:

  • Fewer legacy resources: most older tutorials and scripts are written for iptables, so there is less nftables material to copy from, even though nftables has been Debian's default for several releases.
  • Potential compatibility issues: some tools (Docker and fail2ban, for example) still emit iptables rules. On Debian 12 those go through iptables-nft into the same nftables backend, but mixing hand-written nft tables with tool-managed iptables chains makes the effective policy harder to read and audit.

Choosing between UFW, direct iptables configuration, and nftables depends on your specific needs and technical expertise. UFW is great for simple setups, while iptables and nftables offer more flexibility and control for complex scenarios.