UFW is the default firewall configuration tool for Ubuntu. It was developed to ease iptables configuration. By default ufw is disabled, so the first thing we need to do is enable it:

$ sudo ufw enable
Then we can start adding rules and opening ports:
# SSH
$ sudo ufw allow 22

# HTTP
$ sudo ufw allow 80
Similarly, to close an open port:
$ sudo ufw deny 22

# To remove a rule just use delete followed by the rule
$ sudo ufw delete deny 22
After opening some ports and adding rules we can check ufw's status:
$ sudo ufw status

More details: Ubuntu Server Guide

The purpose of this post is to configure UFW to prevent flood traffic or DoS attacks. The easiest way to configure our firewall is to edit the rules file with a text editor:

sudo vim /etc/ufw/before.rules
Then add the following chain declarations right after the *filter line at the beginning of the file:
:ufw-http - [0:0]
:ufw-http-logdrop - [0:0]

Example:
*filter
:ufw-http - [0:0]
:ufw-http-logdrop - [0:0]

:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
Then add these lines just before the COMMIT line at the end of the file:
### start ###
# Enter rule
-A ufw-before-input -p tcp --dport 80 -j ufw-http
-A ufw-before-input -p tcp --dport 443 -j ufw-http

# Limit connections per Class C
-A ufw-http -p tcp --syn -m connlimit --connlimit-above 50 --connlimit-mask 24 -j ufw-http-logdrop

# Limit connections per IP
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --set
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --update --seconds 10 --hitcount 20 -j ufw-http-logdrop

# Limit packets per IP
-A ufw-http -m recent --name pack_per_ip --set
-A ufw-http -m recent --name pack_per_ip --update --seconds 1 --hitcount 20 -j ufw-http-logdrop

# Finally accept
-A ufw-http -j ACCEPT

# Log
-A ufw-http-logdrop -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW HTTP DROP] "
-A ufw-http-logdrop -j DROP
### end ###
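Editing before.rules by hand works, but it is easy to paste the chains in the wrong place or to paste them twice. The following POSIX sh script is an added example (not part of the original post) that inserts the chain declarations after *filter and the rule block before COMMIT with awk, refuses to apply them a second time, and checks that the ordering iptables-restore needs (chain declared before it is referenced, everything before COMMIT) holds. It operates on whatever path it is given; the sample file at the bottom is a constructed stand-in for the real Ubuntu before.rules, so try it on a copy before pointing it at /etc/ufw/before.rules as root.

```shell
#!/bin/sh
# Added example, not from the original post: insert the post's anti-flood
# chains and rules into a before.rules file with awk instead of by hand.

# Chain declarations; they must appear after the "*filter" line.
UFW_HTTP_CHAINS=':ufw-http - [0:0]
:ufw-http-logdrop - [0:0]'

# Rules from the post; they must appear before the table's COMMIT line.
UFW_HTTP_RULES='### start ###
-A ufw-before-input -p tcp --dport 80 -j ufw-http
-A ufw-before-input -p tcp --dport 443 -j ufw-http
-A ufw-http -p tcp --syn -m connlimit --connlimit-above 50 --connlimit-mask 24 -j ufw-http-logdrop
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --set
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --update --seconds 10 --hitcount 20 -j ufw-http-logdrop
-A ufw-http -m recent --name pack_per_ip --set
-A ufw-http -m recent --name pack_per_ip --update --seconds 1 --hitcount 20 -j ufw-http-logdrop
-A ufw-http -j ACCEPT
-A ufw-http-logdrop -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW HTTP DROP] "
-A ufw-http-logdrop -j DROP
### end ###'

# add_http_flood_rules FILE
# Adds the chains after the first "*filter" and the rules before the first
# COMMIT that follows it. Safe to re-run: the "### start ###" marker acts
# as an "already patched" flag.
add_http_flood_rules() {
    file=$1
    if grep -q '^### start ###$' "$file"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    awk -v chains="$UFW_HTTP_CHAINS" -v rules="$UFW_HTTP_RULES" '
        $0 == "COMMIT" && in_filter && !done_rules { print rules; done_rules = 1 }
        { print }
        $0 == "*filter" && !in_filter { print chains; in_filter = 1 }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # cat rather than mv so the file keeps its owner and mode
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# verify_http_flood_rules FILE
# Returns 0 when the chain declaration precedes the first jump into it and
# that jump precedes COMMIT, which is the ordering iptables-restore needs.
verify_http_flood_rules() {
    file=$1
    chain=$(grep -n '^:ufw-http - \[0:0\]$' "$file" | head -n 1 | cut -d: -f1)
    jump=$(grep -n '^-A ufw-before-input -p tcp --dport 80 -j ufw-http$' "$file" | head -n 1 | cut -d: -f1)
    commit=$(grep -n '^COMMIT$' "$file" | head -n 1 | cut -d: -f1)
    [ -n "$chain" ] && [ -n "$jump" ] && [ -n "$commit" ] \
        && [ "$chain" -lt "$jump" ] && [ "$jump" -lt "$commit" ]
}

# Constructed minimal before.rules (not the real Ubuntu file) used to
# demonstrate the functions; replace with a copy of /etc/ufw/before.rules.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
EOF

add_http_flood_rules "$SAMPLE_RULES"
add_http_flood_rules "$SAMPLE_RULES"   # second run must not duplicate anything
verify_http_flood_rules "$SAMPLE_RULES" && echo "before.rules patched correctly"
```

The file is rewritten with cat rather than mv so that the root-owned, mode 0640 before.rules keeps its ownership and permissions; ufw refuses to load a rules file that other users can write.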

With the above rules we limit each source IP to 20 new connections per 10 seconds and to 20 packets per second on ports 80 and 443, and each /24 (Class C) block to 50 concurrent connections; anything over a limit is logged with the [UFW HTTP DROP] prefix (at most 3 lines per minute) and dropped. Note that the packet rule has no --state NEW match, so it counts every inbound packet to those ports, including packets of established connections; a busy but legitimate client can hit it, so adjust the --hitcount values to your own traffic.

Finally we need to reload our firewall so the new rules take effect:

sudo ufw reload
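Once the rules are live, the ufw-http-logdrop chain writes "[UFW HTTP DROP]" lines to the kernel log, which on Ubuntu rsyslog also routes to /var/log/ufw.log. The following POSIX sh function is an added example (not from the original post) that summarises those lines by source address and destination port so you can see which clients are hitting the limits. The log lines in the block are constructed samples in the layout the iptables LOG target emits, using RFC 5737 documentation addresses; the log file locations are assumptions about a standard Ubuntu install.

```shell
#!/bin/sh
# Added example, not from the original post: count "[UFW HTTP DROP]" log
# lines per source address and destination port.

# summarize_http_drops < LOGFILE
# Prints "count src dport", most frequent source first. Other UFW lines
# (for example the default "[UFW BLOCK]" entries) are ignored.
summarize_http_drops() {
    grep -F '[UFW HTTP DROP]' | awk '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample log lines (not captured from a real host). The MAC
# and timestamps are made up; addresses are RFC 5737 documentation ranges.
LOG_SAMPLE='Mar  1 10:00:01 web kernel: [1234.5678] [UFW HTTP DROP] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  1 10:00:02 web kernel: [1235.1111] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.99 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 10:00:02 web kernel: [1235.4321] [UFW HTTP DROP] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  1 10:00:05 web kernel: [1238.0001] [UFW HTTP DROP] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.77 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=60001 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  1 10:00:06 web kernel: [1239.2222] [UFW HTTP DROP] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51236 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0'

# Run against the constructed sample; on a live host use
#   summarize_http_drops < /var/log/ufw.log
# or
#   journalctl -k | summarize_http_drops
printf '%s\n' "$LOG_SAMPLE" | summarize_http_drops
```

Because the LOG rule is itself rate-limited (3 lines per minute after a burst of 10), these counts are a lower bound: they tell you who is tripping the limits, not how many packets were actually dropped.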