Ubuntu – Configure UFW to allow only established and related connections (on IPv4)

firewall, iptables, networking, ufw

I want to configure ufw to deny everything except the related and established connections. On iptables I usually did :

  # Default policies: drop anything on INPUT/FORWARD that no rule accepts, allow all OUTPUT
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
  # -m state is the older spelling of -m conntrack --ctstate
  iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

I read that the following ufw configuration is closely related:

 # defaults: deny inbound and routed (forwarded) traffic, allow outbound
 ufw default deny incoming
 ufw default deny routed
 ufw default allow outgoing
 # open specific inbound ports
 ufw allow 443/tcp
 ufw allow 53/tcp
 ................

The problem is, with that ufw configuration I'm allowing ALL the incoming traffic on those ports. With iptables, only the established connections were allowed.
How can I configure the same rules in ufw?

Best Answer

Looks like you don't need to do anything to allow RELATED/ESTABLISHED Connections.

In the UFW version I'm looking at (0.36, on Ubuntu Core 16.04), the rules to allow RELATED/ESTABLISHED connections are there by default.

Crack open before.rules and you'll see the job has been done for you:

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
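Added example, not part of the question or the answer above: a small POSIX shell check that confirms, from an `iptables -S` dump, that the before.rules stateful accept entries the answer points to are actually loaded in the ufw-before-input/output/forward chains, and that the INPUT and FORWARD policies are DROP, which is what `ufw default deny incoming` and `ufw default deny routed` set. The function names and the sample dump are constructed for this example; run as root on a host with iptables, it also inspects the live ruleset.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies that a ufw ruleset
# carries the conntrack RELATED,ESTABLISHED accept rules from before.rules
# and deny-by-default policies, by inspecting "iptables -S" output on stdin.

# Return 0 if the dump contains the stateful accept rule in chain $1
# (e.g. ufw-before-input). stdin = output of `iptables -S`.
has_established_accept() {
    grep -q -- "^-A $1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT$"
}

# Return 0 if all three before-chains have the stateful accept rule and the
# INPUT and FORWARD policies are DROP (set by "ufw default deny incoming"
# and "ufw default deny routed"). stdin = output of `iptables -S`.
ufw_stateful_ok() {
    dump=$(cat)
    for chain in ufw-before-input ufw-before-output ufw-before-forward; do
        printf '%s\n' "$dump" | has_established_accept "$chain" || return 1
    done
    printf '%s\n' "$dump" | grep -q '^-P INPUT DROP$' || return 1
    printf '%s\n' "$dump" | grep -q '^-P FORWARD DROP$' || return 1
    return 0
}

# Constructed sample resembling `iptables -S` on a host where ufw is enabled
# with deny incoming / deny routed / allow outgoing (trimmed to the relevant lines).
SAMPLE_OK='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -j ufw-before-input
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Constructed broken variant: someone edited the forward rule out of before.rules.
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_OK" | grep -v 'ufw-before-forward')

# On a real host, check the live ruleset (needs root and iptables).
if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    if iptables -S 2>/dev/null | ufw_stateful_ok; then
        echo "live ruleset: stateful accept rules and deny-by-default policies present"
    else
        echo "live ruleset: stateful accept rule or DROP policy missing"
    fi
fi
```

With those rules in place, replies to outbound connections are accepted without any `ufw allow` line; `ufw allow 443/tcp` is only needed if this host itself serves something on 443, and it does, as the question notes, admit new inbound connections on that port.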