Enable UFW on Debian/Ubuntu and Allow only port 22

Exported on 28-Sep-2021 11:58:51

Using Attune to install and configure UFW on Debian / Ubuntu

This blueprint is used to install and configure UFW firewall on a host.

UFW (Uncomplicated Firewall) is a front-end to IPTables that is meant to simplify the process of configuring a firewall. Its aim is to offer a straightforward command-line interface to the very powerful, but not exactly easy to configure, IPTables.

This has been tested on Debian 11.0.0 / Ubuntu 20.04.2 LTS.

Known issues
  1. In cases when Debian 11.0 is installed from a DVD, it happens that /etc/apt/sources.list mainly references the DVD source (maybe because we chose not to update packages from the network in the Debian installer). In this case, even after running 'apt update', 'apt install ufw' still fails with "Package 'ufw' has no installation candidate". So we need to upload a more suitable sources.list (the content depends on where you live; the official sources may be too slow for you).
Pre-Blueprint Attune setup
  1. On the Inputs tab, create a Linux node for the host on which you wish to configure UFW.
  2. On the Inputs tab, create a Linux credential to connect to the host on which you wish to configure UFW (it needs "Sudo To root" set).
Blueprint Steps
  1. Deploy the Debian sources.list file to a temporary directory.
  2. Copy the sources.list from the temp dir to /etc/apt/
  3. Download package information from all configured sources.
  4. Install the UFW package.
  5. Configure UFW (deny incoming, allow outgoing, allow port 22).
  6. Enable UFW.

Parameters

Name         Type                  Script Reference   Default Value   Comment
Linux Node   Linux / Unix Server   linuxNode
Linux User   Linux OS Credential   linuxUser

1 - CU Push sources.list File

Deploy the Debian sources.list file to a temporary directory.

The connection details have changed from the last step.

Login as user on node

Connect via SSH
ssh user@hostname
Deploy archive Debian 11.0 Apt Sources(Aliyun Mirror) File - sources.list.zip to remote path /tmp/
  1. Locate the Files archive "Debian 11.0 Apt Sources(Aliyun Mirror) File - sources.list.zip"; this can be downloaded from Attune.
  2. Copy the Files archive to the server
  3. Extract the root of the Files archive to /tmp/
  4. Check that the files are in the correct location

2 - CU Overwrite sources.list

Determine the distro; if it is Debian 11.0, copy the sources.list from the temp dir to /etc/apt/, otherwise do nothing. Sudo to root is needed for the credential.

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
# check if it's Debian 11.0 (codename "bullseye"); lsb_release comes from the lsb-release package
if lsb_release -d | grep bullseye >/dev/null 2>&1; then
    # make a backup of the current sources.list before overwriting it
    cp -f /etc/apt/sources.list{,.backup}
    # install the sources.list deployed to /tmp in the previous step
    cp -f /tmp/sources.list /etc/apt/
fi

3 - CU Apt Update

Download package information from all configured sources. Sudo to root is needed for the credential.

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
apt update

4 - CU Install UFW

Install the UFW package. Sudo to root is needed for the credential.

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
apt install -y ufw

5 - CU Configure UFW

Make the initial configuration of UFW. Sudo to root is needed for the credential.

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
# only allow SSH (port 22) for incoming traffic; everything else inbound is denied by default
ufw default deny incoming
ufw default allow outgoing
ufw allow 22

6 - CU Enable UFW

After installation, UFW remains inactive, so we need to enable it. Enabling UFW reloads the firewall and makes it start on boot. Sudo to root is needed for the credential.

Login as user on node

Connect via SSH
ssh user@hostname
This is a Bash script; make sure you run it with bash -l from a terminal session.
echo 'y' | ufw enable
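A post-run check, added here as an example and not part of the Attune blueprint: before closing the SSH session, confirm that the policy produced by steps 5 and 6 is what you expect (ufw active, default deny incoming / allow outgoing, and the port sshd actually listens on allowed inbound), since a default-deny firewall enabled without the SSH rule would drop the next connection. The function name, the optional port argument and the sample outputs are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not part of the Attune blueprint.
# check_ufw_policy reads "ufw status verbose" output on stdin and takes the
# port sshd listens on as $1 (default 22). Exit status 0 means the policy
# matches steps 5 and 6; 1 means something is wrong (reason goes to stderr).

check_ufw_policy() {
    local ssh_port="${1:-22}" status
    status=$(cat)

    # Step 6 must have run: an inactive ufw filters nothing at all
    if ! printf '%s\n' "$status" | grep -q '^Status: active'; then
        echo "ufw is not active" >&2; return 1
    fi
    # Step 5 defaults: deny incoming, allow outgoing (parentheses are literal in BRE)
    if ! printf '%s\n' "$status" | grep -q '^Default: deny (incoming), allow (outgoing)'; then
        echo "default policy is not deny incoming / allow outgoing" >&2; return 1
    fi
    # The SSH port must be allowed inbound, otherwise the next reconnect is dropped
    if ! printf '%s\n' "$status" | grep -Eq "^${ssh_port}(/tcp)?[[:space:]]+ALLOW IN"; then
        echo "port ${ssh_port} is not allowed inbound" >&2; return 1
    fi
    return 0
}

# Constructed sample of "ufw status verbose" after steps 5 and 6 have run
SAMPLE_GOOD='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)'

# Constructed sample from a host where step 6 was never run
SAMPLE_INACTIVE='Status: inactive'

# Constructed sample where the defaults were set but "ufw allow 22" was forgotten
SAMPLE_NO_SSH='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

# On a real host (as root), passing the port sshd really uses:
#   ufw status verbose | check_ufw_policy "$(sshd -T 2>/dev/null | awk '/^port /{print $2; exit}')"
```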