Do I need a Firewall in Linux?


What is a firewall? Do you need a firewall in Linux? How do you set up and configure a firewall in Linux? All these questions are answered in this post.

What is a firewall in Linux?

A firewall is a set of software filters that controls incoming and outgoing traffic on your computer. In simple words, it is a sort of wall between your computer and the outside world.

Do you need a firewall in Linux?

Many new users ask me this question almost every day. The short answer: you do not strictly need it, but it is better to have one. Let me explain why.

Almost all Linux distributions come without a firewall by default. To be more precise, they come with an inactive firewall: the Linux kernel has a built-in firewall, so technically every Linux distro has one, but it is not configured or activated. I believe this is because using a firewall requires some expertise.

But don’t worry, your Linux is still secure even without an active firewall. By default, most distributions such as Ubuntu and Linux Mint have no open ports, so your computer cannot be accessed by intruders from the network.

Nevertheless, I recommend activating a firewall. It is better to be safe than sorry. A firewall does not use many resources, but it adds an extra layer of security. An inexperienced user can accidentally open some ports without knowing it, for example by installing samba, ssh, or apache. In this case, the firewall will still protect the system from outside access.

How to set up a firewall in Linux?

There are several programs you can use to configure and run a firewall in Linux, but I will show you only the two that I believe are the most worthwhile.

  • UFW – probably the most user-friendly firewall available in Linux. If you are a complete newbie, or you just want to use your Linux without going too deep into its settings, use UFW.
  • iptables – more advanced, but probably the proper way to configure the Linux firewall. If you really want to learn Linux and you aim to become a Linux expert, you need to learn iptables.

UFW - the uncomplicated firewall

As I said above, UFW is the simplest and most user-friendly way to get a firewall running in Linux. It can be used with a graphical front end as well as from the command line only. In the first case, you need to install the program GUFW from your software manager. In the latter case, install only UFW, that is, without the G and thus without the GUI.

GUFW

So, let’s start with the graphical interface. Simply install GUFW, open it, and enable it.

Screenshot: GUFW - the uncomplicated firewall with GUI

That’s it. Your firewall is active, and the default settings (deny incoming, allow outgoing connections) are fine for most users. No one will be able to connect to your computer, while any application on your computer will still be able to reach the outside world.

If you need to open some ports to be able to connect to your computer from the outside, go to the Rules tab and open ports for a specific application.

Screenshot: How to open ports in GUFW

For example, if you need to access your computer remotely through ssh, select ssh in the Application option. You can also define the firewall rules for an application in this window. If you are unsure, keep the default settings. Just make sure your ssh is secured at least with a password.

Screenshot: GUFW - open the ssh port

UFW

GUFW is a very simple and effective firewall application. However, it may not always work well in some distros. For example, I encountered problems with GUFW in Manjaro. So, if you are not afraid of the command line, I recommend the command-line UFW. It is just as simple, and it has never failed in any Linux distro I tried.

Install UFW from the terminal or the software manager. In Debian or Debian-based distros such as Ubuntu, Linux Mint, elementary, etc., run this command to install it:

sudo apt install ufw

To activate the UFW firewall, run:

sudo ufw enable

Next, check its status:

sudo ufw status verbose
Screenshot: UFW is activated with the default settings

By default, it has the same rules: deny incoming and allow outgoing.

If you need to open some ports, you just need to run one command. For example, to open the ssh port, run:

sudo ufw allow ssh

If you check the status again:

Screenshot: UFW - the ssh port is open

You will see that the ssh port 22 is open.

You can read more about the settings of UFW in its man page; simply run man ufw.

I believe 99% of users will be happy using GUFW or UFW, because this uncomplicated firewall provides a reliable security layer with easy configuration. However, if you want some hardcore Linux experience, you need to try configuring iptables.

Iptables - advanced Linux firewall

Iptables is aimed more at server use, where one needs to configure complicated network routing. For a regular desktop user, the iptables firewall is not easy to understand. Honestly, I have tried to use iptables many times on my system, and I always came back to UFW. You need to read a lot to understand how iptables works and how to configure it for your needs. For example, this is the iptables process flow.

Figure: Iptables flowchart (created by Phil Hagen)

Quite complicated, isn’t it?

Without going too deep into this chart, I will just say that for beginners it is important to know that the INPUT chain of the filter table controls incoming connections; this is where you mostly deny connections. The OUTPUT chain controls outgoing connections; it is used to access the internet, so you mostly keep it open. There is also a FORWARD chain, but unless you are doing some kind of routing or something else on your system that requires forwarding, you will not even use this chain.

But I will keep things simple for iptables too, and I will show you only the Simple stateful firewall configuration I learned from the Arch Linux wiki. I believe it is a good start for learning iptables.

First, create the necessary chains:

sudo iptables -N TCP
sudo iptables -N UDP

Next, if you use Arch Linux, enable iptables in systemd so that it starts automatically with your system:

sudo systemctl enable iptables.service

Next, according to the Arch wiki, you need to add these rules:

iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP
iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
iptables -D INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable

To help you a bit, I have copied all these commands into a shell script, iptables_ArchLinux.sh. So you only need to download it, extract it, and make it executable:

wget http://averagelinuxuser.com/wp-content/uploads/2019/02/iptables_ArchLinux.zip
unzip iptables_ArchLinux.zip
chmod +x iptables_ArchLinux.sh

Finally, run it to apply all the rules of a simple stateful firewall:

sudo ./iptables_ArchLinux.sh

After the script is executed, a Simple stateful firewall is configured. Again, I recommend going to the Arch Linux wiki page and reading more about it there.
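As an added example that is not part of the article or the Arch wiki, here is the same ruleset written as one iptables-restore file, generated by a small shell function so that the final rule order is stated explicitly; the ssf_* function names and the optional TCP port arguments are this example's own.

```shell
#!/bin/sh
# Added example, not from the article or the Arch wiki: the same simple
# stateful firewall as one iptables-restore ruleset. The ssf_* names and the
# optional TCP port arguments are this example's own.
# Usage: ssf_rules 22 > /etc/iptables/iptables.rules   (22 = open ssh)
ssf_rules() {
  cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Anti-spoofing: drop packets whose source is not routable back via the arrival interface
-A PREROUTING -m rpfilter --invert -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# The per-protocol rejects must sit ABOVE the catch-all. Typed one by one in
# the article's order, the -D/-A steps re-append them BELOW it, so they never match.
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
# A source that hit a closed port in the last 60 s is refused even on open ports
-A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
-A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
EOF
  # Services you open go into the TCP chain, after the port-scan check
  for p in "$@"; do
    printf '%s\n' "-A TCP -p tcp --dport $p -j ACCEPT"
  done
  echo COMMIT
}

# Parse-check the ruleset, then load it atomically (needs root; non-zero on error)
ssf_apply() {
  ssf_rules "$@" | iptables-restore --test || return 1
  ssf_rules "$@" | iptables-restore
}
```

On Arch, iptables.service loads /etc/iptables/iptables.rules with iptables-restore, so a file in this format is what survives a reboot; rules typed one by one are lost unless saved there with iptables-save.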

Conclusion

If you have not used a firewall in your Linux, I recommend you start using one. You can at least install and configure the UFW firewall. And if you are serious about learning Linux, you can go with configuring iptables, but be ready to struggle with it sometimes :-)

If you like this article, you may also like a similar post about Linux swap.

Average Linux User
I am the founder of the Average Linux User project, which is a hobby I work on at night. During the day I am a scientist who uses computers to analyze genetic data.

Comments


John McLeod

Iptables changed, and the change is joining up with nf_tables. Let me assure you that iptables and iptables-nft are two different things. I, as a novice, deleted iptables and am going for nftables. It will spare you lots of hours on Google.


iamseeyou

Yes, but having a firewall or an antivirus makes their job much harder, making it more tiring and boring and making most common hackers quit. I will use a metaphor: it’s like robbing a bank. If it had no security at all, no guards, no cameras, no protected vaults, nothing, just the money hidden behind a wall, there would be lots and lots of robberies every day. But with all the security that there is, it gets much harder, to the point that a bank robbery is hardly ever done, and when it is done, half of the time it isn’t successful. A few robbers will still be able to rob it, but that’s far less than what it would be without any security.


Professor Moriarty

A Linux desktop needs a firewall. A Linux desktop is a very insecure system. Linux, as in the kernel firewall, performs a basic function, and that is all that is required of it. A Windows desktop user with a two-way firewall understands their system and what is going on far better than a Linux desktop user who has no knowledge of what is on the system and what data is leaving the system.

iamseeyou

“far better than a Linux desktop user who has no knowledge of what is on the system and what data is leaving the system.” I can assure you that, given the Linux user base, Linux desktop users know much more about their computers, systems, networks and cybersecurity than average Windows users, who are much more casual people.

I’m mostly sure that the number of non-tech-savvy people using Linux is as low as the number of tech-savvy people using Windows…



Average Linux User

There is a firewall (iptables) but it accepts all connections by default. To have protection, you need to configure it. I have checked it:

alu@ubuntu:~$ sudo iptables --list --verbose
Chain INPUT (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination         
alu@ubuntu:~$ 
