Only allow SSH connections from the private network with ufw
So you created a new VPS instance. It happens to be on the same VPC as some bastion server that you set up. This is great.
You may want to take full advantage of this fact by banning all packets except for TCP/80, TCP/443, and SSH connections from inside the VPC. Ubuntu has a firewall management tool called ufw, which serves as an abstraction over iptables.
In the case of DigitalOcean, all VPS instances have two networking interfaces: one for the publicly facing Internet, and the other for other machines inside the VPC.
You can see a list of all interfaces by invoking the
How do you know which of the interfaces is connected to the VPC? You can find that information in your VPS's dashboard, which shows you the public IP address (for the Internet) and the private IP address (for the VPC).
From that, you will be able to get the interface name (often called eth0, eth1, eth2, etc.). Jot down the name of the interface that is associated with the VPC.
From there, we now want to establish a firewall rule that allows SSH connections on that interface. To do that, invoke the following command:
ufw allow in on eth1 from any to any proto tcp port 22
Let's break it down.
- ufw: the program's name. All the space-delimited strings after it are the arguments that we pass in.
- allow: tells ufw that we want to add a new allow rule.
- in on eth1: states that our rule is exclusively for inbound packets that are meant for the eth1 interface.
- from any: states that we are allowing packets from any IP address (when filtering by interface, this is fine; if we can't filter by interface, then we should ideally replace any with either an IP address or an IP address range in CIDR subnet mask notation).
- to any: states that we are allowing the packets to go to any of the IP addresses assigned to the VPS. We could, if we wanted to, replace any with either an IP address or an IP address range in CIDR subnet mask notation.
- proto tcp: means that the allow rule is for TCP packets. And finally…
- port 22: indicates which port the packets are allowed to be sent to.
Depending on what you want to achieve with the VPS, and how the VPS was set up, you may also want to consider deleting some pre-existing rules.
To do that, you will first want to list all rules:
ufw status numbered
This prints every rule with its number; note the numbers of the rules that you want to delete.
To delete the rule, invoke the following command:
ufw delete $RULE_NUMBER
Here $RULE_NUMBER is the number of the rule that you want deleted.
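As an added example (not part of the original post), the script below emits the rule set described above and, from "ufw status numbered" output, picks out pre-existing rules that still allow SSH on every interface, which are the ones worth deleting. The VPC interface name eth1 is assumed, and the status output is constructed sample text modelled on ufw's format, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. "eth1" as the VPC interface is an
# assumption; SAMPLE_STATUS below is constructed text in ufw's output format.

# Emit the ufw commands for the setup the post describes: deny inbound by
# default, allow HTTP/HTTPS from anywhere, allow SSH only on the VPC interface.
ufw_plan() {
  vpc_if="$1"
  printf '%s\n' \
    "ufw default deny incoming" \
    "ufw default allow outgoing" \
    "ufw allow in proto tcp to any port 80" \
    "ufw allow in proto tcp to any port 443" \
    "ufw allow in on ${vpc_if} from any to any proto tcp port 22"
}

# Read `ufw status numbered` output on stdin; print the numbers of rules that
# allow inbound TCP/22 with no "on <interface>" restriction (public SSH).
find_unrestricted_ssh() {
  awk '
    /^\[ *[0-9]+]/ {
      num = $0;  sub(/^\[ */, "", num);  sub(/].*/, "", num)
      body = $0; sub(/^\[ *[0-9]+] */, "", body)
      if (body ~ /^22(\/tcp)? / && body !~ / on [a-z0-9]+ / && body ~ /ALLOW IN/)
        print num
    }'
}

# Turn rule numbers into delete commands, highest first: ufw renumbers the
# remaining rules after each delete, so deleting in ascending order would
# remove the wrong rules.
delete_commands() {
  sort -rn | while read -r n; do echo "ufw delete $n"; done
}

SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 22/tcp on eth1             ALLOW IN    Anywhere
[ 4] 443/tcp                    ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

if [ "${1:-}" = "--demo" ]; then
  ufw_plan eth1
  printf '%s\n' "$SAMPLE_STATUS" | find_unrestricted_ssh | delete_commands
fi
```

Run it with --demo to see the planned rules and the delete commands for rules 5 and 1; keep a session open through the bastion before actually removing the public SSH rule.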