Only allow SSH connection from private network on ufw


So you created a new VPS instance. It happens to be on the same VPC as some bastion server that you set up. This is great.

You may want to take full advantage of this fact, by banning all packets except for TCP/80, TCP/443, and SSH connections from inside the VPC. Ubuntu has a firewall management tool called ufw, which serves as an abstraction over iptables.

In the case of DigitalOcean, all VPS instances have two networking interfaces: one for the publicly facing Internet, and the other for other machines inside the VPC.

You can see a list of all interfaces by invoking the ifconfig command.

How do you know which of the interfaces is connected to the VPC? You can find that information from your VPS' dashboard, wherein they will show you the public IP address (for the Internet), and the private IP address (for the VPC).

So from that, you will be able to get the interface name (often called eth0, eth1, eth2, etc.). Jot down the name of the interface that is associated with the VPC.

And then, from there, we will now want to establish a firewall rule that will allow SSH connections to that interface. To do that, invoke the following commamd:

ufw allow in on eth1 from any to any proto tcp port 22

Let's break it down.

  • ufw is the ufw program's name. All the space-delimited strings after it are the arguments that we will be passing in
  • allow tells ufw that we want to add a new allow rule
  • in on eth1 states that our rule is exclusively for packets that are meant for the eth1 interface
  • from any states that we are allowing packets from any IP addresses (in the case of interface filtering, this rule is fine. But if we can't filter by interface, then we should ideally replace any with either an IP address, or an IP address range using the CIDR subnet mask notation)
  • to any states that we are allowing all packets to go to any of the IP addresses that is assigned to the VPS. We could, if we wanted to, replace any with a either an IP address, or an IP address range using the CIDR subnet mask notation
  • proto tcp means that the allow rule is for TCP packets. And finally‚Ķ
  • port 22 indicates what port are the packets allowed to be sent to

Depending on what you want to achieve with the VPS, and how the VPS was set up, you may also want to consider deleting some pre-existing rules.

To do that, you will first want to list all rules:

ufw status numbered

And you should see the list of rules that you want to delete.

To delete the rule, invoke the following command:

ufw delete $RULE_NUMBER

Where $RULE_NUMBER is the rule that you want deleted.

Edit this page
Want to make your own site like this? Try gatsby-theme-code-notes by Zander Martineau.
Notes on code. My second brain, by Sal Rahman.