uncomplicated firewall (ufw)

UFW Essentials: Common Firewall Rules and Commands

block IPs

# single IP (/32 = exactly one host)
ufw insert 1 deny from 192.168.111.123/32
# IP range: use the network address with the prefix length; /24 covers 192.168.111.0 - 192.168.111.255
ufw insert 1 deny from 192.168.111.0/24

→ you can use "ufw deny from ..." instead, but that appends the rule at the end of the list. Rules are evaluated from first to last and the first match wins, so if an allow rule that also matches the traffic sits above it, the deny rule never takes effect. "insert 1" puts the deny rule at the top, ahead of any allow.
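The ordering point above, as an added example that is not part of the original notes: a small POSIX shell simulation of ufw's first-match evaluation over a constructed rule list ("to action from" per line, in the order "ufw status" would show them). The rule lists, the port 22/tcp and the source addresses are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: simulate first-match evaluation over a constructed rule list to show
# why a deny appended with "ufw deny from" is shadowed by an earlier allow, while
# "ufw insert 1" is not. Rule lines are "<to> <action> <from>", constructed here.
RULES_APPENDED='22/tcp ALLOW Anywhere
Anywhere DENY 192.168.111.123/32'
RULES_INSERTED='Anywhere DENY 192.168.111.123/32
22/tcp ALLOW Anywhere'

# ip2int: dotted-quad IPv4 -> 32-bit integer
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR: succeeds if IP lies within CIDR. "Anywhere" matches everything,
# a bare address is treated as /32, and a host address with /24 is masked to its network.
in_cidr() {
  [ "$2" = Anywhere ] && return 0
  net=${2%/*}; bits=${2#*/}
  [ "$net" = "$2" ] && bits=32
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# first_match RULES PORT/PROTO SRC_IP: prints the action of the first matching rule,
# or the default policy when nothing matches (ufw's default for incoming is deny).
first_match() {
  fm_result=$(printf '%s\n' "$1" | while read -r to action from; do
    [ -z "$to" ] && continue
    if { [ "$to" = Anywhere ] || [ "$to" = "$2" ]; } && in_cidr "$3" "$from"; then
      echo "$action"
      break
    fi
  done)
  echo "${fm_result:-DENY (default policy)}"
}

echo "appended deny, SSH from 192.168.111.123: $(first_match "$RULES_APPENDED" 22/tcp 192.168.111.123)"
echo "inserted deny, SSH from 192.168.111.123: $(first_match "$RULES_INSERTED" 22/tcp 192.168.111.123)"
echo "inserted deny, SSH from 10.0.0.5:        $(first_match "$RULES_INSERTED" 22/tcp 10.0.0.5)"
```

The first line prints ALLOW even though a deny rule for that host exists, because the allow above it matches first; the second prints DENY.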

port forwarding

/etc/ufw/before.rules (add this block above the existing *filter section)
# port forwarding
*nat
:PREROUTING ACCEPT [0:0]
# flush the nat table so no duplicates are added on reload
# (note: this also removes any other nat rules, e.g. a MASQUERADE rule, so keep them all in this block)
-F
# redirect incoming UDP :3217 to wireguard listening on :5226
-A PREROUTING -p udp --dport 3217 -j REDIRECT --to-port 5226
COMMIT

after that, reload so the new nat section is read (ufw reload works too):

ufw disable && ufw enable

→ REDIRECT runs in PREROUTING, before the filter rules, so the filter chain sees the packet on port 5226, not 3217; the allow rule (ufw allow 5226/udp) has to open the wireguard port.

scripts

check if enabled or disabled in bash:

# ENABLED=yes/no in ufw.conf is what "ufw enable/disable" writes; -q suppresses output, -s hides a missing-file error (treated as disabled)
if grep -qs '^ENABLED=yes' /etc/ufw/ufw.conf; then echo "enabled"; else echo "disabled"; fi