Yes, UFW (Uncomplicated Firewall) can absolutely handle interface-based rules. This powerful feature is often overlooked but crucial for multi-homed servers. Let's break down how to implement interface-specific rules properly.
The core syntax for interface-specific rules follows this pattern:
sudo ufw allow in on <interface> to <address> port <port> proto <protocol>
For allowing all traffic on eth1 to port 80 (HTTP):
sudo ufw allow in on eth1 to any port 80 proto tcp
If you need to restrict to a specific IP range on that interface:
sudo ufw allow in on eth1 to 192.168.1.0/24 port 80 proto tcp
To check your existing rules with interface specifications:
sudo ufw status verbose
Sample output showing interface-specific rules:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp on eth1             ALLOW       Anywhere
For more complex setups like VLAN interfaces:
sudo ufw allow in on eth1.100 to any port 3306 proto tcp
Combining interface and direction:
sudo ufw route allow in on eth1 out on eth2
While UFW covers most cases, sometimes you need raw iptables. Here's the equivalent:
sudo iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
To make this persistent with UFW:
# Add to the *filter section of /etc/ufw/before.rules, before its COMMIT line
-A ufw-before-input -i eth1 -p tcp --dport 80 -j ACCEPT
Watch for these issues when working with interface rules:
- Interface names might change after reboot (use udev rules to persist names)
- Rules won't apply if the interface is down
- Virtual interfaces (like Docker bridges) need special consideration
UFW's interface capabilities are robust enough for most deployments. The syntax is cleaner than Shorewall for simple cases, though Shorewall might be better for extremely complex network topologies. Always test new firewall rules with ufw --dry-run before applying.
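An added audit helper (not part of the answer above): on a multi-homed host, any ALLOW rule that lacks an "on <iface>" qualifier is open on every interface, so this script scans "ufw status verbose" output and lists those rules. It assumes the column layout shown above; the sample block inside it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Audit helper: list rules from `ufw status verbose` output that are NOT bound
# to an interface, i.e. rules that accept traffic on every interface of a
# multi-homed host. Reads the status text on stdin so it can be run offline
# against saved output. Real use: sudo ufw status verbose | unbound_allow_rules

# Print one line per ALLOW rule that lacks an "on <iface>" qualifier.
unbound_allow_rules() {
    awk '
        # Skip the header block and the column separator line.
        /^(Status|Logging|Default|New profiles):/ { next }
        /^To +Action +From/ { next }
        /^-- +------ +----/ { next }
        NF == 0 { next }
        # Columns: "<port>/<proto> [on <iface>] [(v6)] <ACTION> [IN|OUT] <from>"
        {
            bound = 0
            for (i = 1; i <= NF; i++) if ($i == "on") bound = 1
            if (!bound && $0 ~ / ALLOW /) print $0
        }
    '
}

# Count unbound ALLOW rules; handy as an exit condition in a config check.
count_unbound_allow_rules() {
    unbound_allow_rules | wc -l | tr -d ' '
}

# Constructed sample output (not captured from a real host).
SAMPLE='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp on eth1             ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
3306/tcp on eth1.100       ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
80/tcp on eth1 (v6)        ALLOW IN    Anywhere (v6)
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Stand-alone demo against the constructed sample.
printf '%s\n' "$SAMPLE" | unbound_allow_rules
echo "unbound ALLOW rules: $(printf '%s\n' "$SAMPLE" | count_unbound_allow_rules)"
```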
Yes, UFW (Uncomplicated Firewall) can absolutely handle interface-specific rules. While simpler than Shorewall in many aspects, UFW provides sufficient granularity for most interface-based filtering needs through its underlying iptables/nftables framework.
The key syntax pattern for interface-specific rules follows this structure:
sudo ufw allow in on <interface> to any port <port>
For your specific case allowing HTTP on eth1:
sudo ufw allow in on eth1 to any port 80
After adding rules, verify with:
sudo ufw status numbered
To delete a specific rule (replace X with rule number):
sudo ufw delete X
You can combine interface rules with other conditions. Example allowing SSH only from eth0:
sudo ufw allow in on eth0 to any port 22
For outgoing traffic restriction on an interface:
sudo ufw reject out on eth1 to any port 53
While Shorewall offers more complex network zoning capabilities, UFW provides sufficient interface control for:
- Single-homed servers
- Multi-interface DMZ setups
- Basic network segmentation
If rules don't apply as expected:
- Check interface naming with:
ip a
- Verify UFW is active:
sudo ufw enable
- Inspect raw rules:
sudo iptables -L -n -v