When hardening web servers running applications like vBulletin, many administrators (myself included) default to blocking all outgoing connections via UFW as a security precaution. The rationale is sound - if an attacker compromises your forum software, they shouldn't be able to initiate outbound connections that might expose server details or establish reverse shells.
sudo ufw default deny outgoing
However, this blanket approach breaks legitimate use cases where your application needs to communicate with specific external services. In my case, the vBulletin installation required API calls to a payment processor's whitelisted IP (let's use 203.0.113.45 as our example IP). The solution lies in crafting precise UFW rules before enabling the default deny policy.
Here's the step-by-step approach I implemented:
# First, delete any existing rules that might conflict
sudo ufw delete allow out to any
# Allow DNS resolution (critical for most applications)
sudo ufw allow out 53/tcp
sudo ufw allow out 53/udp
# Allow NTP for time synchronization
sudo ufw allow out 123/udp
# Create our specific IP allowance
sudo ufw allow out to 203.0.113.45 proto tcp
sudo ufw allow out to 203.0.113.45 proto udp
# Finally, enable the default deny
sudo ufw default deny outgoing
After implementing these rules, verify connectivity:
# Test TCP connectivity
nc -zv 203.0.113.45 443
# Check UFW logs for allowed/blocked attempts
sudo tail -f /var/log/ufw.log
# Alternative test using curl if HTTP service
curl --connect-timeout 5 http://203.0.113.45/api/test
Remember that UFW rules persist across reboots by default. However, if you're managing servers via automation tools, consider these additions:
# Add to your provisioning scripts:
echo "PostUp = ufw allow out to 203.0.113.45" >> /etc/wireguard/wg0.conf
# Or for Ansible:
- ufw:
    rule: allow
    direction: out
    to: 203.0.113.45
    proto: tcp
If connections still fail after implementing these rules:
- Check for conflicting iptables rules:
    sudo iptables -L
- Verify the service is actually listening on the expected port at the destination
- Test with tcpdump:
    sudo tcpdump -i eth0 host 203.0.113.45
- Consider whether NAT or routing tables might be interfering
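The ordering and validation points in the answer above (allow rules first, the policy flip last, and addresses that ufw will actually accept) can be wrapped in a small helper. This is an added example, not code from the answer: a POSIX sh script that turns an allowlist into ufw commands, rejects any address with an octet above 255 or a port out of range before anything reaches ufw, and only prints, so the output can be reviewed and then piped to `sudo sh`. The SPEC format `ADDR[/PREFIX][:PORT/PROTO]` is this script's own convention, not ufw syntax, and every address below is a constructed example; IPv4 only.

```shell
#!/bin/sh
# Added example (not from the original answer): compile an egress allowlist
# into ufw commands, validating each destination first and emitting
# "default deny outgoing" last. IPv4 only; addresses here are constructed.

# valid_ipv4 ADDR[/PREFIX]: succeed only for a dotted quad with octets 0-255
# and an optional prefix length of 0-32.
valid_ipv4() {
    addr=${1%%/*}
    prefix=${1#*/}
    if [ "$prefix" != "$1" ]; then          # a "/" was present
        case $prefix in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    case $addr in *[!0-9.]*|'') return 1 ;; esac   # digits and dots only
    old_ifs=$IFS
    IFS=.
    set -- $addr                            # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1    # 123.456.78.90 fails here
    done
    return 0
}

# rule_for SPEC: print the ufw rule for one SPEC, or fail without printing.
rule_for() {
    spec=$1
    case $spec in
        *:*)                                # ADDR[/PREFIX]:PORT/PROTO
            dest=${spec%:*}
            port=${spec##*:}
            proto=${port#*/}
            port=${port%/*}
            valid_ipv4 "$dest" || return 1
            case $proto in tcp|udp) ;; *) return 1 ;; esac
            case $port in ''|*[!0-9]*) return 1 ;; esac
            [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
            echo "ufw allow out proto $proto to $dest port $port"
            ;;
        *)                                  # ADDR[/PREFIX]: any port/protocol
            valid_ipv4 "$spec" || return 1
            echo "ufw allow out to $spec"
            ;;
    esac
}

# egress_rules SPEC...: print the full command list (DNS first, policy flip
# last). If any SPEC is invalid, print nothing on stdout and return 1, so a
# bad allowlist is never half-applied.
egress_rules() {
    rules=""
    for spec in "$@"; do
        r=$(rule_for "$spec") || { echo "rejected: $spec" >&2; return 1; }
        rules="$rules$r
"
    done
    echo "ufw allow out 53/udp"
    echo "ufw allow out 53/tcp"
    printf '%s' "$rules"
    echo "ufw default deny outgoing"
}

# Demonstration with constructed destinations; review the output, then
# re-run with "| sudo sh" to apply it.
egress_rules "203.0.113.45:443/tcp" "173.245.48.0/20"
```

Because the whole list is validated before the first line is printed, a typo in one address leaves the firewall untouched rather than applying half the rules and then the deny policy.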
When securing a vBulletin forum server behind CloudFlare, many admins (myself included) take the nuclear approach of blocking all outgoing traffic via UFW:
sudo ufw default deny outgoing
This creates an immediate problem - legitimate services that need to make outbound calls (like license checks, API integrations, or in my case, a custom module querying a remote IP) get blocked.
The solution lies in UFW's ability to create granular outbound rules. Here's how to allow a specific IP (255.255.255.255 in your case) while maintaining the default deny policy:
sudo ufw allow out to 255.255.255.255
For TCP-only connections to port 443:
sudo ufw allow out to 255.255.255.255 port 443 proto tcp
In my production environment, I needed to allow:
- CloudFlare IP ranges for origin pulls
- A payment gateway API endpoint
- SMTP for transactional emails
The ruleset looked like:
# Allow CloudFlare IP ranges
sudo ufw allow out to 173.245.48.0/20
sudo ufw allow out to 103.21.244.0/22
# Payment gateway
sudo ufw allow out to 192.254.112.60 port 443 proto tcp
# SMTP
sudo ufw allow out to <smtp-relay-ip> port 587 proto tcp   # replace <smtp-relay-ip> with your mail relay's address (ufw rejects octets above 255)
After applying rules, verify connectivity:
# Test basic connectivity
ping -c 4 255.255.255.255
# Test TCP connection
nc -zv 255.255.255.255 443
Check UFW status with verbose output:
sudo ufw status verbose
For scripts or applications making outbound calls, consider:
- Rate limiting rules to prevent abuse
- Logging rules for traffic monitoring
- Port-specific allowances instead of full IP access
Example logging rule:
sudo ufw allow out log to 255.255.255.255 port 80 proto tcp
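Both answers suggest watching /var/log/ufw.log after the default deny goes live, and the logging rule above is what produces those entries. As an added example that is not part of either answer, here is a POSIX sh function that summarises which outbound destinations are being blocked, so legitimate traffic broken by the policy change can be found quickly. ufw logs locally originated packets with an empty `IN=` and the egress interface in `OUT=`, which is how the function tells outbound blocks from inbound ones. The log lines it runs on are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original answers): summarise outbound
# [UFW BLOCK] entries from ufw.log-style input. Sample lines are constructed.

# blocked_egress [FILE...]: print "COUNT DST DPT PROTO", most frequent first,
# for blocked packets that originated on this host (empty IN=, OUT=<iface>).
# Reads stdin when no file is given.
blocked_egress() {
    awk '
        /\[UFW BLOCK\]/ && /IN= / {
            dst = ""; dpt = "-"; proto = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "DST")   dst = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
            }
            if (dst != "") count[dst " " dpt " " proto]++
        }
        END { for (k in count) print count[k], k }
    ' "$@" | sort -rn
}

# Constructed sample in the format ufw writes to /var/log/ufw.log: three
# outbound blocks to one HTTPS endpoint, one to an SMTP host, one inbound
# block (IN=eth0) and one allowed outbound packet, the last two of which
# must be ignored.
sample_log() {
    cat <<'EOF'
Mar  3 10:15:02 web1 kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:03 web1 kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:05 web1 kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51236 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:16:40 web1 kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:17:12 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.200 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=5 PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:18:00 web1 kernel: [UFW ALLOW] IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.45 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
}

# Demonstration on the constructed sample; on a real host use:
#   sudo blocked_egress /var/log/ufw.log
sample_log | blocked_egress
```

Each line of the summary is a candidate for either a new port-specific allow rule (if the destination is expected) or an investigation (if it is not), which is the distinction the default deny policy is meant to surface.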