The complicated process for removing the “uncomplicated firewall”

If your new to linux, ufw is very useful tool. Really simple to install with ubuntu.

However, should you choose to get rid of it for some reason, it leaves behind quite a mess.
Here is a quick script to clean up the mess.

Here is the whole process as a bash script:

#!/usr/bin/bash
iptables -P INPUT ACCEPT
iptables -X ufw-user-output

iptables -X ufw-user-logging-output

iptables -X ufw-user-logging-input

iptables -X ufw-user-logging-forward

iptables -X ufw-user-limit-accept

iptables -X ufw-user-limit

iptables -X ufw-user-input

iptables -X ufw-user-forward

iptables -X ufw-track-output

iptables -X ufw-track-input

iptables -X ufw-skip-to-policy-output

iptables -X ufw-skip-to-policy-input

iptables -X ufw-skip-to-policy-forward

iptables -X ufw-reject-output

iptables -X ufw-reject-input

iptables -X ufw-reject-forward

iptables -X ufw-not-local

iptables -X ufw-logging-deny

iptables -X ufw-logging-allow

iptables -X ufw-before-output

iptables -X ufw-before-logging-output

iptables -X ufw-before-logging-input

iptables -X ufw-before-logging-forward

iptables -X ufw-before-input

iptables -X ufw-before-forward

iptables -X ufw-after-output

iptables -X ufw-after-logging-output

iptables -X ufw-after-logging-input

iptables -X ufw-after-logging-forward

iptables -X ufw-after-input

iptables -X ufw-after-forward

apt-get remove ufw

#As a basic firewall I’d recommend the following:

iptables -F

iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p tcp -m tcp –dport 80 -j ACCEPT

iptables -A INPUT -p tcp -m tcp –dport 443 -j ACCEPT

iptables -A INPUT -p tcp -m tcp –dport 13160-j ACCEPT

iptables -A INPUT -d XX_REPLACE_WITH_YOUR_SERVER_IP/32 -p icmp -m icmp –icmp-type 8 -m state –state NEW,RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -d XX_REPLACE_WITH_YOUR_SERVER_IP/32 -p icmp -m icmp –icmp-type 0 -m state –state RELATED,ESTABLISHED -j ACCEPT

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT

This will:

Reset the default policy of INPUT to ACCEPT so we don’t get locked out of our box.
Then remove the custom ufw chains, flush all existing rules, accept established connections, accept all connections on loopback device, accept all connects to ports 80(http),443(https), and 22(sshd)

It will also accept pings from machines which have established a connection. With large packet support now enabled by default in the linux kernel, its important to allow some pings to be accepted. Then we set the default policys of input and forward to drop and output to accept.

Make sure you replace XX_REPLACE_WITH_YOUR SERVER_IP with your servers ip address.

4 responses to “The complicated process for removing the “uncomplicated firewall””

Sam

September 16, 2014

Extremely useful stuff, just had to clean up a confused UFW install and this saved me a bundle of time. Many thanks for sharing!
Eric

January 31, 2015

This saved me a lot of time too. I'm running Linux Mintz and I had to add:

iptables -X ufw-track-forward

Many thanks!
jarl

April 16, 2016

I use this:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

To remove all rules in fw, put in a loop bash this:

ufw –force delete $(ufw status numbered |(grep 'on' | awk -F"[][]" '{print $2}'))

Regards.
1. derak
  
  May 2, 2016
  
  At the time I didn’t have a lot of experience with bash. Your loop to remove looks like a better deal. Thanks for posting.