ufw-rules.sh:
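#!/usr/bin/env bash
# ufw-rules.sh — Minimal AWS-SG style UFW (IPv4)
# Usage: sudo [SSH_PORT=22] [SSH_FROM=<cidr>] ./ufw-rules.sh
#
# Environment (all optional):
#   SSH_PORT  TCP port the management SSH rule opens      (default: 22)
#   SSH_FROM  source address/CIDR the SSH rule is scoped to (default: any)
#
# `ufw --force reset` wipes every existing rule and leaves ufw DISABLED until
# the final `ufw --force enable`, so run this from a console or a session you
# can afford to lose if the SSH rule does not match how you are connected.
# NOTE: ufw also emits v6 rules when IPV6=yes in /etc/default/ufw; the reset
# does not change that setting — confirm it matches the "IPv4" intent above.
set -euo pipefail

# --- safety -------------------------------------------------------------------
if (( EUID != 0 )); then
  printf 'Run as root (sudo).\n' >&2
  exit 1
fi
command -v ufw >/dev/null 2>&1 || { printf 'ufw not found in PATH.\n' >&2; exit 1; }

ssh_port=${SSH_PORT:-22}
ssh_from=${SSH_FROM:-any}
# Refuse a non-numeric or out-of-range port before touching the firewall: a
# typo here would lock you out because the SSH rule would never match.
# (10# forces decimal so a value like "022" is not read as octal.)
if [[ ! "$ssh_port" =~ ^[0-9]+$ ]] || (( 10#$ssh_port < 1 || 10#$ssh_port > 65535 )); then
  printf 'SSH_PORT must be an integer in 1-65535, got: %s\n' "$ssh_port" >&2
  exit 1
fi
readonly ssh_port ssh_from

# Anything failing between `reset` (ufw disabled) and `enable` leaves the host
# without a firewall; say so loudly instead of exiting silently under set -e.
trap 'printf "ufw-rules.sh: aborted on line %s; ufw may be left DISABLED, check: ufw status\n" "$LINENO" >&2' ERR

# --- reset & defaults ---------------------------------------------------------
ufw --force reset
ufw logging low
# Default policies: deny everything inbound/routed, allow all outbound
ufw default deny incoming
ufw default deny routed
ufw default allow outgoing

# --- mandatory access (put SSH first to avoid lockout) ------------------------
# `limit` both allows the port and rate-limits new connections (ufw denies a
# source that opens 6+ connections within 30 s). It must NOT be preceded by a
# plain `allow` on the same port: rules match first-hit, so the allow would
# accept every packet and the limit rule would never be reached.
ufw limit from "$ssh_from" to any port "$ssh_port" proto tcp comment "SSH rate limit"

# --- ALLOW LIST (add your rules below; order = final rule order) --------------
# Examples — delete/modify these and add your own:
# Web
# ufw allow 80/tcp comment "HTTP"
# ufw allow 443/tcp comment "HTTPS"
# Scoped to source
# ufw allow from 10.0.0.0/24 to any port 5432 proto tcp comment "Postgres from LAN"
# Specific interface
# ufw allow in on eth0 to any port 8443 proto tcp comment "Admin UI on public iface"
# Any custom ports…
# ufw allow 51820/udp comment "WireGuard"

# --- enable & show ------------------------------------------------------------
ufw --force enable
printf '\n'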
ufw status numbered verbose
$ vim ufw-rules.sh
$ chmod +x ufw-rules.sh
$ sudo ./ufw-rules.sh