Introduction: In this tutorial, we'll cover how to secure your server by blocking outgoing traffic to private networks using Uncomplicated Firewall (UFW). This method is particularly useful in environments where you need to ensure that your server does not accidentally or maliciously communicate with specified internal networks, which is a common requirement in many secured deployments. We'll go through the installation of UFW, configuring basic rules, and setting up specific denials for private IP ranges.

Requirements

  • A server running Ubuntu or any other Debian-based Linux distribution.
  • Administrative access to the server.

Step 1 - Install and Enable UFW

Install UFW:
UFW, or Uncomplicated Firewall, is a user-friendly front-end for managing iptables firewall rules. Its simplicity makes managing a Linux firewall straightforward and less prone to errors. Begin by installing UFW on your server if it isn't already installed:

sudo apt install ufw

Enable UFW:
Before configuring any specific rules, enable UFW to ensure it's actively managing network traffic:

sudo ufw enable

Step 2 - Configure UFW Basic Security Settings

Set Default Policies:
First, set the default policies to deny all incoming and outgoing connections, which establishes a secure baseline. Keep in mind that a default deny outgoing policy blocks every connection the server itself initiates (including DNS lookups and package updates) unless a matching allow out rule exists:

sudo ufw default deny incoming
sudo ufw default deny outgoing

Allow Necessary Services:
Next, configure the necessary ports for your services like SSH, HTTP, and HTTPS to ensure your server remains accessible as needed:

sudo ufw allow <port>   # replace <port> with the port your service uses
sudo ufw allow 22       # Allow SSH

Reload UFW:
Apply the new rules by reloading UFW:

sudo ufw reload

Confirm UFW Status:
After configuring your rules, confirm that UFW is running and the rules are applied correctly:

sudo ufw status verbose

Step 3 - Block Communications to Private Networks

Understanding Private IP Ranges:
Private IP addresses are reserved for use within private networks. They are commonly used for local communications within a network and are not routable on the internet. The blocks this tutorial denies are listed below. Note that these /8 blocks are far wider than the RFC 1918 private ranges they contain (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) and also cover publicly routable addresses, so check that nothing your server legitimately needs to reach falls inside them before applying the rules:

  • 10.0.0.0/8
  • 172.0.0.0/8
  • 192.0.0.0/8
  • 100.0.0.0/8
  • 198.0.0.0/8
  • 169.0.0.0/8
  • 102.0.0.0/8
  • 185.234.0.0/14

Block Outgoing Communications:
To block outgoing communications to these networks, use the following UFW commands:

sudo ufw deny out from any to 10.0.0.0/8
sudo ufw deny out from any to 172.0.0.0/8
sudo ufw deny out from any to 192.0.0.0/8
sudo ufw deny out from any to 100.0.0.0/8
sudo ufw deny out from any to 198.0.0.0/8
sudo ufw deny out from any to 169.0.0.0/8
sudo ufw deny out from any to 102.0.0.0/8
sudo ufw deny out from any to 185.234.0.0/14

Check and Verify:
After setting these rules, verify your firewall configuration:

sudo ufw status verbose

You can also inspect the underlying iptables rules that UFW generated with:

sudo iptables-save

Testing the Configuration:
Test your firewall settings by attempting to ping a device within the blocked ranges; the ping should fail instead of receiving replies, for example:

ping 172.16.5.204
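Added example (not part of this tutorial): a small Python script that renders the Step 3 deny commands from the block list, predicts which explicit deny rule would catch a destination such as the ping target above, and measures how much of each denied block is actually non-routable special-use space. The special-use list (RFC 1918, 6598, 3927, 2544) and the public address 172.200.0.1 are assumptions chosen for illustration.

```python
import ipaddress

# Outbound destinations denied in Step 3, exactly as listed in the tutorial.
DENIED_BLOCKS = [
    "10.0.0.0/8", "172.0.0.0/8", "192.0.0.0/8", "100.0.0.0/8",
    "198.0.0.0/8", "169.0.0.0/8", "102.0.0.0/8", "185.234.0.0/14",
]

# Non-routable special-use ranges used for comparison (RFC 1918 private,
# RFC 6598 shared/CGNAT, RFC 3927 link-local, RFC 2544 benchmarking).
SPECIAL_USE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "198.18.0.0/15",
)]


def as_network(block):
    # strict=False masks off host bits (e.g. 185.234.0.0/14 -> 185.232.0.0/14),
    # which is how iptables applies a prefix whose host bits are set.
    return ipaddress.ip_network(block, strict=False)


def ufw_deny_commands(blocks=DENIED_BLOCKS):
    """Render the Step 3 'ufw deny out' command for each block."""
    return [f"sudo ufw deny out from any to {b}" for b in blocks]


def blocking_rule(dest, blocks=DENIED_BLOCKS):
    """Return the first denied block covering dest, or None if no explicit
    deny rule matches (the default outgoing policy then decides)."""
    addr = ipaddress.ip_address(dest)
    for block in blocks:
        if addr in as_network(block):
            return block
    return None


def special_use_fraction(block):
    """Fraction of a denied block that lies inside SPECIAL_USE ranges.
    1.0 means the whole block is non-routable; less than that means the
    rule also denies publicly routable destinations."""
    net = as_network(block)
    if any(net.subnet_of(s) for s in SPECIAL_USE):
        return 1.0
    inside = sum(s.num_addresses for s in SPECIAL_USE if s.subnet_of(net))
    return inside / net.num_addresses


if __name__ == "__main__":
    for cmd in ufw_deny_commands():
        print(cmd)
    for block in DENIED_BLOCKS:
        print(f"{block:16} {special_use_fraction(block):7.2%} special-use")
    # 172.16.5.204 is the tutorial's ping target; 172.200.0.1 is a constructed
    # public address caught by the same /8 rule; 8.8.8.8 matches no deny rule.
    for dest in ("172.16.5.204", "172.200.0.1", "8.8.8.8"):
        print(f"{dest:14} -> {blocking_rule(dest)}")
```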

Conclusion: Implementing firewall rules to block outgoing traffic to private networks is a critical security measure, particularly when you don't have full control over the software installed on your server. Using UFW simplifies this process and ensures that your server adheres to network access policies, protecting your systems from potential internal threats.
