Uncomplicated Firewall (UFW) is a program for managing a netfilter firewall designed to be easy to use. It uses a command-line interface consisting of a small number of simple commands, and uses iptables for configuration. UFW is available by default in all Ubuntu installations after 8.04 LTS. — Wikipedia
Basic usage
A very simple configuration that denies everything by default, allows any protocol from inside the 192.168.0.1-192.168.0.255 LAN, and allows incoming Deluge and rate-limited SSH traffic from anywhere.
$ sudo ufw default deny
$ sudo ufw allow from 192.168.0.0/24
$ sudo ufw allow Deluge
$ sudo ufw limit SSH
Examples
$ sudo ufw allow proto udp from 1.2.3.4 to any port 9115
$ sudo ufw allow 21/tcp
$ sudo ufw allow 6000:6007/udp
$ sudo ufw enable
$ sudo ufw status
$ sudo ufw show raw
$ sudo ufw delete allow Deluge
$ sudo ufw logging off
Applications
$ sudo ufw app list
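/etc/ufw/applications.d/custom
[Deluge-my]
title=Deluge
description=Deluge BitTorrent client
ports=20202:20205/tcp
# Alternative values (use only one ports= line per profile):
# a pipe separates the tcp and udp port lists, a comma separates ports
#ports=10000:10002/tcp|10003/udp
#ports=10000:10002/tcp|10003,10009/udp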
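Before installing a profile it helps to see exactly which ports its ports= value opens. The following is an added example, not part of the original page and not ufw's own parser; the function names expand_ports and exposed_count are hypothetical, and it assumes every entry carries a /tcp or /udp suffix as in the three ports= values shown in the profile above.

```python
# Added example: expand a UFW application-profile "ports=" value into the
# concrete (protocol, first_port, last_port) ranges it opens.
# Handles only the syntax shown on this page; it is not ufw's own parser.

def expand_ports(value):
    """Return a sorted list of (proto, first, last) tuples for a ports= value."""
    opened = []
    for entry in value.split("|"):              # '|' separates protocol groups
        ports, sep, proto = entry.strip().partition("/")
        if not sep or proto not in ("tcp", "udp"):
            raise ValueError(f"missing or unsupported protocol in {entry!r}")
        for item in ports.split(","):           # ',' separates ports or ranges
            if ":" in item:                     # ':' marks a first:last range
                first, last = item.split(":", 1)
            else:
                first = last = item
            if not (first.isdigit() and last.isdigit()):
                raise ValueError(f"malformed port in {entry!r}")
            lo, hi = int(first), int(last)
            if not (1 <= lo <= hi <= 65535):
                raise ValueError(f"port out of range or reversed in {entry!r}")
            opened.append((proto, lo, hi))
    return sorted(opened)


def exposed_count(value):
    """Number of distinct protocol/port pairs the value opens."""
    seen = set()
    for proto, lo, hi in expand_ports(value):
        seen.update((proto, port) for port in range(lo, hi + 1))
    return len(seen)


if __name__ == "__main__":
    # The three ports= values from the profile on this page.
    for sample in ("20202:20205/tcp",
                   "10000:10002/tcp|10003/udp",
                   "10000:10002/tcp|10003,10009/udp"):
        print(sample, "->", expand_ports(sample),
              f"({exposed_count(sample)} ports)")
```

A reversed range, an open-ended range such as 10:, or a missing protocol raises ValueError, so a typo is caught before the profile is copied into /etc/ufw/applications.d.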
Forward ports
/etc/ufw/sysctl.conf
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1
$ sudo sysctl -p
/etc/ufw/before.rules
# nat Table rules (place above *filter)
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 1.2.3.4 -p tcp --dport 123 -j DNAT --to-destination 192.168.1.1:123
-A PREROUTING -i eth0 -d 1.2.3.4 -p udp --dport 123 -j DNAT --to-destination 192.168.1.1:123
COMMIT
/etc/ufw/before6.rules
# nat Table rules (place above *filter)
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 2001:db8:0:1:5054:ff:fe01:2345 -p tcp --dport 123 -j DNAT --to-destination [fec0::5054:ff:fe01:2345]:123
-A PREROUTING -i eth0 -d 2001:db8:0:1:5054:ff:fe01:2345 -p udp --dport 123 -j DNAT --to-destination [fec0::5054:ff:fe01:2345]:123
COMMIT
$ sudo ufw reload