Tools
Tools: Linux Firewall Configuration with UFW and iptables (2026)
Why a Linux Firewall Matters
Understanding the Basics: Ports and Protocols
UFW: The Uncomplicated Firewall
Installing UFW
Enabling and Disabling UFW
Setting Default Policies
Allowing Specific Ports and Services
Allowing SSH (Crucial for Remote Access)
Allowing Web Traffic
Allowing Other Common Services
Denying Traffic
Denying a Specific IP Address
Denying Traffic to a Specific Port
Deleting Rules
Advanced UFW Features
Checking UFW Status
iptables: The Powerhouse Firewall
Basic iptables Commands
Setting Default Policies
Allowing Established Connections
Allowing SSH
Allowing HTTP and HTTPS
Allowing Loopback Interface Traffic
Saving iptables Rules
Listing iptables Rules
Deleting iptables Rules
A Note on UFW and iptables
Practical Scenarios and Recommendations Protecting your servers from unauthorized access is a fundamental responsibility for any developer or system administrator. This article will guide you through configuring Linux firewalls using two powerful tools: UFW (Uncomplicated Firewall) and iptables. You'll learn how to set up basic rules, manage common ports, and understand the underlying concepts to secure your applications and data. Imagine your server is a house. Without a firewall, every door and window is wide open, inviting anyone to come in, see what they want, or even cause damage. A firewall acts as a security guard, controlling who can enter and leave your server, ensuring only legitimate traffic gets through. This is crucial for preventing data breaches, service disruptions, and unauthorized modifications to your systems. Before diving into configuration, it's essential to grasp a couple of key concepts. Ports are like specific doors on your server, each assigned a number. Different services use different ports. For example, web servers typically listen on port 80 for HTTP traffic and port 443 for HTTPS traffic. SSH, used for remote command-line access, commonly uses port 22. Protocols are the languages traffic speaks. The two most common are: UFW is designed to be a user-friendly front-end for iptables. It simplifies common firewall tasks, making it an excellent choice for beginners and those who want quick, effective protection. UFW is often pre-installed on Debian-based systems like Ubuntu. If it's not, you can install it with: Before you start adding rules, it's a good idea to disable UFW if it's already running to avoid locking yourself out. Once you've configured your rules, you can enable it: When you enable UFW, it will prompt you to confirm. Type y and press Enter. It's crucial to have SSH access allowed before enabling UFW if you're connected remotely. The first step in hardening your server is to set default policies. This determines what happens to traffic that doesn't match any specific rules. Now, let's open up the necessary doors. If you're managing your server remotely, you must allow SSH traffic before enabling UFW. The default SSH port is 22. Or, if SSH is running on a different port (e.g., 2222): For a web server, you'll need to allow HTTP (port 80) and HTTPS (port 443) traffic. Alternatively, using port numbers: FTP (Port 21): While generally discouraged due to security concerns, you might need it for legacy systems. SMTP (Port 25): For sending emails. MySQL/MariaDB (Port 3306): If your application needs to connect to a database on the same server. You can also explicitly deny traffic. This is useful for blocking specific IP addresses or ports. If you make a mistake or no longer need a rule, you can delete it. First, list the rules with numbers: Then, delete the rule by its number: For example, to delete rule number 5: Rate Limiting: Protect against brute-force attacks by limiting the number of connection attempts from a single IP address. This is excellent for SSH. This rule allows SSH connections but denies them if an IP address attempts to initiate 6 or more connections within 30 seconds. Allowing Specific IP Ranges: This allows SSH access from any IP address within the 192.168.1.x subnet. Application Profiles: UFW can manage rules for specific applications if they provide profiles. Always verify your configuration: This command shows you the current status of UFW, its default policies, and all applied rules. While UFW is fantastic for its simplicity, iptables is the underlying Linux firewall mechanism. It offers granular control but has a steeper learning curve. Understanding iptables can be beneficial for complex scenarios or when you need fine-tuned control that UFW might not directly expose. iptables works with tables (e.g., filter, nat, mangle) and chains (e.g., INPUT, OUTPUT, FORWARD). Let's look at some fundamental iptables commands. Similar to UFW, setting default policies is crucial. This is a vital rule. It allows packets that are part of an already established connection to pass through. Without this, even your own outgoing requests wouldn't get responses back. The loopback interface (lo) is used for communication within the server itself. It's important to allow traffic on this interface. iptables rules are volatile; they are lost upon reboot. You need to save them. The method varies slightly between distributions. During the installation of iptables-persistent, you'll be asked if you want to save current IPv4 and IPv6 rules. Choose "Yes." On CentOS/RHEL (using iptables-services): To see your current rules: You can delete rules by specifying the exact rule with -D or by line number (similar to UFW). To delete by line number: Remember, UFW is a front-end for iptables. If you enable UFW, it will manage iptables rules for you. It's generally best to stick to one or the other to avoid conflicts. If you need the fine-grained control of iptables and want to manage it directly, disable UFW first. When setting up a new server, whether it's a small VPS from PowerVPS or a more robust cloud instance from Immers Cloud, your first step after initial setup should be firewall configuration. Scenario 1: A Simple Web Server You're deploying a basic website. Scenario 2: A Development Server with Database Access You need to host a web application and its database. iptables:
(Similar to Scenario 1, but add the database port rule) Important Consideration: If your database is on a separate server, you should not open port 3306 to the entire internet. Instead, you'd restrict access to only the IP addresses of your application servers. **Scenario 3: Securing SSH with Templates let you quickly answer FAQs or store snippets for re-use. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse
