Proper firewall configuration is critical for securing Linux servers, controlling network traffic, and preventing unauthorised access.
Linux provides multiple tools like UFW, firewalld, and iptables; each is designed for different levels of control and flexibility.
This guide walks through configuration examples for all three, based on industry best practices and real-world administration experience.
Table of Contents:
UFW (Uncomplicated Firewall)
UFW is a user-friendly front-end for managing firewall rules, available by default on Ubuntu and Debian-based distributions. It simplifies configuration for administrators who prefer straightforward commands.
Steps to Configure UFW:
- Enable and Verify UFW
sudo ufw enable sudo ufw status verbose
The verbose flag displays detailed information about active rules and default policies.
- Allow or Deny Services:
sudo ufw allow 22/tcp # Allow SSH sudo ufw allow 80/tcp # Allow HTTP sudo ufw allow 443/tcp # Allow HTTPS sudo ufw deny 23/tcp # Block Telnet
You can also specify a range or protocol when necessary:
sudo ufw allow 1000:2000/tcp
- Manage and Reset Rules
Pro Tip:
Before enabling UFW on a remote server, ensure that SSH (port 22) is allowed; otherwise, you may lose remote access.
firewalld
firewalld is the default firewall management tool for CentOS, RHEL, and Fedora. It organises rules into zones that define trust levels for different network connections.
Steps to Configure firewalld:
- Enable and Check Status:
sudo systemctl enable firewalld sudo systemctl start firewalld sudo firewall-cmd –state
This confirms whether the firewalld service is running.
- View and Manage Zones
- List all active zones:
sudo firewall-cmd --get-active-zones
- Display rules for a specific zone:
sudo firewall-cmd --zone=public --list-all
- List all active zones:
- Allow or Block Services
- To permanently allow HTTP and HTTPS traffic:
sudo firewall-cmd --zone=public --add-service=http --permanent sudo firewall-cmd --zone=public --add-service=https --permanent sudo firewall-cmd --reload
- To block a specific service:
sudo firewall-cmd --zone=public --remove-service=http --permanent sudo firewall-cmd --reload
- To permanently allow HTTP and HTTPS traffic:
Pro Tip:
Always use the ‘—permanent’ flag for configurations you want to persist after system reboots. Without it, rules apply only until the next restart.
iptables
iptables is a powerful, low-level firewall utility available on most Linux distributions. It provides granular control over network traffic and packet filtering but requires careful rule management.
Steps to Configure iptables:
- List and Inspect Rules:
sudo iptables -L -v -n
This displays all current rules along with packet and byte counters.
- Allow or Block Traffic
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT # Allow SSH sudo iptables -A INPUT -p tcp --dport 23 -j DROP # Block Telnet
- Allow Access from Specific IPs
sudo iptables -A INPUT -p tcp -s 192.168.1.10 --dport 22 -j ACCEPT
- Delete and Save Rules:
- To remove a specific rule:
sudo iptables -D INPUT -p tcp --dport 22 -j ACCEPT
- Save the current configuration:
- On Debian/Ubuntu:
sudo iptables-save > /etc/iptables/rules.v4
- On RHEL/CentOS:
sudo service iptables save
- On Debian/Ubuntu:
- To remove a specific rule:
Expert Tip:
Always keep console access (or recovery mode) available when editing iptables remotely; misconfigured rules can lock you out of the server.
Best Practices for Firewall Management
- Test rules in a staging environment before deploying to production.
- Restrict SSH and critical ports to specific trusted IP addresses.
- Use persistent configurations (–permanent in firewalld or saved rules in iptables) to retain rules after reboots.
- Back up configurations regularly:
- Prefer UFW or firewalld for simple use cases; use iptables only for advanced traffic management.
Conclusion
This way, configuring firewall rules in Linux is essential for protecting servers from unauthorised access and maintaining a secure network perimeter.
By using UFW, firewalld, or iptables according to your environment and skill level, you can effectively manage inbound and outbound traffic, reduce vulnerabilities, and maintain a strong security posture.
A Linux VPS Hosting solution provides full root access and the control needed to manage firewalls, services and server security.
Concerned about server security? Learn How to check if your Linux server is under a DDOS attack