A firewall filters incoming and outgoing network traffic based on predefined rules. Linux systems use iptables (the kernel firewall) or UFW (Uncomplicated Firewall), a user-friendly wrapper. Both protect your server by controlling which connections are allowed or denied.
Linux firewalls operate at the kernel level through netfilter, which examines every network packet passing through your system. When you send or receive data, it passes through chains of rules that decide whether to accept, drop, or reject the traffic.
There's often confusion between iptables and UFW. Here's the reality: UFW is built on top of iptables. When you use UFW, it's actually writing iptables rules for you behind the scenes. Think of UFW as the user-friendly frontend and iptables as the powerful engine underneath.
Most modern Linux distributions (Ubuntu, Debian) come with UFW, which is simpler for beginners. However, understanding iptables gives you more control for complex setups. We'll cover both approaches so you can choose what works for your environment.
UFW is the recommended starting point for most users. It's straightforward, and its syntax is memorable. Let's install and configure it.
On Ubuntu or Debian systems, UFW is usually pre-installed. Check its status:
sudo ufw status
If it's not installed, grab it with:
sudo apt update && sudo apt install ufw -y
Before enabling the firewall, you must allow SSH (port 22) if you're managing the server remotely. Skipping this step will lock you out:
sudo ufw allow 22/tcp
Now enable the firewall:
sudo ufw enable
Verify it's active:
sudo ufw status verbose
UFW rules follow a simple pattern: allow or deny traffic to specific ports or services. Here are the most common commands:
Allow a specific port:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Allow a service by name:
sudo ufw allow http
sudo ufw allow https
sudo ufw allow ssh
Deny a port:
sudo ufw deny 23/tcp
Allow traffic from a specific IP:
sudo ufw allow from 192.168.1.100 to any port 22
Delete a rule:
sudo ufw delete allow 8080
Check all rules with line numbers:
sudo ufw status numbered
When you need fine-grained control, iptables is your tool. It's more powerful but also more complex. Understand that iptables works with three built-in chains: INPUT (incoming traffic), OUTPUT (outgoing traffic), and FORWARD (traffic passing through).
Every packet is evaluated against rules in a chain. The first matching rule determines the action (ACCEPT, DROP, or REJECT). If no rule matches, the default policy applies.
View current iptables rules:
sudo iptables -L -n
View with more detail:
sudo iptables -L -n -v
Check a specific chain:
sudo iptables -L INPUT -n
Start with a restrictive approach: deny everything by default, then explicitly allow what you need. If you are connected over SSH, add the allow rules that follow before switching the INPUT policy to DROP, otherwise the policy change cuts your session.
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
This blocks all incoming traffic and anything being forwarded through your system, while allowing outgoing traffic. Now allow specific services.
Allow loopback (localhost) traffic — this is essential:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
Allow established connections to continue:
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow SSH (port 22):
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Allow HTTP and HTTPS:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Allow incoming DNS queries (UDP port 53), which is only needed if this host runs a DNS server:
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
Drop all other incoming traffic (redundant but explicit):
sudo iptables -A INPUT -j DROP
Allow all outgoing traffic (optional — be more restrictive if needed):
sudo iptables -A OUTPUT -j ACCEPT
iptables rules exist in memory and vanish after reboot. Save them persistently using iptables-persistent:
sudo apt install iptables-persistent -y
When prompted, save current rules. To update saved rules later:
sudo netfilter-persistent save
Verify rules are saved in:
cat /etc/iptables/rules.v4
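The baseline ruleset above, written as an iptables-restore file (the same format iptables-persistent keeps in /etc/iptables/rules.v4). This is an added example, not part of the original article: loading it with iptables-restore replaces the filter table in one atomic step, so the DROP policy and the SSH allow rule take effect together. TCP_PORTS, baseline_rules and check_ssh_allowed are names chosen here.

```shell
#!/bin/sh
# Added example: emit the article's baseline ruleset in iptables-restore format.
# Usage: baseline_rules > /tmp/rules.v4 && sudo iptables-restore < /tmp/rules.v4
# Review the file first; iptables-persistent loads /etc/iptables/rules.v4 at boot.
baseline_rules() {
    # TCP ports to accept, space-separated; override with TCP_PORTS="22 443" (assumed name)
    tcp_ports="${TCP_PORTS:-22 80 443}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Service rules match only NEW connections; replies are covered by the rule above.
    for p in $tcp_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -j DROP
-A OUTPUT -j ACCEPT
COMMIT
EOF
}

# Refuse a ruleset that sets INPUT to DROP without accepting SSH (port 22):
# loading such a file on a remote host ends the management session.
check_ssh_allowed() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 0   # not default-deny
    printf '%s\n' "$rules" | grep -q -- '--dport 22 .*-j ACCEPT' && return 0
    echo "SSH (port 22) is not allowed while the INPUT policy is DROP" >&2
    return 1
}
```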
You're running a web server and need to allow HTTP, HTTPS, and SSH:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
Your MySQL server should only accept connections from specific application servers:
sudo iptables -A INPUT -p tcp --dport 3306 -s 10.0.1.50 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 3306 -j DROP
This accepts connections from 10.0.1.50 and drops all others trying to reach MySQL.
Prevent brute force attacks on SSH by limiting connection attempts:
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 5/min --limit-burst 10 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP
This allows a maximum of 5 new connections per minute with a burst of 10, dropping excess attempts. The --state NEW match restricts the limit to connection attempts, so packets of SSH sessions that are already open are not counted; they are accepted by the ESTABLISHED,RELATED rule shown earlier, which must come before these two. Note that -m limit counts attempts from all sources together, not per client address.
See which ports are listening and which connections are established:
sudo netstat -tulpn
Or with the modern alternative:
sudo ss -tulpn
From another machine, test if a port is reachable:
nc -zv example.com 22
Or use telnet to check TCP ports:
telnet example.com 80
Enable UFW logging to track blocked connections:
sudo ufw logging on
Set logging level:
sudo ufw logging high
View logs:
sudo tail -f /var/log/ufw.log
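A small summary over the log lines that UFW logging produces, as an added example (not from the original article): it counts [UFW BLOCK] entries by source address and destination port, which is the first thing to look at when deciding whether a blocked port is being probed. The log lines in SAMPLE_LOG are constructed samples in the kernel's netfilter log format; the function names are chosen here.

```shell
#!/bin/sh
# Added example: summarise blocked connections from /var/log/ufw.log.
# Real use: ufw_block_summary < /var/log/ufw.log
# Constructed sample entries (documentation addresses, not real hosts):
SAMPLE_LOG='Mar 10 08:12:01 web1 kernel: [ 1023.512] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51122 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 08:12:03 web1 kernel: [ 1025.701] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51123 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 08:12:09 web1 kernel: [ 1031.244] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 08:12:10 web1 kernel: [ 1032.050] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 08:12:15 web1 kernel: [ 1037.418] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=5353 DPT=161 LEN=40
Mar 10 08:12:20 web1 kernel: [ 1042.003] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51130 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0'

# Reads log lines on stdin; prints "count src proto:dport" for blocked
# packets only ([UFW ALLOW] and [UFW AUDIT] lines are skipped), most frequent first.
ufw_block_summary() {
    awk '/\[UFW BLOCK\]/ {
        src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src = substr($i, 5)
            if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        if (src != "" && dpt != "") count[src " " proto ":" dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn -k1,1
}

# Total blocked packets per source, most frequent first ("count src").
blocked_per_src() {
    ufw_block_summary | awk '{ n[$2] += $1 } END { for (s in n) print n[s], s }' | sort -rn -k1,1
}

# The single source with the most blocked packets; one address hitting many
# different ports (as 203.0.113.7 does in the sample) is what to follow up on.
top_blocked_src() {
    blocked_per_src | head -n 1 | awk '{ print $2 }'
}
```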
For more on protecting your Linux system, check out our guides on securing SSH connections and understanding network protocols. Additionally, learn how fail2ban works for intrusion prevention.
Use UFW if: You're new to firewalls, managing a small number of rules, or need quick setup on Ubuntu/Debian systems.
Use iptables if: You need complex stateful filtering, advanced NAT rules, rate limiting, or managing enterprise environments with many custom rules.
Remember: UFW is iptables underneath anyway, so learning iptables deepens your understanding of what UFW does.
Technically yes, but it's not recommended. UFW manages iptables rules automatically, and manually adding iptables rules can conflict with UFW's rule management. If you need advanced iptables functionality, consider disabling UFW and managing iptables directly.
If you're accessing remotely, you'll lose connection immediately. Always have a recovery plan: use out-of-band access (