Introduction
A properly configured firewall is your first line of defense against cyber threats. This comprehensive guide covers both UFW (Uncomplicated Firewall) and iptables to help you secure your Linux system effectively.
Understanding Linux Firewalls
Linux firewalls work at the network layer to filter incoming and outgoing traffic based on predefined rules. The kernel’s netfilter framework provides the foundation, while tools like iptables and UFW offer user-friendly interfaces.
Key Concepts:
- Chains: INPUT (incoming), OUTPUT (outgoing), FORWARD (routed)
- Tables: filter, nat, mangle, raw
- Targets: ACCEPT, DROP, REJECT, LOG
- Policies: Default actions for unmatched packets
Method 1: Using UFW (Recommended for Beginners)
Installing UFW
Most Ubuntu systems have UFW installed by default. For other distributions:
# Debian/Ubuntu
sudo apt update && sudo apt install ufw
# Fedora
sudo dnf install ufw
# CentOS/RHEL (ufw is packaged in EPEL, so enable that repository first)
sudo dnf install epel-release && sudo dnf install ufw
Basic UFW Configuration
1. Check current status:
sudo ufw status
2. Set default policies (deny incoming, allow outgoing):
sudo ufw default deny incoming
sudo ufw default allow outgoing
3. Allow SSH before enabling (important!):
sudo ufw allow ssh
# or specific port
sudo ufw allow 22
4. Enable the firewall:
sudo ufw enable
Common UFW Rules
# Allow HTTP and HTTPS
sudo ufw allow 80
sudo ufw allow 443
# Allow specific service
sudo ufw allow nginx
# Allow from specific IP
sudo ufw allow from 192.168.1.100
# Allow specific IP to specific port
sudo ufw allow from 192.168.1.100 to any port 22
# Deny specific IP
sudo ufw deny from 192.168.1.200
# Allow port range
sudo ufw allow 6000:6007/tcp
Managing UFW Rules
# List rules with numbers
sudo ufw status numbered
# Delete rule by number
sudo ufw delete 3
# Delete specific rule
sudo ufw delete allow 80
# Reset all rules (--force skips the confirmation prompt; a reset also disables UFW, so set the default policies again and re-enable afterwards)
sudo ufw --force reset
Method 2: Advanced Configuration with iptables
Basic iptables Commands
1. View current rules:
sudo iptables -L -n -v
2. Set default policies (run this from a console, or only after the loopback, established-connection and SSH rules in steps 3-4 and "Common iptables Rules" are in place: once INPUT is DROP, any packet without a matching ACCEPT rule is dropped, including the packets of your current SSH session):
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
3. Allow loopback traffic:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
4. Allow established connections:
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Common iptables Rules
# Allow SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow HTTP and HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow from specific IP
sudo iptables -A INPUT -s 192.168.1.100 -j ACCEPT
# Block specific IP
sudo iptables -A INPUT -s 192.168.1.200 -j DROP
# Rate limiting (prevent brute force): a source that opens more than 3 new SSH
# connections in 60 seconds is dropped. These two rules only take effect if they
# sit BEFORE the "Allow SSH" ACCEPT rule above, so insert them at the head of the
# chain rather than appending them (the second -I lands on top, giving set then check):
sudo iptables -I INPUT 1 -p tcp --dport 22 -m state --state NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
sudo iptables -I INPUT 1 -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set
Saving iptables Rules
# Debian/Ubuntu: install iptables-persistent first; it creates /etc/iptables and
# reloads rules.v4 at boot. Write the file through tee (or sh -c): a plain ">"
# redirect runs as your unprivileged user and cannot write into /etc/iptables.
sudo apt install iptables-persistent
sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null
# CentOS/RHEL (requires the iptables-services package)
sudo service iptables save
Advanced Security Configurations
DDoS Protection
# Limit ping requests
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Limit new connections (SYN flood): use a dedicated chain that RETURNs within the
# limit, not a bare ACCEPT. "--syn ... -j ACCEPT" in INPUT would admit new
# connections to every port up to the limit. Tune 1/s and the burst to your traffic.
sudo iptables -N SYN_FLOOD
sudo iptables -I INPUT 1 -p tcp --syn -j SYN_FLOOD
sudo iptables -A SYN_FLOOD -m limit --limit 1/s --limit-burst 3 -j RETURN
sudo iptables -A SYN_FLOOD -j DROP
# Drop invalid packets
sudo iptables -A INPUT -m state --state INVALID -j DROP
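The Method 2 rules, the save step and the ping/INVALID rules from DDoS Protection depend on being applied in the right order, which a sequence of separate commands makes easy to get wrong. As an added example (not code from the original guide), the script below emits the same ruleset as one iptables-restore file, so the order is explicit (rate limit before ACCEPT, LOG last) and the set loads atomically, and applies it with a rollback timer as a lock-out guard. The 120 s window and the /etc/iptables/rules.v4 path are this example's choices.

```shell
#!/bin/sh
# Added example, not from the original guide: build the guide's iptables rules
# as a single iptables-restore file and apply it with automatic rollback.
# Assumes the standard iptables tools and the conntrack, recent, limit and
# multiport match modules; 120 s and rules.v4 are choices made for this example.

# gen_rules prints the ruleset to stdout; nothing is applied yet.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, replies to connections this host opened, and nothing malformed.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH: more than 3 new connections per source within 60 s are dropped.
# The two "recent" rules must precede the ACCEPT or they never match.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --set
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# Ping, limited to one echo request per second.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Last rule: log (rate-limited) what is about to hit the DROP policy.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: "
COMMIT
EOF
}

# apply_with_rollback loads the ruleset but restores the previous one after
# 120 s unless the operator confirms that the session still works.
apply_with_rollback() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    gen_rules | iptables-restore --test || return 1   # syntax check only
    ( sleep 120; iptables-restore < "$backup" ) &
    rollback=$!
    gen_rules | iptables-restore || return 1
    printf 'Rules loaded. Still connected? Press Enter within 120 s to keep them.\n'
    read -r answer || return 1                        # no answer: rollback fires
    kill "$rollback" && gen_rules > /etc/iptables/rules.v4
}
```

Run `gen_rules` to review the file, then `apply_with_rollback` as root from the session you want to protect; if the session freezes, the backup is restored two minutes later.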
Port Knocking
Create a sequence of ports that must be accessed before opening SSH (this hides the service from casual scanners; it is not authentication, so keep key-based SSH login in place):
# The stages are tracked in "recent" lists, which -m recent --name creates on first
# use; no extra chains are needed. Any unconditional "--dport 22 -j ACCEPT" rule
# must be removed first, otherwise SSH stays reachable without the knock sequence.
# Stage 1: Knock on port 1234
sudo iptables -A INPUT -p tcp --dport 1234 -m recent --name STAGE1 --set -j DROP
# Stage 2: Knock on port 2345 within 30 seconds
sudo iptables -A INPUT -p tcp --dport 2345 -m recent --name STAGE1 --rcheck --seconds 30 -m recent --name STAGE2 --set -j DROP
# Stage 3: Knock on port 3456 within 30 seconds
sudo iptables -A INPUT -p tcp --dport 3456 -m recent --name STAGE2 --rcheck --seconds 30 -m recent --name STAGE3 --set -j DROP
# Allow SSH within 30 seconds of a successful knock sequence (the ESTABLISHED,RELATED rule keeps the session open after that)
sudo iptables -A INPUT -p tcp --dport 22 -m recent --name STAGE3 --rcheck --seconds 30 -j ACCEPT
Monitoring and Logging
Enable UFW Logging
sudo ufw logging on
# View logs
sudo tail -f /var/log/ufw.log
iptables Logging
# Log packets that reach the end of the chain and will be dropped by the policy.
# Append this as the last rule, and rate-limit it so a flood cannot fill the log.
sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: "
# View logs
sudo tail -f /var/log/syslog | grep IPTables
# On systems without a syslog file, follow the kernel journal instead
sudo journalctl -k -f | grep IPTables
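The tail commands above only show the raw stream. As an added example (not from the original guide), the sh/awk function below summarises blocked packets per source so that a brute-force attempt (many hits on one port) and a port scan (many distinct ports) stand out; it reads the "[UFW BLOCK]" format, which is the kernel LOG format with UFW's prefix. The log lines are constructed for the example and use documentation address ranges.

```shell
#!/bin/sh
# Added example, not from the original guide: per-source summary of UFW block
# lines. SAMPLE_LOG is constructed for this example (203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real hosts).
SAMPLE_LOG='Jan 10 12:00:01 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=22 SYN
Jan 10 12:00:02 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=22 SYN
Jan 10 12:00:03 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=50003 DPT=22 SYN
Jan 10 12:00:04 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=3389 SYN
Jan 10 12:00:05 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41001 DPT=445 SYN
Jan 10 12:00:06 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41002 DPT=23 SYN
Jan 10 12:00:07 web kernel: [UFW ALLOW] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=443 SYN
Jan 10 12:00:08 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=33001 DPT=161'

# blocked_summary reads log lines on stdin and prints, for every source with at
# least $1 blocked packets (default 3): "<src> <blocked> <distinct dports>",
# highest count first. A high count on one port suggests brute force; a count
# spread over many ports suggests a scan.
blocked_summary() {
    min="${1:-3}"
    awk -v min="$min" '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "") next
            hits[src]++
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END {
            for (s in hits) if (hits[s] >= min) printf "%s %d %d\n", s, hits[s], ports[s]
        }' | sort -k2,2nr -k1,1
}
```

On a live system, feed the real file instead: `sudo grep 'UFW BLOCK' /var/log/ufw.log | blocked_summary 20`.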
Best Practices
- Start with deny-all policy and only allow necessary traffic
- Always allow SSH before enabling the firewall
- Use specific rules instead of overly permissive ones
- Regularly review and update firewall rules
- Test thoroughly before deploying to production
- Document your rules for future reference
- Use fail2ban for additional intrusion prevention
- Monitor logs regularly for suspicious activity
Troubleshooting Common Issues
Locked Out of SSH
If you have console access (physical or out-of-band):
# Disable UFW
sudo ufw disable
# Or reset iptables: set the policy to ACCEPT before flushing, because
# "iptables -F" alone leaves the DROP policy in place and still blocks everything
sudo iptables -P INPUT ACCEPT
sudo iptables -F
Service Not Accessible
Check if the service is blocked (replace service_port with the port number):
# UFW
sudo ufw status | grep service_port
# iptables (-n keeps ports numeric; without it port 22 is listed as "ssh" and a numeric grep misses it)
sudo iptables -L INPUT -n -v | grep service_port
# Also confirm the service is actually listening on that port
sudo ss -ltnp | grep service_port
Integration with Fail2Ban
Install and configure fail2ban for automatic IP blocking:
sudo apt install fail2ban
# Create local configuration (jail.local overrides jail.conf and survives package upgrades; an empty jail.local with only the settings you change also works)
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Edit configuration
sudo nano /etc/fail2ban/jail.local
Conclusion
Proper firewall configuration is essential for Linux security. UFW provides simplicity for basic needs, while iptables offers advanced control. Regular monitoring and maintenance ensure your firewall remains effective against evolving threats.
Remember: A firewall is just one component of a comprehensive security strategy. Combine it with regular updates, strong authentication, and security monitoring for maximum protection.