Protecting your servers from unauthorized access is a fundamental responsibility for any developer or system administrator. This article will guide you through configuring Linux firewalls using two powerful tools: UFW (Uncomplicated Firewall) and iptables. You'll learn how to set up basic rules, manage common ports, and understand the underlying concepts to secure your applications and data. Imagine your server is a house. Without a firewall, every door and window is wide open, inviting anyone to come in, see what they want, or even cause damage. A firewall acts as a security guard, controlling who can enter and leave your server, ensuring only legitimate traffic gets through. This is crucial for preventing data breaches, service disruptions, and unauthorized modifications to your systems. Before diving into configuration, it's essential to grasp a couple of key concepts. Ports are like specific doors on your server, each assigned a number. Different services use different ports. For example, web servers typically listen on port 80 for HTTP traffic and port 443 for HTTPS traffic. SSH, used for remote command-line access, commonly uses port 22. Protocols are the languages traffic speaks. The two most common are: TCP (Transmission Control Protocol): This is a connection-oriented protocol. Think of it like a phone call where a connection is established before data is sent, and a confirmation is sent back to ensure everything arrived. It's reliable but can be a bit slower. UDP (User Datagram Protocol): This is a connectionless protocol. It's like sending a postcard – you send it and hope it gets there, but there's no guarantee or confirmation. It's faster than TCP but less reliable. UFW is designed to be a user-friendly front-end for iptables. It simplifies common firewall tasks, making it an excellent choice for beginners and those who want quick, effective protection. UFW is often pre-installed on Debian-based systems like Ubuntu. If it's not, you can install it with: sudo apt update sudo apt install ufw Before you start adding rules, it's a good idea to disable UFW if it's already running to avoid locking yourself out. sudo ufw disable Once you've configured your rules, you can enable it: sudo ufw enable When you enable UFW, it will prompt you to confirm. Type y and press Enter. It's crucial to have SSH access allowed before enabling UFW if you're connected remotely. The first step in hardening your server is to set default policies. This determines what happens to traffic that doesn't match any specific rules. Deny incoming traffic: This is the safest default. It means only traffic you explicitly allow will get in. Allow outgoing traffic: This is generally safe, allowing your server to connect to external resources. sudo ufw default deny incoming sudo ufw default allow outgoing Now, let's open up the necessary doors. If you're managing your server remotely, you must allow SSH traffic before enabling UFW. The default SSH port is 22. sudo ufw allow ssh Or, if SSH is running on a different port (e.g., 2222): sudo ufw allow 2222/tcp For a web server, you'll need to allow HTTP (port 80) and HTTPS (port 443) traffic. sudo ufw allow http sudo ufw allow https Alternatively, using port numbers: sudo ufw allow 80/tcp sudo ufw allow 443/tcp FTP (Port 21): While generally discouraged due to security concerns, you might need it for legacy systems. sudo ufw allow ftp SMTP (Port 25): For sending emails. sudo ufw allow smtp MySQL/MariaDB (Port 3306): If your application needs to connect to a database on the same server. sudo ufw allow 3306/tcp You can also explicitly deny traffic. This is useful for blocking specific IP addresses or ports. sudo ufw deny from 192.168.1.100 sudo ufw deny 8080 If you make a mistake or no longer need a rule, you can delete it. First, list the rules with numbers: sudo ufw status numbered Then, delete the rule by its number: sudo ufw delete For example, to delete rule number 5: sudo ufw delete 5 Rate Limiting: Protect against brute-force attacks by limiting the number of connection attempts from a single IP address. This is excellent for SSH. sudo ufw limit ssh This rule allows SSH connections but denies them if an IP address attempts to initiate 6 or more connections within 30 seconds. Allowing Specific IP Ranges: sudo ufw allow from 192.168.1.0/24 to any port 22 This allows SSH access from any IP address within the 192.168.1.x subnet. Application Profiles: UFW can manage rules for specific applications if they provide profiles. sudo ufw app list sudo ufw allow 'Nginx Full' Always verify your configuration: sudo ufw status verbose This command shows you the current status of UFW, its default policies, and all applied rules. While UFW is fantastic for its simplicity, iptables is the underlying Linux firewall mechanism. It offers granular control but has a steeper learning curve. Understanding iptables can be beneficial for complex scenarios or when you need fine-tuned control that UFW might not directly expose. iptables works with tables (e.g., filter, nat, mangle) and chains (e.g., INPUT, OUTPUT, FORWARD). Tables: Different tables handle different types of packet processing. The filter table is used for packet filtering (allowing or denying). The nat table is used for Network Address Translation. Chains: These are sequences of rules that packets traverse. INPUT: For packets destined for the local machine. OUTPUT: For packets originating from the local machine. FORWARD: For packets being routed through the machine to another destination. Let's look at some fundamental iptables commands. Similar to UFW, setting default policies is crucial. sudo iptables -P INPUT DROP # Drop all incoming traffic by default sudo iptables -P FORWARD DROP # Drop all forwarded traffic by default sudo iptables -P OUTPUT ACCEPT # Allow all outgoing traffic by default This is a vital rule. It allows packets that are part of an already established connection to pass through. Without this, even your own outgoing requests wouldn't get responses back. sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -A INPUT: Appends this rule to the INPUT chain. -m conntrack: Uses the conntrack module to track connection states. --ctstate ESTABLISHED,RELATED: Matches packets that are part of an existing connection (ESTABLISHED) or related to an existing connection (like FTP data transfers) (RELATED). -j ACCEPT: Jumps to the ACCEPT target, meaning the packet is allowed. sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT -p tcp: Specifies the TCP protocol. --dport 22: Specifies the destination port as 22. -j ACCEPT: Accepts the traffic. sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT The loopback interface (lo) is used for communication within the server itself. It's important to allow traffic on this interface. sudo iptables -A INPUT -i lo -j ACCEPT -i lo: Specifies the incoming interface as lo. iptables rules are volatile; they are lost upon reboot. You need to save them. The method varies slightly between distributions. On Debian/Ubuntu: sudo apt install iptables-persistent sudo netfilter-persistent save During the installation of iptables-persistent, you'll be asked if you want to save current IPv4 and IPv6 rules. Choose "Yes." On CentOS/RHEL (using iptables-services): sudo yum install iptables-services sudo systemctl enable iptables sudo systemctl start iptables sudo iptables-save > /etc/sysconfig/iptables To see your current rules: sudo iptables -L -v -n -L: List rules. -v: Verbose output (shows packet and byte counts). -n: Numeric output (shows IP addresses and port numbers instead of trying to resolve names). You can delete rules by specifying the exact rule with -D or by line number (similar to UFW). To delete by line number: sudo iptables -L INPUT --line-numbers sudo iptables -D INPUT Remember, UFW is a front-end for iptables. If you enable UFW, it will manage iptables rules for you. It's generally best to stick to one or the other to avoid conflicts. If you need the fine-grained control of iptables and want to manage it directly, disable UFW first. When setting up a new server, whether it's a small VPS from PowerVPS or a more robust cloud instance from Immers Cloud, your first step after initial setup should be firewall configuration. Scenario 1: A Simple Web Server You're deploying a basic website. UFW: sudo ufw default deny incoming sudo ufw default allow outgoing sudo ufw allow ssh sudo ufw allow http sudo ufw allow https sudo ufw enable iptables: sudo iptables -P INPUT DROP sudo iptables -P FORWARD DROP sudo iptables -P OUTPUT ACCEPT sudo iptables -A INPUT -i lo -j ACCEPT sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT # Save rules Scenario 2: A Development Server with Database Access You need to host a web application and its database. UFW: sudo ufw default deny incoming sudo ufw default allow outgoing sudo ufw allow ssh sudo ufw allow http sudo ufw allow https sudo ufw allow 3306/tcp # Assuming database is on the same server sudo ufw enable iptables: sudo iptables -A INPUT -p tcp --dport 3306 -j ACCEPT # ... other rules and save Important Consideration: If your database is on a separate server, you should not open port 3306 to the entire internet. Instead, you'd restrict access to only the IP addresses of your application servers. **Scenario 3: Securing SSH with