Firewall Basics - Linux

🛡️ Beginner’s Guide to Linux Firewalls: iptables & UFW

Whether you’re running a VPS, a dev box, or a personal server, setting up a firewall is essential. In this guide, we’ll show you how to secure your Linux machine using iptables and UFW, along with some simple but powerful default rules to block bad traffic while keeping your services online.


🧙‍♂️ Option 1: UFW (Uncomplicated Firewall – beginner-friendly)

UFW is a front end that writes iptables (or nftables) rules for you, so it drives the same kernel packet filter as Option 2 with a much smaller command surface. On Ubuntu it is installed but disabled by default, and it manages IPv6 as well as IPv4 as long as IPV6=yes is set in /etc/default/ufw (the default).

✅ Quick Setup (Good Defaults)

# Install UFW (usually pre-installed on Ubuntu)
sudo apt install ufw

# Set default policy: deny all incoming, allow all outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH so we don't lock ourselves out. "ssh" here means 22/tcp from any
# source; if sshd listens on another port, allow that port (e.g. 2222/tcp)
# instead, and consider "sudo ufw limit ssh" in place of "allow" to slow
# down password guessing.
sudo ufw allow ssh

# Allow web traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable UFW
sudo ufw enable

# Check status
sudo ufw status verbose
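"ufw allow ssh" opens 22/tcp, which only protects you from a lockout if sshd really listens there. The script below is an example added for this guide (not code from the original article or from the UFW project): it reads the Port directive from sshd_config before enabling anything, restricts SSH to an admin network with ufw's rate-limited "limit" action, and prints every command before running it. The admin network 203.0.113.0/24, the web ports 80/443 and the config path /etc/ssh/sshd_config are assumptions; change them to match your host.

```shell
#!/bin/bash
# Added example for this guide, not code from the original article or from
# UFW itself: enable UFW only after reading the port sshd really listens on,
# and restrict SSH to an admin network with a rate limit.
# Assumptions (not from the article): admin network 203.0.113.0/24,
# web ports 80 and 443, sshd config at /etc/ssh/sshd_config.
set -eu

# ssh_port_from_config FILE: print the first active "Port" directive from an
# sshd_config (sshd accepts "Port 2222" and "Port=2222"; keywords are
# case-insensitive), or 22, sshd's default, when none is set. Comment lines
# are skipped. If sshd listens on several ports only the first is returned.
ssh_port_from_config() {
    awk '
    /^[[:space:]]*#/ { next }
    { line = $0; sub(/=/, " ", line); n = split(line, f) }
    n >= 2 && tolower(f[1]) == "port" { print f[2]; found = 1; exit }
    END { if (!found) print 22 }' "$1"
}

# ufw_rules ADMIN_CIDR SSH_PORT "WEB_PORTS": print the ufw commands, one per
# line, in an order that opens SSH before the firewall is enabled. "limit"
# behaves like "allow" but blocks a source that makes 6 or more connection
# attempts within 30 seconds, which blunts password guessing.
ufw_rules() {
    local admin="$1" ssh_port="$2" ports="$3" p
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw limit from ${admin} to any port ${ssh_port} proto tcp"
    for p in $ports; do
        echo "ufw allow ${p}/tcp"
    done
    echo "ufw --force enable"    # --force skips the interactive prompt
}

# ufw_apply [SSHD_CONFIG]: run the generated commands as root, echoing each
# one first. Refuses to guess the SSH port if the config is unreadable.
ufw_apply() {
    local cfg="${1:-/etc/ssh/sshd_config}" port cmd
    if [ ! -r "$cfg" ]; then
        echo "cannot read $cfg; not enabling the firewall blind" >&2
        return 1
    fi
    port=$(ssh_port_from_config "$cfg")
    ufw_rules 203.0.113.0/24 "$port" "80 443" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
    ufw status verbose
}

# Usage: sudo ./ufw-setup.sh --apply   (without --apply it only prints)
if [ "${1:-}" = "--apply" ]; then
    ufw_apply
else
    port=22
    if [ -r /etc/ssh/sshd_config ]; then
        port=$(ssh_port_from_config /etc/ssh/sshd_config)
    fi
    ufw_rules 203.0.113.0/24 "$port" "80 443"
fi
```

Run it once without --apply and read the printed commands; if the SSH line shows a port you did not expect, fix sshd_config (or the script) before enabling. Restricting the source network is the single most effective change here: a brute-force bot that cannot even complete a TCP handshake never gets to try a password.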

🔥 Option 2: iptables (for advanced users)

iptables is the classic command-line front end to the kernel's netfilter packet filter; UFW generates iptables rules underneath, and on current distributions the iptables binary is itself usually a compatibility layer over nftables (iptables-nft). It's powerful, but less user-friendly than UFW, and it does nothing to stop you from locking yourself out. Here's how to set up safe, common defaults:

🧱 Basic Ruleset for Web Servers

Run these from a console, or from a session you can afford to lose, and keep this order: the ACCEPT rules go in before the default policy is switched to DROP. If the policy is set to DROP first, the packets carrying your next command are dropped and the SSH session freezes halfway through the ruleset.

# Reset to a permissive state before flushing. Flushing while the policy
# is already DROP leaves nothing but the DROP policy behind.
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -F   # flush all rules in the filter table
sudo iptables -X   # delete any user-defined chains

# Allow loopback interface (localhost)
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow replies to connections this host started, and related traffic
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH (port 22; change this if sshd listens elsewhere)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP and HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow ping, so reachability checks from your monitoring keep working
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Only now switch the default policy: deny all incoming and forwarded traffic
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT  # Allow outgoing traffic

These rules cover IPv4 only. If the server has a public IPv6 address, ip6tables still has an ACCEPT policy and every service is reachable over v6 with no filtering at all; repeat the ruleset with ip6tables, and allow ICMPv6 (at least neighbour discovery) rather than dropping it, or IPv6 stops working entirely.
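Typing the rules one at a time is fine on a console, but the robust way to apply a ruleset is to write it in iptables-restore format and load it in one commit, with a timer that puts the old rules back if you cannot log in afterwards. The script below is an example added for this guide (not code from the original article or from the iptables project): gen_ruleset prints the web-server ruleset as a restore file, and apply_ruleset syntax-checks it, saves the live rules, loads the file atomically and schedules a rollback. SSH on 22, web on 80/443, the path /etc/firewall/iptables.rules (the same file the recovery script later in this guide reads) and backups under /root are assumptions.

```shell
#!/bin/bash
# Added example for this guide, not code from the original article: the
# web-server ruleset written as one iptables-restore file and loaded in a
# single commit, with a timed rollback so a mistake cannot lock you out.
# Assumptions (not from the article): SSH on 22, HTTP/HTTPS on 80/443,
# the ruleset kept at /etc/firewall/iptables.rules, backups under /root.
set -eu

# gen_ruleset SSH_PORT "PORT PORT ...": print an iptables-restore file.
# The chain policies are part of the file header, so DROP and the ACCEPT
# rules are committed together; there is never a moment where INPUT is DROP
# and nothing is allowed through, which is what freezes your SSH session
# when the commands are typed one by one. IPv4 only: ip6tables needs its
# own file, and one that allows ICMPv6 (neighbour discovery) or v6 breaks.
gen_ruleset() {
    local ssh_port="$1" ports="$2" p
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
EOF
    for p in $ports; do
        echo "-A INPUT -p tcp --dport ${p} -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Last rule: log what is about to hit the DROP policy, rate-limited so a
    # port scan cannot flood the kernel log.
    cat <<EOF
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# apply_ruleset FILE [SECONDS]: parse-check FILE, save the live rules, load
# FILE atomically, then restore the saved rules after SECONDS (default 90)
# unless the timer is killed. Open a second SSH session to confirm you can
# still get in, then kill the timer to keep the new rules.
apply_ruleset() {
    local file="$1" secs="${2:-90}" backup
    backup=$(mktemp /root/iptables-pre-apply.XXXXXX)
    iptables-restore --test "$file"   # syntax check only, nothing is changed
    iptables-save > "$backup"
    iptables-restore "$file"          # all rules take effect at once
    ( sleep "$secs" && iptables-restore "$backup" ) &
    echo "Rules loaded. Rollback to $backup in ${secs}s unless you run: kill $!"
}

# Usage: sudo ./firewall.sh --apply   (without --apply it only prints the file)
if [ "${1:-}" = "--apply" ]; then
    mkdir -p /etc/firewall
    gen_ruleset 22 "80 443" > /etc/firewall/iptables.rules
    apply_ruleset /etc/firewall/iptables.rules 90
else
    gen_ruleset 22 "80 443"
fi
```

The INVALID drop and the "--ctstate NEW" qualifiers are two small hardening steps over the interactive version: packets that conntrack cannot place in any connection are discarded instead of being evaluated against the port rules, and the port rules only admit connection openers, leaving everything else to the ESTABLISHED,RELATED rule. Run the script without --apply first and read the file; a ruleset you can diff and review is also the one to hand to iptables-persistent.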

💾 Make iptables Rules Persistent

Rules entered with iptables live only in the running kernel and are lost on reboot unless you save them.

On Ubuntu/Debian:

sudo apt install iptables-persistent
sudo netfilter-persistent save

The package install asks whether to save the current IPv4 and IPv6 rules; say "yes". They are written to /etc/iptables/rules.v4 and /etc/iptables/rules.v6 and loaded again at boot by the netfilter-persistent service. Running "netfilter-persistent save" later rewrites those two files from whatever is loaded at that moment, so make sure the live ruleset is the one you want before saving.

To verify that your rules survive a reboot:

sudo iptables -L -v -n   # -n skips reverse DNS lookups, which can stall if DNS is unreachable
sudo reboot
sudo iptables -L -v -n   # Should still show your custom rules

If you need to update your rules later, just re-run your modified iptables commands and then:

sudo netfilter-persistent save

📦 Tip: Backing Up Your iptables Rules Manually

Before making changes, it’s a good idea to back up your current iptables rules. This helps you roll back if something breaks.

🧷 Save current rules to a file:

sudo iptables-save > ~/iptables-backup.rules

This writes every IPv4 table (filter, nat, mangle and so on) to a text file in exactly the format iptables-restore reads back, so the file can be reviewed, diffed and kept under version control.

To also back up IPv6 rules:

sudo ip6tables-save > ~/ip6tables-backup.rules

♻️ Restore from backup:

If you ever need to restore those rules:

sudo iptables-restore < ~/iptables-backup.rules

For IPv6:

sudo ip6tables-restore < ~/ip6tables-backup.rules

🧰 Use case: Scripted Recovery

You can include these backups in your server provisioning or recovery scripts:

#!/bin/bash
# Load the saved rulesets; abort on the first error so a missing or
# malformed file is noticed instead of silently leaving the host open.
set -e
iptables-restore < /etc/firewall/iptables.rules
ip6tables-restore < /etc/firewall/ip6tables.rules

Run it from a systemd unit ordered before the network comes up (Before=network-pre.target plus Wants=network-pre.target, which is what systemd.special(7) recommends for firewall scripts), so that no service ever listens unprotected. /etc/rc.local still works where it exists, but it is absent on most systemd-based distributions. Skip this entirely if you already use iptables-persistent, which does the same job with /etc/iptables/rules.v4 and rules.v6.


🛡️ Bonus: Logging Dropped Packets (Optional but Useful)

If you're troubleshooting or want visibility into blocked connections, append a LOG rule as the last rule in INPUT. LOG does not terminate processing: a packet that reaches it is logged and then falls through to the DROP policy, and because the rule sits after every ACCEPT rule it only sees traffic that is about to be dropped. Rate-limit it so a scan or brute-force run cannot flood the kernel log:

sudo iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-drop: " --log-level 4

Then check your logs with:

sudo journalctl -k | grep iptables-drop

Or for older systems using syslog:

sudo tail -f /var/log/kern.log

⚠️ Any ACCEPT rule you append later with -A lands after this LOG rule, so its traffic gets logged with the "drop" prefix even though it is accepted; insert later rules with -I, or rebuild the ruleset with the LOG rule last. And don't run an unlimited LOG rule on production servers: under a brute-force or scanning attack it fills the log fast, and since the kernel log is written to disk it can fill /var along with it.
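Once the LOG rule is in place the question becomes what to do with the lines. The functions below are an example added for this guide (not code from the original article): parse_drops pulls SRC, PROTO and DPT out of each "iptables-drop:" kernel log line, summarize_drops counts them, and scanners flags sources that probed several distinct ports, which is the quickest way to separate a port scan from a single noisy client. The log lines in SAMPLE_LOG are constructed for the example, using documentation address ranges, and are not real captures; the field layout matches what the kernel LOG target writes.

```shell
#!/bin/bash
# Added example for this guide, not code from the original article: triage
# of "iptables-drop:" lines from journalctl -k or /var/log/kern.log.
# SAMPLE_LOG is constructed for this example (documentation addresses
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24), not a real capture.
set -eu

SAMPLE_LOG='Jun 10 12:00:01 web1 kernel: iptables-drop: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1001 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 10 12:00:03 web1 kernel: iptables-drop: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1002 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 10 12:00:05 web1 kernel: iptables-drop: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1003 DF PROTO=TCP SPT=51002 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 10 12:00:06 web1 kernel: eth0: link becomes ready
Jun 10 12:00:07 web1 kernel: iptables-drop: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.42 DST=198.51.100.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 10 12:00:07 web1 kernel: iptables-drop: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.42 DST=198.51.100.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40002 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 10 12:00:07 web1 kernel: iptables-drop: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.42 DST=198.51.100.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40003 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 10 12:00:09 web1 kernel: iptables-drop: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.0.2.9 DST=198.51.100.10 LEN=61 TOS=0x00 PREC=0x00 TTL=57 ID=4242 PROTO=UDP SPT=53001 DPT=53 LEN=41'

# parse_drops: stdin -> one "SRC PROTO DPT" line per logged drop. The LOG
# target writes KEY=VALUE tokens, so each token is split on its first "=";
# flags without a value (DF, SYN) and lines without the prefix are ignored.
parse_drops() {
    awk '
    /iptables-drop: / {
        src = "-"; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "SRC") src = val
            else if (key == "PROTO") proto = val
            else if (key == "DPT") dpt = val
        }
        print src, proto, dpt
    }'
}

# summarize_drops: stdin -> "COUNT SRC PROTO DPT", busiest tuple first.
summarize_drops() {
    parse_drops | LC_ALL=C sort | uniq -c | LC_ALL=C sort -k1,1nr -k2,2 | sed 's/^ *//'
}

# scanners N: stdin -> "SRC PORTS" for every source that hit at least N
# distinct destination ports, a simple port-scan heuristic.
scanners() {
    parse_drops | awk -v t="$1" '
    !(($1, $3) in seen) { seen[$1, $3] = 1; ports[$1]++ }
    END { for (s in ports) if (ports[s] >= t) print s, ports[s] }' | LC_ALL=C sort -k2,2nr -k1,1
}

# Usage on a live host:  sudo journalctl -k -o cat | summarize_drops
#                        sudo journalctl -k -o cat | scanners 5
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops
    printf '%s\n' "$SAMPLE_LOG" | scanners 3
fi
```

On the sample, summarize_drops puts the three SSH attempts from 203.0.113.7 at the top and scanners 3 reports only 198.51.100.42, which touched 23, 3389 and 8080: a textbook scan profile, while the single UDP/53 packet from 192.0.2.9 is more likely a stray DNS reply. Remember that with the rate-limited LOG rule you only see a sample of the drops, so absolute counts understate the real volume.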


🧠 Final Reminder

Saving and backing up your rules ensures:

  • You don’t lose your firewall setup after a reboot.
  • You can version control or share rules across systems.
  • You protect yourself from accidental lockouts.

Always test firewall changes locally (a VM is ideal) before applying them on a remote server, keep a second SSH session open while you apply them, and check the SSH rules before anything else.