Linux firewalls are essential for system security, providing network protection through packet filtering, stateful inspection, and access control. This comprehensive guide covers the three main firewall systems: ufw (Uncomplicated Firewall) for simplicity, iptables for granular control, and firewalld for dynamic management. Learn how to configure, manage, and troubleshoot firewalls to secure your Linux systems effectively.
Linux Firewall Systems Comparison
| Firewall System | Distributions | Complexity | Use Case | Persistence |
|---|---|---|---|---|
| ufw | Ubuntu, Debian | Beginner | Simple setups, desktop | Automatic |
| iptables | All Linux | Advanced | Complex rules, servers | Manual/scripts |
| firewalld | RHEL, CentOS, Fedora | Intermediate | Dynamic environments | Automatic |
| nftables | Modern Linux | Advanced | Future replacement | Manual/scripts |
Quick Reference:
• Check firewall status:
• View iptables rules:
• Test port accessibility:
• Save iptables rules:
• Always test firewall rules before applying to production
• Use deny-by-default and allow specific services only
• Keep firewall rules documented and version controlled
• Check firewall status:
sudo ufw status or sudo firewall-cmd --state• View iptables rules:
sudo iptables -L -n -v• Test port accessibility:
telnet host port or nc -zv host port• Save iptables rules:
sudo iptables-save > /etc/iptables/rules.v4• Always test firewall rules before applying to production
• Use deny-by-default and allow specific services only
• Keep firewall rules documented and version controlled
Firewall Configuration Workflow
Systematic Firewall Configuration Process
Assess Needs
→
Choose Tool
→
Default Policy
→
Allow Services
→
Test Rules
→
Enable & Save
Essential Firewall Concepts
| Concept | Description | Example | Importance |
|---|---|---|---|
| Chains | Rule containers (INPUT, OUTPUT, FORWARD) | INPUT chain for incoming traffic | High |
| Rules | Individual filtering instructions | Allow SSH on port 22 | High |
| Policies | Default actions (ACCEPT, DROP, REJECT) | DROP all incoming by default | High |
| State | Connection state tracking | Allow ESTABLISHED,RELATED | Medium |
| Zones | Network trust levels (firewalld) | public, trusted, internal | Medium |
| Services | Predefined port groups | ssh, http, https | Medium |
ufw - Uncomplicated Firewall
Basic ufw Configuration
Simple firewall management for Ubuntu/Debian systems.
ufw [command] [rules]
Basic Operations:
sudo ufw enable- Enable firewallsudo ufw disable- Disable firewallsudo ufw status- Show status and rulessudo ufw reset- Reset all rules
Examples:
# Enable UFW
sudo ufw enable
# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH
sudo ufw allow ssh
sudo ufw allow 22/tcp
# Allow HTTP and HTTPS
sudo ufw allow http
sudo ufw allow https
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Allow from specific IP
sudo ufw allow from 192.168.1.100
sudo ufw allow from 192.168.1.0/24
# Allow specific port range
sudo ufw allow 8000:8010/tcp
# Deny specific service
sudo ufw deny mysqlAdvanced ufw Rules
Advanced rule configuration and management.
ufw advanced rule syntax
Advanced Rules:
# Allow specific interface
sudo ufw allow in on eth0 to any port 22
sudo ufw allow out on eth0 to any port 80
# Limit SSH connections (anti-brute force)
sudo ufw limit ssh
# Allow specific protocol
sudo ufw allow 53/udp
sudo ufw allow 123/udp
# Complex rules with direction
sudo ufw allow in proto tcp from 192.168.1.0/24 to any port 22
sudo ufw allow out proto tcp to any port 80
# Delete rules
sudo ufw delete allow ssh
sudo ufw delete allow 80/tcp
# Show numbered rules
sudo ufw status numbered
# Delete by number
sudo ufw delete 1ufw Monitoring & Logging
Monitor and log firewall activity.
ufw logging and monitoring
Monitoring Commands:
# Enable logging
sudo ufw logging on
sudo ufw logging medium
# Check logging level
sudo ufw status verbose
# View logged events
sudo tail -f /var/log/ufw.log
# Show application profiles
sudo ufw app list
# Show specific app info
sudo ufw app info 'Apache Full'
# Allow application profile
sudo ufw allow 'Apache Full'
# Custom application profile
sudo nano /etc/ufw/applications.d/custom
# Reset and start over
sudo ufw reset
sudo ufw disable
sudo ufw enableiptables - Advanced Firewall Control
Basic iptables Commands
Granular firewall control with iptables.
iptables [options] [chain] [rules]
Basic Operations:
iptables -L- List rulesiptables -F- Flush rulesiptables -A- Append ruleiptables -I- Insert rule
Examples:
# List all rules
sudo iptables -L -n -v
# Flush all rules
sudo iptables -F
# Set default policies
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
# Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
# Allow established connections
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow HTTP/HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPTAdvanced iptables Rules
Advanced filtering and rule management.
iptables advanced rule syntax
Advanced Rules:
# Allow specific IP range
sudo iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
# Allow from specific interface
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# Rate limiting for SSH
sudo iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/min -j ACCEPT
# Block specific IP
sudo iptables -A INPUT -s 192.168.1.100 -j DROP
# Port forwarding
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80
# MAC address filtering
sudo iptables -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
# Time-based rules
sudo iptables -A INPUT -p tcp --dport 22 -m time --timestart 09:00 --timestop 17:00 -j ACCEPTiptables Persistence
Save and restore iptables rules.
iptables persistence management
Persistence Methods:
# Save current rules
sudo iptables-save > /etc/iptables/rules.v4
sudo ip6tables-save > /etc/iptables/rules.v6
# Restore rules
sudo iptables-restore < /etc/iptables/rules.v4
sudo ip6tables-restore < /etc/iptables/rules.v6
# Install persistence package (Debian/Ubuntu)
sudo apt install iptables-persistent
# For systemd systems
sudo systemctl enable netfilter-persistent
sudo systemctl start netfilter-persistent
# Manual service script
sudo nano /etc/rc.local
# Add: iptables-restore < /etc/iptables/rules.v4
# Check if rules loaded
sudo iptables -Lfirewalld - Dynamic Firewall Management
Basic firewalld Commands
Dynamic firewall management for RHEL/CentOS/Fedora.
firewall-cmd [options]
Basic Operations:
firewall-cmd --state- Check statusfirewall-cmd --reload- Reload rulesfirewall-cmd --list-all- Show all rulesfirewall-cmd --get-zones- List zones
Examples:
# Check firewalld status
sudo firewall-cmd --state
# Start and enable firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld
# List all zones
sudo firewall-cmd --get-zones
# Get default zone
sudo firewall-cmd --get-default-zone
# List services in default zone
sudo firewall-cmd --list-services
# Add service to zone
sudo firewall-cmd --zone=public --add-service=ssh
sudo firewall-cmd --zone=public --add-service=http
sudo firewall-cmd --zone=public --add-service=https
# Make changes permanent
sudo firewall-cmd --runtime-to-permanentfirewalld Zones & Services
Zone-based configuration and service management.
firewalld zone and service management
Zone Configuration:
# Change default zone
sudo firewall-cmd --set-default-zone=internal
# List all services
sudo firewall-cmd --get-services
# Add custom port
sudo firewall-cmd --zone=public --add-port=8080/tcp
sudo firewall-cmd --zone=public --add-port=3000-3010/tcp
# Remove service
sudo firewall-cmd --zone=public --remove-service=ssh
# Rich rules for complex scenarios
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port port="22" protocol="tcp" accept'
# Port forwarding
sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080
# Masquerading (NAT)
sudo firewall-cmd --zone=public --add-masqueradefirewalld Configuration Files
Persistent configuration and custom services.
firewalld configuration files
File-based Configuration:
# Custom service definition
sudo nano /etc/firewalld/services/myapp.xml
# Example custom service
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>My Application</short>
<description>My custom application service</description>
<port protocol="tcp" port="9000"/>
<port protocol="udp" port="9001"/>
</service>
# Reload firewalld
sudo firewall-cmd --reload
# Add custom service
sudo firewall-cmd --zone=public --add-service=myapp
# Zone configuration files
sudo nano /etc/firewalld/zones/public.xml
# Direct rules (iptables passthrough)
sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 3306 -j ACCEPTFirewall Rules Comparison
| Action | ufw Command | iptables Command | firewalld Command |
|---|---|---|---|
| Allow SSH | ufw allow ssh |
iptables -A INPUT -p tcp --dport 22 -j ACCEPT |
firewall-cmd --add-service=ssh |
| Allow HTTP | ufw allow http |
iptables -A INPUT -p tcp --dport 80 -j ACCEPT |
firewall-cmd --add-service=http |
| Allow from IP | ufw allow from 192.168.1.100 |
iptables -A INPUT -s 192.168.1.100 -j ACCEPT |
firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.100 accept' |
| Port Range | ufw allow 8000:8010/tcp |
iptables -A INPUT -p tcp --dport 8000:8010 -j ACCEPT |
firewall-cmd --add-port=8000-8010/tcp |
| Deny Service | ufw deny mysql |
iptables -A INPUT -p tcp --dport 3306 -j DROP |
firewall-cmd --remove-service=mysql |
Practical Firewall Examples
Real-World Firewall Configuration Scenarios
# 1. Web Server Firewall (ufw)
sudo ufw enable
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw allow from 192.168.1.0/24 # Internal network
sudo ufw status verbose
# 2. Database Server (iptables)
sudo iptables -F
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 3306 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables-save > /etc/iptables/rules.v4
# 3. Application Server (firewalld)
sudo systemctl start firewalld
sudo systemctl enable firewalld
sudo firewall-cmd --set-default-zone=public
sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --add-port=3000/tcp --permanent
sudo firewall-cmd --add-port=5432/tcp --permanent
sudo firewall-cmd --add-source=192.168.1.0/24 --permanent
sudo firewall-cmd --reload
# 4. Docker Host Firewall
# UFW with Docker requires additional configuration
sudo nano /etc/ufw/after.rules
# Add after *filter section:
# *nat
# :POSTROUTING ACCEPT [0:0]
# -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
# COMMIT
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
# 5. Development Environment
sudo ufw enable
sudo ufw allow ssh
sudo ufw allow 3000:3010/tcp # Development ports
sudo ufw allow 5432/tcp # PostgreSQL
sudo ufw allow 6379/tcp # Redis
sudo ufw allow 27017/tcp # MongoDB
# 6. Home Server with Multiple Services
sudo ufw enable
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw allow 32400/tcp # Plex
sudo ufw allow 8080/tcp # Additional web service
sudo ufw allow 9090/tcp # Monitoring
sudo ufw allow from 192.168.1.0/24 to any port 445 # SMB
# 7. Secure SSH Configuration
# Rate limiting and IP restrictions
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
sudo iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP
# 8. Port Knocking for SSH Security
# Sequence: 1000,2000,3000 opens SSH port for 30 seconds
sudo iptables -A INPUT -m recent --name SSH --remove -j DROP
sudo iptables -A INPUT -p tcp --dport 1000 -m recent --name SSH --set -j DROP
sudo iptables -A INPUT -p tcp --dport 2000 -m recent --name SSH --update -j DROP
sudo iptables -A INPUT -p tcp --dport 3000 -m recent --name SSH --update -j ACCEPT
# 9. Load Balancer Configuration
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.11:80
sudo iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.10 --dport 80 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.11 --dport 80 -j MASQUERADE
# 10. VPN Server Firewall Rules
sudo ufw allow OpenSSH
sudo ufw allow 1194/udp # OpenVPN
sudo ufw allow 51820/udp # WireGuard
sudo ufw allow from 10.8.0.0/24 # VPN clients
# 11. Gaming Server
sudo ufw allow 25565/tcp # Minecraft
sudo ufw allow 27015/tcp # Steam/CS:GO
sudo ufw allow 2456:2458/udp # Valheim
sudo ufw allow 7777/udp # Ark
# 12. Monitoring Server
sudo ufw allow ssh
sudo ufw allow 9090/tcp # Prometheus
sudo ufw allow 3000/tcp # Grafana
sudo ufw allow 9100/tcp # Node Exporter
sudo ufw allow 9093/tcp # Alertmanager
# 13. Mail Server
sudo ufw allow 25/tcp # SMTP
sudo ufw allow 587/tcp # Submission
sudo ufw allow 465/tcp # SMTPS
sudo ufw allow 993/tcp # IMAPS
sudo ufw allow 995/tcp # POP3S
# 14. DNS Server
sudo ufw allow 53/tcp
sudo ufw allow 53/udp
sudo ufw allow 953/tcp # rndc
# 15. Backup Server
sudo ufw allow ssh
sudo ufw allow 873/tcp # Rsync
sudo ufw allow from 192.168.1.0/24 to any port 445 # SMB
# 16. Firewall Testing Script
#!/bin/bash
echo "Testing common ports:"
for port in 22 80 443 3306 5432; do
nc -zv localhost $port 2>&1 | grep -E "(succeeded|open)"
done
# 17. Firewall Reset Script
#!/bin/bash
# Reset to default state
sudo ufw --force reset
sudo ufw disable
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
# 18. Firewall Monitoring Script
#!/bin/bash
# Monitor firewall activity
echo "=== UFW Status ==="
sudo ufw status verbose
echo -e "\n=== Active Connections ==="
sudo netstat -tuln
echo -e "\n=== Failed Connections ==="
sudo grep -i "denied" /var/log/ufw.log | tail -10Common Use Cases
Web Servers
- Basic Web Server: Allow HTTP/HTTPS, SSH, block everything else
- Load Balancer: Port forwarding, health checks, backend communication
- Application Server: Specific application ports, database access
- CDN Edge: Rate limiting, geographic restrictions
Database Servers
- Internal Database: Restrict to application servers only
- Replication: Allow replication traffic between database nodes
- Backup Access: Temporary access for backup systems
- Monitoring: Allow monitoring systems to collect metrics
Development & Testing
- Development Environment: Open ports for various services
- CI/CD Pipeline: Temporary access for deployment
- Testing Environment: Isolated network segments
- Container Hosts: Docker and Kubernetes networking
Advanced Firewall Configuration
Security Hardening
Advanced security configurations and best practices.
Security hardening techniques
Hardening Measures:
# Block common attack vectors
sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Prevent SSH brute force
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
# Block port scanning
sudo iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/s -j ACCEPT
# Geo-blocking (requires geoip database)
sudo iptables -A INPUT -m geoip --src-cc CN,RU -j DROPMonitoring & Logging
Monitor firewall activity and log analysis.
Monitoring and logging setup
Monitoring Setup:
# Enable detailed logging
sudo ufw logging high
# Monitor iptables rules
sudo iptables -L -n -v --line-numbers
# Log specific traffic
sudo iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH Attempt: "
# Monitor firewalld
sudo firewall-cmd --list-all-zones
sudo journalctl -u firewalld -f
# Real-time monitoring
sudo watch -n 1 'iptables -L -n -v'
# Log analysis script
sudo grep -i "drop" /var/log/ufw.log | awk '{print $3}' | sort | uniq -c | sort -nrPerformance Optimization
Optimize firewall performance for high-traffic systems.
Performance optimization techniques
Optimization Tips:
# Use connection tracking for established connections
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Place frequently matched rules first
sudo iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
# Use IP sets for large IP lists
sudo ipset create whitelist hash:ip
sudo ipset add whitelist 192.168.1.100
sudo iptables -A INPUT -m set --match-set whitelist src -j ACCEPT
# Limit rule complexity
# Avoid too many individual rules, use groups
Important Considerations:
• Always test firewall rules in a non-production environment first
• Be extremely careful when configuring firewalls remotely - you can lock yourself out
• Keep backup access methods available (console access, out-of-band management)
• Document all firewall rules and their purposes
• Regularly review and update firewall rules
• Use version control for firewall configurations
• Monitor firewall logs for suspicious activity
• Have a rollback plan for failed firewall changes
• Always test firewall rules in a non-production environment first
• Be extremely careful when configuring firewalls remotely - you can lock yourself out
• Keep backup access methods available (console access, out-of-band management)
• Document all firewall rules and their purposes
• Regularly review and update firewall rules
• Use version control for firewall configurations
• Monitor firewall logs for suspicious activity
• Have a rollback plan for failed firewall changes
Pro Tips:
• Start with a deny-all policy and allow only what's necessary
• Use ufw for simplicity, iptables for granular control, firewalld for dynamic environments
• Always allow established and related connections for stateful filtering
• Use rate limiting to protect against brute force attacks
• Regularly audit and clean up unused firewall rules
• Use application profiles when available for consistency
• Test firewall rules from both internal and external perspectives
• Keep firewall rules organized and well-documented
• Start with a deny-all policy and allow only what's necessary
• Use ufw for simplicity, iptables for granular control, firewalld for dynamic environments
• Always allow established and related connections for stateful filtering
• Use rate limiting to protect against brute force attacks
• Regularly audit and clean up unused firewall rules
• Use application profiles when available for consistency
• Test firewall rules from both internal and external perspectives
• Keep firewall rules organized and well-documented
Key Takeaways
Mastering Linux firewalls is essential for system security and network protection. Understanding the different firewall systems - from the simplicity of ufw to the granular control of iptables and the dynamic management of firewalld - allows you to choose the right tool for each scenario. Remember that effective firewall management involves not just creating rules, but also monitoring, testing, and maintaining them over time. Whether you're securing a personal server or an enterprise infrastructure, these skills ensure your systems are protected while maintaining necessary accessibility.
Next Step: Explore advanced firewall topics like intrusion detection systems (IDS), application-level firewalls, network segmentation, and automated firewall management with tools like Ansible.