Last modified: June 01, 2025
A firewall is like a guard for your computer: it inspects the traffic going in and out and allows or blocks it according to a set of rules, so that nobody who shouldn't reach the machine can. In Linux, there are several utilities to manage the firewall, including `iptables`, `ufw`, and `firewalld`.
```
INTERNET TRAFFIC ---> |--------------------------| ---> INTERNAL NETWORK
[IP:123.45.67.89]     |                          |      [Accepted IP: 123.45.67.89]
Port 80 (HTTP)        |    +----------------+    |      Port 80 -> Allowed
                      |    |    FIREWALL    |    |
                      |    | Rules Applied: |    |
[IP: 98.76.54.32]     |    | - Allow HTTP   |    |      [Rejected IP: 98.76.54.32]
Port 22 (SSH)         |    | - Block SSH    |    |      Port 22 -> Blocked
                      |    +----------------+    |
                      |                          |
                      |--------------------------|
```
`iptables` is a command-line utility for managing the Linux firewall. It is pre-installed on most Linux systems and lets you configure rules to control incoming and outgoing network traffic.

To view the current rules, use the `-L` flag:

```bash
iptables -L
```
An example output might look something like this:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DROP       icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level debug prefix "iptables denied: "

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.1.0/24       192.168.1.0/24
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
Explanation:

I. Chain Names: `INPUT`, `FORWARD`, and `OUTPUT` are the default chains in iptables.

II. Policies: Set to `ACCEPT`, `DROP`, or `REJECT`. For example, the default policy for `FORWARD` is `DROP`.

III. Rules: Listed under each chain.

- `target`: the action taken on a matching packet, such as `ACCEPT`, `DROP`, or `LOG`.
- `prot`: the protocol matched: `tcp`, `udp`, `icmp`, or `all`.
- `opt`: rule options; `--` means none are set.
- Match criteria: `tcp dpt:ssh` means TCP packets destined for the SSH port.
- A `LOG` rule can specify logging of packets, including a prefix for log messages.

To add a new rule, use the `-A` flag followed by the rule itself. For example, to allow incoming traffic on port 80 (used for HTTP), use:

```bash
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
```

To delete a rule, use the `-D` flag followed by the rule number (as displayed by the `-L` flag). For example, to delete the second rule in the `INPUT` chain, use:

```bash
iptables -D INPUT 2
```
🔴 Caution: Keep in mind that firewall rule changes made with iptables do not survive a reboot. To keep them, save the rules to a file and restore them when the system starts.
I. On Debian-based systems, you can save the current iptables configuration with:

```bash
iptables-save > /etc/iptables/rules.v4
```

and ensure it is reloaded on boot by installing the `iptables-persistent` package.

II. On Red Hat-based systems, you can save the configuration with:

```bash
service iptables save
```
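The following script is an added example, not code from the original article. It puts the commands above together into a small default-deny `INPUT` baseline that keeps SSH reachable, saves the result to the Debian `rules.v4` path the article names, and shows the check a practitioner wants before deleting by rule number: list the chain with `--line-numbers` (plain `-L` prints no numbers) and look the number up from the listing, because positions shift after every deletion. `DRY_RUN`, `SSH_PORT`, `RULES_FILE`, the function names and the embedded listing are all assumptions of this example; the listing is a constructed sample of what `iptables -L INPUT -n --line-numbers` prints after the baseline is applied. Run with `DRY_RUN=1` to print the commands instead of executing them, which is also the only way to run it without root.

```shell
#!/usr/bin/env bash
# Added example: stateful default-deny INPUT baseline + rule-number lookup.
# Assumptions (not from the article): DRY_RUN, SSH_PORT, RULES_FILE, and
# the constructed SAMPLE_LISTING below.
set -eu

DRY_RUN="${DRY_RUN:-0}"                        # 1 = print commands, do not execute
SSH_PORT="${SSH_PORT:-22}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"   # iptables-persistent location (article)

# Run iptables, or print the command line when DRY_RUN=1.
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# Default-deny INPUT policy. Order matters: loopback and established traffic
# first, then the services we allow, then a rate-limited LOG so that anything
# which falls through to the DROP policy leaves a trace in the kernel log.
apply_baseline() {
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT   # keep SSH before locking down
  ipt -A INPUT -p tcp --dport 80 -j ACCEPT
  ipt -A INPUT -m limit --limit 10/min --limit-burst 5 -j LOG --log-prefix "iptables denied: " --log-level debug
}

# Persist the running ruleset so iptables-persistent restores it at boot.
save_rules() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'iptables-save > %s\n' "$RULES_FILE"
  else
    iptables-save > "$RULES_FILE"
  fi
}

# Given the text of `iptables -L <chain> -n --line-numbers` and an awk regex,
# print the number of the first rule that matches (nothing if none matches).
# Use this immediately before `iptables -D <chain> <num>`; numbers are positional.
rule_number_for() {
  local listing="$1" pattern="$2"
  printf '%s\n' "$listing" \
    | awk -v pat="$pattern" '$1 ~ /^[0-9]+$/ && $0 ~ pat { print $1; exit }'
}

# Constructed sample listing (what the INPUT chain looks like after apply_baseline).
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
5    LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "'

# Stand-alone use: `DRY_RUN=1 ./baseline.sh apply` prints the plan; as root
# without DRY_RUN it applies and saves the ruleset.
if [ "${1:-}" = "apply" ]; then
  apply_baseline
  save_rules
fi
```

Deleting by rule specification (`iptables -D INPUT -p tcp --dport 80 -j ACCEPT`) avoids the numbering problem altogether; `rule_number_for` is for the cases where only the number is practical, and it must be re-read after each deletion.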
UFW (Uncomplicated Firewall) is a user-friendly alternative to iptables for managing the Linux firewall. It is pre-installed on many Linux distributions, including Ubuntu.
To view the configured rules, use the `status numbered` command:

```bash
ufw status numbered
```

An example output of this command might look something like this:

```
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 1000:2000/tcp              ALLOW IN    192.168.1.0/24
[ 5] 22/tcp                     ALLOW IN    Anywhere (v6)
[ 6] 80/tcp                     ALLOW IN    Anywhere (v6)
[ 7] 443/tcp                    ALLOW IN    Anywhere (v6)
```
Explanation:

I. Status: Indicates whether the firewall is active or inactive. In this case, it's `active`.

II. Columns in the Output:

- To: the port and protocol (e.g., `22/tcp`) for which the rule is applied.
- Action: the action (`ALLOW IN`, `DENY`, etc.) taken by the firewall for matching traffic.
- From: the source of the traffic the rule applies to, e.g. `Anywhere` or a specific subnet.

III. Numbered Rules: Each rule is prefixed with a number in square brackets (e.g., `[ 1]`). This numbering is crucial for modifying or deleting specific rules, as it allows you to reference them easily.

IV. IPv4 and IPv6 Rules: Rules are listed for both IPv4 and IPv6 traffic; the IPv6 entries are suffixed with `(v6)`.
To allow incoming traffic on a specific port, use the `allow` command followed by the protocol and port number. For example, to allow incoming SSH connections (which use port 22 by default), use:

```bash
ufw allow ssh
```

To block incoming traffic on a specific port, use the `deny` command followed by the protocol and port number. For example, to block incoming HTTP connections (which use port 80 by default), use:

```bash
ufw deny http
```

To activate the firewall and apply the rules, use the `enable` command:

```bash
ufw enable
```

You can also set default policies for incoming and outgoing traffic using the `default` command. For example, to deny all incoming traffic and allow all outgoing traffic, use:

```bash
ufw default deny incoming
ufw default allow outgoing
ufw enable
```
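The script below is an added example and not part of the original article. It assembles the `ufw` commands above into a baseline (default deny incoming, allow outgoing, SSH, HTTP, HTTPS, and the `192.168.1.0/24` port-range rule from the sample output), and demonstrates the one pitfall of numbered rules: after `ufw delete N` every later rule moves up one position, so matching rules must be deleted from the highest number downwards. `DRY_RUN`, the function names and `UFW_SAMPLE` (a constructed copy of the sample `ufw status numbered` output) are assumptions of this example; `ufw limit` and `ufw --force delete` are standard ufw commands but are not mentioned in the article.

```shell
#!/usr/bin/env bash
# Added example: ufw baseline and safe deletion of numbered rules.
# Assumptions (not from the article): DRY_RUN, UFW_SAMPLE, function names.
set -eu

DRY_RUN="${DRY_RUN:-0}"   # 1 = print ufw commands instead of running them

# Run ufw, or print the command line when DRY_RUN=1.
ufwc() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'ufw %s\n' "$*"
  else
    ufw "$@"
  fi
}

# Baseline policy matching the article's sample ruleset.
ufw_baseline() {
  ufwc default deny incoming
  ufwc default allow outgoing
  ufwc limit ssh            # allow SSH, but rate-limit repeated connection attempts
  ufwc allow http
  ufwc allow https
  ufwc allow from 192.168.1.0/24 to any port 1000:2000 proto tcp
  ufwc --force enable       # --force skips the interactive confirmation prompt
}

# Constructed sample of `ufw status numbered` (same rules as the article's output).
UFW_SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 1000:2000/tcp              ALLOW IN    192.168.1.0/24
[ 5] 22/tcp                     ALLOW IN    Anywhere (v6)
[ 6] 80/tcp                     ALLOW IN    Anywhere (v6)
[ 7] 443/tcp                    ALLOW IN    Anywhere (v6)'

# Print, space-separated and in descending order, the numbers of the rules in
# a `ufw status numbered` listing that match an awk regex. Descending order is
# what makes a loop of `ufw delete N` safe: deleting 7 does not renumber 3.
rule_numbers_desc() {
  local status="$1" pattern="$2"
  printf '%s\n' "$status" \
    | awk -v pat="$pattern" '
        /^\[ *[0-9]+\]/ && $0 ~ pat {
          n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n); nums[++c] = n
        }
        END { for (i = c; i >= 1; i--) printf "%s%s", nums[i], (i > 1 ? " " : "\n") }'
}

# Delete every rule whose listing line matches the pattern (IPv4 and IPv6 entries).
# In DRY_RUN mode the constructed sample stands in for the live listing.
delete_matching() {
  local pattern="$1" status n
  if [ "$DRY_RUN" = "1" ]; then status="$UFW_SAMPLE"; else status="$(ufw status numbered)"; fi
  for n in $(rule_numbers_desc "$status" "$pattern"); do
    ufwc --force delete "$n"
  done
}

# Stand-alone use: `DRY_RUN=1 ./ufw-baseline.sh apply` prints the plan.
if [ "${1:-}" = "apply" ]; then
  ufw_baseline
fi
```

Where a rule has a clean specification, `ufw delete allow 443/tcp` removes it without consulting the numbers at all; `delete_matching` is for the case where only the listing tells you which entries exist.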
Firewalld is a more advanced firewall used by Fedora and other Linux distributions. It lets you configure firewalls using zones, which are collections of rules that apply to specific types of network interfaces.
To view the currently configured rules, use the `--list-all` flag:

```bash
firewall-cmd --list-all
```

An example output might look something like this:

```
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http https
  ports: 8080/tcp 9090/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.0/24" accept
        rule family="ipv4" source address="10.0.0.0/8" port port="443" protocol="tcp" accept
```
Explanation:

- Zone: the zone name (`public`) and its status (`active`).
- Interfaces: the network interfaces (`eth0`) associated with the zone.
- Services: the services allowed through the zone (`ssh`, `http`, `https`).
- Ports: the additional ports opened (`8080/tcp`, `9090/tcp`).
- Rich rules: finer-grained rules, here allowing all traffic from the `192.168.0.0/24` subnet, and allowing TCP traffic on port `443` from the `10.0.0.0/8` subnet.

I. Adding Rules
To add a new rule, use the `--add-service` flag followed by the service name. For example, to allow incoming SSH connections, use:

```bash
firewall-cmd --permanent --add-service=ssh
```

II. Removing Rules

To remove a rule, use the `--remove-service` flag followed by the service name. For example, to block incoming HTTP connections, use:

```bash
firewall-cmd --permanent --remove-service=http
```

III. Applying Changes

To apply the changes and reload the firewall, use the `--reload` flag:

```bash
firewall-cmd --reload
```

To make the changes persistent across reboots, restart `firewalld.service` using systemctl. For example:

```bash
systemctl restart firewalld.service
```
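As an added example (not code from the article or the firewalld project), the script below wraps the three steps above into functions that apply a change to the `public` zone's permanent configuration and then `--reload` it into the running firewall, adds a rich rule of the same shape as the ones in the sample output, and reads a `--list-all` listing back to verify that a service is actually allowed. The point it makes explicit is that `--permanent` writes to disk without changing the live ruleset until `--reload`, and that `--reload` discards any change made without `--permanent`. `DRY_RUN`, `ZONE`, the function names and `FIREWALLD_SAMPLE` (a constructed copy of the sample `--list-all` output) are assumptions of this example; `--add-rich-rule` and `--zone` are standard `firewall-cmd` options not shown in the article.

```shell
#!/usr/bin/env bash
# Added example: permanent + reload workflow for firewalld, with verification.
# Assumptions (not from the article): DRY_RUN, ZONE, FIREWALLD_SAMPLE, function names.
set -eu

DRY_RUN="${DRY_RUN:-0}"   # 1 = print firewall-cmd invocations instead of running them
ZONE="${ZONE:-public}"

# Run firewall-cmd, or print the command line when DRY_RUN=1.
fwc() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'firewall-cmd %s\n' "$*"
  else
    firewall-cmd "$@"
  fi
}

# Allow a service in the zone: write it to the permanent config, then reload so
# the permanent config becomes the runtime config. Without --reload the change
# is on disk only; without --permanent it would vanish at the next reload.
ensure_service() {
  local svc="$1"
  fwc --permanent --zone="$ZONE" --add-service="$svc"
  fwc --reload
}

# Allow TCP traffic on one port from one IPv4 subnet via a rich rule, in the
# same form as the rich rules shown in the article's --list-all output.
allow_subnet_port() {
  local cidr="$1" port="$2"
  fwc --permanent --zone="$ZONE" \
    --add-rich-rule="rule family=\"ipv4\" source address=\"$cidr\" port port=\"$port\" protocol=\"tcp\" accept"
  fwc --reload
}

# Print the value of a single-word field (services, ports, interfaces, ...)
# from the text of `firewall-cmd --list-all`. Multi-word fields such as
# "rich rules" are not handled by this helper.
zone_field() {
  local listing="$1" field="$2"
  printf '%s\n' "$listing" \
    | awk -v f="$field" '$1 == f ":" { sub(/^[ \t]*[^:]+:[ \t]*/, ""); print; exit }'
}

# Return 0 if the service appears in the listing's "services:" line, 1 otherwise.
has_service() {
  local listing="$1" svc="$2"
  case " $(zone_field "$listing" services) " in
    *" $svc "*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Constructed sample of `firewall-cmd --list-all` (same content as the article's output).
FIREWALLD_SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http https
  ports: 8080/tcp 9090/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.0/24" accept
        rule family="ipv4" source address="10.0.0.0/8" port port="443" protocol="tcp" accept'

# Stand-alone use: `DRY_RUN=1 ./fw.sh https` prints the plan for allowing https;
# as root without DRY_RUN it applies the change and verifies it against the live zone.
if [ "${1:-}" != "" ]; then
  ensure_service "$1"
  if [ "$DRY_RUN" != "1" ]; then
    has_service "$(firewall-cmd --zone="$ZONE" --list-all)" "$1" && echo "$1 is allowed in $ZONE"
  fi
fi
```

On a live system the verification step reads the runtime zone (no `--permanent`), which is the configuration that actually filters packets; comparing it with `firewall-cmd --permanent --zone=public --list-all` shows whether a change has been saved but not yet reloaded, or reloaded but not saved.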