A properly configured firewall is your first line of defense against unauthorized network access. Linux offers several firewall tools, from the simple UFW front end to the powerful iptables and the modern nftables framework that is replacing it. This guide covers all the major Linux firewall tools with production-ready configurations and security best practices.
## UFW (Uncomplicated Firewall)

UFW is the default firewall management tool on Ubuntu and Debian-based distributions. It is a simplified front end to iptables: every UFW rule is translated into iptables rules underneath.
### Basic UFW Operations

```bash
# Install UFW
sudo apt install ufw

# Check status
sudo ufw status verbose

# Set default policies (CRITICAL: do this before enabling!)
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Enable/disable. On a remote host, allow SSH (see the port rules below)
# before enabling, or the default deny policy will cut off your session.
sudo ufw enable
sudo ufw disable

# Reset all rules (disables UFW and removes every rule)
sudo ufw reset
```
### Port and Service Rules

```bash
# Allow by port number
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Allow by service name (resolved from /etc/services)
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https

# Allow port range
sudo ufw allow 8000:8100/tcp

# Deny specific port
sudo ufw deny 3306/tcp

# Allow from specific IP
sudo ufw allow from 192.168.1.100

# Allow from subnet to specific port
sudo ufw allow from 10.0.0.0/8 to any port 22

# Allow specific IP to specific port
sudo ufw allow from 192.168.1.50 to any port 3306

# Delete a rule
sudo ufw delete allow 80/tcp
# Or by rule number:
sudo ufw status numbered
sudo ufw delete 3

# Insert rule at position 1 (rules are evaluated in order; first match wins)
sudo ufw insert 1 deny from 10.0.0.5
```
### UFW Application Profiles

```bash
# List available app profiles (installed by packages under /etc/ufw/applications.d)
sudo ufw app list

# View app profile details
sudo ufw app info "Nginx Full"

# Allow application
sudo ufw allow "Nginx Full"
sudo ufw allow "OpenSSH"
```
## iptables: The Classic Firewall

iptables is the traditional Linux firewall tool. Its syntax is verbose, but it offers fine-grained control over every packet. On current distributions the `iptables` command is usually the `iptables-nft` compatibility layer, which stores the same rules in the nftables kernel backend:
### Viewing and Managing Rules

```bash
# List all rules with line numbers
sudo iptables -L -n -v --line-numbers

# List a specific chain
sudo iptables -L INPUT -n -v

# Flush all rules (CAUTION: if the INPUT policy is already DROP, this locks you out of a remote host)
sudo iptables -F

# Set default policies. On a remote host, add the accept rules from the next
# section (loopback, established, SSH) BEFORE switching INPUT to DROP.
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
```
### Common iptables Rules

```bash
# Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow established connections (-m conntrack is the current form of -m state)
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH unconditionally (use the rate-limited pair below INSTEAD if you want brute-force protection)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP and HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow from specific IP
sudo iptables -A INPUT -s 192.168.1.100 -j ACCEPT

# Allow from subnet
sudo iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 3306 -j ACCEPT

# Rate limiting SSH (slow down brute force). Rules match in order, so this pair
# replaces the unconditional SSH accept above; only NEW connections are
# throttled because established sessions were already accepted earlier.
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 5 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP

# Log dropped packets (rate-limited so a flood cannot fill the log)
sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: " --log-level 4

# Drop everything else (should be last rule)
sudo iptables -A INPUT -j DROP
```
### NAT and Port Forwarding

```bash
# Enable IP forwarding (runtime only; persist it with net.ipv4.ip_forward=1 in /etc/sysctl.d/)
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

# Source NAT (masquerading) for traffic leaving eth0
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Port forwarding (forward port 8080 to internal server)
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.50:80
# The FORWARD policy is DROP, so allow the forwarded connection and its return traffic
sudo iptables -A FORWARD -p tcp -d 192.168.1.50 --dport 80 -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```
### Saving iptables Rules

```bash
# Debian/Ubuntu
sudo apt install iptables-persistent
sudo netfilter-persistent save

# RHEL/CentOS (needs the iptables-services package; writes /etc/sysconfig/iptables)
sudo service iptables save

# Or write the file yourself (Debian/Ubuntu path shown). The redirect must also
# run as root: with `sudo iptables-save > file` your unprivileged shell opens the file.
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
```
## firewalld: Zone-Based Firewall

firewalld is the default firewall on RHEL, CentOS, Fedora, and AlmaLinux. It assigns interfaces and source networks to zones, each representing a trust level, and generates the underlying nftables (or iptables) rules from them:

```bash
# Check status
sudo firewall-cmd --state

# List all zones
sudo firewall-cmd --get-zones

# View active zones (those with an interface or source bound to them)
sudo firewall-cmd --get-active-zones

# List current zone configuration
sudo firewall-cmd --zone=public --list-all

# Add service
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=https --permanent

# Add port
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent

# Remove service
sudo firewall-cmd --zone=public --remove-service=http --permanent

# Allow from specific source (traffic from this subnet is handled by the trusted zone)
sudo firewall-cmd --zone=trusted --add-source=192.168.1.0/24 --permanent

# Port forwarding (forwarding to another host with toaddr= requires masquerading in the zone)
sudo firewall-cmd --zone=public --add-masquerade --permanent
sudo firewall-cmd --zone=public --add-forward-port=port=8080:proto=tcp:toport=80:toaddr=192.168.1.50 --permanent

# Rich rules (complex rules)
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" port port="3306" protocol="tcp" accept' --permanent

# Reload to apply permanent changes (changes made without --permanent take effect
# immediately but are lost on reload)
sudo firewall-cmd --reload
```
## nftables: The Modern Framework

nftables is the successor to iptables. A single `nft` tool handles IPv4 and IPv6, the syntax is cleaner, sets and maps are built in, and a whole ruleset can be loaded atomically:

```bash
# List all rules
sudo nft list ruleset

# Create a table (the inet family covers IPv4 and IPv6)
sudo nft add table inet filter

# Create chains. The drop policy takes effect the moment the chain exists, so on a
# remote host load the complete ruleset atomically from a file (sudo nft -f file)
# instead of creating a policy-drop chain interactively before its accept rules.
sudo nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
sudo nft add chain inet filter forward { type filter hook forward priority 0 \; policy drop \; }
sudo nft add chain inet filter output { type filter hook output priority 0 \; policy accept \; }

# Add rules
sudo nft add rule inet filter input iif lo accept
sudo nft add rule inet filter input ct state established,related accept
sudo nft add rule inet filter input tcp dport { 22, 80, 443 } accept

# Rate limiting. Rules match in order, so this must come BEFORE an unconditional
# accept for port 22, and it should throttle new connections only.
sudo nft add rule inet filter input tcp dport 22 ct state new limit rate 3/minute accept

# Save rules. The redirect must run as root, and a leading "flush ruleset" makes
# reloading the file replace the rules instead of duplicating them.
sudo sh -c '{ echo "flush ruleset"; nft list ruleset; } > /etc/nftables.conf'
```
## Production Web Server Firewall Template

```bash
# UFW example for a typical web server:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp comment "SSH"
sudo ufw allow 80/tcp comment "HTTP"
sudo ufw allow 443/tcp comment "HTTPS"
sudo ufw allow from 10.0.0.0/8 to any port 3306 comment "MySQL from private network"
sudo ufw enable

# Verify
sudo ufw status verbose
```
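As an added example (not code from the original guide), the same web-server policy written as an nftables ruleset and loaded atomically with a lockout guard; this is also the safe way to create the policy-drop chains from the nftables section on a remote host. It assumes `nft` is installed, root privileges, SSH on port 22 and the 10.0.0.0/8 management network from the template; the guard PID file path `/run/nft-guard.pid` is a constructed choice.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): render the web-server template
# as an nftables ruleset and load it atomically with a lockout guard.
# Assumptions: nft installed, run as root, SSH on 22, management net 10.0.0.0/8.
set -eu

# nftables counterpart of the UFW web-server template.
web_ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        # only NEW SSH connections are throttled; existing sessions matched above
        tcp dport 22 ct state new limit rate 3/minute burst 5 packets accept
        tcp dport { 80, 443 } accept
        ip saddr 10.0.0.0/8 tcp dport 3306 accept
        # rate-limited logging, then fall through to the chain policy (drop)
        limit rate 5/minute log prefix "nft-drop: "
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

# Apply the ruleset; unless the guard is killed within $1 seconds (default 60)
# the previous ruleset is restored, so a rule that cuts off SSH undoes itself.
nft_apply_guarded() {
    timeout="${1:-60}"
    backup="$(mktemp)"
    # backup starts with "flush ruleset" so restoring replaces, not merges
    { echo "flush ruleset"; nft list ruleset; } > "$backup"
    web_ruleset | nft -c -f -          # parse and validate only, no change
    web_ruleset | nft -f -             # atomic replace of the live ruleset
    ( sleep "$timeout"; nft -f "$backup"; rm -f "$backup" ) &
    echo "$!" > /run/nft-guard.pid     # constructed path for the guard PID
    echo "Applied. To keep it: kill \$(cat /run/nft-guard.pid); rm -f $backup"
}
```

Call `nft_apply_guarded 90` from the remote session, confirm SSH still works, then kill the guard; if the session is lost, the old rules come back by themselves.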