Enterprise hosting · Built for gamers
Firewalls with iptables and ufw
A firewall protects your server from unwanted access. This guide explains the two most important firewall tools on Linux: ufw (easy) and iptables (advanced). Both are pre-installed on most systems.
Note: Detailed guides on security and network can be found in the left navigation.
ufw vs. iptables – What's the difference?
| Feature | ufw | iptables |
|---|---|---|
| Difficulty | Easy – commands are self-explanatory | Complex – requires precise syntax |
| Recommended for | Beginners and standard setups | Advanced users and complex rules |
| Configuration | Translated into iptables rules | Direct kernel rules |
| Default on | Ubuntu, Debian (can be installed) | All Linux systems |
For 95% of use cases, ufw is completely sufficient. You only need iptables for very specific setups.
ufw – The Easy Firewall
Basic commands
# Show status
sudo ufw status verbose
# Status with numbered rules
sudo ufw status numbered
# Enable / Disable
sudo ufw enable
sudo ufw disable
# Complete reset
sudo ufw reset
Set default policies
# Block all incoming (recommended)
sudo ufw default deny incoming
# Allow all outgoing
sudo ufw default allow outgoing
Opening ports
# Single port with protocol
sudo ufw allow 22/tcp
sudo ufw allow 443/tcp
sudo ufw allow 53/udp
# Without protocol (TCP and UDP)
sudo ufw allow 30120
# Port range
sudo ufw allow 27000:27100/tcp
# From specific IP
sudo ufw allow from 192.168.1.100 to any port 22
# From specific IP with protocol
sudo ufw allow from 192.168.1.0/24 to any port 3306 proto tcp
Closing ports
# By port number
sudo ufw deny 3306/tcp
# By number from "ufw status numbered"
sudo ufw delete 3
# Delete complete rule
sudo ufw delete allow 80/tcp
ufw for specific services
# Allow Apache/Nginx
sudo ufw allow 'Apache Full'
sudo ufw allow 'Nginx Full'
# Allow SSH
sudo ufw allow 'OpenSSH'
# Show available profiles
sudo ufw app list
iptables – The Powerful Firewall
Basic commands
# Show all current rules
sudo iptables -L -v -n
# With line numbers
sudo iptables -L -v -n --line-numbers
# Delete all rules (Caution!)
sudo iptables -F
Set default policies
# Block incoming traffic
sudo iptables -P INPUT DROP
# Allow outgoing traffic
sudo iptables -P OUTPUT ACCEPT
# Block forward traffic (not needed as a server)
sudo iptables -P FORWARD DROP
Opening ports
# Allow SSH (Important: do this first!)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# HTTP and HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# From specific IP
sudo iptables -A INPUT -p tcp -s 192.168.1.100 --dport 3306 -j ACCEPT
# Allow established connections
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow loopback (internal communication)
sudo iptables -A INPUT -i lo -j ACCEPT
Closing ports / deleting rules
# By line number
sudo iptables -D INPUT 3
# By rule content
sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT
Saving rules (persist across reboot)
# Install iptables-persistent
sudo apt install iptables-persistent -y
# Save rules
sudo netfilter-persistent save
# Restore rules
sudo netfilter-persistent reload
Important ports at a glance
| Port | Service | Protocol |
|---|---|---|
| 22 | SSH | TCP |
| 80 | HTTP (Web Server) | TCP |
| 443 | HTTPS (Web Server SSL) | TCP |
| 3306 | MySQL/MariaDB | TCP |
| 21 | FTP | TCP |
| 25565 | Minecraft | TCP |
| 30120 | FiveM | TCP + UDP |
| 27015 | CS2, ARK Query | TCP + UDP |
| 7777-7778 | ARK Game | UDP |
| 9987 | Teamspeak 3 Voice | UDP |
Typical security setups
Minimal web server (ufw)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
Game server with web interface (ufw)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 30120 # FiveM
sudo ufw allow 25565/tcp # Minecraft
sudo ufw allow 9987/udp # Teamspeak
sudo ufw allow 80/tcp # Web interface
sudo ufw enable
Common problems
No SSH access after firewall activation:
- Always allow SSH before enabling:
sudo ufw allow 22/tcp - If locked out: Use the VNC console in the customer panel to disable the firewall
Rules don't apply in expected order:
- iptables processes rules from top to bottom. The first matching rule is applied
- Place specific rules before general rules
ufw is installed but inactive:
- Check with
sudo ufw status - If "inactive":
sudo ufw enable
Detailed guides on network and advanced firewall rules can be found in the articles in the left navigation.
NexoraHost
Your own server
Root access for Linux admins – secure with our VPS/root guides.
nexorahost.com · Maincubes FRA01 · 1 Tbit/s DDoS · 99,9 % Uptime