Setting up the firewall (`ufw`, `iptables`)

Docker SELF
Level 5 , Lesson 1

1. UFW: Uncomplicated Firewall

Why do you need a firewall?

Imagine your server is a house full of valuable stuff (data, of course). If you leave the doors wide open, anyone can come in, snack on your data, and then leave dirty dishes (or worse). A firewall is like those doors that you can control: who can come in, through which gates, and under what conditions.

Packet filtering on Linux happens in the kernel (the netfilter framework). Two common tools for managing those filtering rules from user space are ufw (Uncomplicated Firewall) and iptables. Let's figure out how they work and how they differ.

What is UFW?

UFW is a tool for setting up a firewall, created with the idea of "let’s make this simple". It’s perfect for those who want to quickly configure basic access rules without delving into complex details.

Installing and enabling UFW

UFW ships preinstalled on Ubuntu and most Ubuntu-based distributions; on Debian it usually has to be installed:

sudo apt update
sudo apt install ufw

Before you enable it on a machine you reach over SSH, add the rule that lets you in (the SSH rule from the next section). UFW denies incoming traffic by default, so an enabled firewall with no rules still lets your current session continue (it is an established connection) but refuses every new SSH connection; if that session drops, you are locked out. ufw enable prints a warning about exactly this.

Enable UFW:

sudo ufw enable

Check the status:

sudo ufw status

Before enabling, the status reads "Status: inactive"; afterwards it reads "Status: active" followed by the list of rules.

Configuring UFW rules

Now the fun part — setting up rules to determine which traffic to allow and which to block.

Allow SSH access (port 22). Name the protocol explicitly: a bare "allow 22" opens both TCP and UDP on that port, and SSH only needs TCP:

sudo ufw allow 22/tcp

Allow access to the web server (port 80):

sudo ufw allow 80/tcp

Allow HTTPS (port 443):

sudo ufw allow 443/tcp

Deny access to an unnecessary port (e.g., 8080):

sudo ufw deny 8080

With the default policy of deny incoming this rule is redundant: anything you did not allow is already blocked. An explicit deny matters when the default policy is allow, or when you want to override a broader allow rule. Keep in mind that UFW evaluates rules top to bottom and the first match wins, so a deny added after an allow for the same port has no effect unless you place it earlier (ufw insert puts a rule at a chosen position).

Delete a rule:

If you change your mind, delete the rule by its number, as shown by the sudo ufw status numbered command. Numbers shift up after every deletion, so list again before deleting the next one (a rule can also be deleted by repeating its text after delete, which does not have this problem). For example:

sudo ufw delete 1

Checking and testing

To make sure everything is working as expected, you can check the status again:

sudo ufw status

You'll see a list of all active rules. sudo ufw status verbose additionally shows the default policies (deny incoming, allow outgoing) and the logging level, which is what you want to confirm right after enabling. A rule list only tells you what UFW intends; test from another host as well (a plain connection attempt to each port), because something in front of the host, such as a cloud provider's security group, can still change what actually arrives.


2. IPTABLES: more control, more possibilities

What is iptables?

If UFW is a "simple door with a lock," then iptables is a "smart security guard" that lets you configure everything. It provides full control over traffic, including routing, filtering based on different criteria, and even the ability to modify packets.

Main iptables concepts

  1. Tables: groups of chains that serve one kind of packet processing. The two you will meet first:
    • filter: accept or drop packets (the default table when no -t option is given).
    • nat: address and port translation (for routers, and for Docker's published ports, for example).
    (mangle and raw exist as well, for altering packets and for exempting traffic from connection tracking.)
  2. Chains: ordered lists of rules. A packet is checked against them top to bottom and the first matching rule decides its fate. Each built-in chain also has a policy, the verdict for packets that match no rule at all. In the filter table:
    • INPUT: traffic addressed to this host.
    • OUTPUT: traffic originating from this host.
    • FORWARD: traffic routed through this host (including traffic to and from Docker containers).
  3. Targets: the verdict for a matching packet.
    • ACCEPT: let the packet through.
    • DROP: discard the packet silently; the sender sees only a timeout.
    • REJECT: discard the packet and tell the sender (an ICMP port-unreachable message by default, or a TCP reset with --reject-with tcp-reset).

Let's take a look at how to configure iptables rules.

Viewing current rules

To see what rules are already set up in the filter table (the default), run:

sudo iptables -L

Add -n to print addresses and ports as numbers instead of performing a reverse DNS lookup for each one (much faster, and it stops your rule set from being sent to a resolver), and -v to show per-rule packet and byte counters plus the interfaces. Other tables need the -t option, for example -t nat.

Creating rules with iptables

Simple rule: allow SSH (port 22):

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

-A appends the rule to the end of the INPUT chain. On a fresh system the INPUT policy is ACCEPT, so by itself this rule changes nothing; it only starts to matter once the policy, or a later rule, drops traffic.

Block access to port 8080:

sudo iptables -A INPUT -p tcp --dport 8080 -j DROP

Restrict access by IP address:

If you want only a specific computer with a particular IP to connect to your server, while blocking others:

sudo iptables -A INPUT -p tcp --dport 22 -s 192.168.1.100 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP

Order is what makes this work: the first matching rule wins, so the ACCEPT for 192.168.1.100 must sit above the general DROP. If the unconditional "allow port 22" rule from above is still in the chain ahead of these two, it matches first and the restriction is never reached; delete it (see below) or add the new rules at the top of the chain with -I instead of -A.

Deleting rules

To delete a rule, you need its position within its chain. Find it using:

sudo iptables -L --line-numbers

Then delete it like this:

sudo iptables -D INPUT <rule_number>

Numbers are counted per chain and shift up after each deletion, so list again before deleting the next rule. -D also accepts the full rule specification you gave to -A in place of a number, which is the safer form in scripts.

Saving rules

iptables rules live only in the running kernel and are gone after a reboot. To keep them, dump them with iptables-save. Be careful with the obvious form, sudo iptables-save > /etc/iptables/rules.v4: the redirection is opened by your unprivileged shell, not by sudo, so writing under /etc fails. Run the redirect as root instead:

sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

On Debian and Ubuntu, the /etc/iptables/rules.v4 path and the loading of that file at boot come from the iptables-persistent package (its netfilter-persistent save command writes the file for you). Without it or something equivalent, a saved file is never restored automatically.

You can restore the rules by hand like this:

sudo iptables-restore < /etc/iptables/rules.v4

iptables-restore replaces the table's current rules with the file's contents in one transaction: if the file contains an error, nothing is changed.

3. UFW vs IPTABLES: what to choose?

UFW and iptables serve the same purpose — they protect your server. So, which tool should you pick?

  • UFW: a simple tool for basic security setup. If you don't want to dive into low-level details or just want a host firewall up quickly, go with UFW.
  • iptables: a powerful tool for more complex configurations. If you need NAT, routing between networks, or per-interface rules, you'll need iptables (or its successor, nftables).

UFW actually works "on top" of iptables: it translates its rules into iptables rules (in its own ufw-* chains) for you, so if you've mastered iptables, you understand UFW's inner workings. The same fact explains a trap that matters in a Docker course. Docker writes its own iptables rules for published ports into the FORWARD chain (the DOCKER and DOCKER-USER chains), and that traffic never passes through the INPUT chain where UFW's rules live. A container started with -p 8080:80 is therefore reachable from outside even with ufw deny 8080 in place; restrictions for container ports have to be added to the DOCKER-USER chain with iptables.


4. Practical Examples: Server Protection

Example 1: Protecting SSH and Web Server with UFW

  1. Allow SSH and the web server first. On a remote machine, enabling a deny-by-default firewall before the SSH rule exists means no new SSH session can reach the host:
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
  2. Make sure UFW is installed, then enable it:
sudo ufw enable
  3. Check active rules:
sudo ufw status
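The same setup as a script that is safe to run over SSH, added here as an example and not part of the lesson. It assumes, as placeholders, that SSH listens on 22/tcp and that only the administrative network 192.168.1.0/24 should reach it; with APPLY left unset it only prints the commands it would run, so the order can be reviewed before anything touches the live firewall.

```bash
#!/usr/bin/env bash
# Added example (not from the lesson): a lock-out-safe UFW baseline.
# Assumptions, change to taste: SSH listens on 22/tcp, and only the
# administrative network 192.168.1.0/24 should be able to reach it.
set -eu

SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"
APPLY="${APPLY:-0}"   # 0 = print the plan, 1 = run it (needs root)

# Every ufw call goes through here so the full sequence can be reviewed
# before any of it touches the live firewall.
run() {
  if [ "$APPLY" = "1" ]; then
    sudo ufw "$@"
  else
    printf 'ufw %s\n' "$*"
  fi
}

# Order matters: policies and the SSH rule first, 'enable' last. UFW denies
# incoming traffic by default, so enabling it before an SSH rule exists means
# no new SSH session can be opened to the machine.
ufw_baseline() {
  run default deny incoming
  run default allow outgoing
  # SSH only from the admin network, TCP only, and rate-limited: 'limit'
  # blocks a source that opens 6 or more connections within 30 seconds.
  run limit from "$ADMIN_NET" to any port "$SSH_PORT" proto tcp
  # Web ports for everyone. Give the protocol explicitly: a bare 'allow 80'
  # would open udp/80 as well.
  run allow 80/tcp
  run allow 443/tcp
  run --force enable       # --force skips the interactive "may disrupt SSH" prompt
  run status verbose
}

# Review check on the printed plan: the SSH rule must be created before the
# firewall is switched on. Ordering is the only thing here that can lock you out.
ssh_rule_precedes_enable() {
  plan="$(APPLY=0 ufw_baseline)"
  ssh_line="$(printf '%s\n' "$plan" | grep -n "port ${SSH_PORT} proto tcp" | head -n1 | cut -d: -f1)"
  enable_line="$(printf '%s\n' "$plan" | grep -n -- '--force enable' | head -n1 | cut -d: -f1)"
  [ -n "$ssh_line" ] && [ -n "$enable_line" ] && [ "$ssh_line" -lt "$enable_line" ]
}

ufw_baseline
```

Run it once without APPLY to read the plan, then with APPLY=1 to apply it; the final status verbose output should show "Default: deny (incoming), allow (outgoing)" and the three rules.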

Example 2: Blocking Unnecessary Traffic with iptables

  1. Allow SSH access:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  2. Allow web traffic:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  3. Block everything else:
sudo iptables -A INPUT -j DROP

As written, step 3 also drops loopback traffic and the replies to connections the server itself opens (package updates, DNS lookups, outbound HTTP), because nothing above it accepts packets belonging to established connections. A usable version of this ruleset needs an ACCEPT for the lo interface and for ESTABLISHED,RELATED connections ahead of the service rules.
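A complete, stateful version of the rules from "Creating rules with iptables" and from Example 2, loaded in one transaction with iptables-restore and persisted the way "Saving rules" describes. This is an added example, not part of the lesson; the SSH port 22, the admin host 192.168.1.100 and the file /etc/iptables/rules.v4 are placeholders. With APPLY left unset the script only prints and checks the ruleset.

```bash
#!/usr/bin/env bash
# Added example (not from the lesson): a complete, stateful INPUT ruleset
# for iptables, loaded atomically with iptables-restore rather than rule
# by rule with 'iptables -A'. Assumptions, change to taste: SSH on 22/tcp
# reachable only from 192.168.1.100; rules persisted to /etc/iptables/rules.v4.
set -eu

SSH_PORT="${SSH_PORT:-22}"
ADMIN_IP="${ADMIN_IP:-192.168.1.100}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"
APPLY="${APPLY:-0}"   # 0 = print the ruleset, 1 = load and persist it (needs root)

# Emit the ruleset in iptables-save format. Lines starting with '#' are
# ignored by iptables-restore. Within a chain the first matching rule wins,
# so the order below is the security-relevant part.
gen_rules() {
  cat <<EOF
*filter
# Policies: whatever no rule accepts on INPUT is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Loopback. Local services talk to 127.0.0.1 and would break without this.
-A INPUT -i lo -j ACCEPT
# 2. Replies to connections this host opened (apt, DNS, outbound HTTP).
#    Missing this is what turns 'iptables -A INPUT -j DROP' into an outage.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 3. Packets that belong to no known connection and are not a valid new one.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 4. SSH only from the admin host. Everything else on this port falls through
#    to the DROP policy, so no separate DROP rule is needed.
-A INPUT -p tcp --dport ${SSH_PORT} -s ${ADMIN_IP} -m conntrack --ctstate NEW -j ACCEPT
# 5. Public web services.
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# 6. Let monitoring ping the host; other ICMP types hit the policy.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Line number (comments excluded) of the first rule matching PATTERN,
# so that ordering can be checked mechanically.
rule_line() {
  gen_rules | grep -v '^#' | grep -n -e "$1" | head -n1 | cut -d: -f1
}

# Review checks to run before loading: a DROP policy on INPUT, loopback and
# conntrack accepts ahead of the first service rule, and no SSH rule that is
# open to every source address. Returns 0 when all of them pass.
check_rules() {
  rules="$(gen_rules)"
  printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || { echo "INPUT policy is not DROP" >&2; return 1; }
  first_service="$(rule_line '--dport')"
  lo="$(rule_line '-i lo -j ACCEPT')"
  est="$(rule_line 'ESTABLISHED,RELATED')"
  [ -n "$first_service" ] && [ -n "$lo" ] && [ -n "$est" ] || { echo "expected rule missing" >&2; return 1; }
  [ "$lo" -lt "$first_service" ] && [ "$est" -lt "$first_service" ] || { echo "service rule precedes lo/conntrack accepts" >&2; return 1; }
  if printf '%s\n' "$rules" | grep -e "--dport ${SSH_PORT} " | grep -v -q -e '-s '; then
    echo "SSH rule without a source restriction" >&2
    return 1
  fi
  return 0
}

# Load the whole file in one transaction (a syntax error changes nothing),
# then persist it. 'sudo iptables-save > file' would fail because the redirect
# is opened by the unprivileged shell, so the write goes through tee.
apply_rules() {
  gen_rules | sudo iptables-restore
  sudo mkdir -p "$(dirname "$RULES_FILE")"
  sudo iptables-save | sudo tee "$RULES_FILE" >/dev/null
}

check_rules
if [ "$APPLY" = "1" ]; then
  apply_rules
else
  gen_rules
fi
```

Two cautions for a Docker host: iptables-restore flushes every chain of the filter table before loading, which wipes the DOCKER and DOCKER-USER chains (restart the docker service afterwards, or pass --noflush and manage only your own chains), and the FORWARD policy above only matters for container traffic, since packets addressed to the host itself never traverse FORWARD.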

Today you learned how to protect a server using UFW and iptables. Both tools are powerful and useful, just remember that UFW is your "everyday buddy," while iptables is like a "power tool in a pro's hands." Configure your firewall, study your settings, and let your server remain a fortress, not a revolving door.

Tasks (Docker SELF, level 5, lesson 1):

  • Installing and basic configuration of UFW
  • Allowing and blocking ports with UFW
  • Setting up security rules with iptables