iptables — the classic netfilter tool
iptables is the user-space front end to the netfilter framework in the Linux kernel. Packets are filtered by the INPUT, OUTPUT, and FORWARD chains of the filter table, and the rules in a chain are checked in order until one matches; if none does, the chain's default policy decides. iptables gives administrators full control over ports, IPs, and protocols, but its syntax is complex and a single mistyped rule can lock you out or leave a port exposed.
A basic rule set: allow all outgoing traffic, trust localhost, keep established connections, open SSH and HTTP/HTTPS, and drop all remaining incoming traffic. This approach is called the "default deny" policy and is the safest configuration: anything not explicitly allowed is rejected.
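The default-deny rule set described above, as an added example that is not part of the original article. It is a plain POSIX shell script; with DRY_RUN=1 (the default here) it prints the iptables commands instead of executing them, so the rules can be reviewed before running the script as root. The SSH port and the interface names are assumptions set at the top.

```shell
#!/bin/sh
# Added example (not from the article): IPv4 default-deny rule set for iptables.
# DRY_RUN=1 prints the commands; DRY_RUN=0 applies them (requires root).
DRY_RUN="${DRY_RUN:-1}"
SSH_PORT="${SSH_PORT:-22}"   # assumption: SSH still listens on port 22

# Wrapper so the same function can be dry-run or applied for real.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_default_deny() {
    # Set the policy to ACCEPT before flushing: flushing a chain whose policy
    # is already DROP would cut off the SSH session doing the configuration.
    ipt -P INPUT ACCEPT
    ipt -F INPUT
    # Trust the loopback interface.
    ipt -A INPUT -i lo -j ACCEPT
    # Keep established connections and replies to traffic this host initiated.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Services that must be reachable from outside: SSH and HTTP/HTTPS.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 80  -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    # Default deny: everything else inbound is dropped. Forwarding is off,
    # outgoing traffic stays allowed.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

apply_default_deny
```

The rule order is the point: the loopback and ESTABLISHED,RELATED rules come first so that return traffic never reaches the port-specific rules, and the DROP policy is set last, after the allow rules exist. Rules added this way are not persistent; on Debian/Ubuntu the iptables-persistent package (or an iptables-save snapshot restored at boot) is needed to survive a reboot.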
UFW — simplicity first
UFW is an iptables wrapper developed by the Ubuntu team. The command ufw allow 22/tcp opens the SSH port, while ufw deny from 1.2.3.4 blocks a specific IP. UFW is ideal for beginners and small projects, significantly reducing configuration mistakes.
Before enabling UFW, always allow the SSH port, or you'll lose server access. Use ufw allow OpenSSH or ufw allow 22, then activate the firewall with ufw enable. Check status via ufw status verbose.
Essential rules
Production servers require these rules: move SSH off the default port 22 or, better, use key authentication; open only the ports that are actually needed (80 and 443 for web servers); bind MySQL and Redis to localhost only so they are never reachable from the network; and rate-limit new SSH connections to slow down brute-force attacks. This is the minimum protection layer.
For extra protection, use fail2ban with iptables or UFW. Fail2ban monitors log files and automatically blocks suspicious activity. For example, after 5 failed SSH password attempts, the IP is blocked for 1 hour.
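The UFW bootstrap sequence from the section above (SSH allowed before enabling) together with the fail2ban jail just described, as an added example that is not part of the original article. The script prints the ufw commands and writes the jail file to a temporary directory when DRY_RUN=1 (the default); the SSH port and the jail path are assumptions. The fail2ban keys used (enabled, port, maxretry, findtime, bantime, banaction) are real jail options; the values are chosen to match the text (5 failures, 1 hour ban).

```shell
#!/bin/sh
# Added example (not from the article): UFW with SSH allowed before enable,
# plus a fail2ban sshd jail. DRY_RUN=1 prints commands and writes the jail
# under a temporary directory instead of /etc/fail2ban/jail.d.
DRY_RUN="${DRY_RUN:-1}"
SSH_PORT="${SSH_PORT:-22}"   # assumption: SSH port in use

ufw_cmd() {
    if [ "$DRY_RUN" = "1" ]; then echo "ufw $*"; else ufw "$@"; fi
}

# Order matters: the SSH rule is created before `ufw enable`. Enabling first
# would apply "deny incoming" and drop the session running this script.
ufw_bootstrap() {
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
    # `limit` allows the port but rate-limits repeated new connections from
    # one source, which is UFW's built-in brute-force brake.
    ufw_cmd limit "${SSH_PORT}/tcp"
    ufw_cmd allow 80/tcp
    ufw_cmd allow 443/tcp
    ufw_cmd --force enable     # --force skips the interactive confirmation
    ufw_cmd status verbose
}

# fail2ban jail: 5 failed logins within 10 minutes bans the source IP for
# 1 hour. banaction=ufw makes fail2ban insert the ban as a UFW rule (the ufw
# action ships with fail2ban); drop that line when using raw iptables.
write_sshd_jail() {
    target="$1"
    cat > "$target" <<EOF
[sshd]
enabled   = true
port      = ${SSH_PORT}
maxretry  = 5
findtime  = 10m
bantime   = 1h
banaction = ufw
EOF
}

JAIL_DIR="/etc/fail2ban/jail.d"
if [ "$DRY_RUN" = "1" ]; then
    JAIL_DIR="$(mktemp -d)"
fi
ufw_bootstrap
write_sshd_jail "$JAIL_DIR/sshd.local"
echo "jail written to $JAIL_DIR/sshd.local (restart fail2ban to load it)"
```

After a real run, ufw status verbose should list the limit rule for the SSH port and the two web ports, and fail2ban-client status sshd shows the jail and any currently banned addresses.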
NAT and port forwarding
If several services run behind the server and you need to forward a public port to a host on the internal network, use a DNAT rule in the PREROUTING chain of the iptables nat table; forwarding also has to be enabled in the kernel and permitted by the FORWARD chain. UFW has no command for NAT, so its NAT rules are added by editing /etc/ufw/before.rules. This matters when working with containers and virtual machines, whose services sit on private addresses.
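The port-forwarding setup described above in both forms, as an added example that is not part of the original article: a raw iptables version built around the PREROUTING DNAT rule, and the equivalent *nat block that goes at the top of /etc/ufw/before.rules. The public interface (eth0), the public port (8080) and the internal address 172.17.0.2:80 are constructed values for the example, set as variables at the top. With DRY_RUN=1 (the default) the iptables commands are printed rather than applied.

```shell
#!/bin/sh
# Added example (not from the article): forward public TCP port to an internal
# host with iptables DNAT, and the matching fragment for /etc/ufw/before.rules.
DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"                 # assumption: public-facing interface
PUBLIC_PORT="${PUBLIC_PORT:-8080}"       # constructed: port exposed on the server
TARGET_IP="${TARGET_IP:-172.17.0.2}"     # constructed: container/VM address
TARGET_PORT="${TARGET_PORT:-80}"         # constructed: service port inside

ipt() { if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi; }

# The DNAT rule alone is not enough. Three things are needed:
#   1. IP forwarding enabled in the kernel,
#   2. the FORWARD chain accepting the redirected flow and its replies
#      (the default-deny FORWARD policy would otherwise drop it),
#   3. source NAT on the way out so replies leave via the public interface.
forward_port_iptables() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PUBLIC_PORT" \
        -j DNAT --to-destination "$TARGET_IP:$TARGET_PORT"
    ipt -A FORWARD -i "$WAN_IF" -p tcp -d "$TARGET_IP" --dport "$TARGET_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -o "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# UFW version: this *nat block is placed in /etc/ufw/before.rules before the
# existing *filter section. The forwarded flow additionally needs
# DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw or a matching
# `ufw route allow` rule, and net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf.
ufw_nat_fragment() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ${WAN_IF} -p tcp --dport ${PUBLIC_PORT} -j DNAT --to-destination ${TARGET_IP}:${TARGET_PORT}
-A POSTROUTING -o ${WAN_IF} -j MASQUERADE
COMMIT
EOF
}

forward_port_iptables
echo "--- fragment for /etc/ufw/before.rules ---"
ufw_nat_fragment
```

Restricting the FORWARD rule to the one destination and port keeps the forwarding path as narrow as the published service; a blanket "FORWARD ACCEPT" would let any routable traffic through the server. After editing before.rules, ufw reload applies the change, and iptables -t nat -L PREROUTING -n shows whether the DNAT rule is in place.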
Sayt.uz Practice
Sayt.uz hosting servers come with UFW enabled by default, with only ports 22, 80, and 443 open. For VPS customers, we set up initial firewall rules and activate fail2ban for free. For complex rules or custom ports, contact our technical support team.