Firewalls#

Prerequisite: A firewall filters network traffic based on rules. It decides which incoming and outgoing connections to allow or block. Think of it as a bouncer for your network ports.

Concepts#

Linux Firewalls — The Stack#

Linux has a built-in firewall in the kernel. The tools to manage it form a stack:

User-friendly  →  ufw (Ubuntu)
                    ↓
Mid-level       →  nftables (modern) / iptables (legacy)
                    ↓
Kernel          →  netfilter (the actual firewall engine)

  • netfilter — the kernel framework that does the actual filtering
  • nftables — the modern userspace tool to configure netfilter (replaces iptables)
  • iptables — the legacy tool (still works, uses nftables backend on modern systems)
  • ufw — “Uncomplicated Firewall” — a simple frontend for iptables/nftables

Ubuntu: Ships with ufw (disabled by default). Simple and recommended for most users.

Debian: Ships with nftables. No high-level frontend by default. You can install ufw.

ufw — Uncomplicated Firewall#

Enable/Disable#

sudo ufw status              # check status
sudo ufw enable              # enable the firewall
sudo ufw disable             # disable the firewall
sudo ufw status verbose      # detailed status
sudo ufw status numbered     # rules with numbers

Default Policies#

# Deny all incoming, allow all outgoing (recommended starting point)
sudo ufw default deny incoming
sudo ufw default allow outgoing

BE CAREFUL NOT TO LOCK YOURSELF OUT IF YOU’RE CONNECTED THROUGH SSH!!!

Allow Rules#

sudo ufw allow 22                # allow SSH (port 22, TCP+UDP)
sudo ufw allow 22/tcp            # allow SSH (TCP only)
sudo ufw allow 80/tcp            # allow HTTP
sudo ufw allow 443/tcp           # allow HTTPS
sudo ufw allow 8080/tcp          # allow custom port

# Allow by service name
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https

# Allow from a specific IP
sudo ufw allow from 192.168.1.50
sudo ufw allow from 192.168.1.50 to any port 22

# Allow from a subnet
sudo ufw allow from 192.168.1.0/24 to any port 22

Deny and Reject Rules#

sudo ufw deny 3306/tcp              # block MySQL
sudo ufw deny from 10.0.0.5         # block a specific IP
sudo ufw reject 23/tcp              # reject (sends back an error to the client)

The difference: deny silently drops the packet (the sender gets no response). reject sends back an error (the sender knows it was blocked).

Delete Rules#

sudo ufw status numbered     # list rules with numbers
sudo ufw delete 3            # delete rule #3
sudo ufw delete allow 80/tcp # delete by rule specification
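Deleting by number has a catch: ufw renumbers the remaining rules after every `ufw delete N`, so deleting several matching rules in ascending order hits the wrong ones. The script below is an added example (not from the original page) that parses a constructed sample of `ufw status numbered` output and prints the `delete` commands highest-number first; the function names and the sample are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: collect the numbers of every ufw
# rule whose "To" column matches a port spec and print them highest-first, so
# the deletes can run top to bottom without the renumbering shifting targets.

# Constructed sample of `sudo ufw status numbered` output.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 80/tcp                     ALLOW IN    192.168.1.0/24
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

# rule_numbers_for <status-text> <to-spec>
# Prints the matching rule numbers on one line, space-separated, highest first.
rule_numbers_for() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { c = 0 }
        /^\[ *[0-9]+\]/ {
            n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n)     # "[ 4] ..." -> 4
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)          # drop the "[ 4] " prefix
            split(rest, f, " ")                                  # f[1] is the To column
            if (f[1] == want) nums[++c] = n
        }
        END {
            out = ""
            for (i = c; i >= 1; i--) out = out (out == "" ? "" : " ") nums[i]
            print out
        }'
}

# delete_commands <status-text> <to-spec>
# Emits one `ufw delete N` line per matching rule, in the safe (descending) order.
delete_commands() {
    for n in $(rule_numbers_for "$1" "$2"); do
        printf 'sudo ufw delete %s\n' "$n"
    done
}

delete_commands "$SAMPLE_STATUS" 80/tcp
```

Run the printed commands in the order given; each numbered delete asks for confirmation before it removes the rule.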

Reset#

sudo ufw reset               # remove all rules and disable

nftables — The Modern Firewall#

nftables is the replacement for iptables, with a cleaner syntax and better performance. Configuration file: /etc/nftables.conf.

Basic nftables Commands#

# List current rules
sudo nft list ruleset

# Flush all rules
sudo nft flush ruleset

# Load rules from file
sudo nft -f /etc/nftables.conf

Basic nftables Configuration#

# /etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Accept loopback
        iif "lo" accept

        # Accept established/related connections
        ct state established,related accept

        # Accept ICMP (ping)
        ip protocol icmp accept

        # Accept SSH
        tcp dport 22 accept

        # Accept HTTP/HTTPS
        tcp dport { 80, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

Apply:

sudo nft -f /etc/nftables.conf
sudo systemctl enable nftables

iptables — Legacy (Still Works)#

You will encounter iptables in older documentation. On modern Ubuntu/Debian, iptables is a compatibility layer on top of nftables.

# List rules
sudo iptables -L -n -v

# Allow SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Block an IP
sudo iptables -A INPUT -s 10.0.0.5 -j DROP

# Delete a rule (by number)
sudo iptables -D INPUT 3

# Save rules (Debian/Ubuntu)
sudo apt install iptables-persistent
sudo netfilter-persistent save

For new setups, prefer ufw or nftables over raw iptables.


Lab#

Exercise 1: Check Firewall Status#

# Check ufw status
sudo ufw status

# Check nftables rules
sudo nft list ruleset 2>/dev/null | head -20

# Check iptables rules
sudo iptables -L -n | head -20

Exercise 2: Set Up ufw (Ubuntu or Debian)#

# Install if not present (Debian)
sudo apt install -y ufw

# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (IMPORTANT: do this before enabling if connected via SSH!)
sudo ufw allow ssh

# Enable the firewall
sudo ufw enable

# Check status
sudo ufw status verbose

Exercise 3: Add and Remove Rules#

# Allow HTTP and HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Allow from your local network only
sudo ufw allow from 192.168.1.0/24

# View rules with numbers
sudo ufw status numbered

# Delete a rule
sudo ufw delete allow 80/tcp

# Check again
sudo ufw status numbered

Exercise 4: Test the Firewall#

# Check what ports are actually open
sudo ss -tlnp

# From another machine (or using nc locally):
# nc -zv your_ip 22    # should succeed (SSH allowed)
# nc -zv your_ip 80    # depends on your rules
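The `ss` and `nc` checks above are more useful when compared against the rule set: a port that is listening on a network-facing address with no ALLOW rule is unreachable (or, if the firewall is off, unintentionally exposed), and an ALLOW rule for a port nothing listens on is a stale hole. The script below is an added example (not from the original page) that does that comparison on constructed samples of `ss -tlnp` and `ufw status` output; the function names and samples are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: cross-check what is listening
# (`ss -tlnp`) against what ufw allows (`ufw status`). Both inputs are
# constructed samples; on a real host feed in the live command output.

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1044,fd=6))
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=1201,fd=21))
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*         users:(("java",pid=1350,fd=9))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))'

SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)'

# listening_ports <ss-output>: TCP ports bound to anything other than loopback
listening_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        addr = $4; port = $4; sub(/.*:/, "", port)
        if (addr !~ /^127\./ && index(addr, "[::1]") != 1) print port
    }' | sort -un
}

# allowed_ports <ufw-output>: ports with a TCP ALLOW rule ("(v6)" rows put ALLOW in $3)
allowed_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/tcp$/ && ($2 == "ALLOW" || $3 == "ALLOW") {
        port = $1; sub(/\/tcp$/, "", port); print port
    }' | sort -un
}

# Both joins are done in awk so the script stays POSIX sh (no process substitution).
exposed_without_rule() {      # listening on the network, but no ALLOW rule
    { allowed_ports "$2" | sed 's/^/A /'; listening_ports "$1" | sed 's/^/L /'; } |
        awk '$1 == "A" { ok[$2] = 1 } $1 == "L" && !($2 in ok) { print $2 }'
}
allowed_but_not_listening() { # ALLOW rule, but nothing listens there (stale rule)
    { listening_ports "$1" | sed 's/^/L /'; allowed_ports "$2" | sed 's/^/A /'; } |
        awk '$1 == "L" { up[$2] = 1 } $1 == "A" && !($2 in up) { print $2 }'
}

echo "listening, no ALLOW rule: $(exposed_without_rule "$SAMPLE_SS" "$SAMPLE_UFW")"
echo "ALLOW rule, not listening: $(allowed_but_not_listening "$SAMPLE_SS" "$SAMPLE_UFW")"
```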

Exercise 5: Reset and Clean Up#

# If you want to remove the firewall rules:
sudo ufw reset
# Or disable:
sudo ufw disable

Review#

1. What is the relationship between netfilter, nftables, and ufw?

netfilter is the kernel firewall engine. nftables is the modern userspace tool to configure it. ufw is a simplified frontend that generates nftables/iptables rules. They are layers: ufw → nftables → netfilter.

2. What are the recommended default policies for a firewall?

Deny all incoming, allow all outgoing. Then explicitly allow the services you need (SSH, HTTP, etc.). This is the “whitelist” approach.

3. Why must you allow SSH before enabling the firewall on a remote server?

If you enable the firewall without allowing SSH (port 22), you will be locked out — you cannot connect to the server to fix the rules.

4. What is the difference between `deny` and `reject` in ufw?

deny silently drops the packet (the sender gets no response and eventually times out). reject sends an error back to the sender (the sender immediately knows the connection was refused).

5. Which firewall tool is default on Ubuntu vs Debian?

Ubuntu ships with ufw (disabled by default). Debian ships with nftables (no high-level frontend). You can install ufw on Debian.
