Linux Firewall Essentials
UFW • iptables • nftables
Ubuntu‑based systems
Created: 2026‑03‑17
Mastering Linux Firewalls

A complete, practical guide to securing your Linux server using UFW, iptables, and nftables. Learn real‑world rules, safe defaults, logging, and validation techniques.

$ sudo ufw enable
$ sudo ufw allow ssh
$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp
1. Why Firewalls Matter
Security

A hardened Linux system still needs a firewall to prevent port scans, brute‑force attacks, accidental service exposure, and lateral movement inside a network. Firewalls enforce a default‑deny perimeter and give you visibility into unwanted traffic.

2. UFW – Uncomplicated Firewall
Beginner‑friendly

Enable and check status

sudo ufw status
sudo ufw enable
sudo ufw disable

Default policies

sudo ufw default deny incoming
sudo ufw default allow outgoing

Allow common services

sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Allow by service name

sudo ufw allow "Apache Full"
sudo ufw allow "Nginx Full"

Rate limiting

sudo ufw limit ssh
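
The UFW commands above applied as one script, in the order that keeps the remote SSH session you are running it from alive. This is an added example, not part of the original guide: the function names and the UFW variable are mine (set UFW=echo to print the plan instead of executing it), it assumes sshd listens on port 22 (override with SSH_PORT), and it uses the ufw `comment` keyword, which needs ufw 0.35 or later (Ubuntu 18.04 onward).

```shell
#!/bin/sh
# Added helper, not from the original page. Applies a default-deny UFW baseline
# in an order that cannot cut off the SSH session running it.
# UFW names the command to run; UFW=echo turns the whole thing into a dry run.
UFW="${UFW:-sudo ufw}"
SSH_PORT="${SSH_PORT:-22}"   # assumption: sshd on 22, change if it listens elsewhere

ufw_baseline() {
    # 1. policies first: they only take effect once the firewall is enabled
    $UFW default deny incoming || return 1
    $UFW default allow outgoing || return 1
    # 2. the SSH rule must exist before 'enable' or a remote session is dropped;
    #    'limit' allows the port but throttles repeated connection attempts
    $UFW limit "${SSH_PORT}/tcp" comment 'ssh (rate limited)' || return 1
    $UFW allow 80/tcp comment 'http' || return 1
    $UFW allow 443/tcp comment 'https' || return 1
    # 3. --force skips the "may disrupt existing ssh connections" prompt
    $UFW --force enable || return 1
    $UFW status verbose
}

# line_of TEXT PATTERN: number of the first line of TEXT matching PATTERN (empty if none)
line_of() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# ssh_before_enable: dry-run the baseline and confirm the SSH rule precedes 'enable'.
# Returns 0 when the plan is safe to apply over SSH.
ssh_before_enable() {
    plan=$(UFW=echo; ufw_baseline)
    ssh_line=$(line_of "$plan" "limit ${SSH_PORT}/tcp")
    enable_line=$(line_of "$plan" "enable")
    [ -n "$ssh_line" ] && [ -n "$enable_line" ] && [ "$ssh_line" -lt "$enable_line" ]
}

# usage: sh ufw-baseline.sh --check   (dry run, verify ordering only)
#        sh ufw-baseline.sh --apply   (verify, then apply on this host)
case "${1:-}" in
    --check) ssh_before_enable && echo "plan ok: ssh rule precedes enable" ;;
    --apply) ssh_before_enable && ufw_baseline ;;
esac
```

Run it with `--check` first; the dry run prints the seven ufw invocations it would make, and `--apply` refuses to proceed if the SSH allow rule is not ahead of `enable` in that plan.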
3. iptables – Legacy but Everywhere
Advanced

List rules

sudo iptables -L -n -v

Allow SSH

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Drop everything else

sudo iptables -P INPUT DROP

Save rules

sudo iptables-save | sudo tee /etc/iptables.rules
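
Two caveats a practitioner hits with the iptables steps above. First, `iptables -P INPUT DROP` right after a single port-22 ACCEPT also drops loopback traffic and the replies to connections the host itself opened (DNS, apt, package mirrors), because nothing accepts ESTABLISHED,RELATED packets. Second, `iptables-save | tee /etc/iptables.rules` only writes a file; nothing reloads it at boot unless you restore it yourself or install the `iptables-persistent` package (which stores IPv4 rules in `/etc/iptables/rules.v4`). The ruleset below, written in the iptables-save format the page saves to and loadable with `sudo iptables-restore < /etc/iptables.rules`, is an added example rather than the page's own rules; it covers IPv4 only (ip6tables needs its own copy), assumes SSH on port 22 and HTTP/HTTPS on 80/443, and the `#` comment lines are skipped by iptables-restore.

```conf
# /etc/iptables.rules  (added example; load with: sudo iptables-restore < /etc/iptables.rules)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and return traffic for connections this host opened must be accepted
# before the DROP policy applies, otherwise DNS, apt and local services stop working
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
# new SSH connections, throttled per source address with the 'recent' match:
# more than 6 new connections from one address within 60 seconds are dropped
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --name SSH -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# log what is about to hit the DROP policy, rate limited so an attacker cannot flood the log
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-input-drop: "
COMMIT
```

Validate the file before relying on it with `sudo iptables-restore --test < /etc/iptables.rules`, then apply it; the logged drops appear in the kernel log (`journalctl -k` on Ubuntu) with the `iptables-input-drop:` prefix.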
4. nftables – Modern Linux Firewall
Modern

View ruleset

sudo nft list ruleset

Example ruleset

table inet filter {
    chain input {
        type filter hook input priority 0;
        policy drop;

        ct state established,related accept
        iif lo accept
        tcp dport { 22, 80, 443 } accept
    }
}

Enable

sudo systemctl enable nftables
sudo systemctl restart nftables
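
The page's nftables ruleset is a correct minimum. The version below, an added example and not the page's own configuration, extends it with what a production host usually needs next: dropping invalid conntrack states, allowing ICMP (ping and the error messages path MTU discovery relies on), rate limiting new SSH connections (the nftables counterpart of `ufw limit ssh`), and rate-limited logging of dropped input so the firewall provides the visibility section 1 promises. It assumes the Ubuntu layout where `nftables.service` loads `/etc/nftables.conf`, and SSH on port 22 with web services on 80 and 443.

```nft
#!/usr/sbin/nft -f
# /etc/nftables.conf  (added example; the file nftables.service loads on Ubuntu)
# 'flush ruleset' replaces every table, including ones added by other tools,
# so review 'nft list ruleset' on a host that also runs Docker or libvirt.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state invalid drop
        ct state established,related accept
        iif "lo" accept

        # ping and ICMP error messages (needed for path MTU discovery)
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept

        # new SSH connections, throttled; established ones were accepted above
        tcp dport 22 ct state new limit rate 6/minute accept
        tcp dport { 80, 443 } accept

        # everything else falls through to 'policy drop'; log it (rate limited) and count it
        limit rate 5/second log prefix "nft-input-drop: "
        counter
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the syntax without loading anything using `sudo nft -c -f /etc/nftables.conf`, then `sudo systemctl restart nftables`; `sudo nft list chain inet filter input` shows the counter on the final rule, which is a quick way to see how much traffic the drop policy is absorbing.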
5. Testing & Validation
Verification

From another machine

nc -vz yourserver 22
nc -vz yourserver 80
nc -vz yourserver 443

On the server

sudo ss -tulpn
sudo ufw status verbose
sudo nft list ruleset
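
The two server-side commands above answer different questions: `ss -tulpn` shows what is listening, `ufw status` shows what is allowed. The "accidental service exposure" case from section 1 is a listener on a non-loopback address with no matching rule, and the script below finds those by comparing saved output of both commands. It is an added example, not part of the original page: the function names are mine, the sample `ss` and `ufw` outputs are constructed rather than captured from a real host, and it does not expand application profiles such as "Nginx Full", so a port allowed only through a profile is reported unless a port rule also exists.

```shell
#!/bin/sh
# fw_exposure_check SS_FILE UFW_FILE   (added helper, hypothetical name)
#   SS_FILE : saved output of  sudo ss -tulnH   (tcp+udp listeners, numeric, no header)
#   UFW_FILE: saved output of  sudo ufw status
# Prints "proto port" for every socket bound to a non-loopback address that no
# incoming ALLOW/LIMIT rule covers.
fw_exposure_check() {
    ss_file=$1
    ufw_file=$2
    awk -v rules="$ufw_file" '
        # pass 1: ufw status -> allowed["tcp 22"] = 1 for incoming ALLOW/LIMIT rules
        FILENAME == rules {
            act = ""
            if (($2 == "ALLOW" || $2 == "LIMIT") && $3 != "OUT") act = $2   # "22/tcp ALLOW ..."
            if (($3 == "ALLOW" || $3 == "LIMIT") && $4 != "OUT") act = $3   # "22/tcp (v6) ALLOW ..."
            if (act == "") next
            n = split($1, r, "/")                 # "22/tcp" -> 22, tcp ; bare "8080" -> both protocols
            if (n == 1) { allowed["tcp " r[1]] = 1; allowed["udp " r[1]] = 1 }
            else allowed[r[2] " " r[1]] = 1
            next
        }
        # pass 2: ss -tulnH -> report listeners the firewall does not allow
        NF >= 5 {
            local = $5                            # e.g. 0.0.0.0:22, [::]:80, 127.0.0.1:5432
            n = split(local, p, ":")
            port = p[n]
            addr = substr(local, 1, length(local) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: not reachable from outside
            key = $1 " " port
            if (!(key in allowed) && !(key in reported)) { reported[key] = 1; print key }
        }
    ' "$ufw_file" "$ss_file"
}

# Constructed sample inputs (not captured from a real host), used by the demo below.
SAMPLE_SS=$(cat <<'EOF'
udp   UNCONN 0      0      127.0.0.53%lo:53      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161     0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80      0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432    0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:8080    0.0.0.0:*
tcp   LISTEN 0      128             [::]:22         [::]:*
tcp   LISTEN 0      128            [::1]:6379      [::]:*
EOF
)
SAMPLE_UFW=$(cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
53/udp                     ALLOW OUT   Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
EOF
)

# fw_exposure_demo: run the check on the constructed samples.
# Expected output: "udp 161" and "tcp 8080" (bound to all interfaces, no rule).
# 5432 and 6379 are loopback only and 53 is bound to 127.0.0.53, so they are not reported;
# the "ALLOW OUT" rule for 53/udp is an outgoing rule and does not count as an allow.
fw_exposure_demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_SS" > "$dir/ss.txt"
    printf '%s\n' "$SAMPLE_UFW" > "$dir/ufw.txt"
    fw_exposure_check "$dir/ss.txt" "$dir/ufw.txt"
    rm -rf "$dir"
}
```

On a real host: `sudo ss -tulnH > /tmp/ss.txt; sudo ufw status > /tmp/ufw.txt; fw_exposure_check /tmp/ss.txt /tmp/ufw.txt`. An empty result means every externally reachable listener has a rule; anything printed is either a service that should be bound to 127.0.0.1 or a rule that is missing.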