Understanding Server Firewalls: iptables vs UFW

Overview

A firewall controls which network traffic is allowed into and out of your server. On Linux, you have two main tools for this: iptables and UFW (Uncomplicated Firewall). Both manage the same underlying Linux kernel component — Netfilter — but they work at very different levels of abstraction.

If you’ve just provisioned a VPS or Dedicated Server, one of the first things you should do is verify your firewall is active and configured correctly. A freshly installed Ubuntu or Debian server often has UFW installed but inactive. A CentOS or AlmaLinux server might have firewalld running instead of raw iptables. Either way, you need to know what you’re working with before you start opening ports.

This article covers how iptables and UFW differ, when to use each one, and how to set up basic rules that’ll actually protect your server in production.

Prerequisites

  • Root or sudo access to your Linux server
  • SSH access confirmed and working before you change any firewall rules
  • Ubuntu 20.04/22.04/24.04, Debian 11/12, AlmaLinux 8/9, or CentOS Stream 9 (commands in this article are written for these distributions)
  • Basic familiarity with the Linux command line
  • If you’re on a managed plan, check with Host & Tech support before modifying firewall rules — some managed configurations apply rules at the network edge that interact with on-server firewalls

How iptables Works

iptables is the low-level tool. It talks directly to the Linux kernel’s Netfilter framework and lets you write explicit rules about what to do with packets: accept them, drop them, reject them, log them, or forward them somewhere else.

Rules are organised into tables (filter, nat, mangle) and chains (INPUT, OUTPUT, FORWARD). For most server hardening purposes, you’re working in the filter table and the INPUT chain — that’s the traffic coming into your server.

Here’s a basic iptables rule that allows SSH on port 22:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

That’s fairly readable. But once you have 30 rules, the management gets messy fast. iptables rules are also not persistent by default — they vanish on reboot unless you save them explicitly. That’s a gotcha that trips up a lot of people the first time.

To save your iptables rules on Ubuntu/Debian:

sudo apt install iptables-persistent -y
sudo netfilter-persistent save

On AlmaLinux or CentOS Stream, where the iptables-services package provides the save action:

sudo service iptables save

📝 Note: On systems running firewalld (default on AlmaLinux 8/9 and CentOS Stream), raw iptables commands can conflict with firewalld’s rule management. Either disable firewalld first or use the firewall-cmd interface instead.
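The single -A rule above is the building block; a real INPUT chain needs a default policy, loopback, connection tracking and a log line as well, and appending those one at a time leaves the chain half-built while you type. The script below is an added example written for this article, not the article's own or any project's code: it emits the whole filter table in iptables-restore format and loads it in one atomic step, then persists it with netfilter-persistent (the Debian/Ubuntu path the article describes). It assumes SSH on the port passed as the second argument (default 22), a web server on 80/443, no firewalld on the host, and a kernel with the conntrack and hashlimit match modules; the 6-per-minute SSH rate limit is a constructed value.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds a minimal INPUT
# ruleset in iptables-restore format and loads it in one atomic operation,
# then persists it with iptables-persistent (Debian/Ubuntu path).
# Assumed: SSH on the port given as $2 (default 22), web on 80/443, no
# firewalld. No arguments = dry run that only prints the ruleset;
# --check validates it against the kernel; --apply loads it (as root).

# Emit the complete filter table. Loading it all at once with iptables-restore
# avoids the half-applied state you get when appending rules with -A one at a
# time (for example a DROP policy in place before the SSH ACCEPT exists).
build_ruleset() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping, rate limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# new SSH connections, at most 6/min per source IP (constructed limit);
# anything above that falls through to the DROP policy
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-upto 6/min --hashlimit-burst 6 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# log (rate limited) what is about to hit the DROP policy, for troubleshooting
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Parse-check the ruleset without touching the live tables.
check_ruleset() {
    build_ruleset "$1" | iptables-restore --test
}

# Replace the live filter table atomically and save it for the next boot.
apply_ruleset() {
    build_ruleset "$1" | iptables-restore && netfilter-persistent save
}

case "${1:-}" in
    --check) check_ruleset "${2:-22}" ;;
    --apply) apply_ruleset "${2:-22}" ;;
    *)       build_ruleset "${2:-22}" ;;   # dry run: print the ruleset
esac
```

Run it with no arguments first and read the output, then `--check`, then `--apply` from the out-of-band console rather than over SSH the first time. Because iptables-restore replaces the whole filter table, this is a raw-iptables approach only; do not run it on a host where UFW or firewalld owns the rules.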

How UFW Works

UFW is a frontend for iptables. It doesn’t replace iptables — it writes iptables rules for you, based on simpler commands. The trade-off is that you get less granular control, but the syntax is much more approachable.

UFW comes pre-installed on Ubuntu. On Debian, install it with:

sudo apt install ufw -y

⚠ Warning: UFW is disabled by default. Enabling it without first allowing SSH will lock you out of your server. Always allow SSH before enabling the firewall.

Here’s the correct sequence to get UFW running safely:

sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status verbose

UFW also supports application profiles — named rule sets for common services. You can see what’s available on your system:

sudo ufw app list

Common profiles include OpenSSH, Nginx Full, Apache Full, and Postfix. Using these instead of raw port numbers makes your ruleset easier to read and audit later.

To allow HTTP and HTTPS traffic for a web server:

sudo ufw allow 'Nginx Full'

Or if you’re using Apache:

sudo ufw allow 'Apache Full'

iptables vs UFW: Which One Should You Use?

Here’s my honest take after managing hundreds of servers: use UFW if you’re on Ubuntu/Debian and you don’t need complex routing rules. It’s maintainable, it persists across reboots automatically, and the syntax won’t cause mistakes at 2am when something is on fire.

Use raw iptables (or nftables, the modern successor) when you need:

  • NAT rules or packet forwarding (e.g. a VPN gateway, a load balancer, or a server routing traffic between interfaces)
  • Fine-grained control over connection states, rate limiting, or specific TCP flags
  • Scripted rule management in complex automation environments
  • AlmaLinux/CentOS environments where firewalld is more appropriate anyway

One non-obvious thing worth knowing: UFW stores its rules in /etc/ufw/ and generates actual iptables rules from them. If you mix direct iptables commands with UFW on the same server, you’ll end up with a rule set that’s hard to reason about. Pick one approach and stick to it.

Step-by-Step: Basic Firewall Setup for a Web Server

This covers a typical setup for a Linux VPS or dedicated server running a web application.

  1. Check whether UFW or iptables is already active

    sudo ufw status
    sudo iptables -L -n -v

    If UFW shows Status: inactive, it’s installed but not running. If iptables -L shows only empty chains, nothing is filtering traffic yet.

  2. Allow SSH before enabling anything

    If your SSH runs on the default port 22:

    sudo ufw allow OpenSSH

    If you’ve moved SSH to a custom port (e.g. 2222):

    sudo ufw allow 2222/tcp

    ⚠ Warning: Skipping this step and running sudo ufw enable will immediately block your SSH session. You’d need to use your hosting provider’s out-of-band console (Host & Tech provides this through the VPS control panel) to recover access.

  3. Allow web traffic

    sudo ufw allow 80/tcp
    sudo ufw allow 443/tcp

  4. Enable the firewall

    sudo ufw enable

  5. Verify the active rules

    sudo ufw status numbered

    The numbered flag shows each rule with an index, which makes it easier to delete specific rules later with sudo ufw delete [number].

  6. Deny everything else (default policy)

    UFW’s default incoming policy is already deny, but it’s worth confirming and setting explicitly:

    sudo ufw default deny incoming
    sudo ufw default allow outgoing

    📝 Note: Setting outgoing to deny is possible but requires explicitly allowing DNS, NTP, apt/yum, and other system services. That’s overkill for most setups and easy to misconfigure.
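The six steps above as one script, added here as an example and not taken from the original article or from the ufw project. It is written for Ubuntu/Debian with ufw installed and assumes it runs as root, that the web ports are 80 and 443, and that sshd reads /etc/ssh/sshd_config. The SSH port is taken from that file so the allow rule matches what sshd actually listens on (the case from step 2 where SSH has been moved to 2222), and without --apply the script only prints the plan, so you can confirm the SSH rule sits before enable.

```shell
#!/bin/sh
# Added example, not code from the original article: steps 1-6 as one
# script for Ubuntu/Debian with ufw installed. Assumed: run as root, web
# ports 80 and 443, sshd config at /etc/ssh/sshd_config. Without --apply
# it only prints the plan.

# The port sshd actually listens on: the first uncommented Port directive
# (sshd uses the first value it reads), default 22 when there is none or
# the file is unreadable.
ssh_port_from_config() {
    if [ -r "$1" ]; then
        awk 'tolower($1) == "port" && port == "" { port = $2 }
             END { print (port == "" ? 22 : port) }' "$1"
    else
        echo 22
    fi
}

# Ordered ufw commands: defaults, then SSH, then the service ports, and only
# then enable. --force skips the interactive "may disrupt existing ssh
# connections" prompt, which is acceptable here because SSH was allowed first.
ufw_plan() {
    p="$1"
    shift
    printf '%s\n' "ufw default deny incoming" "ufw default allow outgoing"
    printf 'ufw allow %s/tcp\n' "$p" "$@"
    printf '%s\n' "ufw --force enable" "ufw status numbered"
}

# Run each command of the plan in order, stopping at the first failure.
apply_plan() {
    ufw_plan "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1
    done
}

ssh_port=$(ssh_port_from_config /etc/ssh/sshd_config)
if [ "${1:-}" = "--apply" ]; then
    apply_plan "$ssh_port" 80 443
else
    echo "# plan (run with --apply to execute):"
    ufw_plan "$ssh_port" 80 443
fi
```

The plan uses port numbers rather than the OpenSSH application profile because the profile always means port 22; on a host with a custom SSH port the profile would allow the wrong port and the enable step would lock you out, which is exactly the failure the warning in step 2 describes.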

Common Issues & Troubleshooting

UFW is active but traffic is still being blocked

This usually happens when your hosting provider also has a network-level firewall in front of your server (a security group or edge firewall). UFW might be wide open, but the upstream rule is blocking the port. Check your Host & Tech control panel for any network firewall or security group settings. These operate independently from your on-server firewall.

iptables rules disappear after reboot

Raw iptables rules are stored in memory, not on disk. They don’t survive a reboot unless you’ve saved them. On Ubuntu/Debian, install iptables-persistent and run sudo netfilter-persistent save. On AlmaLinux, run sudo service iptables save which writes rules to /etc/sysconfig/iptables.

SSH connection drops immediately after enabling UFW

You enabled UFW without adding an SSH rule first. Connect via your server’s VNC/console (available in the Host & Tech VPS control panel), then run sudo ufw allow OpenSSH followed by sudo ufw reload. Your rules are still there — you just need to add the missing one.

Port is allowed in UFW but curl/browser still can’t connect

Check whether the application is actually listening on that port: sudo ss -tlnp | grep :80. If nothing shows up, the service isn’t running — that’s not a firewall problem. Also check that you’re not accidentally running both UFW and firewalld simultaneously, which can produce conflicting rules.

iptables -L shows rules but connections are still rejected

Rule order matters in iptables. A DROP or REJECT rule earlier in the chain will win over an ACCEPT rule below it. Run sudo iptables -L INPUT -n -v --line-numbers to see the exact order. If you need to insert a rule at a specific position rather than appending it, use -I instead of -A: sudo iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT.
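Reading a long INPUT chain by eye to find which rule fires first is error-prone, so here is an added example (written for this article, not code from the original or from the iptables project) that does the first-match walk for you. It takes the output of sudo iptables -S INPUT, skips rules that cannot match a fresh inbound TCP connection (loopback-only, RELATED/ESTABLISHED-only, other protocols, other ports) and prints the number and target of the first terminal rule for a given port, or the chain policy if nothing matches. The sample chain is constructed to show the exact problem described above: a blanket tcp DROP appended before the port-80 ACCEPT.

```shell
#!/bin/sh
# Added example, not code from the original article. Given `iptables -S INPUT`
# output, report which rule first decides a new TCP connection to a port.
# The first matching rule with a terminal target wins; later rules never run.

# Constructed sample of `sudo iptables -S INPUT` on a misconfigured host:
# rule 4 drops all tcp, so the port-80 ACCEPT in rule 5 is dead code.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# first_verdict PORT [RULES]: prints "<rule-number> <target>" for the first
# rule deciding a new TCP connection to PORT, or "policy <P>" if the chain
# policy applies. RULES defaults to the live chain. Rule numbers match
# `iptables -L INPUT --line-numbers`.
first_verdict() {
    port="$1"
    rules="${2:-$(iptables -S INPUT)}"
    printf '%s\n' "$rules" | awk -v port="$port" '
        /^-P / { policy = $3; next }
        /^-A INPUT/ {
            n++
            proto = ""; dport = ""; iface = ""; target = ""; state = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i+1)
                if ($i == "--dport") dport = $(i+1)
                if ($i == "-i") iface = $(i+1)
                if ($i == "-j") target = $(i+1)
                if ($i == "--ctstate") state = $(i+1)
            }
            # skip rules that cannot match a fresh inbound TCP SYN
            if (iface == "lo") next
            if (state != "" && state !~ /NEW/) next
            if (proto != "" && proto != "tcp") next
            if (dport != "" && dport != port) next
            # a tcp rule with no --dport matches every port
            if (target == "ACCEPT" || target == "DROP" || target == "REJECT") {
                print n, target; found = 1; exit
            }
        }
        END { if (!found) print "policy", policy }'
}

echo "port 80 decided by: $(first_verdict 80 "$SAMPLE_RULES")"   # 4 DROP
echo "port 22 decided by: $(first_verdict 22 "$SAMPLE_RULES")"   # 3 ACCEPT
```

Once the output points at rule 4, the fix is the -I form from the paragraph above, inserting the ACCEPT at position 4 so it sits before the DROP. The walker only models the matches it parses (interface, conntrack state, protocol, port); rules using other matches such as source addresses are treated as matching, which is the safe direction for a troubleshooting tool.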

Frequently Asked Questions

Does UFW replace iptables or run alongside it?

UFW runs on top of iptables — it generates iptables rules behind the scenes based on the commands you give it. You can see the actual iptables rules UFW creates by running sudo iptables -L -n -v. This means iptables is always involved; UFW just makes managing it easier.

Should I use UFW or firewalld on AlmaLinux?

On AlmaLinux 8 and 9, firewalld is the default and it’s what the system is designed around. I’d recommend sticking with firewalld on those distributions and using firewall-cmd to manage rules. UFW can be installed on AlmaLinux but it’s not a natural fit there and can conflict with firewalld if both are active.

How do I check if my firewall is blocking a specific port?

Run sudo ufw status verbose if you’re using UFW, or sudo iptables -L INPUT -n -v for raw iptables. From an external machine, you can also test with nc -zv your-server-ip 80 or an online port checker. Remember that a cloud firewall at the network edge is separate from the on-server firewall — both need to allow the port.

Will enabling UFW affect my existing web server or database connections?

Yes, it can — and that’s the most common way people accidentally take down their own server. Before enabling UFW, explicitly allow every port your services use: 80 and 443 for web, 3306 if MySQL is accessed remotely, your SSH port, and any other active services. Run sudo ufw status numbered to review before and after enabling.

Is a server firewall enough, or do I need something else?

A server firewall is a solid baseline but it’s not the whole picture. For production servers, you’ll also want to think about fail2ban to block brute-force attempts, keeping software updated, and disabling unused services. If you’re running a high-traffic site or handling sensitive data, a dedicated server with hardware-level firewall options gives you more control at the network layer.
