DevOpsLesson
DevOpsLesson

Free, comprehensive DevOps tutorials and learning roadmaps. Master Docker, Kubernetes, CI/CD, and more.

Stay Updated

Get notified about new tutorials and features.

Tutorials

  • What is DevOps?
  • Docker Tutorial
  • Terraform Tutorial
  • CI/CD Pipeline
  • All Tutorials

Roadmaps

  • DevOps Engineer
  • Cloud Engineer
  • SRE Path
  • All Roadmaps

Company

  • About Us
  • Blog
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 DevOpsLesson. All rights reserved.

DOCKERKUBERNETESTERRAFORMAWSCI/CDLINUXGITDEVOPS ROADMAPCLOUD ROADMAPSRE ROADMAPGIT CHEATSHEETDOCKER CHEATSHEETK8S CHEATSHEETTF CHEATSHEETLINUX CHEATSHEETDOCKERFILE LINTERYAML VALIDATORCRON PARSERREGEX TESTER

Linux Tutorial

Introduction to Linux
Linux Filesystem
Linux Navigation
Linux File Operations
Linux Text Processing
Linux Permissions
Linux Users and Groups
Linux Process Management
Linux systemd Basics
Linux Networking
Linux Disk and Storage
Linux Bash Scripting
Linux Package Management
Linux Environment Variables
Linux Cron Jobs
Linux SSH Keys
Linux Firewall Basics
Linux Log Management
Linux Performance Monitoring and Troubleshooting

Linux Firewall Basics

PreviousPrev
Next

Learn the core ideas behind Linux firewalls and how to use UFW, iptables, and firewalld to allow or block traffic safely.

Why Firewalls Matter

A firewall controls which network traffic is allowed into and out of a Linux system. Even if your application is secure, leaving unnecessary ports open increases risk.

In DevOps, firewall rules help enforce the principle of least exposure: allow only the services that should be reachable and block everything else by default.

UFW on Ubuntu

UFW stands for Uncomplicated Firewall. It provides a friendlier interface over lower-level packet filtering.

Basic UFW workflow

Enable the firewall:

sudo ufw enable

Check status and rules:

sudo ufw status
sudo ufw status numbered

Allow SSH so you do not lock yourself out:

sudo ufw allow ssh
sudo ufw allow 22/tcp

Allow a web port:

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Deny a port:

sudo ufw deny 8080/tcp

Delete a rule:

sudo ufw delete allow 8080/tcp

UFW can also allow by application profile when profiles exist:

sudo ufw app list
sudo ufw allow "Nginx Full"

Tip: Before enabling a firewall on a remote server, always allow SSH first. Otherwise you can block your own access.

iptables Basics

iptables is a classic low-level firewall tool. Many higher-level interfaces ultimately build rules on top of similar kernel packet filtering mechanisms.

Three important built-in chains are:

  • INPUT for traffic coming into the host
  • OUTPUT for traffic leaving the host
  • FORWARD for traffic being routed through the host

Common actions include:

  • ACCEPT to allow traffic
  • DROP to silently discard traffic
  • REJECT to deny traffic and usually send a response

Example rules:

sudo iptables -L -n -v
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -j DROP

This illustrates a common pattern: allow specific traffic, then drop the rest.

Note: Raw iptables changes may not persist across reboots unless the system has a persistence mechanism configured.

firewalld on RHEL and CentOS Style Systems

firewalld is common on RHEL family systems and introduces the idea of zones. A zone represents a trust level and associated rules.

Check firewall state:

sudo firewall-cmd --state
sudo firewall-cmd --get-active-zones

List allowed services in the default zone:

sudo firewall-cmd --list-services

Allow HTTP and HTTPS permanently:

sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload

Open a specific port:

sudo firewall-cmd --add-port=8080/tcp --permanent
sudo firewall-cmd --reload

Remove a port rule:

sudo firewall-cmd --remove-port=8080/tcp --permanent
sudo firewall-cmd --reload

Zones let you apply different rule sets based on interface or network context, which is helpful on more complex hosts.

Default Deny and Least Privilege

A good firewall strategy usually starts with a restrictive baseline:

  • deny unsolicited inbound traffic by default
  • allow only required ports and protocols
  • review rules regularly
  • document why each exposed port exists

For example, a public web server might allow:

  • 22/tcp for SSH from admin networks
  • 80/tcp for HTTP
  • 443/tcp for HTTPS

Everything else should stay blocked unless there is a clear need.

A Practical Example

Suppose you deploy an application on port 3000 behind Nginx. The outside world should reach ports 80 and 443, but not port 3000 directly.

A safe setup could be:

sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw deny 3000/tcp
sudo ufw status

This keeps the app reachable through the reverse proxy but not exposed directly.

Choosing the Right Tool

  • use UFW for simpler Ubuntu administration
  • use firewalld on many RHEL style systems
  • learn iptables to understand the underlying traffic filtering model

The exact tool changes by distribution, but the core ideas stay the same: identify required traffic, allow it intentionally, and block unnecessary access.

What You Should Remember

Linux firewalls are about controlled exposure, not just blocking everything randomly. UFW simplifies common Ubuntu tasks, iptables teaches the core model of chains and targets, and firewalld adds zone-based management for many enterprise systems.

If you follow a default-deny mindset and open only what is necessary, you will already be much closer to a secure server baseline.

Test Your Understanding

Exercise

Exercise 1: Allowing web traffic with UFW

Which UFW command allows inbound HTTPS traffic on the standard port?

Exercise

Exercise 2: Understanding iptables chains

Which iptables chain handles traffic arriving at the local host?

Exercise

Exercise 3: Secure firewall posture

Which practice best matches the lesson's recommended firewall approach?

PreviousPrev
Next

Continue Learning

Linux Environment Variables

Learn how environment variables work in Linux, how to export and persist them, and how PATH and .env files fit into daily workflows.

15 min·Medium

Linux Cron Jobs

Learn how to schedule recurring tasks with cron, understand crontab syntax, and compare cron with systemd timers.

18 min·Medium

Linux SSH Keys

Learn how SSH key authentication works, generate secure keys, configure clients, and manage agents and authorized keys.

20 min·Medium

Explore Related Topics

Do

Docker Tutorials

Run and manage containers on Linux

Gi

Git Tutorials

Master Git version control on the command line

Try the Tool

Cron Parser

Parse and validate cron expressions with a visual schedule preview.

Regex Tester

Test and debug regular expressions used in Bash scripts and configs.

On This Page

Why Firewalls MatterUFW on UbuntuBasic UFW workflowiptables Basicsfirewalld on RHEL and CentOS Style SystemsDefault Deny and Least PrivilegeA Practical ExampleChoosing the Right ToolWhat You Should RememberTest Your Understanding