
Configuring rules: UFW and iptables

Prerequisites

  • Access Level: root or sudo required.
  • Install tools:
sudo apt update && sudo apt install ufw iptables -y

  • Verify installation:
ufw --version
iptables --version

  • Knowledge: Basic understanding of common ports (SSH 22, HTTP 80, HTTPS 443).

5W+1H Framework

Question | Answer
What     | ufw (Uncomplicated Firewall) and iptables are tools that filter incoming/outgoing network traffic.
Why      | Protect servers from brute-force, DDoS, and unauthorized access.
When     | Set up immediately after provisioning and update when adding services.
Where    | Runs at the Linux kernel networking layer, not inside WordPress.
Who      | Sysadmins, DevOps, and WordPress site owners.
How      | Define rules that allow or block traffic on ports or from IPs.

Syntax Breakdown

ufw

ufw [allow|deny|delete] [service|port]

iptables

iptables -A [CHAIN] -p [protocol] --dport [port] -j [ACTION]

Options / Flags

Tool     | Flag    | Meaning            | Example
ufw      | allow   | Permit traffic     | ufw allow 80
ufw      | deny    | Block traffic      | ufw deny 21
ufw      | delete  | Remove rule        | ufw delete allow 80
ufw      | default | Set default policy | ufw default deny incoming
iptables | -A      | Append rule        | iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables | -D      | Delete rule        | iptables -D INPUT -s IP -j DROP
iptables | -L      | List rules         | iptables -L -n -v
iptables | -F      | Flush rules        | iptables -F
iptables | -P      | Set chain policy   | iptables -P INPUT DROP

25 Real Commands with Goal, Explanation & Expected Output

UFW Commands (1–16)

1. Check firewall status

sudo ufw status

  • Goal: Verify firewall status.
  • Explanation: Shows rules and whether UFW is active.
  • Output:
Status: active
22 ALLOW Anywhere
80 ALLOW Anywhere
443 ALLOW Anywhere

2. Enable UFW

sudo ufw enable

  • Goal: Turn on firewall.
  • Explanation: Activates UFW immediately and enables it at every boot.
  • Output:
Firewall is active and enabled on system startup

3. Disable UFW

sudo ufw disable

  • Goal: Stop firewall temporarily.
  • Explanation: Useful for debugging.
  • Output:
Firewall stopped and disabled on system startup

4. Allow SSH

sudo ufw allow 22

  • Goal: Keep SSH accessible.
  • Explanation: Prevents accidental lockout.
  • Output:
Rule added
Rule added (v6)

5. Allow HTTP

sudo ufw allow 80

  • Goal: Open port 80.
  • Explanation: Required for WordPress websites.
  • Output:
Rule added
Rule added (v6)

6. Allow HTTPS

sudo ufw allow 443

  • Goal: Enable SSL/TLS.
  • Explanation: Secure site traffic.
  • Output:
Rule added
Rule added (v6)

7. Deny FTP

sudo ufw deny 21

  • Goal: Block insecure FTP.
  • Explanation: Blocks the FTP control port (21), so file transfers must use SFTP over SSH (port 22) instead.
  • Output:
Rule added
Rule added (v6)

8. Delete a rule

sudo ufw delete allow 80

  • Goal: Remove rule.
  • Explanation: Useful if rule is no longer needed.
  • Output:
Rule deleted
Rule deleted (v6)

9. Allow by service name

sudo ufw allow ssh

  • Goal: Open SSH via service name.
  • Explanation: ufw looks the service name up in /etc/services (ssh is 22/tcp); equivalent to ufw allow 22.
  • Output:
Rule added
Rule added (v6)

10. Allow port range

sudo ufw allow 3000:3010/tcp

  • Goal: Open multiple ports.
  • Explanation: Useful for apps needing ranges.
  • Output:
Rule added
Rule added (v6)

11. Allow specific IP

sudo ufw allow from 203.0.113.5

  • Goal: Whitelist a trusted IP.
  • Explanation: Permits all traffic from that single source address, on every port.
  • Output:
Rule added

12. Allow IP to specific port

sudo ufw allow from 203.0.113.5 to any port 22

  • Goal: Restrict SSH to one IP.
  • Explanation: Extra security layer.
  • Output:
Rule added

13. Deny specific IP

sudo ufw deny from 203.0.113.200

  • Goal: Block attacker IP.
  • Explanation: Prevents brute force.
  • Output:
Rule added

14. Default deny incoming

sudo ufw default deny incoming

  • Goal: Block all by default.
  • Explanation: Secure baseline.
  • Output:
Default incoming policy changed to 'deny'

15. Default allow outgoing

sudo ufw default allow outgoing

  • Goal: Allow server connections.
  • Explanation: Needed for updates.
  • Output:
Default outgoing policy changed to 'allow'

16. Reset firewall

sudo ufw reset

  • Goal: Reset UFW.
  • Explanation: Wipes all rules.
  • Output:
Resetting all rules to installed defaults

iptables Commands (17–25)

17. List rules with counters

sudo iptables -L -n -v

  • Goal: Inspect firewall rules.
  • Explanation: Shows packet/byte counters.
  • Output:
Chain INPUT (policy ACCEPT)
pkts bytes target prot opt in out source destination

18. Allow HTTP

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

  • Goal: Open HTTP.
  • Explanation: Appends rule to INPUT chain.
  • Output: (no output, confirm with iptables -L)

19. Allow HTTPS

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

  • Goal: Enable SSL/TLS.
  • Explanation: Allows encrypted traffic.
  • Output: (silent, verify with iptables -L)

20. Allow SSH from one IP

sudo iptables -A INPUT -p tcp -s 203.0.113.5 --dport 22 -j ACCEPT

  • Goal: Restrict SSH.
  • Explanation: Accepts SSH only from that source; SSH traffic from other addresses falls through to the remaining rules and the chain policy.
  • Output: (silent)

21. Block malicious IP

sudo iptables -A INPUT -s 203.0.113.200 -j DROP

  • Goal: Drop attacker.
  • Explanation: Packets from that IP are silently discarded.
  • Output: (silent)

22. Drop all incoming by default

sudo iptables -P INPUT DROP

  • Goal: Default deny stance.
  • Explanation: Requires explicit allows. Set this policy only after the ACCEPT rules for SSH (and for loopback and established connections) are in place; otherwise the current session is cut off.
  • Output: (silent)

23. Save rules

sudo sh -c "iptables-save > /etc/iptables/rules.v4"

  • Goal: Persist rules.
  • Explanation: Ensures rules survive reboot. The file is reloaded at boot only when the iptables-persistent (netfilter-persistent) package is installed, which is also what creates /etc/iptables/.
  • Output: (file created)

24. Delete a rule

sudo iptables -D INPUT -s 203.0.113.200 -j DROP

  • Goal: Remove rule.
  • Explanation: Reverts blocking.
  • Output: (silent)

25. Flush all rules

sudo iptables -F

  • Goal: Clear all firewall rules.
  • Explanation: Removes every rule from every chain but leaves the chain policies in place: with a DROP policy this locks you out, with ACCEPT it leaves the host fully exposed. Dangerous.
  • Output: (silent, verify with iptables -L → empty)
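Commands 22 and 23 together show the trap of a default-DROP policy: the policy must come into effect only after the rules that keep the host reachable. The script below is an added example, not part of the original page, that generates a ruleset in the iptables-restore format written by command 23 with the ACCEPT rules ordered before the COMMIT, and checks the result before anything is loaded. It assumes the trusted SSH address from the page (203.0.113.5); nothing touches the kernel, so it runs without root.

```shell
#!/bin/sh
# Added example (not from the original page): build a rules.v4 file in the
# format `iptables-save` emits, with the INPUT DROP policy from command 22
# and the allow rules from commands 18-20 in a lockout-safe order.
# Assumptions: ADMIN_IP is the page's trusted address; the ruleset is only
# printed, not loaded with iptables-restore.

ADMIN_IP="203.0.113.5"     # trusted SSH source used in the page's examples
WEB_PORTS="80 443"         # ports a WordPress host must expose

# Print a complete filter-table ruleset to stdout.
build_rules_v4() {
    printf '%s\n' '*filter'
    # Chain policies: DROP inbound, ACCEPT outbound, DROP forwarding (no routing)
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # 1. Loopback and replies to connections the host itself opened; without
    #    these a DROP policy breaks local services and apt updates.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # 2. SSH only from the trusted address (command 20)
    printf '%s\n' "-A INPUT -p tcp -s $ADMIN_IP --dport 22 -j ACCEPT"
    # 3. Web ports from anywhere (commands 18 and 19)
    for p in $WEB_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Sanity check on a generated ruleset before it is saved: INPUT policy must be
# DROP, established connections must be accepted, and an SSH accept must exist.
# Returns 0 when all three hold.
check_rules_v4() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q 'ESTABLISHED,RELATED' || return 1
    printf '%s\n' "$rules" | grep -q -- '--dport 22 -j ACCEPT' || return 1
    return 0
}

# Usage: print the ruleset only if it passes the check. On a real host the
# output would be redirected to /etc/iptables/rules.v4 (placeholder path here)
# and loaded with `iptables-restore < /etc/iptables/rules.v4`.
RULES="$(build_rules_v4)"
check_rules_v4 "$RULES" && printf '%s\n' "$RULES"
```

Loading the generated file with iptables-restore replaces the whole table atomically, so the DROP policy and the SSH accept take effect in the same operation; that is the ordering guarantee that applying commands 18 to 22 one at a time by hand does not give.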

Use Case Scenarios

Scenario            | Command(s)                                             | Why Useful
Prevent SSH lockout | ufw allow 22, then ufw enable                          | Keeps access open
WordPress hardening | ufw allow 80; ufw allow 443; ufw default deny incoming | Only web ports exposed
Block insecure FTP  | ufw deny 21                                            | Prevents weak logins
Restrict SSH by IP  | ufw allow from 203.0.113.5 to any port 22              | Stops brute-force
Block attackers     | iptables -A INPUT -s BAD_IP -j DROP                    | Mitigate abuse fast

Benefits

  • Stronger server security.
  • Flexibility: ufw for simple, iptables for advanced.
  • Granular control over traffic.
  • Logging and auditing capabilities.

Best Practices

  1. Always open SSH before enabling the firewall.
  2. Restrict to essential ports only.
  3. Save iptables rules for persistence.
  4. Test rules before production.
  5. Pair with fail2ban for brute-force prevention.

Quick Lab

  1. Allow web + SSH:
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443

  2. Block FTP:
sudo ufw deny 21

  3. Enable firewall:
sudo ufw enable

  4. Verify rules:
sudo ufw status
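The lab's enable step is where Best Practice 1 ("open SSH before enabling") is either honoured or not. The script below is an added example, not part of the original page, that guards that step: before enabling, `ufw show added` lists the rules queued so far as ufw command lines, and the guard refuses to enable unless one of them allows SSH. The listings it checks are constructed samples of that format, and `ufw enable` is only printed rather than executed, so the script runs without root.

```shell
#!/bin/sh
# Added example (not from the original page): lockout guard for the Quick Lab's
# "enable firewall" step. Assumptions: SAMPLE_OK and SAMPLE_BAD are constructed
# `ufw show added` listings; the enable command is printed, not run.

# Return 0 when the rule listing contains an allow rule for SSH in any of the
# forms the page uses: "ufw allow 22", "ufw allow 22/tcp", "ufw allow ssh",
# or "ufw allow from <ip> to any port 22".
ssh_allowed() {
    printf '%s\n' "$1" | awk '
        $1 == "ufw" && $2 == "allow" &&
        ($0 ~ / 22(\/tcp)?$/ || $0 ~ / ssh$/ || $0 ~ / port 22$/) { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Print the command the enable step should run; return 1 and print a refusal
# on stderr when enabling would lock the operator out.
guard_enable() {
    if ssh_allowed "$1"; then
        echo "sudo ufw enable"
        return 0
    fi
    echo "refusing to enable: no allow rule for SSH (run 'sudo ufw allow 22' first)" >&2
    return 1
}

# Constructed sample of `ufw show added` after Quick Lab steps 1 and 2.
SAMPLE_OK="Added user rules (see 'ufw status' for running firewall):
ufw allow 22
ufw allow 80
ufw allow 443
ufw deny 21"

# Constructed sample where step 1 was skipped: web ports only, no SSH.
SAMPLE_BAD="Added user rules (see 'ufw status' for running firewall):
ufw allow 80
ufw allow 443
ufw deny 21"

guard_enable "$SAMPLE_OK"            # prints: sudo ufw enable
guard_enable "$SAMPLE_BAD" || true   # prints the refusal on stderr
```

On a real host the listing would come from `sudo ufw show added` instead of the constructed variables; the match is anchored to the end of the line so that a rule such as `ufw allow 220` or `ufw deny 22` does not count as SSH access.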

Cheat Sheet

Task        | Command
Allow SSH   | ufw allow 22
Allow HTTP  | ufw allow 80
Allow HTTPS | ufw allow 443
Block FTP   | ufw deny 21
List rules  | iptables -L -n -v
Block IP    | iptables -A INPUT -s IP -j DROP
Delete rule | iptables -D INPUT -s IP -j DROP
Flush rules | iptables -F

Mini-Quiz

  1. Which UFW command blocks all incoming by default?
  2. How do you allow SSH only from a specific IP?
  3. What’s the iptables command to delete a rule?
  4. Why allow SSH before enabling firewall?
  5. How do you persist iptables rules after reboot?
