Setting Up a Firewall on Your VPS (UFW/iptables)
A properly configured firewall is your VPS's first line of defense. This guide covers setting up both UFW (the beginner-friendly option) and iptables (for advanced users) on your {{COMPANY_NAME}} VPS.
Understanding Firewalls
A firewall controls which network traffic is allowed in and out of your server. By default, a new VPS may have all ports open, leaving it vulnerable to attacks. Configuring a firewall ensures only the services you need are accessible.
Option 1: UFW (Uncomplicated Firewall)
UFW is the recommended firewall for Ubuntu and Debian-based systems. It provides a simple interface over iptables.
Step 1: Install UFW
UFW is pre-installed on most Ubuntu systems. If not:
```bash
sudo apt update
sudo apt install ufw
```
Step 2: Set Default Policies
Start by denying all incoming traffic and allowing outgoing:
```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
```
Tip: Always allow SSH before enabling UFW, or you will lock yourself out of your server.
Step 3: Allow Essential Services
```bash
# Allow SSH (CRITICAL - do this first)
sudo ufw allow 22/tcp
# Allow HTTP and HTTPS (for web servers)
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Allow custom SSH port (if you changed it)
sudo ufw allow 2222/tcp
```
Step 4: Enable the Firewall
```bash
sudo ufw enable
```
Type y to confirm. The firewall is now active and will persist across reboots.
Step 5: Verify Firewall Status
```bash
sudo ufw status verbose
```
Expected output:
```text
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
```
Common UFW Commands
```bash
# Allow a specific port
sudo ufw allow 3306/tcp
# Allow from a specific IP only
sudo ufw allow from 192.168.1.100 to any port 3306
# Deny a specific port
sudo ufw deny 8080/tcp
# Delete a rule
sudo ufw delete allow 8080/tcp
# Reset all rules
sudo ufw reset
# Disable firewall
sudo ufw disable
# Show numbered rules (for deletion)
sudo ufw status numbered
# Delete rule by number
sudo ufw delete 3
```
Option 2: iptables (Advanced)
iptables is the underlying firewall framework on Linux. Use it when you need fine-grained control.
Basic iptables Rules
```bash
# Flush existing rules
sudo iptables -F
# Allow loopback interface
sudo iptables -A INPUT -i lo -j ACCEPT
# Allow established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow HTTP and HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Drop all other incoming traffic
sudo iptables -A INPUT -j DROP
```
Persist iptables Rules
iptables rules are lost on reboot unless saved:
```bash
# Install persistence package
sudo apt install iptables-persistent
# Save current rules
sudo netfilter-persistent save
# Rules are saved to:
# /etc/iptables/rules.v4
# /etc/iptables/rules.v6
```
Rate Limiting with iptables
Protect SSH from brute-force attacks:
```bash
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
```
This limits new SSH connections to 3 per minute per source IP: the fourth new connection from the same address within 60 seconds is dropped. iptables stops at the first matching rule, so these two rules (kept in this order) must come before the plain `--dport 22 -j ACCEPT` rule from the basic ruleset above; if they are appended after it, the ACCEPT rule matches first and the rate limit is never reached.
Firewall for CentOS/RHEL (firewalld)
CentOS and RHEL use firewalld by default:
```bash
# Start and enable firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld
# Allow services
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
# Reload rules
sudo firewall-cmd --reload
# Check status
sudo firewall-cmd --list-all
```
Common Port Reference
| Service | Port | Protocol |
|---|---|---|
| SSH | 22 | TCP |
| HTTP | 80 | TCP |
| HTTPS | 443 | TCP |
| FTP | 21 | TCP |
| SMTP | 25, 587 | TCP |
| MySQL | 3306 | TCP |
| PostgreSQL | 5432 | TCP |
| DNS | 53 | TCP/UDP |
Troubleshooting
| Problem | Solution |
|---|---|
| Locked out of VPS | Use VNC console from {{COMPANY_NAME}} client area to disable firewall |
| Service unreachable after enabling firewall | Check if the service port is allowed: sudo ufw status |
| Rules not persisting after reboot | Install iptables-persistent, or use UFW, which persists rules automatically |
| Cannot send email | Allow ports 25 and 587 for SMTP |
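As an added example (not part of the original article), a small Python audit script that reads the text `sudo ufw status verbose` prints (see Step 5) and flags, before you run `ufw enable`, the two problems the troubleshooting table describes: no SSH rule (you would lock yourself out) and a database port from the reference table open to Anywhere instead of a specific IP. The sample status dump, the `RESTRICTED_PORTS`/`SSH_PORTS` lists and the function names are constructed assumptions for this example.

```python
import re
from collections import namedtuple

# Ports from the article's reference table that should only be reachable from
# specific addresses (`ufw allow from 192.168.1.100 to any port 3306`), never
# from Anywhere. Extend this dict to match your own service inventory.
RESTRICTED_PORTS = {3306: "MySQL", 5432: "PostgreSQL"}
SSH_PORTS = {22, 2222}  # default SSH port plus the article's example custom port

# One rule line of `ufw status verbose`, e.g. "22/tcp  ALLOW IN  Anywhere",
# "3306  ALLOW IN  192.168.1.100" or "22/tcp (v6)  ALLOW IN  Anywhere (v6)".
RULE_RE = re.compile(
    r"^(?P<port>\d+)(?:/(?P<proto>tcp|udp))?(?:\s+\(v6\))?"
    r"\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+IN\s+(?P<src>.+?)\s*$"
)
Rule = namedtuple("Rule", "port proto action source")


def parse_ufw_status(text):
    """Return the inbound rules found in a `ufw status verbose` dump."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:  # header, separator and "Status:" lines simply do not match
            rules.append(Rule(int(m["port"]), m["proto"] or "any", m["action"], m["src"]))
    return rules


def audit(text):
    """Return a list of findings (empty list = nothing to fix)."""
    rules = parse_ufw_status(text)
    findings = []
    # Lockout guard: Step 3 (allow SSH) must have run before `ufw enable`.
    if not any(r.port in SSH_PORTS and r.action in ("ALLOW", "LIMIT") for r in rules):
        findings.append("no ALLOW rule for SSH (22 or 2222): enabling would lock you out")
    # Exposure check: database ports open to the whole internet (v4 or v6).
    for r in rules:
        if r.port in RESTRICTED_PORTS and r.action == "ALLOW" and r.source.startswith("Anywhere"):
            findings.append(f"{RESTRICTED_PORTS[r.port]} port {r.port} is open to {r.source}; "
                            f"use 'ufw allow from <ip> to any port {r.port}' instead")
    return findings


# Constructed sample of what `sudo ufw status verbose` prints (not real output).
SAMPLE_STATUS = """\
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    Anywhere
5432                       ALLOW IN    192.168.1.100
22/tcp (v6)                ALLOW IN    Anywhere (v6)
"""
```

Run it on a live server with `sudo ufw status verbose | python3 ufw_audit.py` after adding a few lines that call `audit(sys.stdin.read())`; on the constructed sample it reports only the MySQL port open to Anywhere.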
Related Articles
- VPS Security Hardening Checklist
- How to Connect to Your VPS via SSH
- Basic VPS Server Management Commands
Need help configuring your firewall? Contact our support team at {{SUPPORT_EMAIL}} or open a ticket at {{SUPPORT_URL}}.