UFW (Uncomplicated Firewall) is a simple interface to manage iptables\/nftables on Linux. To set up UFW on a Linux server: install it, set default policies (deny incoming, allow outgoing), allow SSH, open required service ports (e.g., HTTP\/HTTPS), enable UFW, and verify rules. This protects your server with minimal, readable commands.<\/p>\n\n\n\n
If you\u2019re looking to setup UFW on a Linux server safely and quickly, this step-by-step guide covers everything from installation to advanced rules, troubleshooting, Docker considerations, and best practices. Written from a hosting and security perspective, it helps beginners get production-grade protection with a few commands\u2014without locking themselves out.<\/p>\n\n\n\n
UFW (Uncomplicated Firewall) is a user friendly command-line tool that manages Linux firewall rules. Under the hood, it configures iptables or nftables depending on your distribution. It\u2019s included by default on Ubuntu and available for most Debian\/RHEL-based systems. UFW reduces complexity with human-readable commands like \u201callow 22\/tcp,\u201d making it ideal for developers and sysadmins.<\/p>\n\n\n\n
Key benefits:<\/p>\n\n\n\n
Most readers want a safe, copy-paste path to enable UFW without losing SSH access<\/a>, plus answers to common questions: how to allow services, open ports, block IPs, log and test rules, use IPv6, handle Docker, and recover from mistakes. This guide delivers that with a best-practice Quick Start and deep dives for production use.<\/p>\n\n\n\n On Ubuntu and Debian, UFW is often installed by default. If not, install it:<\/p>\n\n\n\n On Fedora:<\/p>\n\n\n\n On RHEL, AlmaLinux, Rocky Linux (enable EPEL if required):<\/p>\n\n\n\n Important: Do not run firewalld and UFW simultaneously. Choose one firewall manager to avoid conflicts.<\/p>\n\n\n\n Follow this safe sequence to configure UFW without losing access.<\/p>\n\n\n\n If you changed \/etc\/default\/ufw for IPv6, apply and reload:<\/p>\n\n\n\n Always allow your SSH port before enabling UFW. If you moved SSH to a custom port (e.g., 2222), adjust accordingly:<\/p>\n\n\n\n On Ubuntu, UFW can use application profiles:<\/p>\n\n\n\n Generic port-based rules work everywhere:<\/p>\n\n\n\n Only allow database ports from trusted hosts or private networks.<\/p>\n\n\n\n For FTP passive mode, also configure your FTP server to use the same passive port range.<\/p>\n\n\n\n Helpful when your server has public and private interfaces:<\/p>\n\n\n\n Rate limiting throttles repeated connection attempts from the same IP:<\/p>\n\n\n\n For deeper protection, pair UFW with Fail2ban to dynamically ban abusive IPs based on log patterns.<\/p>\n\n\n\n Enable IPv6 in \/etc\/default\/ufw (IPV6=yes) and reload. UFW will then manage ip6tables\/nftables rules to match your IPv4 policy, ensuring your server isn\u2019t exposed over IPv6 unintentionally.<\/p>\n\n\n\n UFW can handle NAT and forwarding by editing before.rules and default forward policy. Example: redirect port 80 to 8080 on the same server.<\/p>\n\n\n\n Be cautious: NAT changes impact traffic flow. Test carefully and document your modifications.<\/p>\n\n\n\n Docker manipulates iptables directly, which can bypass UFW\u2019s default policy. By default, published container ports are open on the host even if UFW denies incoming. Options:<\/p>\n\n\n\n Practical approach: expose services via Nginx on 80\/443, secure those ports with UFW, and keep containers on internal networks.<\/p>\n\n\n\n Verify open ports and rules after enabling UFW:<\/p>\n\n\n\n Enable logging to capture dropped\/allowed traffic:<\/p>\n\n\n\n If services are blocked by an upstream firewall (AWS Security Groups, Cloud provider firewalls), adjust those rules to match UFW. Both layers must allow the traffic.<\/p>\n\n\n\n Choose the tool your team can manage well. Consistency and correct policy are more important than the specific framework.<\/p>\n\n\n\nPrerequisites and Safety Checklist<\/strong><\/h2>\n\n\n\n
\n
Install UFW on Popular Linux Distributions<\/strong><\/h2>\n\n\n\n
sudo apt update\nsudo apt install ufw<\/code><\/pre>\n\n\n\nsudo dnf install ufw\n# Fedora defaults to firewalld. If you choose UFW, stop\/disable firewalld first:\nsudo systemctl stop firewalld\nsudo systemctl disable firewalld<\/a>\nsudo systemctl mask firewalld\nsudo systemctl enable ufw\nsudo systemctl start ufw<\/code><\/pre>\n\n\n\nsudo dnf install epel-release -y\nsudo dnf install ufw -y\nsudo systemctl stop firewalld\nsudo systemctl disable firewalld\nsudo systemctl mask firewalld\nsudo systemctl enable ufw\nsudo systemctl start ufw<\/code><\/pre>\n\n\n\nQuick Start: Secure Setup in 5 Minutes<\/strong><\/h2>\n\n\n\n
# 1) Check if IPv6 should be managed too (recommended on dual-stack servers)\nsudo nano \/etc\/default\/ufw\n# Ensure: IPV6=yes\n# Save and exit if you changed it:\n# Then reload defaults after enabling later\n\n# 2) Allow SSH FIRST (replace 22 if using a custom port)\nsudo ufw allow 22\/tcp comment 'SSH'\n\n# 3) Set sensible defaults\nsudo ufw default deny incoming\nsudo ufw default allow outgoing\n\n# 4) Allow web traffic if this is a web server<\/a>\nsudo ufw allow 80\/tcp comment 'HTTP'\nsudo ufw allow 443\/tcp comment 'HTTPS'\n\n# 5) Enable UFW (type 'y' to proceed)\nsudo ufw enable\n\n# 6) Verify\nsudo ufw status verbose<\/code><\/pre>\n\n\n\nsudo ufw reload\nsudo ufw status numbered<\/code><\/pre>\n\n\n\nEssential UFW Commands (Cheat Sheet)<\/strong><\/h2>\n\n\n\n
\n
sudo ufw enable<\/code>, sudo ufw disable<\/code><\/li>\n\n\n\nsudo ufw status<\/code>, sudo ufw status verbose<\/code>, sudo ufw status numbered<\/code><\/li>\n\n\n\nsudo ufw allow 22\/tcp<\/code>, sudo ufw deny 25\/tcp<\/code><\/li>\n\n\n\nsudo ufw status numbered<\/code> then sudo ufw delete <num><\/code><\/li>\n\n\n\nsudo ufw limit 22\/tcp<\/code><\/li>\n\n\n\nsudo ufw allow 10000:20000\/tcp<\/code><\/li>\n\n\n\nsudo ufw allow from 203.0.113.10 to any port 22 proto tcp<\/code>, sudo ufw allow from 10.0.0.0\/24 to any port 5432<\/code><\/li>\n\n\n\nsudo ufw allow in on eth0 to any port 22<\/code><\/li>\n\n\n\nsudo ufw logging on<\/code> (levels: off, low, medium, high, full)<\/li>\n\n\n\nsudo ufw reset<\/code> (removes rules; use carefully)<\/li>\n<\/ul>\n\n\n\nConfigure Common Services<\/strong><\/h2>\n\n\n\n
SSH (Remote Access)<\/strong><\/h2>\n\n\n\n
# Default\nsudo ufw allow 22\/tcp comment 'SSH'\n\n# Custom\nsudo ufw allow 2222\/tcp comment 'SSH (custom port)'\n\n# Add rate limiting to slow brute-force attempts\nsudo ufw limit 22\/tcp<\/code><\/pre>\n\n\n\nWeb Servers (Nginx\/Apache)<\/strong><\/h2>\n\n\n\n
# Show available app profiles\nsudo ufw app list\n\n# Common profiles:\nsudo ufw allow 'Nginx Full' # 80,443\nsudo ufw allow 'Apache Full' # 80,443<\/code><\/pre>\n\n\n\nsudo ufw allow 80\/tcp\nsudo ufw allow 443\/tcp<\/code><\/pre>\n\n\n\nDatabases (PostgreSQL, MySQL\/MariaDB)<\/strong><\/h2>\n\n\n\n
# PostgreSQL (5432) from app server only\nsudo ufw allow from 10.0.0.10 to any port 5432 proto tcp\n\n# MySQL\/MariaDB (3306) from specific subnet\nsudo ufw allow from 10.0.1.0\/24 to any port 3306 proto tcp<\/code><\/pre>\n\n\n\nMail, FTP, and Other Services<\/strong><\/h2>\n\n\n\n
# SMTP\nsudo ufw allow 25\/tcp\n\n# SMTPS\/Submission\nsudo ufw allow 465\/tcp\nsudo ufw allow 587\/tcp\n\n# IMAP(S) and POP3(S)\nsudo ufw allow 993\/tcp\nsudo ufw allow 995\/tcp\n\n# FTP (and passive range example)\nsudo ufw allow 21\/tcp\nsudo ufw allow 30000:31000\/tcp<\/code><\/pre>\n\n\n\nAdvanced UFW Rules and Scenarios<\/strong><\/h2>\n\n\n\n
Default Policies<\/strong><\/h2>\n\n\n\n
# Recommended defaults\nsudo ufw default deny incoming\nsudo ufw default allow outgoing\n\n# For hardened egress control (optional)\nsudo ufw default deny outgoing\n# Then allow specific outbound destinations\/ports as needed<\/code><\/pre>\n\n\n\nAllow by Source, Port, Protocol<\/strong><\/h2>\n\n\n\n
# Single IP\nsudo ufw allow from 203.0.113.5 to any port 22 proto tcp\n\n# CIDR subnet\nsudo ufw allow from 10.10.0.0\/16 to any port 9200 proto tcp\n\n# UDP example (DNS)\nsudo ufw allow 53\/udp<\/code><\/pre>\n\n\n\nInterface-Specific Rules<\/strong><\/h2>\n\n\n\n
# Only allow SSH on public interface eth0\nsudo ufw allow in on eth0 to any port 22 proto tcp\n\n# Allow database only on private interface eth1\nsudo ufw allow in on eth1 to any port 5432 proto tcp<\/code><\/pre>\n\n\n\nPort Ranges and Service Groups<\/strong><\/h2>\n\n\n\n
# TCP range\nsudo ufw allow 2000:2100\/tcp\n\n# UDP range\nsudo ufw allow 60000:61000\/udp<\/code><\/pre>\n\n\n\nRate Limiting and Brute-Force Mitigation<\/strong><\/h2>\n\n\n\n
sudo ufw limit 22\/tcp\nsudo ufw limit 80\/tcp\nsudo ufw limit 443\/tcp<\/code><\/pre>\n\n\n\nIPv6 Support<\/strong><\/h2>\n\n\n\n
NAT, Forwarding, and Port Redirection<\/strong><\/h2>\n\n\n\n
# 1) Enable forwarding in \/etc\/default\/ufw\nDEFAULT_FORWARD_POLICY=\"ACCEPT\"\n\n# 2) Edit \/etc\/ufw\/before.rules (IPv4) and add before the *filter section:\n*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080\nCOMMIT\n\n# 3) Reload\nsudo ufw reload<\/code><\/pre>\n\n\n\nUFW and Docker: What You Need to Know<\/strong><\/h2>\n\n\n\n
\n
--publish<\/code> except through a controlled proxy.<\/li>\n\n\n\nTesting, Verification, and Logging<\/strong><\/h2>\n\n\n\n
# On the server\nsudo ufw status verbose\nss -tulpn\n\n# From a remote host\nnmap -Pn <server_ip>\nnc -zv <server_ip> 22\ncurl -I http:\/\/<server_ip><\/code><\/pre>\n\n\n\nsudo ufw logging medium\n# Logs usually at \/var\/log\/ufw.log (or via syslog\/journal)\nsudo tail -f \/var\/log\/ufw.log<\/code><\/pre>\n\n\n\nTroubleshooting and Recovery<\/strong><\/h2>\n\n\n\n
Avoiding Lockouts<\/strong><\/h2>\n\n\n\n
\n
Common Fixes<\/strong><\/h2>\n\n\n\n
# If you lost access (via console):\nsudo ufw disable\n\n# Re-allow SSH and re-enable:\nsudo ufw allow 22\/tcp\nsudo ufw enable\n\n# Reset all rules (careful: wipes configuration)\nsudo ufw reset\nsudo ufw default deny incoming\nsudo ufw default allow outgoing\nsudo ufw allow 22\/tcp\nsudo ufw enable\n\n# Delete a bad rule by number\nsudo ufw status numbered\nsudo ufw delete <number><\/code><\/pre>\n\n\n\nHardening Tips and Best Practices<\/strong><\/h2>\n\n\n\n
\n
Automating UFW (Cloud-Init and Ansible)<\/strong><\/h2>\n\n\n\n
Cloud-Init Snippet<\/strong><\/h2>\n\n\n\n
#cloud-config\npackages:\n - ufw\nruncmd:\n - sed -i 's\/IPV6=no\/IPV6=yes\/' \/etc\/default\/ufw\n - ufw default deny incoming\n - ufw default allow outgoing\n - ufw allow 22\/tcp comment 'SSH'\n - ufw allow 80\/tcp comment 'HTTP'\n - ufw allow 443\/tcp comment 'HTTPS'\n - yes | ufw enable\n - ufw status verbose<\/code><\/pre>\n\n\n\nAnsible Task Example<\/strong><\/h2>\n\n\n\n
- name: Install UFW\n apt:\n name: ufw\n state: present\n become: yes\n\n- name: Configure UFW defaults\n ufw:\n state: enabled\n policy: deny\n direction: incoming\n become: yes\n\n- name: Allow outgoing by default\n command: ufw default allow outgoing\n become: yes\n\n- name: Allow SSH, HTTP, HTTPS\n ufw:\n rule: allow\n port: \"{{ item }}\"\n proto: tcp\n loop:\n - \"22\"\n - \"80\"\n - \"443\"\n become: yes<\/code><\/pre>\n\n\n\nUFW vs. firewalld vs. iptables\/nftables<\/strong><\/h2>\n\n\n\n
\n
Real-World Example: Production Web App<\/strong><\/h2>\n\n\n\n