Linux Firewall Rules Builder

House of Shield - Defend Your Network Perimeter


Packet Flow Visualization

Network Packet Journey

Incoming Packet (INPUT Chain):
  Network (packet arrives) -> PREROUTING (NAT decisions) -> INPUT (your rules here) -> Local Process (destination)

Outgoing Packet (OUTPUT Chain):
  Local Process (origin) -> OUTPUT (your rules here) -> POSTROUTING (NAT decisions) -> Network (packet leaves)

Forwarded Packet (FORWARD Chain):
  Network A (packet arrives) -> PREROUTING (NAT decisions) -> FORWARD (your rules here) -> POSTROUTING (NAT decisions) -> Network B (packet leaves)

Rule Evaluation Colors

  • GREEN - ACCEPT: packet is allowed through
  • RED - DROP/REJECT: packet is blocked
  • YELLOW - LOG: packet is logged

How Rules Are Evaluated

  • Rules are evaluated from top to bottom in order
  • First matching rule is applied (unless using LOG)
  • If no rule matches, the default policy is applied
  • LOG action records packet info but continues evaluation
  • More specific rules should come before general rules
  • ACCEPT, DROP and REJECT are all terminating: evaluation of the chain stops at the first one that matches (DROP discards the packet silently, REJECT also sends an error response back)
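To make that evaluation order concrete, here is a small model of how a chain is walked, written for this page as an added example (it is not code from the rule builder): Rule, Packet, matches and evaluate are constructed names, and the sample chain is assembled from the templates further down the page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Container, Optional


@dataclass
class Rule:
    action: str                              # ACCEPT, DROP, REJECT (terminating) or LOG
    proto: Optional[str] = None              # "tcp", "udp" or "icmp"; None matches any
    dports: Optional[Container[int]] = None  # e.g. {22}, {80, 443} or range(1024, 65536)
    src: Optional[str] = None                # address or CIDR, e.g. "192.168.1.0/24"
    state: Optional[str] = None              # conntrack state: "NEW" or "ESTABLISHED"


@dataclass
class Packet:
    proto: str
    src: str
    dport: int = 0
    state: str = "NEW"


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion the rule specifies must match; unspecified ones match anything."""
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.dports is None or pkt.dport in rule.dports)
            and (rule.src is None or ip_address(pkt.src) in ip_network(rule.src, strict=False))
            and (rule.state is None or rule.state == pkt.state))


def evaluate(chain, pkt, policy="DROP"):
    """Walk the chain top to bottom. Returns (verdict, number of the deciding rule or
    None, numbers of the LOG rules that fired). LOG records the packet and evaluation
    continues; ACCEPT, DROP and REJECT end it; with no match the default policy decides."""
    logged = []
    for number, rule in enumerate(chain, start=1):
        if not matches(rule, pkt):
            continue
        if rule.action == "LOG":
            logged.append(number)
            continue
        return rule.action, number, logged
    return policy, None, logged


# Constructed INPUT chain assembled from the templates on this page (default policy DROP).
CHAIN = [
    Rule("ACCEPT", state="ESTABLISHED"),                             # Allow Established
    Rule("LOG", proto="tcp", dports={22}),                           # Log SSH Attempts
    Rule("DROP", src="192.168.1.100"),                               # Block Specific IP
    Rule("ACCEPT", proto="tcp", dports={22}, src="192.168.1.0/24"),  # SSH from the LAN only
    Rule("ACCEPT", proto="tcp", dports={80, 443}),                   # Allow HTTP/HTTPS
]
```

Swapping the Block Specific IP rule below the LAN allow lets 192.168.1.100 reach SSH, which is exactly the ordering mistake the last bullet warns about.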

Common Firewall Rule Templates


Allow SSH

Permit incoming SSH connections on port 22 (TCP)

Port: 22/TCP
Action: ACCEPT

Allow HTTP/HTTPS

Permit web traffic on ports 80 and 443 (TCP)

Ports: 80,443/TCP
Action: ACCEPT

Allow Ping (ICMP)

Permit ICMP echo requests for network diagnostics

Protocol: ICMP
Action: ACCEPT

Allow DNS

Permit DNS queries on port 53 (UDP/TCP)

Port: 53/UDP
Action: ACCEPT

Allow Established

Permit responses to outgoing connections

State: ESTABLISHED
Action: ACCEPT

Block Specific IP

Drop all traffic from a malicious IP address

Source: 192.168.1.100
Action: DROP

Log SSH Attempts

Record all SSH connection attempts

Port: 22/TCP
Action: LOG

Allow MySQL

Permit MySQL connections from local network

Port: 3306/TCP
Source: 192.168.1.0/24
Action: ACCEPT

Default Policy Templates

# Secure default - deny all incoming, allow outgoing.
# Add the allow rules before switching the policy: with an empty INPUT chain,
# "iptables -P INPUT DROP" also drops the SSH session you are typing from.

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Now set the default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

Understanding Firewall Chains

INPUT

Incoming packets destined for this machine

OUTPUT

Outgoing packets originating from this machine

FORWARD

Packets passing through this machine to another destination

INPUT Chain - Detailed Explanation

Controls packets coming INTO your server from the network

  • Web traffic to your web server (port 80, 443)
  • SSH connections to your server (port 22)
  • Ping requests to your server (ICMP)
  • Database connections to your server (port 3306, 5432)

# Allow incoming SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow incoming HTTP/HTTPS
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

OUTPUT Chain - Detailed Explanation

Controls packets going OUT from your server to the network

  • Your server connecting to external APIs
  • Your server sending emails (port 25, 587)
  • Your server making DNS queries (port 53)
  • Your server downloading updates (HTTP/HTTPS)

# Allow outgoing DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# Allow outgoing HTTP/HTTPS
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

FORWARD Chain - Detailed Explanation

Controls packets being routed THROUGH your server to other destinations

  • Your server acting as a router/gateway
  • NAT (Network Address Translation) scenarios
  • Traffic between different network interfaces
  • Docker containers routing through host

# Allow forwarding from internal to external network
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Allow forwarding for established connections
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Default Policies

What happens to packets that don't match any rule

# View current policies
iptables -L | grep policy

# Set default DROP (secure - deny all, allow specific)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Set default ACCEPT (permissive - allow all, block specific)
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

UFW Quick Reference

Uncomplicated Firewall (UFW) - A user-friendly frontend for iptables

Basic UFW Commands

# Enable UFW
sudo ufw enable

# Disable UFW
sudo ufw disable

# Check status
sudo ufw status
sudo ufw status verbose
sudo ufw status numbered

# Reset to defaults
sudo ufw reset

Allow Rules

# Allow specific port
sudo ufw allow 22
sudo ufw allow 80/tcp
sudo ufw allow 53/udp

# Allow port range
sudo ufw allow 6000:6007/tcp

# Allow from specific IP
sudo ufw allow from 192.168.1.100

# Allow from subnet to specific port
sudo ufw allow from 192.168.1.0/24 to any port 22

# Allow specific service
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https

Deny Rules

# Deny specific port
sudo ufw deny 23

# Deny from specific IP
sudo ufw deny from 192.168.1.100

# Deny to specific IP
sudo ufw deny to 192.168.1.100

# Deny from subnet
sudo ufw deny from 10.0.0.0/8

Delete Rules

# Delete by rule specification
sudo ufw delete allow 80

# Delete by rule number
sudo ufw status numbered
sudo ufw delete 3

# Delete specific rule
sudo ufw delete allow from 192.168.1.100

Advanced UFW

# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw default deny routed

# Rate limiting (prevents brute force)
sudo ufw limit ssh
sudo ufw limit 22/tcp

# Application profiles
sudo ufw app list
sudo ufw allow 'Nginx Full'
sudo ufw allow 'OpenSSH'

# Logging
sudo ufw logging on
sudo ufw logging off
sudo ufw logging low
sudo ufw logging medium
sudo ufw logging high

Common UFW Scenarios

# Web server setup
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable

# Database server (MySQL) from local network only
sudo ufw allow from 192.168.1.0/24 to any port 3306

# Allow ping
sudo ufw allow proto icmp

# Block specific IP
sudo ufw deny from 203.0.113.100

# Allow specific IP to all ports
sudo ufw allow from 192.168.1.50

Firewall Security Best Practices

1. Default Deny Policy

Start with a secure baseline - deny everything by default, then explicitly allow what you need

# iptables approach
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# UFW approach
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw default deny routed

  • Minimizes attack surface
  • Forces you to think about what services you actually need
  • Easier to audit allowed services
  • More secure than "allow all, block some"

2. Allow Only Necessary Ports

Every open port is a potential attack vector

  • Identify which services actually need network access
  • Close unused services (FTP, Telnet, unnecessary databases)
  • Use non-standard ports for common services (but don't rely on security through obscurity)
  • Regularly audit open ports with: netstat -tulpn or ss -tulpn

3. Rate Limiting

Prevent brute force attacks by limiting connection attempts

# UFW rate limiting (easy)
sudo ufw limit ssh
sudo ufw limit 22/tcp

# iptables rate limiting (more control)
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

# Explanation: Allow only 3 new SSH connections per 60 seconds per IP

  • Protects against brute force password attacks
  • Mitigates DoS attempts
  • Apply to SSH, web login pages, API endpoints
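A simplified model of the two iptables rules above, added here as an example (not from the page): it keeps per-source timestamps the way the recent match does and applies the --seconds 60 --hitcount 4 check, showing that three new connections per minute are admitted and that a dropped attempt still refreshes the window. RecentTable, simulate and the ATTEMPTS list are constructed for the example.

```python
from collections import defaultdict, deque

SECONDS, HITCOUNT = 60, 4  # --seconds and --hitcount from the rules above
LIST_TOT = 20              # xt_recent keeps at most this many stamps per address (ip_pkt_list_tot default)


class RecentTable:
    """Per-source timestamps, as the 'recent' list keeps them for each address."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=LIST_TOT))

    def new_connection(self, src: str, now: float) -> str:
        # Rule 1 ('--set'): every NEW packet stamps the source, including one
        # that the second rule is about to drop.
        self.stamps[src].append(now)
        # Rule 2 ('--update --seconds 60 --hitcount 4 -j DROP'): drop when the
        # source has been seen HITCOUNT or more times within the window.
        hits = sum(1 for t in self.stamps[src] if now - t <= SECONDS)
        return "DROP" if hits >= HITCOUNT else "ACCEPT"


def simulate(attempts):
    """attempts: (time_in_seconds, source_ip) pairs in order; returns one verdict per attempt."""
    table = RecentTable()
    return [table.new_connection(src, t) for t, src in attempts]


# Constructed input: one source hammering port 22 next to a single normal login.
ATTEMPTS = [(0, "203.0.113.9"), (5, "203.0.113.9"), (10, "203.0.113.9"),
            (12, "203.0.113.9"),   # 4th hit inside 60 s: dropped
            (30, "192.168.1.50"),  # unrelated source, its own counter
            (65, "203.0.113.9"),   # the dropped attempt at 12 s still counts: dropped
            (200, "203.0.113.9")]  # window has expired: accepted again
```
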

4. Allow Established Connections

Permit return traffic for connections you initiated

# Allow established and related connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Or using state module
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  • Allows responses to your outgoing requests
  • Essential for normal network operation
  • Should be one of your first rules

5. Logging Suspicious Traffic

Monitor and log potential attacks or unusual activity

# Log dropped packets (before DROP policy)
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-DROP: " --log-level 7

# Log specific port attempts
iptables -A INPUT -p tcp --dport 23 -j LOG --log-prefix "Telnet-attempt: "

# View logs
sudo tail -f /var/log/syslog | grep iptables
sudo journalctl -f | grep iptables

  • Use rate limiting on logs to prevent log flooding
  • Monitor logs regularly for attack patterns
  • Set up alerts for critical events
  • Be careful not to log too much (performance impact)

6. Restrict by Source IP

Limit access to sensitive services based on source address

# Allow SSH only from your office network
iptables -A INPUT -p tcp --dport 22 -s 203.0.113.0/24 -j ACCEPT

# Allow database only from app servers
iptables -A INPUT -p tcp --dport 3306 -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -s 192.168.1.11 -j ACCEPT

# UFW equivalent
sudo ufw allow from 203.0.113.0/24 to any port 22

  • Apply to administrative services (SSH, database management)
  • Use VPN if accessing from dynamic IPs
  • Consider fail2ban for dynamic blacklisting

7. Loopback Interface

Always allow local communication

# Allow all loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# UFW automatically allows loopback

  • Essential for local services to communicate
  • Required for many applications to function
  • Should be one of your first rules

8. Persistence and Backups

Make your rules survive reboots and maintain backups

# Save iptables rules
sudo iptables-save > /etc/iptables/rules.v4
sudo ip6tables-save > /etc/iptables/rules.v6

# Install iptables-persistent (Debian/Ubuntu)
sudo apt install iptables-persistent

# Or use netfilter-persistent
sudo netfilter-persistent save

# UFW persists automatically when enabled

# Backup your rules
sudo cp /etc/iptables/rules.v4 /root/iptables-backup-$(date +%Y%m%d).v4

9. Regular Auditing

Periodically review your firewall configuration

# List all rules
sudo iptables -L -n -v --line-numbers
sudo ufw status numbered

# Check for open ports
sudo netstat -tulpn
sudo ss -tulpn

# Review logs
sudo grep -i iptables /var/log/syslog
sudo journalctl -u ufw

  • Remove obsolete rules
  • Verify rules are still necessary
  • Check for conflicts or overlaps
  • Test firewall effectiveness with external scans

10. Testing Before Production

Always test firewall changes to avoid lockouts

  • Have console/KVM access before making changes
  • Use a testing environment first
  • Add rules one at a time and verify connectivity
  • Keep a second SSH session open when modifying SSH rules
  • Schedule a job (for example with at) that resets the firewall if you get locked out

# Emergency reset with at: runs once, 5 minutes from now. Once you have confirmed
# you still have access, cancel it with atrm <job number> (atq lists pending jobs).
at now + 5 minutes <<< "iptables -F; iptables -X; iptables -P INPUT ACCEPT"

Firewall Security Quiz

Test your knowledge of Linux firewall concepts and best practices

Question 1: Which chain handles packets coming INTO your server?

A) INPUT
B) OUTPUT
C) FORWARD
D) PREROUTING

Question 2: What is the most secure default policy?

A) ACCEPT all, then block specific
B) DROP all, then allow specific
C) LOG all traffic
D) No default policy

Question 3: What does DROP do differently than REJECT?

A) DROP silently discards packets, REJECT sends a response
B) DROP is faster than REJECT
C) DROP logs packets, REJECT doesn't
D) There is no difference

Question 4: Which command enables UFW?

A) sudo ufw enable
B) sudo ufw start
C) sudo systemctl start ufw
D) sudo firewall-cmd --enable

Question 5: What is rate limiting used for?

A) Preventing brute force attacks
B) Limiting bandwidth usage
C) Blocking specific IPs
D) Logging traffic

Question 6: You want to allow SSH only from your office network (192.168.1.0/24). Which UFW command is correct?

A) sudo ufw allow from 192.168.1.0/24 to any port 22
B) sudo ufw allow 22 from 192.168.1.0/24
C) sudo ufw allow ssh --from 192.168.1.0/24
D) sudo ufw limit 192.168.1.0/24 port 22

Question 7: What does CIDR notation /24 mean?

A) First 24 bits are network address (256 addresses)
B) 24 IP addresses in the range
C) Port number 24
D) 24 hours of access

Question 8: Which protocol does ping use?

A) ICMP
B) TCP
C) UDP
D) HTTP