Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for Beginners

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for Beginners

**

Hello everyone! Previously, when sharing about Linux SSH remote management, some friends in the background commented: “Remote connection is convenient, but the server is exposed to the network, and I am always worried about being attacked. How can I ensure proper protection?”

In fact, the Linux firewall is the server’s “first line of defense”—it acts like a “gatekeeper,” controlling which traffic can enter and which can exit, blocking malicious attacks while ensuring normal service operation. However, many beginners both love and fear firewalls: they fear that complex configurations will crash the service, and they fear that not configuring will leave security vulnerabilities. This article will help you completely master it: from “understanding firewalls” to “basic configurations,” and then to “advanced rule practices,” each step includes operation screenshots and commands, so you can install a “protective shield” for your server after reading!

1. First, understand: Why can’t we skip the Linux firewall?

Before starting operations, let’s clarify the core functions of the firewall to help you understand “why it must be configured”:

Resist malicious attacks: It can intercept common risks such as port scanning, brute force cracking (like SSH password cracking), DDoS attacks, etc., reducing the probability of server intrusion;

Control network access: Only open necessary ports (like Web service ports 80/443, SSH port 22), close all other ports to avoid risks from “useless port exposure”;

Adapt to production environment requirements: For enterprise-level server deployments, a firewall is a “standard configuration”; without reasonable firewall rules, it may even fail security compliance checks.

👉 Tip: There are two commonly used firewall tools in mainstream Linux systems—firewalld (default in CentOS 7+) and ufw (default in Ubuntu). Today, we will explain both, so users of the corresponding systems can follow along!

2. Basic Practice: Configuration of Two Mainstream Firewall Tools (with Comparison)

First, let’s compare the core differences between firewalld and ufw to help you quickly find the tool that suits you, and then demonstrate basic operations step by step, so beginners can follow along!

  1. firewalld vs ufw: How to choose?

Tool Name

Default System

Advantages

Disadvantages

Recommended Users

firewalld

CentOS 7+/RHEL

Supports dynamic rules (no need to restart to take effect), zone management (public/work/home)

Commands are slightly complex, beginners need to remember parameters

CentOS users, scenarios requiring dynamic rule adjustments

ufw

Ubuntu/Debian

Simple commands (e.g., “allow port 80” only requires 1 command), quick to get started

Does not support dynamic rules (modifications require a restart)

Ubuntu users, beginners, simple protection scenarios

👉 Beginner friendliness: ufw > firewalld (ufw commands are simpler, suitable for beginners; firewalld has stronger functionality, suitable for complex scenarios)

**

  1. Essential for CentOS Users: Basic Configuration of firewalld (5 Steps to Complete)

Taking CentOS 7 as an example, firewalld is the default firewall tool. Let’s start with basic operations such as “checking status,” “opening ports,” and “applying rules”:

Step 1: Check firewalld status

First, confirm whether the firewall is started by executing the command:

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersCheck firewalld status

systemctl status firewalld

If it shows “active (running),” it means it is started;

If it shows “inactive (dead),” execute the command to start it: systemctl start firewalld, and set it to start on boot: systemctl enable firewalld.

Step 2: Check current firewall rules

Understand existing rules to avoid duplicate configurations or conflicts, execute the command:

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersView open ports and services

firewall-cmd –list-all

The output is similar to:

public (active)

target: default

icmp-block-inversion: no

interfaces: eth0

sources:

services: ssh dhcpv6-client

ports:

protocols:

masquerade: no

forward-ports:

source-ports:

icmp-blocks:

rich rules:

Among them, “services: ssh dhcpv6-client” indicates that SSH (port 22) and DHCPv6 client services are open by default.

Step 3: Open common ports (taking Web service port 80 as an example)

If you have deployed Nginx/Apache Web services, you need to open port 80 (HTTP) and port 443 (HTTPS), execute the command:

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersTemporarily open port 80 (will be invalid after restarting firewalld)

firewall-cmd –add-port=80/tcp

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersOpen port 80 permanently (will remain effective after restart)

firewall-cmd –add-port=80/tcp –permanent

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersOpen port 443 permanently

firewall-cmd –add-port=443/tcp –permanent

Tip: The port type must correspond to the protocol, for example, fill in “80/tcp” for TCP protocol, “53/udp” for UDP protocol (commonly used for DNS services).

Step 4: Reload rules (to make the configuration effective)

After permanently modifying the rules, you need to reload to make them effective, execute the command:

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersReload firewalld rules

firewall-cmd –reload

After successful loading, execute firewall-cmd –list-all again, and you will see “ports: 80/tcp 443/tcp,” indicating that the ports are open.

Step 5: Close unnecessary ports (taking port 3306 as an example)

If the MySQL service is only used internally on the server and does not need to be exposed externally, close port 3306, execute the command:

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersTemporarily close port 3306

firewall-cmd –remove-port=3306/tcp

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersClose port 3306 permanently

firewall-cmd –remove-port=3306/tcp –permanent

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersReload rules

firewall-cmd –reload

**

  1. Essential for Ubuntu Users: Basic Configuration of ufw (4 Steps to Complete)

Ubuntu uses ufw by default, with simpler commands, suitable for beginners. Taking Ubuntu 20.04 as an example:

Step 1: Enable ufw and set it to start on boot

Ubuntu disables ufw by default, first execute the command to enable it:

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEnable ufw

sudo ufw enable

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersCheck ufw status (confirm if it is started)

sudo ufw status

The output “Status: active” indicates it is started, and the default rule is “deny all incoming traffic, allow all outgoing traffic” (the safest default configuration).

Step 2: Open common ports (taking SSH port 22 as an example)

After enabling ufw, it will deny SSH connections by default (if it is a remote management server, first open port 22 to avoid being unable to reconnect after disconnection):

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersAllow SSH (port 22) inbound

sudo ufw allow ssh

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersAllow Web service port 80 inbound

sudo ufw allow 80/tcp

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersAllow Web service port 443 inbound

sudo ufw allow 443/tcp

Tip: ufw supports “service names” instead of ports, for example, “allow ssh” is equivalent to “allow 22/tcp,” which is easier to remember.

Step 3: View configured rules

Execute the command to view current rules and confirm whether the ports are open:

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersView detailed rules

sudo ufw status verbose

The output is similar to:

Status: active

Logging: on (low)

Default: deny (incoming), allow (outgoing), deny (routed)

New profiles: skip

To Action From

22/tcp ALLOW IN Anywhere

80/tcp ALLOW IN Anywhere

443/tcp ALLOW IN Anywhere

22/tcp (v6) ALLOW IN Anywhere (v6)

80/tcp (v6) ALLOW IN Anywhere (v6)

443/tcp (v6) ALLOW IN Anywhere (v6)

Step 4: Close unnecessary ports (taking port 8080 as an example)

If the service on port 8080 is no longer needed, execute the command to close it:

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersDeny inbound on port 8080

sudo ufw deny 8080/tcp

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersView rules to confirm

sudo ufw status verbose

**

3. Pitfall Guide: 5 Common Firewall Configuration Issues for Beginners (with Solutions)

Many friends encounter issues like “service cannot connect” or “rules not taking effect” when configuring firewalls. In fact, these are all due to overlooked details, and avoiding them can save you 2 hours!

Pitfall 1: After opening the port, the service is still inaccessible

Reason: Either the port protocol is wrong (for example, using TCP but opening UDP), or the firewall rules have not been reloaded, or the server has multiple layers of protection (like the security group of a cloud server).

Solution Steps:

Confirm port protocol: For example, SSH uses TCP, DNS uses UDP, execute firewall-cmd –list-ports (firewalld) or ufw status (ufw) to check if the port is listed with the correct protocol;

Reload rules: for firewalld execute firewall-cmd –reload, for ufw execute sudo ufw reload;

Check cloud server security group: If it is an Alibaba Cloud/Tencent Cloud server, in addition to the Linux firewall, you also need to open the corresponding ports in the cloud console (like the “security group rules” in Alibaba Cloud).

Pitfall 2: Unable to connect to the server after enabling the firewall during remote management

Reason: SSH (port 22) was not opened before enabling the firewall, causing the firewall to deny SSH connections by default.

Solution Steps:

If you can still operate locally on the server (like in a virtual machine): directly execute firewall-cmd –add-port=22/tcp –permanent && firewall-cmd –reload (CentOS) or sudo ufw allow ssh (Ubuntu);

If you can only connect remotely (already disconnected): log in via the cloud server’s “VNC remote connection” (available in Alibaba Cloud/Tencent Cloud console), then open port 22.

Pitfall 3: firewalld rules permanently modified but become ineffective after restarting the server

Reason: Forgot to add the –permanent parameter, only temporary configurations were made (which become ineffective after restarting firewalld or the server).

Solution: When modifying rules, you must add the –permanent parameter, for example, firewall-cmd –add-port=80/tcp –permanent, then execute firewall-cmd –reload to take effect.

Pitfall 4: Unable to ping the server after enabling ufw

Reason: ufw denies ICMP protocol by default (ping relies on ICMP), resulting in inability to ping.

Solution: Allow ICMP protocol inbound, execute the command:

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersAllow ping on Ubuntu

sudo ufw allow in proto icmp from any to any icmp-type echo-request

Pitfall 5: Too many firewall rules, want to reset to default state

Reason: Rule configuration is chaotic, wanting to start over.

Solution:

firewalld: execute firewall-cmd –restore-defaults (restore default rules), then reconfigure;

ufw: execute sudo ufw reset (reset all rules), then re-enable and configure.

**

4. Advanced Practice: 2 Practical Firewall Rule Configurations (Common in Production Environments)

In addition to basic port openings, these advanced rules can make protection more precise, suitable for those with some foundation:

  1. Only allow specified IP to access SSH (to prevent brute force cracking)

If SSH is only needed for yourself or your company internally, limiting access to only specified IPs can greatly reduce the risk of brute force cracking:

firewalld configuration (CentOS):

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersFirst remove the default SSH allow rule (if any)

firewall-cmd –remove-service=ssh –permanent

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersAllow access to port 22 from 192.168.1.100 (your IP)

firewall-cmd –add-rich-rule=’rule family=”ipv4″ source address=”192.168.1.100/32″ port protocol=”tcp” port=”22″ accept’ –permanent

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersReload rules

firewall-cmd –reload

Note: /32 indicates a single IP, multiple IPs can be represented as 192.168.1.0/24 (indicating the range 192.168.1.1-255).

ufw configuration (Ubuntu):

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersFirst deny all SSH access

sudo ufw deny ssh

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersAllow access to SSH from 192.168.1.100

sudo ufw allow from 192.168.1.100 to any port 22 proto tcp

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersReload rules

sudo ufw reload

  1. Port forwarding (forward port 80 to port 8080)

If the web service runs on port 8080 and you want users to access it through the default port 80 (without entering the port number), you can configure port forwarding:

firewalld configuration (CentOS):

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEnable IP masquerading (needed for port forwarding)

firewall-cmd –add-masquerade –permanent

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersConfigure port 80 to forward to port 8080 (TCP protocol)

firewall-cmd –add-forward-port=port=80:proto=tcp:to-port=8080 –permanent

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersReload rules

firewall-cmd –reload

Test: Users accessing https://serverIP (default port 80) will be automatically forwarded to the service on port 8080.

**

5. Efficient Tools: Visual Firewall Management Tools (No Need to Remember Commands for Beginners)

If you find the command line cumbersome, these visual tools can help you configure the firewall with a “click of the mouse,” suitable for beginners:

  1. firewalld-config (CentOS)

The graphical tool that comes with CentOS, suitable for servers with a desktop environment:

Install the tool: yum install firewalld-config -y;

Open the tool: search for “Firewall” on the desktop, open “Firewall Configuration”;

Operation: Visually check ports, services, and rules, modify and click “Apply” to take effect, no need to remember commands.

  1. GUFW (Ubuntu)

The graphical ufw tool for Ubuntu, simple and easy to use:

Install the tool: sudo apt install gufw -y;

Open the tool: find “GUFW” in the application list, enter the password to open;

Operation: Add ports, IP restrictions in the “Rules” section, the interface is intuitive, and beginners can easily understand.

**

6. Interactive Session: Your Firewall Questions, I Will Answer!

If you still have questions after reading the article, feel free to leave a message in the comments:

What pitfalls have you encountered while configuring the Linux firewall?

What advanced firewall features would you like to learn about (like DDoS protection, log analysis)?

The first three friends to leave a message will receive a free PDF of the “Linux Firewall Security Configuration Manual” (including commonly used rule templates for production environments and troubleshooting tips, valued at 99 yuan)!

Additionally, I have compiled the commands from this article, download links for tools, and steps to avoid pitfalls into a “Linux Firewall Configuration Quick Reference Manual.” After following my public account and replying “Firewall Manual,” you can receive it, so you won’t have to flip through articles for configurations in the future!

In conclusion

The Linux firewall is not a tool that is “configured once and forgotten”; it needs to be dynamically adjusted according to service changes—such as opening corresponding ports for new services and closing ports for services that are no longer in use. Today’s content covers most daily scenarios from basic to advanced, and I recommend everyone practice in a test environment before applying it to production servers.

In the future, I will also share “Linux Server Log Analysis” and “Cloud Server Security Protection” and other valuable content. Follow me, and you won’t have to worry about environment deployment and security protection!~

If you find this article useful, don’t forget to like + view + share, so more friends in need can see it!

Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for BeginnersEssential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for Beginners

Leave a Comment