Essential Guide to Deploying Linux Firewall: From Basic Protection to Advanced Rules, Easy for Beginners
**
Hello everyone! Previously, when sharing about Linux SSH remote management, some friends in the background commented: “Remote connection is convenient, but the server is exposed to the network, and I am always worried about being attacked. How can I ensure proper protection?”
In fact, the Linux firewall is the server’s “first line of defense”—it acts like a “gatekeeper,” controlling which traffic can enter and which can exit, blocking malicious attacks while ensuring normal service operation. However, many beginners both love and fear firewalls: they fear that complex configurations will crash the service, and they fear that not configuring will leave security vulnerabilities. This article will help you completely master it: from “understanding firewalls” to “basic configurations,” and then to “advanced rule practices,” each step includes operation screenshots and commands, so you can install a “protective shield” for your server after reading!
1. First, understand: Why can’t we skip the Linux firewall?
Before starting operations, let’s clarify the core functions of the firewall to help you understand “why it must be configured”:
Resist malicious attacks: It can intercept common risks such as port scanning, brute force cracking (like SSH password cracking), DDoS attacks, etc., reducing the probability of server intrusion;
Control network access: Only open necessary ports (like Web service ports 80/443, SSH port 22), close all other ports to avoid risks from “useless port exposure”;
Adapt to production environment requirements: For enterprise-level server deployments, a firewall is a “standard configuration”; without reasonable firewall rules, it may even fail security compliance checks.
👉 Tip: There are two commonly used firewall tools in mainstream Linux systems—firewalld (default in CentOS 7+) and ufw (default in Ubuntu). Today, we will explain both, so users of the corresponding systems can follow along!
2. Basic Practice: Configuration of Two Mainstream Firewall Tools (with Comparison)
First, let’s compare the core differences between firewalld and ufw to help you quickly find the tool that suits you, and then demonstrate basic operations step by step, so beginners can follow along!
- firewalld vs ufw: How to choose?
Tool Name
Default System
Advantages
Disadvantages
Recommended Users
firewalld
CentOS 7+/RHEL
Supports dynamic rules (no need to restart to take effect), zone management (public/work/home)
Commands are slightly complex, beginners need to remember parameters
CentOS users, scenarios requiring dynamic rule adjustments
ufw
Ubuntu/Debian
Simple commands (e.g., “allow port 80” only requires 1 command), quick to get started
Does not support dynamic rules (modifications require a restart)
Ubuntu users, beginners, simple protection scenarios
👉 Beginner friendliness: ufw > firewalld (ufw commands are simpler, suitable for beginners; firewalld has stronger functionality, suitable for complex scenarios)
**
- Essential for CentOS Users: Basic Configuration of firewalld (5 Steps to Complete)
Taking CentOS 7 as an example, firewalld is the default firewall tool. Let’s start with basic operations such as “checking status,” “opening ports,” and “applying rules”:
Step 1: Check firewalld status
First, confirm whether the firewall is started by executing the command:

Check firewalld status
systemctl status firewalld
If it shows “active (running),” it means it is started;
If it shows “inactive (dead),” execute the command to start it: systemctl start firewalld, and set it to start on boot: systemctl enable firewalld.
Step 2: Check current firewall rules
Understand existing rules to avoid duplicate configurations or conflicts, execute the command:

View open ports and services
firewall-cmd –list-all
The output is similar to:
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Among them, “services: ssh dhcpv6-client” indicates that SSH (port 22) and DHCPv6 client services are open by default.
Step 3: Open common ports (taking Web service port 80 as an example)
If you have deployed Nginx/Apache Web services, you need to open port 80 (HTTP) and port 443 (HTTPS), execute the command:

Temporarily open port 80 (will be invalid after restarting firewalld)
firewall-cmd –add-port=80/tcp

Open port 80 permanently (will remain effective after restart)
firewall-cmd –add-port=80/tcp –permanent

Open port 443 permanently
firewall-cmd –add-port=443/tcp –permanent
Tip: The port type must correspond to the protocol, for example, fill in “80/tcp” for TCP protocol, “53/udp” for UDP protocol (commonly used for DNS services).
Step 4: Reload rules (to make the configuration effective)
After permanently modifying the rules, you need to reload to make them effective, execute the command:

Reload firewalld rules
firewall-cmd –reload
After successful loading, execute firewall-cmd –list-all again, and you will see “ports: 80/tcp 443/tcp,” indicating that the ports are open.
Step 5: Close unnecessary ports (taking port 3306 as an example)
If the MySQL service is only used internally on the server and does not need to be exposed externally, close port 3306, execute the command:

Temporarily close port 3306
firewall-cmd –remove-port=3306/tcp

Close port 3306 permanently
firewall-cmd –remove-port=3306/tcp –permanent

Reload rules
firewall-cmd –reload
**
- Essential for Ubuntu Users: Basic Configuration of ufw (4 Steps to Complete)
Ubuntu uses ufw by default, with simpler commands, suitable for beginners. Taking Ubuntu 20.04 as an example:
Step 1: Enable ufw and set it to start on boot
Ubuntu disables ufw by default, first execute the command to enable it:

Enable ufw
sudo ufw enable

Check ufw status (confirm if it is started)
sudo ufw status
The output “Status: active” indicates it is started, and the default rule is “deny all incoming traffic, allow all outgoing traffic” (the safest default configuration).
Step 2: Open common ports (taking SSH port 22 as an example)
After enabling ufw, it will deny SSH connections by default (if it is a remote management server, first open port 22 to avoid being unable to reconnect after disconnection):

Allow SSH (port 22) inbound
sudo ufw allow ssh

Allow Web service port 80 inbound
sudo ufw allow 80/tcp

Allow Web service port 443 inbound
sudo ufw allow 443/tcp
Tip: ufw supports “service names” instead of ports, for example, “allow ssh” is equivalent to “allow 22/tcp,” which is easier to remember.
Step 3: View configured rules
Execute the command to view current rules and confirm whether the ports are open:

View detailed rules
sudo ufw status verbose
The output is similar to:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
22/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
Step 4: Close unnecessary ports (taking port 8080 as an example)
If the service on port 8080 is no longer needed, execute the command to close it:

Deny inbound on port 8080
sudo ufw deny 8080/tcp

View rules to confirm
sudo ufw status verbose
**
3. Pitfall Guide: 5 Common Firewall Configuration Issues for Beginners (with Solutions)
Many friends encounter issues like “service cannot connect” or “rules not taking effect” when configuring firewalls. In fact, these are all due to overlooked details, and avoiding them can save you 2 hours!
Pitfall 1: After opening the port, the service is still inaccessible
Reason: Either the port protocol is wrong (for example, using TCP but opening UDP), or the firewall rules have not been reloaded, or the server has multiple layers of protection (like the security group of a cloud server).
Solution Steps:
Confirm port protocol: For example, SSH uses TCP, DNS uses UDP, execute firewall-cmd –list-ports (firewalld) or ufw status (ufw) to check if the port is listed with the correct protocol;
Reload rules: for firewalld execute firewall-cmd –reload, for ufw execute sudo ufw reload;
Check cloud server security group: If it is an Alibaba Cloud/Tencent Cloud server, in addition to the Linux firewall, you also need to open the corresponding ports in the cloud console (like the “security group rules” in Alibaba Cloud).
Pitfall 2: Unable to connect to the server after enabling the firewall during remote management
Reason: SSH (port 22) was not opened before enabling the firewall, causing the firewall to deny SSH connections by default.
Solution Steps:
If you can still operate locally on the server (like in a virtual machine): directly execute firewall-cmd –add-port=22/tcp –permanent && firewall-cmd –reload (CentOS) or sudo ufw allow ssh (Ubuntu);
If you can only connect remotely (already disconnected): log in via the cloud server’s “VNC remote connection” (available in Alibaba Cloud/Tencent Cloud console), then open port 22.
Pitfall 3: firewalld rules permanently modified but become ineffective after restarting the server
Reason: Forgot to add the –permanent parameter, only temporary configurations were made (which become ineffective after restarting firewalld or the server).
Solution: When modifying rules, you must add the –permanent parameter, for example, firewall-cmd –add-port=80/tcp –permanent, then execute firewall-cmd –reload to take effect.
Pitfall 4: Unable to ping the server after enabling ufw
Reason: ufw denies ICMP protocol by default (ping relies on ICMP), resulting in inability to ping.
Solution: Allow ICMP protocol inbound, execute the command:

Allow ping on Ubuntu
sudo ufw allow in proto icmp from any to any icmp-type echo-request
Pitfall 5: Too many firewall rules, want to reset to default state
Reason: Rule configuration is chaotic, wanting to start over.
Solution:
firewalld: execute firewall-cmd –restore-defaults (restore default rules), then reconfigure;
ufw: execute sudo ufw reset (reset all rules), then re-enable and configure.
**
4. Advanced Practice: 2 Practical Firewall Rule Configurations (Common in Production Environments)
In addition to basic port openings, these advanced rules can make protection more precise, suitable for those with some foundation:
- Only allow specified IP to access SSH (to prevent brute force cracking)
If SSH is only needed for yourself or your company internally, limiting access to only specified IPs can greatly reduce the risk of brute force cracking:
firewalld configuration (CentOS):

First remove the default SSH allow rule (if any)
firewall-cmd –remove-service=ssh –permanent

Allow access to port 22 from 192.168.1.100 (your IP)
firewall-cmd –add-rich-rule=’rule family=”ipv4″ source address=”192.168.1.100/32″ port protocol=”tcp” port=”22″ accept’ –permanent

Reload rules
firewall-cmd –reload
Note: /32 indicates a single IP, multiple IPs can be represented as 192.168.1.0/24 (indicating the range 192.168.1.1-255).
ufw configuration (Ubuntu):

First deny all SSH access
sudo ufw deny ssh

Allow access to SSH from 192.168.1.100
sudo ufw allow from 192.168.1.100 to any port 22 proto tcp

Reload rules
sudo ufw reload
- Port forwarding (forward port 80 to port 8080)
If the web service runs on port 8080 and you want users to access it through the default port 80 (without entering the port number), you can configure port forwarding:
firewalld configuration (CentOS):

Enable IP masquerading (needed for port forwarding)
firewall-cmd –add-masquerade –permanent

Configure port 80 to forward to port 8080 (TCP protocol)
firewall-cmd –add-forward-port=port=80:proto=tcp:to-port=8080 –permanent

Reload rules
firewall-cmd –reload
Test: Users accessing https://serverIP (default port 80) will be automatically forwarded to the service on port 8080.
**
5. Efficient Tools: Visual Firewall Management Tools (No Need to Remember Commands for Beginners)
If you find the command line cumbersome, these visual tools can help you configure the firewall with a “click of the mouse,” suitable for beginners:
- firewalld-config (CentOS)
The graphical tool that comes with CentOS, suitable for servers with a desktop environment:
Install the tool: yum install firewalld-config -y;
Open the tool: search for “Firewall” on the desktop, open “Firewall Configuration”;
Operation: Visually check ports, services, and rules, modify and click “Apply” to take effect, no need to remember commands.
- GUFW (Ubuntu)
The graphical ufw tool for Ubuntu, simple and easy to use:
Install the tool: sudo apt install gufw -y;
Open the tool: find “GUFW” in the application list, enter the password to open;
Operation: Add ports, IP restrictions in the “Rules” section, the interface is intuitive, and beginners can easily understand.
**
6. Interactive Session: Your Firewall Questions, I Will Answer!
If you still have questions after reading the article, feel free to leave a message in the comments:
What pitfalls have you encountered while configuring the Linux firewall?
What advanced firewall features would you like to learn about (like DDoS protection, log analysis)?
The first three friends to leave a message will receive a free PDF of the “Linux Firewall Security Configuration Manual” (including commonly used rule templates for production environments and troubleshooting tips, valued at 99 yuan)!
Additionally, I have compiled the commands from this article, download links for tools, and steps to avoid pitfalls into a “Linux Firewall Configuration Quick Reference Manual.” After following my public account and replying “Firewall Manual,” you can receive it, so you won’t have to flip through articles for configurations in the future!
In conclusion
The Linux firewall is not a tool that is “configured once and forgotten”; it needs to be dynamically adjusted according to service changes—such as opening corresponding ports for new services and closing ports for services that are no longer in use. Today’s content covers most daily scenarios from basic to advanced, and I recommend everyone practice in a test environment before applying it to production servers.
In the future, I will also share “Linux Server Log Analysis” and “Cloud Server Security Protection” and other valuable content. Follow me, and you won’t have to worry about environment deployment and security protection!~
If you find this article useful, don’t forget to like + view + share, so more friends in need can see it!

