Introduction

A properly configured firewall is essential. This guide covers UFW for beginners and iptables for advanced setups on your Hostxpeed VPS.

1. Basic UFW Setup

Run sudo ufw default deny incoming and sudo ufw default allow outgoing, then allow SSH, HTTP and HTTPS.

2. Enabling UFW

sudo ufw enable. Check status with sudo ufw status verbose.

3. Advanced UFW Rules

Allow from specific IP: sudo ufw allow from 203.0.113.0/24 to any port 22.

4. UFW Rate Limiting

sudo ufw limit ssh/tcp allows SSH but temporarily blocks any source that makes excessive connection attempts.

5. Application Profiles

List the available profiles with sudo ufw app list, then enable one, e.g. sudo ufw allow 'Nginx Full'.

6. Transition to iptables

For fine-grained control, use raw iptables. Example: iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT.

7. iptables Rate Limiting

iptables -A INPUT -p tcp --dport 22 -m limit --limit 5/min -j ACCEPT.

8. Port Knocking with iptables

Use the recent module to open SSH only after a client has hit a secret port sequence.

9. Blocking Invalid Packets

iptables -A INPUT -m state --state INVALID -j DROP.

10. Allowing Private Networks

iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT allows traffic from Hostxpeed private networking.

11. Logging Dropped Packets

iptables -A INPUT -j LOG --log-prefix "DROP: " logs every packet that reaches it, so append it as the last rule in the chain, just before the default policy drops the traffic.

12. firewalld for RHEL

For Rocky/AlmaLinux: sudo firewall-cmd --permanent --add-service=http etc.

13. Testing Your Firewall

Use nmap from another VPS to verify only expected ports are open.

14. Automating Updates

Use ipset with a script that imports dynamic threat feeds and blocks the listed addresses.

15. IPv6 Considerations

Configure ip6tables similarly. Disable IPv6 if not needed.

16. Regular Audits

Review iptables -L -n -v monthly. Remove stale rules.

17. Backup Firewall Rules

sudo iptables-save > /etc/iptables/rules.v4.

18. Combine with Fail2ban

Fail2ban dynamically adds iptables rules to block offenders.

19. Hostxpeed Network Firewall

Use Hostxpeed's optional external firewall for DDoS mitigation at the edge.

20. Default Deny Policy

Always set default policies to DROP for INPUT and FORWARD chains.
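As an added example that is not part of the Hostxpeed guide, the script below renders the pieces from sections 3, 7, 9, 10, 11 and 20 as a single iptables-restore file in a safe order (established traffic first, the LOG rule last, DROP policies) and refuses to print a ruleset that fails that order check. The SSH port, admin range, private network and output file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the Hostxpeed guide: render the guide's iptables
# rules as one iptables-restore file in a safe order, then sanity-check it.
# Placeholders (assumptions): SSH port 22, admin range 203.0.113.0/24 from
# section 3, private network 10.0.0.0/8 from section 10.
render_rules() {
  ssh_port="${1:-22}"; admin_cidr="${2:-203.0.113.0/24}"; private_net="${3:-10.0.0.0/8}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to our own connections come first (the guide's state
# rule, written with the conntrack match, the modern equivalent of -m state).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Section 9: drop what conntrack cannot classify
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Section 10: trust the provider private network
-A INPUT -s ${private_net} -j ACCEPT
# Sections 3 and 7: new SSH connections only from the admin range, rate-limited;
# anything over the limit falls through to the LOG rule and the DROP policy
-A INPUT -p tcp --dport ${ssh_port} -s ${admin_cidr} -m conntrack --ctstate NEW -m limit --limit 5/min --limit-burst 10 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Section 11: log what is about to hit the DROP policy, rate-limited so the
# kernel log cannot be flooded; this must stay the LAST rule in INPUT
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "DROP: " --log-level 4
COMMIT
EOF
}

# Sanity check on stdin: INPUT policy is DROP and the LOG rule is the final
# INPUT rule (a LOG rule placed earlier would log traffic accepted later).
check_rules() {
  awk '/^:INPUT DROP/ { drop = 1 }
       /^-A INPUT/    { last = $0 }
       END { if (drop && last ~ /-j LOG/) exit 0; exit 1 }'
}

# Usage: sh build_rules.sh [ssh_port] [admin_cidr] [private_net] > rules.v4
# then review the file and apply it with: sudo iptables-restore < rules.v4
render_rules "$@" | check_rules && render_rules "$@"
```

The generated file is meant to be reviewed before loading; the rate limit on the LOG rule is what keeps a scan from filling the kernel log.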

Conclusion

Start with UFW; move to iptables when you need advanced features. Test every change.