How to configure a firewall with ufw or nftables

Topic: Servers / Linux

Summary

Enable and configure a host firewall with ufw (Ubuntu/Debian) or nftables (RHEL and other modern distributions): allow SSH first, then HTTP/HTTPS or application ports; deny everything else by default. Verify with ufw status or nft list ruleset so the server is protected and still reachable.

Intent: How-to

Quick answer

  • ufw: allow 22/tcp first (SSH), then allow 80 and 443; ufw enable; ufw status. Make sure you do not lock yourself out (allow SSH before enabling).
  • nftables: create a table and an input chain; add rules accepting tcp port 22 and established/related connections; set the chain policy to drop; run nft list ruleset to verify.
  • If locked out: use the provider console to disable the firewall (ufw disable) or flush the nft ruleset; then re-add the SSH rule and re-enable carefully.

Steps

  1. Allow SSH before enabling

    ufw allow 22/tcp (or your SSH port); or, with nft, add an accept rule for port 22. Confirm from a second session that SSH still works before enabling the firewall.

  2. Enable ufw

    ufw allow 22/tcp; ufw allow 80/tcp; ufw allow 443/tcp; ufw default deny incoming; ufw default allow outgoing; ufw enable; ufw status verbose.

  3. Or configure nftables

    Create table inet filter; chain input policy drop; add rules: ct state established,related accept; tcp dport 22 accept; tcp dport 80,443 accept; load and enable nftables.

  4. Verify and document

    Test SSH and HTTP from outside; list rules (ufw status or nft list ruleset); document allowed ports and source IPs if restricted.

Summary

You will set up a host firewall with ufw or nftables, allow SSH and required services first, then enable a default-deny policy. Use this to limit exposure and reduce brute-force and unintended access.

Prerequisites

  • Root or sudo; console or second SSH session so you can fix rules if locked out.
  • List of ports and (if any) source IPs to allow.

Steps

Step 1: Allow SSH before enabling

sudo ufw allow 22/tcp
# or, with nft (after creating the table and chain as in Step 3):
# sudo nft add rule inet filter input tcp dport 22 accept

Open a new SSH session and confirm it works before enabling the firewall.

Step 2: Enable ufw

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
sudo ufw status verbose

Step 3: Or configure nftables

sudo nft add table inet filter
# create the base chain with policy accept first: a chain created with policy drop and no rules
# drops the packets of the SSH session you are working from
sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'
sudo nft add rule inet filter input ct state established,related accept
sudo nft add rule inet filter input tcp dport 22 accept
sudo nft add rule inet filter input 'tcp dport { 80, 443 } accept'
# only now switch the default policy to drop
sudo nft add chain inet filter input '{ policy drop; }'

Persist the rules to a file and load them at boot (e.g. write them to /etc/nftables.conf and enable the nftables systemd service).
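As an added example (not part of the original how-to), the following POSIX shell script generates the whole ruleset from Steps 1 and 3 as a single file and loads it atomically with nft -f, so the accept rules and the drop policy take effect in one transaction and a live SSH session is never cut off. The output path, the SSH port and the nftables systemd unit name are assumptions; it also adds the loopback, invalid-state and ICMP rules a host firewall normally needs.

```shell
#!/bin/sh
# Added example: build /etc/nftables.conf and load it in one transaction.
# Assumptions: SSH on 22/tcp (overridable), web on 80/443, nftables.service
# reads /etc/nftables.conf (Debian/Ubuntu; RHEL uses /etc/sysconfig/nftables.conf).

# write_ruleset FILE [SSH_PORT] - write the complete ruleset to FILE.
write_ruleset() {
    file="$1"
    ssh_port="${2:-22}"
    cat > "$file" <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport ${ssh_port} accept
        tcp dport { 80, 443 } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# apply_ruleset FILE - syntax-check, then replace the live ruleset atomically
# and make the unit load the file at boot.
apply_ruleset() {
    file="$1"
    nft -c -f "$file" || return 1     # dry run: parse only, change nothing
    nft -f "$file" || return 1        # 'flush ruleset' + new rules in one transaction
    systemctl enable --now nftables   # assumed unit name; see note above
}

# Usage (as root): write_ruleset /etc/nftables.conf 22 && apply_ruleset /etc/nftables.conf
```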

Step 4: Verify and document

  • Confirm SSH and HTTP/HTTPS work from an external client; list the active rules (ufw status verbose or nft list ruleset); note any source-IP restrictions.

Verification

  • Firewall is active; only allowed ports are open; SSH and app ports work; default deny is in place.

Troubleshooting

Locked out — Use provider console; ufw disable or nft flush ruleset; add SSH rule and re-enable; test in new session first.

Service unreachable — Allow the port (and protocol) the service uses; check both incoming and, if needed, outgoing or forward rules.
