A firewall is one of the most important security components of a dedicated server. It controls incoming and outgoing traffic, allowing or blocking access to services based on predefined rules. A properly configured host firewall reduces the server's attack surface: it keeps unauthorized clients away from services that were never meant to be public, blunts port scans and brute-force attempts, and limits what a compromised process can reach. It does not by itself absorb a volumetric DDoS attack, which saturates the uplink before packets ever reach the packet filter; that needs upstream or provider-side mitigation.
🔧 What to Know Before Configuring
- Which services are running on the server (SSH, HTTP, HTTPS, FTP, mail, etc.)
- Which ports these services use, and on which addresses they listen (a service bound to 127.0.0.1 only is not reachable from outside and needs no rule)
- Which port SSH actually listens on: rules that open the `ssh` service by name (ufw, firewalld) open 22/tcp only, so a custom port must be added explicitly
- From where access should be allowed (all IPs, office only, VPN, etc.)
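To answer the first two questions above on a live server rather than from memory, here is an added example (not part of the original article) that reads the output of `ss -Hltn` and reports every externally reachable listening TCP port that is not on the allow-list you plan to open. The `ss` output embedded in it is constructed for the demo, not captured from a real host; the function and variable names are the example's own.

```shell
#!/bin/sh
# audit_listeners "PORT PORT ...": compare the TCP ports a server really
# listens on with the allow-list you intend to open, and report the rest.
#
# Reads `ss -Hltn` output on stdin (one LISTEN socket per line, no header),
# so it works live (`ss -Hltn | audit_listeners "22 80 443"`) or against a
# saved sample. Prints one line per externally reachable port that is not
# in the allow-list and returns 1 if any were found, 0 otherwise.
audit_listeners() {
    allowed=" $1 "      # padded with spaces so "22" cannot match "2222"
    status=0
    seen=""
    while read -r state recvq sendq laddr peer rest; do
        [ -z "$laddr" ] && continue
        # Local address looks like 0.0.0.0:22, [::]:22 or 127.0.0.1:3306;
        # the port is everything after the last colon.
        port=${laddr##*:}
        host=${laddr%:*}
        # Loopback-only listeners are not reachable from outside; skip them.
        case "$host" in
            127.*|'[::1]') continue ;;
        esac
        # Report each port once even if it listens on both IPv4 and IPv6.
        case " $seen " in *" $port "*) continue ;; esac
        seen="$seen $port"
        case "$allowed" in
            *" $port "*) ;;   # expected, nothing to say
            *)  echo "unexpected listener: port $port ($laddr) -> $rest"
                status=1 ;;
        esac
    done
    return $status
}

# Constructed sample in the shape of `ss -Hltn` output (not from a real host):
# sshd on 22 (v4+v6), nginx on 80/443, MariaDB exposed on 3306, Redis on loopback.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=901,fd=6))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=901,fd=7))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:* users:(("mariadbd",pid=950,fd=20))
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=977,fd=6))'

# Number of unexpected public listeners in the sample for a given allow-list.
count_unexpected() {
    printf '%s\n' "$SAMPLE" | audit_listeners "$1" | wc -l | tr -d ' '
}

# Run with --demo to see the report for the sample: only 3306 is flagged.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | audit_listeners "22 80 443"
fi
```

Repeat the check with `ss -Hlun` for UDP listeners (DNS, NTP, WireGuard) before writing rules; anything the audit flags should either get an explicit rule, be bound to 127.0.0.1, or be stopped.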
🛡️ Main Types of Firewalls
- iptables / nftables – the kernel packet-filter interfaces in Linux; every tool below ultimately programs one of these
- firewalld – the default management layer on CentOS, AlmaLinux, Rocky (and Fedora/RHEL), built around zones and named services
- ufw (Uncomplicated Firewall) – simple front end for iptables/nftables, the default on Ubuntu and available on Debian
- CSF (ConfigServer Security & Firewall) – add-on firewall popular on cPanel/Plesk servers, with its own login-failure daemon (lfd)
- Panel interfaces – Plesk, cPanel, HestiaCP often include a graphical firewall management tool

Use exactly one of these managers per server. Two of them (for example ufw plus firewalld, or CSF plus firewalld) fight over the same rule tables, and the result is rarely the policy either one shows you.
⚙️ Basic Firewall Configuration
1. UFW (Ubuntu / Debian)
```bash
sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow access to core services
# ("ssh" resolves to 22/tcp via /etc/services; if sshd listens on another
#  port, use e.g. `sudo ufw allow 2222/tcp` instead, BEFORE enabling)
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
# Enable firewall (ufw warns that this may disrupt existing SSH connections)
sudo ufw enable
# Check status, including default policies
sudo ufw status verbose
```
2. firewalld (AlmaLinux, Rocky, CentOS)
```bash
sudo systemctl enable --now firewalld
# Check zones (the interface is normally in the "public" zone,
# which already allows the ssh and dhcpv6-client services)
sudo firewall-cmd --get-active-zones
# Add rules (--permanent writes the config; it is not live until reload)
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
# A service name means its predefined port(s); for a custom SSH port use:
# sudo firewall-cmd --permanent --add-port=2222/tcp
# Apply changes
sudo firewall-cmd --reload
# Check active rules of the default zone
sudo firewall-cmd --list-all
```
3. iptables (Universal Option)
```bash
# Allow loopback and established connections FIRST, so the SSH session you
# are typing in survives when the DROP policy is set below
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p icmp -j ACCEPT                # ping, path-MTU discovery
# Allow access to ports
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT      # SSH
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT      # HTTP
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT     # HTTPS
# Default policies, set last
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
# Save rules. The redirect must run as root (a plain `sudo cmd > file` opens
# the file as your user). On Debian/Ubuntu this path is restored at boot by
# the iptables-persistent package; IPv6 is a separate table, so repeat the
# rules with ip6tables and save them to rules.v6.
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
```
⚠️ Important: once a firewall is enabled with a default-deny inbound policy (ufw `default deny incoming`, an iptables `INPUT DROP` policy, or a firewalld zone without the `ssh` service), every connection not explicitly allowed is dropped, including your own SSH session. Add the SSH rule for the port sshd actually uses, plus the established/related rule, before the policy takes effect, keep a second SSH session open while you test, and know how to reach the provider's console or KVM as a fallback.
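The following is an added example, not code from the original article, that turns the iptables steps above into a lockout-resistant procedure: it generates the whole ruleset in `iptables-restore` format (loopback, established/related and SSH accepted before the DROP policy applies, SSH limited to a trusted network), validates it with `iptables-restore --test`, loads it atomically, and reverts to the previous ruleset automatically unless the operator confirms within a grace period. The function names, the 203.0.113.0/24 documentation network standing in for an office or VPN range, and the `/etc/iptables/rules.v4` save path are the example's own assumptions; `apply_with_rollback` needs root, while `build_rules` runs anywhere.

```shell
#!/bin/sh
# build_rules SSH_PORT TRUSTED_CIDR [PUBLIC_TCP_PORTS]
#   Emits a complete IPv4 ruleset in iptables-restore format: SSH reachable
#   only from TRUSTED_CIDR (0.0.0.0/0 = anywhere), the public TCP ports open
#   to everyone, everything else inbound dropped. Loopback, established/
#   related and ICMP are accepted by rules that precede the DROP policy, so
#   loading this file never kills the session that loads it.
build_rules() {
    ssh_port=$1
    trusted=$2
    public=${3:-"80 443"}
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp -j ACCEPT' \
        "-A INPUT -p tcp --dport $ssh_port -s $trusted -m conntrack --ctstate NEW -j ACCEPT"
    for p in $public; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# apply_with_rollback RULES_FILE [SECONDS]   (root required)
#   Saves the live ruleset, syntax-checks RULES_FILE, loads it atomically,
#   then waits for the operator to press Enter. If nobody confirms within
#   SECONDS (default 60), typically because the new rules cut the session off,
#   the saved ruleset is restored by the background timer.
apply_with_rollback() {
    rules=$1
    grace=${2:-60}
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    # --test parses and builds the ruleset without committing it to the kernel
    iptables-restore --test "$rules" || { echo "ruleset rejected" >&2; return 1; }
    ( sleep "$grace" && iptables-restore "$backup" && echo "rolled back" >&2 ) &
    timer=$!
    iptables-restore "$rules"
    printf 'Rules applied. Press Enter within %ss to keep them: ' "$grace"
    if read -r _; then
        kill "$timer" 2>/dev/null
        # Persist for reboot; path used by Debian/Ubuntu iptables-persistent
        # (assumed location, adjust for your distribution)
        iptables-save > /etc/iptables/rules.v4
        echo "kept"
    fi
}

# Demo: print the ruleset that would be applied for SSH from 203.0.113.0/24
# (a documentation range used here as the stand-in for an office/VPN network).
[ "${1:-}" = "--demo" ] && build_rules 22 203.0.113.0/24 "80 443"
```

Typical use on the server: `build_rules 22 203.0.113.0/24 > /tmp/rules.v4 && apply_with_rollback /tmp/rules.v4 60`. If the SSH session freezes after "Rules applied", wait out the grace period, reconnect, and fix the trusted network or SSH port. The ruleset is IPv4 only; an `ip6tables-restore` file for IPv6 needs the same structure with `-p ipv6-icmp` in place of `-p icmp`.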
🔐 Recommended Ports to Open
| Service | Protocol | Port(s) | Notes |
|---|---|---|---|
| SSH | TCP | 22 | Or the custom port sshd is configured on; restrict to known source IPs where possible |
| HTTP | TCP | 80 | |
| HTTPS | TCP | 443 | |
| Plesk | TCP | 8443 | Admin panel over HTTPS; restrict by source IP |
| cPanel | TCP | 2083 | cPanel over HTTPS; WHM uses 2087 |
| FTP | TCP | 21 | Control channel only; passive mode also needs the passive data port range configured in the FTP server opened |
| SMTP | TCP | 25 / 587 / 465 | 25 for inbound mail delivery (MX), 587 and 465 for authenticated submission |
| IMAP/POP3 | TCP | 143 / 993 / 110 / 995 | 143/110 plaintext with STARTTLS, 993/995 TLS |
Best practice: open only the ports of services that are actually installed and running (no FTP or mail rules on a web-only server), restrict administrative ports (SSH, Plesk, cPanel/WHM) to known source IP ranges or a VPN, and leave only genuinely public services (80/443, inbound mail on 25) open to everyone. Re-run an inventory of listening ports after every software change and compare it against this list.