VPS Firewall Setup: UFW and iptables Complete Guide
A firewall is the most fundamental security control for any internet-facing server. Without one, every port your server happens to have open is immediately accessible to any attacker on the planet. This guide covers both UFW (the beginner-friendly frontend) and raw iptables for more advanced scenarios.
Setting Up UFW: Quick and Reliable Protection
UFW (Uncomplicated Firewall) is the recommended starting point for most VPS administrators. It wraps iptables in a user-friendly interface without sacrificing flexibility. Install it if not present: `apt install ufw`. Before enabling UFW, configure your rules - enabling UFW without allowing SSH will lock you out immediately.
Set default policies first: `ufw default deny incoming && ufw default allow outgoing`. These two commands form the foundation of a secure posture - block everything inbound by default, allow all outbound. Then add explicit allows: `ufw allow ssh` (or `ufw allow 2222/tcp` if you changed the port), `ufw allow http`, `ufw allow https`. Only open ports for services you are actually running.
Enable UFW with `ufw enable` - you will be warned that this may disrupt SSH connections. If you have already allowed SSH, confirm. Check the rules with `ufw status numbered`. The numbered output lets you delete specific rules by number with `ufw delete 3`. To allow traffic from a specific IP only (useful for database ports): `ufw allow from 203.0.113.10 to any port 5432`. This whitelists PostgreSQL access only from your office IP.
Advanced iptables Rules for Fine-Grained Control
While UFW covers most use cases, iptables gives you precise control over every packet. The most important chains are INPUT (packets addressed to the server), OUTPUT (packets originating from the server) and FORWARD (routed traffic) in the filter table, plus PREROUTING and POSTROUTING in the nat table (used for NAT). For a typical VPS, you mostly work with INPUT and OUTPUT.
Create a hardened ruleset script at `/etc/iptables/setup.sh`. Start by flushing existing rules: `iptables -F && iptables -X`. Set default policies: `iptables -P INPUT DROP && iptables -P FORWARD DROP && iptables -P OUTPUT ACCEPT`. Allow loopback: `iptables -A INPUT -i lo -j ACCEPT`. Allow established connections: `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`. Then add specific service rules: `iptables -A INPUT -p tcp --dport 22 -j ACCEPT` for SSH, and so on.
Add rate limiting to protect against brute force and connection floods on open ports. For SSH, create a dedicated chain with `iptables -N SSH_LIMIT` and send port-22 traffic into it with `iptables -A INPUT -p tcp --dport 22 -j SSH_LIMIT` (this jump takes the place of the plain port-22 ACCEPT rule above; rules are matched in order, so if the ACCEPT rule stays in front of it the chain is never reached). Inside the chain: `iptables -A SSH_LIMIT -m recent --name SSH --set && iptables -A SSH_LIMIT -m recent --name SSH --update --seconds 60 --hitcount 10 -j DROP && iptables -A SSH_LIMIT -j ACCEPT`. The first rule records the source address, the second drops the packet once that address has been seen 10 times within 60 seconds, and the third accepts anything below the threshold. This allows 10 connection attempts per minute per source before dropping, which makes online dictionary attacks impractically slow.
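As an added example (not part of the original guide), the ruleset from this section, including the SSH_LIMIT chain, written as a shell function that emits it in iptables-save format; the SSH port, hit count and window are assumed parameters with the guide's values as defaults. Loading the resulting file with `iptables-restore` applies the DROP policies and the allow rules in one atomic commit, which removes the lockout window that exists when the commands above are typed one at a time over SSH.

```shell
#!/bin/sh
# Added example, not from the guide: emit the hardened ruleset described above
# in iptables-save format. Loading it with `iptables-restore < file` applies
# the DROP policy and the allow rules in one atomic commit, so there is no
# window in which INPUT is DROP but SSH is not yet allowed.
# The parameters (SSH port, hit count, window) are assumed; defaults match the
# guide's values.

gen_rules() {
    ssh_port="${1:-22}"   # SSH port to protect
    hits="${2:-10}"       # attempts allowed per window, per source address
    window="${3:-60}"     # window length in seconds
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_LIMIT - [0:0]
# loopback and packets of already-tracked connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# only NEW SSH connections pass through the rate-limit chain
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j SSH_LIMIT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# record the source; drop once it was seen ${hits} times in ${window}s
-A SSH_LIMIT -m recent --name SSH --set
-A SSH_LIMIT -m recent --name SSH --update --seconds ${window} --hitcount ${hits} -j DROP
-A SSH_LIMIT -j ACCEPT
COMMIT
EOF
}

# Syntax-check the ruleset without applying it when running as root with
# iptables available; otherwise just print it (e.g. to redirect into
# /etc/iptables/rules.v4 for review before loading).
check_rules() {
    if [ "$(id -u)" = 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        gen_rules "$@" | iptables-restore --test
    else
        gen_rules "$@"
    fi
}
```

Comment lines inside the heredoc are kept in the output on purpose: iptables-restore skips lines beginning with `#`, so the file stays annotated.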
Persisting Rules and IPv6 Considerations
iptables rules are lost on reboot unless persisted. On Debian/Ubuntu, install `iptables-persistent`: `apt install iptables-persistent`. During installation it will ask to save current rules. Later, save with `netfilter-persistent save`. Rules are stored in `/etc/iptables/rules.v4` and `/etc/iptables/rules.v6`. On RHEL-based systems use `service iptables save` or install `iptables-services`.
UFW rules persist automatically across reboots without extra configuration. To view the underlying iptables rules that UFW generates, run `iptables -L -v -n --line-numbers`. This is useful for debugging unexpected behavior and for understanding what UFW is actually doing under the hood. You can mix UFW and custom iptables rules by adding them to `/etc/ufw/before.rules` (processed before UFW's auto-generated rules).
IPv6 is frequently overlooked. If your VPS has an IPv6 address (most do), apply equivalent rules via `ip6tables`. UFW handles both automatically when IPv6 is enabled in `/etc/ufw/ufw.conf` (set `IPV6=yes`). If using raw iptables, create a parallel `/etc/iptables/rules.v6` file. Leaving IPv6 unfiltered while IPv4 is locked down creates a bypass that sophisticated attackers specifically look for.