Firewall Configuration Cheat Sheet
Covers practical firewall rule syntax for iptables and cloud security groups, plus best practices for default-deny policies.
2 PagesIntermediateFeb 20, 2026
iptables Basics (Linux)
Common commands to view and set firewall rules.
bash
# List current rules with line numbersiptables -L -n -v --line-numbers# Allow SSH from a specific subnetiptables -A INPUT -p tcp -s 10.0.0.0/24 --dport 22 -j ACCEPT# Allow established/related connectionsiptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT# Default-deny policy on INPUT chainiptables -P INPUT DROP# Save rules (Debian/Ubuntu)netfilter-persistent save
UFW (Simplified Firewall)
Higher-level firewall management on Ubuntu/Debian systems.
bash
ufw default deny incomingufw default allow outgoingufw allow 22/tcp # SSHufw allow 443/tcp # HTTPSufw allow from 10.0.0.0/24 to any port 3306 # DB access from internal net onlyufw enableufw status verbose
Key Concepts
Terminology used when designing firewall policy.
- Default-deny- Block all traffic by default, explicitly allow only what's needed
- Stateful inspection- Tracks connection state so return traffic for allowed sessions is automatically permitted
- Ingress vs. egress- Inbound traffic to the host vs. outbound traffic leaving it — both should be filtered
- Security groups (cloud)- Stateful, instance-level virtual firewalls in AWS/Azure/GCP
- NACLs (AWS)- Stateless, subnet-level firewall rules evaluated in addition to security groups
Configuration Best Practices
Habits that keep firewall rulesets secure and maintainable.
- Least exposure- Only open ports actually required by the service
- Restrict by source- Scope management ports (SSH/RDP) to known IP ranges, never 0.0.0.0/0
- Log dropped traffic- Helps detect scanning and troubleshoot blocked legitimate traffic
- Document every rule- Include owner and purpose so rules can be safely retired later
- Regular audits- Periodically review rules to remove stale or overly permissive entries
Pro Tip
When testing new iptables rules remotely, always add a cron job like 'iptables-restore < /etc/iptables/rules.v4.bak' scheduled a few minutes out as a failsafe — a bad default-deny rule can lock you out instantly with no console access.
Was this cheat sheet helpful?
Explore Topics
#FirewallConfiguration#FirewallConfigurationCheatSheet#Cybersecurity#Intermediate#IptablesBasicsLinux#UFWSimplifiedFirewall#KeyConcepts#ConfigurationBestPractices#CloudComputing#Security#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance