100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

Firewall Configuration Cheat Sheet

Firewall Configuration Cheat Sheet

Covers practical firewall rule syntax for iptables and cloud security groups, plus best practices for default-deny policies.

2 PagesIntermediateFeb 20, 2026

iptables Basics (Linux)

Common commands to view and set firewall rules.

bash
# List current rules with line numbersiptables -L -n -v --line-numbers# Allow SSH from a specific subnetiptables -A INPUT -p tcp -s 10.0.0.0/24 --dport 22 -j ACCEPT# Allow established/related connectionsiptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT# Default-deny policy on INPUT chainiptables -P INPUT DROP# Save rules (Debian/Ubuntu)netfilter-persistent save

UFW (Simplified Firewall)

Higher-level firewall management on Ubuntu/Debian systems.

bash
ufw default deny incomingufw default allow outgoingufw allow 22/tcp        # SSHufw allow 443/tcp       # HTTPSufw allow from 10.0.0.0/24 to any port 3306  # DB access from internal net onlyufw enableufw status verbose

Key Concepts

Terminology used when designing firewall policy.

  • Default-deny- Block all traffic by default, explicitly allow only what's needed
  • Stateful inspection- Tracks connection state so return traffic for allowed sessions is automatically permitted
  • Ingress vs. egress- Inbound traffic to the host vs. outbound traffic leaving it — both should be filtered
  • Security groups (cloud)- Stateful, instance-level virtual firewalls in AWS/Azure/GCP
  • NACLs (AWS)- Stateless, subnet-level firewall rules evaluated in addition to security groups

Configuration Best Practices

Habits that keep firewall rulesets secure and maintainable.

  • Least exposure- Only open ports actually required by the service
  • Restrict by source- Scope management ports (SSH/RDP) to known IP ranges, never 0.0.0.0/0
  • Log dropped traffic- Helps detect scanning and troubleshoot blocked legitimate traffic
  • Document every rule- Include owner and purpose so rules can be safely retired later
  • Regular audits- Periodically review rules to remove stale or overly permissive entries
Pro Tip

When testing new iptables rules remotely, always add a cron job like 'iptables-restore < /etc/iptables/rules.v4.bak' scheduled a few minutes out as a failsafe — a bad default-deny rule can lock you out instantly with no console access.

Was this cheat sheet helpful?

Explore Topics

#FirewallConfiguration#FirewallConfigurationCheatSheet#Cybersecurity#Intermediate#IptablesBasicsLinux#UFWSimplifiedFirewall#KeyConcepts#ConfigurationBestPractices#CloudComputing#Security#CheatSheet#SkillVeris