UFW Firewall
Configure UFW (Uncomplicated Firewall) on your VPS: simple iptables management with practical rules for web servers, SSH and other services.
UFW (Uncomplicated Firewall) is an iptables frontend that simplifies firewall management on Ubuntu and Debian. It's ideal for VPS with straightforward rule sets.
Before enabling UFW, make sure to allow SSH (port 22 or your custom port), otherwise you will lock yourself out of the server.
Installation
# UFW is pre-installed on Ubuntu, install if missing
apt update && apt install ufw -y
# Check current status
ufw status verbose

Basic Configuration
Set default policies
# Block all incoming, allow all outgoing (secure default)
ufw default deny incoming
ufw default allow outgoing

Allow SSH (do this BEFORE enabling)
# Standard SSH (port 22)
ufw allow ssh
# Or explicitly by port
ufw allow 22/tcp
# Custom SSH port
ufw allow 2222/tcp

Enable UFW
ufw enable
# Answer "y" to confirm

Common Rules
Web servers
# HTTP and HTTPS
ufw allow 80/tcp
ufw allow 443/tcp
# Or use the "Nginx Full" preset (if Nginx is installed)
ufw allow 'Nginx Full'
# Apache
ufw allow 'Apache Full'

Databases (local only: never expose publicly)
# Allow MySQL/MariaDB only from localhost (default, no rule needed)
# Allow from a specific IP (e.g., another server)
ufw allow from 1.2.3.4 to any port 3306
# PostgreSQL
ufw allow from 1.2.3.4 to any port 5432

Other common services
# FTP passive
ufw allow 21/tcp
ufw allow 40000:50000/tcp # passive range
# Mail server
ufw allow 25/tcp # SMTP
ufw allow 587/tcp # SMTP submission
ufw allow 465/tcp # SMTPS
ufw allow 143/tcp # IMAP
ufw allow 993/tcp # IMAPS
# DNS (if running a DNS server)
ufw allow 53
# OpenVPN
ufw allow 1194/udp
# WireGuard
ufw allow 51820/udp

Rules with Source IP Restrictions
# Allow SSH only from your IP
ufw allow from 1.2.3.4 to any port 22
# Allow a port range from a specific subnet
ufw allow from 192.168.1.0/24 to any port 8080:8090
# Block a specific IP completely
ufw deny from 5.6.7.8

Managing Rules
# View rules with numbers
ufw status numbered
# Delete a rule by number
ufw delete 3
# Delete a rule by specification
ufw delete allow 80/tcp
# Disable UFW temporarily (does not delete rules)
ufw disable
# Reset all rules (WARNING: removes everything)
ufw reset

UFW Logging
# Enable logging (logs to /var/log/ufw.log)
ufw logging on
# Log level: low, medium, high, full
ufw logging medium
# View recent logs
tail -f /var/log/ufw.log
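The lines written to /var/log/ufw.log use the kernel's netfilter layout ("[UFW BLOCK] IN=eth0 ... SRC=a.b.c.d ... DPT=22"). The script below is an added example and not part of this guide: it summarizes blocked connections by source address and destination port, and lists sources that were blocked at least N times, which is the review step to take before adding a "ufw deny from <ip>" rule for one of them. The log lines it embeds are constructed with documentation addresses, and the function names (blocked_by_source_port, noisy_sources, write_sample_ufw_log) are chosen here, not taken from UFW.

```shell
#!/bin/sh
# Added example (not part of the original guide): summarize [UFW BLOCK] entries.
# Assumes the standard "SRC=<ip> ... DPT=<port>" key=value layout of ufw.log.

# Print "count source dport" for each blocked (SRC, DPT) pair, busiest first.
# Usage: blocked_by_source_port /var/log/ufw.log
blocked_by_source_port() {
    awk '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # ICMP and similar entries carry no DPT; record them as "-"
            if (src != "") count[src " " (dpt == "" ? "-" : dpt)]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -k1,1nr -k2,2
}

# Print sources blocked at least N times (default 3): candidates to review
# before adding a "ufw deny from <ip>" rule.
# Usage: noisy_sources /var/log/ufw.log 5
noisy_sources() {
    awk -v min="${2:-3}" '
        /\[UFW BLOCK\]/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) count[substr($i, 5)]++
        }
        END { for (s in count) if (count[s] >= min) print s }
    ' "$1" | sort
}

# Write constructed sample log lines (documentation addresses, not real traffic)
# to the given path, so the functions above can be tried without a live log.
write_sample_ufw_log() {
    cat > "$1" <<'EOF'
Jan 10 12:00:01 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=1 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=44322 DPT=22 SYN URGP=0
Jan 10 12:00:03 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=44323 DPT=22 SYN URGP=0
Jan 10 12:00:04 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=44324 DPT=3306 SYN URGP=0
Jan 10 12:00:05 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=198.51.100.77 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=51000 DPT=23 SYN URGP=0
Jan 10 12:00:06 vps kernel: [UFW ALLOW] IN=eth0 OUT= MAC=... SRC=192.0.2.9 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=52000 DPT=443 SYN URGP=0
EOF
}

# Stand-alone demo on the constructed sample; point the functions at
# /var/log/ufw.log on a real host.
demo_log=$(mktemp)
write_sample_ufw_log "$demo_log"
blocked_by_source_port "$demo_log"
noisy_sources "$demo_log" 3
rm -f "$demo_log"
```

The [UFW ALLOW] line in the sample is deliberately ignored: only blocked traffic is counted, so the summary answers "what is the firewall already stopping, and from where" rather than mixing in permitted connections.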
UFW and Docker
Docker bypasses UFW by default: containers with published ports (-p 0.0.0.0:80:80) are accessible from the internet even if UFW blocks port 80. The reason is that traffic to a published port is routed to the container through the iptables FORWARD chain, where Docker inserts its own rules ahead of UFW's, so the "deny incoming" policy (which governs INPUT) never sees it. This is a well-known issue.
Solution 1: bind to localhost in Docker
In docker-compose.yml, bind ports only to localhost:
ports:
  - "127.0.0.1:8080:80" # only localhost, not 0.0.0.0

Then use Nginx or a reverse proxy to expose the service externally.
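A quick way to audit an existing docker-compose.yml for the mistake described above is to list every published port that is not bound to 127.0.0.1. The script below is an added example, not part of this guide or of Docker: it scans the short "host:container" / "ip:host:container" port syntax (the long-form "target:/published:" syntax and IPv6 bind addresses are not handled), and the compose fragment it embeds is constructed for the demo. The names unbound_published_ports and write_sample_compose are chosen here.

```shell
#!/bin/sh
# Added example (not part of the original guide): flag compose port mappings
# that publish on all interfaces and therefore bypass UFW.

# Print every published port mapping that is not bound to a loopback address.
# Usage: unbound_published_ports docker-compose.yml
unbound_published_ports() {
    awk '
        # short-syntax port items such as  - "8080:80"  or  - 127.0.0.1:5432:5432/tcp
        /^[ \t]*-[ \t]*"?[0-9.]+:[0-9]+/ {
            item = $0
            sub(/#.*$/, "", item)             # drop a trailing comment
            gsub(/["\t ]/, "", item)          # drop quotes and whitespace
            sub(/^-/, "", item)               # drop the YAML list dash
            sub(/[/](tcp|udp)$/, "", item)    # drop a protocol suffix
            n = split(item, f, ":")
            # three fields mean an explicit bind address was given;
            # loopback is fine, anything else (including 0.0.0.0) is exposed
            if (n == 3 && f[1] ~ /^127[.]/) next
            print item
        }' "$1"
}

# Write a constructed compose fragment (not a real deployment) to the given path.
write_sample_compose() {
    cat > "$1" <<'EOF'
services:
  web:
    image: nginx
    ports:
      - "127.0.0.1:8080:80"   # only localhost, reached through a reverse proxy
      - "443:443"             # no bind address: published on 0.0.0.0, bypasses UFW
  db:
    image: postgres
    ports:
      - 127.0.0.1:5432:5432/tcp
      - "0.0.0.0:9000:9000"
EOF
}

# Stand-alone demo: prints the two exposed mappings from the sample file.
demo_compose=$(mktemp)
write_sample_compose "$demo_compose"
unbound_published_ports "$demo_compose"
rm -f "$demo_compose"
```

Run it against each compose file on the host; every line it prints is a port that reaches the container whether or not a UFW rule allows it.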
Solution 2: ufw-docker
ufw-docker is a script that fixes the UFW/Docker conflict by modifying iptables rules:
# Download the script
wget -O /usr/local/bin/ufw-docker https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker
chmod +x /usr/local/bin/ufw-docker
# Install the iptables fix
ufw-docker install
# Restart UFW and Docker
systemctl restart ufw
systemctl restart docker
# Allow external access to a specific container's port (by container name)
ufw-docker allow nginx 80/tcp

Complete Example: Web Server + SSH
# Reset and start fresh
ufw --force reset
# Default policies
ufw default deny incoming
ufw default allow outgoing
# SSH (replace 22 with your port)
ufw allow 22/tcp
# Web
ufw allow 80/tcp
ufw allow 443/tcp
# Enable
ufw enable
# Verify
ufw status verbose
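The sequence above is safe only if the SSH allow rule really comes before "ufw enable" and matches the port sshd actually listens on. The script below is an added example, not part of this guide or of UFW: it reads the Port directive from sshd_config, builds the same rule set as an ordered list of commands, and refuses to run the list unless an allow rule for that port precedes "ufw enable". The helper names (ssh_port_from_config, plan_rules, plan_keeps_ssh_open, apply_plan) and the DRY_RUN variable are chosen here.

```shell
#!/bin/sh
# Added example (not part of the original guide): build the web server rule set
# with a lockout guard, reading the SSH port from sshd_config.

# Print the Port directive from an sshd_config file; 22 when absent or unreadable.
# Commented-out "#Port" lines are ignored because $1 would be "#Port".
ssh_port_from_config() {
    port=""
    if [ -r "$1" ]; then
        port=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    fi
    echo "${port:-22}"
}

# Print the ordered ufw commands: defaults, SSH first, extra port/proto entries
# (e.g. 80/tcp 443/tcp), and "ufw enable" last. Prints only; runs nothing.
plan_rules() {
    ssh_port=$1; shift
    echo "ufw --force reset"
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw allow ${ssh_port}/tcp"
    for entry in "$@"; do
        echo "ufw allow $entry"
    done
    echo "ufw enable"
}

# Return 0 if an allow rule for the SSH port appears before "ufw enable".
# Usage: plan_keeps_ssh_open <ssh_port> "<plan text>"
plan_keeps_ssh_open() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $0 == ("ufw allow " p "/tcp") { seen = 1 }
        $0 == "ufw enable" && !seen  { exit 1 }
    '
}

# Execute the plan line by line (as root); with DRY_RUN=1 only print the commands.
# Usage: apply_plan <ssh_port> "$(plan_rules <ssh_port> 80/tcp 443/tcp)"
apply_plan() {
    if ! plan_keeps_ssh_open "$1" "$2"; then
        echo "refusing to apply: no allow rule for port $1 before 'ufw enable'" >&2
        return 1
    fi
    printf '%s\n' "$2" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "+ $cmd"
        else
            sh -c "$cmd" || return 1
        fi
    done
}

# Stand-alone demo: show the plan for this host's SSH port without applying it.
# To apply for real:  apply_plan "$port" "$(plan_rules "$port" 80/tcp 443/tcp)"
plan_rules "$(ssh_port_from_config /etc/ssh/sshd_config)" 80/tcp 443/tcp
```

Because the SSH port is derived from the same file sshd reads, changing the port later and re-running the script keeps the firewall and the daemon in step; the guard makes a plan that forgot SSH fail before any rule is touched rather than after the session is gone.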
Available Presets (Application Profiles)
# List available application profiles
ufw app list
# Show details about a profile
ufw app info 'Nginx Full'
# Allow a profile
ufw allow 'Nginx Full'

UFW is the simplest choice for VPS management. For more complex rules (traffic shaping, NAT, port forwarding), prefer iptables or nftables directly. See the Firewall guide for advanced examples.