Firewalls, SSH & Network Security

Lesson 12 of 16 · 30 min

Learning Objectives

  • Configure firewall rules with iptables and UFW
  • Set up SSH key-based authentication
  • Scan ports with nmap and netcat
  • Understand firewall chains (INPUT, OUTPUT, FORWARD)

Firewalls in Linux

A firewall controls which network traffic is allowed in and out of your server.

iptables — The Foundation

iptables uses three chains:

Chain     Controls
INPUT     Traffic coming TO the server
OUTPUT    Traffic going FROM the server
FORWARD   Traffic passing THROUGH the server

# View current rules
sudo iptables -L

# View with line numbers
sudo iptables -L --line-numbers

Basic iptables Rules

# Allow established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
# Allow SSH (port 22)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 
# Allow HTTP and HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
 
# Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT
 
# Drop everything else (set default policy)
sudo iptables -P INPUT DROP

Saving iptables Rules

# Install persistence package
sudo apt install iptables-persistent -y
 
# Save current rules
sudo iptables-save | sudo tee /etc/iptables/rules.v4
sudo ip6tables-save | sudo tee /etc/iptables/rules.v6

UFW — Uncomplicated Firewall

UFW is a simpler interface for iptables:

# Install
sudo apt install ufw -y

# Allow SSH before enabling, otherwise a remote session is cut off
sudo ufw allow ssh

# Enable and check status
sudo ufw enable
sudo ufw status

Common UFW Rules

# Allow SSH (always do this BEFORE enabling UFW!)
sudo ufw allow 22
 
# Allow HTTP/HTTPS
sudo ufw allow 80
sudo ufw allow 443
 
# Allow by service name
sudo ufw allow ssh
sudo ufw allow http
 
# Deny a port
sudo ufw deny 25
 
# Allow from specific IP
sudo ufw allow from 192.168.1.100
 
# Allow from IP to specific port
sudo ufw allow from 10.0.0.0/24 to any port 3306
 
# Block an IP
sudo ufw deny from 203.0.113.50
 
# Delete a rule
sudo ufw delete allow 80
 
# Reset all rules
sudo ufw reset

Default Policies

# Deny all incoming (whitelist approach — recommended)
sudo ufw default deny incoming
 
# Allow all outgoing
sudo ufw default allow outgoing
⚠️ Always allow SSH (port 22) BEFORE setting the default policy to deny. Otherwise you'll lock yourself out of the server.

Port Scanning

nmap — Network Mapper

sudo apt install nmap -y
 
# Scan a host
nmap 192.168.1.1
 
# Scan specific ports
nmap -p 22,80,443 192.168.1.1
 
# Scan a range
nmap -p 1-1000 192.168.1.1
 
# Discover hosts on network (ping scan only; -sP is the deprecated spelling of -sn)
nmap -sn 192.168.1.0/24
 
# Scan your own server
nmap localhost

netcat — Quick Port Check

sudo apt install netcat-openbsd -y   # the "netcat" package name is only a transitional alias on current Debian/Ubuntu
 
# Check if port is open
nc -zvn 127.0.0.1 22
 
# Check multiple ports
nc -zvn 127.0.0.1 80 443 22
 
# Check a range
nc -zv 127.0.0.1 20-25

SSH — Secure Shell

SSH Key Authentication

Key-based auth is more secure than passwords:

# Generate key pair (on your LOCAL machine)
ssh-keygen -t rsa -b 4096
 
# Output:
# ~/.ssh/id_rsa      (private key — NEVER share)
# ~/.ssh/id_rsa.pub  (public key — copy to servers)

Copy Public Key to Server

# Automated method
ssh-copy-id user@server_ip

# Manual method (the chmods matter: sshd ignores a group- or world-writable ~/.ssh or authorized_keys)
cat ~/.ssh/id_rsa.pub | ssh user@server_ip "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Connect with SSH

# Basic connection
ssh user@192.168.1.10
 
# Specify port
ssh -p 2222 user@192.168.1.10
 
# Specify key file
ssh -i ~/.ssh/custom_key user@192.168.1.10

Hardening SSH

Edit /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

Recommended settings:

# Disable password authentication (keys only)
PasswordAuthentication no

# Disable root login
PermitRootLogin no

# Change default port (optional; open the new port in the firewall before restarting sshd)
Port 2222

# Allow only specific users
AllowUsers deploy admin

Check the file for syntax errors, then restart SSH (keep your current session open and test a fresh login before closing it):

sudo sshd -t
sudo systemctl restart sshd
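The settings above only take effect if sshd actually reads them first: sshd keeps the first value it sees for each keyword, and an Include drop-in read before your hardening lines silently wins. The following POSIX sh script is an added example, not part of the lesson; it reports the value sshd will use for PasswordAuthentication and PermitRootLogin, skips Match blocks, resolves relative Include paths against the config's own directory (sshd itself uses /etc/ssh) so the demo can run in a temp dir, and the demo layout it writes is constructed for illustration.

```shell
#!/bin/sh
# sshd keeps the FIRST value it reads for each keyword, and Include files are
# read where the Include line sits, so "PasswordAuthentication no" appended
# after a drop-in that says "yes" never takes effect. Match-block lines are
# skipped (they apply only to matched sessions). Assumption: relative Include
# paths resolve against the config file's directory (sshd uses /etc/ssh).
sshd_effective() {   # usage: sshd_effective <file> <keyword>; prints the value
    cfg=$1; key=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); in_match=0
    [ -r "$cfg" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}; set -f; set -- $line; set +f   # drop comments, split without globbing
        [ $# -ge 1 ] || continue
        k=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
        [ "$k" = match ] && in_match=1
        [ "$in_match" -eq 0 ] || continue
        if [ "$k" = include ]; then
            for pat in "$@"; do
                case $pat in /*) ;; *) pat=$(dirname "$cfg")/$pat ;; esac
                for f in $pat; do        # glob expands in lexical order
                    [ -r "$f" ] && v=$(sshd_effective "$f" "$key") &&
                        { printf '%s\n' "$v"; return 0; }
                done
            done
        elif [ "$k" = "$key" ]; then printf '%s\n' "$*"; return 0
        fi
    done < "$cfg"
    return 1
}
# Compare effective values with this lesson's baseline; unset means the
# compiled-in default (yes for PasswordAuthentication), so it is flagged too.
audit_sshd_config() { rc=0   # usage: audit_sshd_config <file>; returns 1 on any finding
    for pair in PasswordAuthentication=no PermitRootLogin=no; do
        k=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$1" "$k") || got='(unset: compiled-in default)'
        if [ "$got" = "$want" ]; then printf 'OK    %s %s\n' "$k" "$got"
        else printf 'WEAK  %s is %s, expected %s\n' "$k" "$got" "$want"; rc=1; fi
    done
    return $rc
}
# Constructed demo: Include at the top, a drop-in re-enabling passwords, hardening below it.
write_demo_config() {   # usage: write_demo_config <dir>
    mkdir -p "$1/sshd_config.d"
    printf '%s\n' 'Include sshd_config.d/*.conf' 'PermitRootLogin no' \
        'PasswordAuthentication no' 'Match User backup' \
        '  PasswordAuthentication no' > "$1/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-demo.conf"
}
if [ $# -eq 1 ]; then audit_sshd_config "$1"; else   # audit a real file, or run the demo
    tmp=$(mktemp -d); write_demo_config "$tmp"
    audit_sshd_config "$tmp/sshd_config" || true; rm -rf "$tmp"; fi
```

Pass it a path to audit a real file; with no argument it audits the constructed demo and flags PasswordAuthentication as WEAK. On the server itself, `sudo sshd -T | grep -i passwordauthentication` is the authoritative check, since it prints the configuration sshd actually resolved.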

SSH Config File (Client Side)

Create ~/.ssh/config for shortcuts:

Host webserver
    HostName 192.168.1.10
    User deploy
    Port 2222
    IdentityFile ~/.ssh/webserver_key

Host database
    HostName 192.168.1.20
    User admin
    IdentityFile ~/.ssh/db_key

Now connect with just:

ssh webserver
ssh database

Network Monitoring

ss — Socket Statistics

# All listening TCP and UDP ports (numeric, no name resolution)
sudo ss -tuln

# Established and other non-listening TCP/UDP sockets
sudo ss -tun
 
# Show process using a port
sudo ss -tulnp | grep :80

netstat (Legacy)

sudo apt install net-tools -y
 
# Listening ports with PIDs
sudo netstat -tulnp
 
# All connections
sudo netstat -an

Summary

  • iptables is the low-level firewall; UFW simplifies it
  • Always allow SSH before setting default deny policy
  • Use nmap to scan ports and discover services
  • SSH keys are more secure than passwords
  • Disable password auth and root login in production
  • ss -tuln shows what's listening on your server
  • Use ~/.ssh/config for convenient SSH shortcuts

Next Steps

With networking and security covered, let's set up NGINX — the web server, reverse proxy, and load balancer used in production.