Control which connections a Linux machine accepts — see the current rules, open only the ports you need, set a deny-by-default policy with ufw, lock yourself out safely by allowing SSH first, and understand the iptables layer underneath.
A firewall is a gatekeeper for network connections: it decides which ones the machine accepts and which it drops. On a server you want it closed to everything except the few ports you actually use. ufw ("uncomplicated firewall") is the friendly front end most distributions ship — start by asking it whether it is even on.
Is the firewall on, and what rules are active?
sudo ufw status verbose
If ufw is not installed yet (Debian/Ubuntu)
sudo apt install ufw
This is the rule that saves careers. The moment you turn on a deny-by-default firewall on a remote server, any port you have not allowed is blocked — including port 22, your SSH way in. Allow SSH first, or you will lock yourself out of a machine you can only reach over SSH. ufw knows common service names, so "ufw allow OpenSSH" opens the right port.
Allow SSH first — by service name...
sudo ufw allow OpenSSH
...or by port number, which is the same thing here
sudo ufw allow 22/tcp
A good firewall blocks incoming traffic by default and lets your machine make outgoing connections freely. Set those two defaults, then enable the firewall. Because you allowed SSH in the previous step, your session survives. "ufw enable" also makes the rules persist across reboots.
Default: block what comes IN, allow what goes OUT
sudo ufw default deny incoming
sudo ufw default allow outgoing
Turn it on (answer "y" — your SSH rule keeps you connected)
sudo ufw enable
With deny-by-default in place, each service you run needs its door opened explicitly. A web server needs 80 (HTTP) and 443 (HTTPS). You can allow by port, by service name, or limit a port to a single trusted source address — useful for keeping something like a database reachable only from one server.
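As an added example (not part of the original page), a small POSIX shell helper that applies the lock-out rule above: it looks for an SSH allow rule in `ufw status` output and prints the enable sequence in the order that cannot cut off a remote session. The status text is a constructed sample so the script runs without ufw installed; nothing is executed against the real firewall.

```shell
#!/bin/sh
# Added example: plan a lock-out-safe ufw enable. Nothing here runs ufw;
# it reads `ufw status` text and prints the commands to run, SSH rule first.

# Constructed sample output of `sudo ufw status` (two variants).
STATUS_NO_SSH='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere'

STATUS_WITH_SSH='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
80/tcp                     ALLOW       Anywhere'

# has_ssh_allow STATUS_TEXT: succeed if an ALLOW (or LIMIT) rule covers SSH,
# matched by the OpenSSH service name or by port 22. It only checks that a
# rule exists; a rule restricted to an IP that is not yours still locks you out.
has_ssh_allow() {
  printf '%s\n' "$1" |
    grep -Eq '^(OpenSSH|22/tcp|22)( \(v6\))?[[:space:]]+(ALLOW|LIMIT)( IN)?[[:space:]]'
}

# safe_enable_commands STATUS_TEXT: print the commands in an order that cannot
# cut off a remote session: the SSH allow rule (only if missing), then the
# two defaults, then enable. Review the output, then run it as root.
safe_enable_commands() {
  if ! has_ssh_allow "$1"; then
    echo "ufw allow OpenSSH"
  fi
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  echo "ufw --force enable"   # --force skips the interactive y/n prompt
}

# Demonstration on the two constructed samples.
echo "# ruleset without SSH rule:"; safe_enable_commands "$STATUS_NO_SSH"
echo "# ruleset with SSH rule:";    safe_enable_commands "$STATUS_WITH_SSH"
```

On a real host, feed it the live output with `safe_enable_commands "$(sudo ufw status)"` and read the plan before running any of it.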
Open the web ports
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Allow a port only FROM one trusted IP (e.g. a database)
sudo ufw allow from 203.0.113.5 to any port 5432 proto tcp
Over time you accumulate rules and need to prune them. "ufw status numbered" prints each rule with an index, and you delete by that number. Removing a rule you no longer need keeps the surface area small — every open port is a way in.
List rules with an index number next to each
sudo ufw status numbered
Delete rule number 3 (it will ask you to confirm)
sudo ufw delete 3
Reset everything back to defaults (start over)
sudo ufw reset
ufw is a convenience wrapper — underneath, the Linux kernel enforces the actual rules through netfilter, which you read and write with iptables (and its successor nftables). You rarely edit these by hand on a server with ufw, but you need to recognize them: cloud tools, Docker, and Kubernetes all program this same layer directly, so this is what you are really looking at when you list it.
Show the raw rules ufw generated, with line numbers
sudo iptables -L -n --line-numbers
Newer systems use nftables — same idea, newer syntax
sudo nft list ruleset