UFW vs iptables: Simple Firewall Rules That Actually Work


Every production Linux server needs a firewall. Even with cloud-level protections and DDoS mitigation, a properly configured host firewall is a critical layer of defense. In 2025, the two most widely used firewall tools on Linux are iptables (the low-level classic) and UFW (Uncomplicated Firewall, a higher-level frontend). Both control traffic filtering via the Linux kernel’s netfilter framework, but they differ in complexity and usability.

This guide explains the differences between UFW and iptables, how to set them up, how to write rules that actually work in production, and which tool is best for different scenarios. We’ll cover basic rules, advanced logging, IPv6 support, rate limiting, and security best practices.


🔹 UFW vs iptables: The Core Difference

  • iptables: A direct interface to netfilter. Extremely powerful but verbose. Rules are written with granular syntax.
  • UFW: A frontend for iptables (and nftables in newer versions). Provides simplified commands for common tasks like ufw allow 80.

Think of iptables as assembly language and UFW as Python — UFW is easier, but iptables gives ultimate control.


🔹 Step 1: Installing UFW and iptables

# Ubuntu/Debian
sudo apt install ufw iptables -y

# RHEL/CentOS (uses firewalld by default, but iptables is still available)
sudo dnf install iptables-services -y

🔹 Step 2: Basic UFW Usage

Enable UFW:

sudo ufw enable

Allow SSH, HTTP, HTTPS:

sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Deny all incoming by default:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Check status:

sudo ufw status verbose

🔹 Step 3: Basic iptables Usage

Flush existing rules:

sudo iptables -F

Default policies:

sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

Allow SSH, HTTP, HTTPS:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Allow established connections:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

🔹 Step 4: IPv6 Considerations

UFW supports IPv6 if enabled in /etc/default/ufw:

IPV6=yes

iptables has an IPv6 variant: ip6tables. Example:

sudo ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT

For production, always configure both IPv4 and IPv6 rules.


🔹 Step 5: Logging

UFW enables logging easily:

sudo ufw logging on

iptables logging example:

sudo iptables -A INPUT -j LOG --log-prefix "iptables-dropped: " --log-level 7

Logs are written to /var/log/syslog or /var/log/messages.
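To turn the Step 5 LOG output into something a defender can act on, here is an added example (not from the original article) that summarises iptables-dropped lines from /var/log/syslog by source address, protocol and destination port. SAMPLE_LOG holds constructed sample lines in the format the LOG target emits; summarize_drops and top_drop are assumed names. The LOG target writes through the kernel log, so the same lines are also visible with journalctl -k.

```shell
#!/bin/sh
# Added example, not from the original article. SAMPLE_LOG holds constructed
# syslog lines in the format the LOG target from Step 5 produces.
SAMPLE_LOG='Jun 10 12:00:01 web1 kernel: [1001.1] iptables-dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44122 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 10 12:00:02 web1 sshd[812]: Accepted publickey for deploy from 203.0.113.10 port 50110 ssh2
Jun 10 12:00:03 web1 kernel: [1003.3] iptables-dropped: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=44123 DPT=22 SYN URGP=0
Jun 10 12:00:04 web1 kernel: [1004.4] iptables-dropped: IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51000 DPT=23 SYN URGP=0
Jun 10 12:00:05 web1 kernel: [1005.5] iptables-dropped: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=44124 DPT=22 SYN URGP=0
Jun 10 12:00:06 web1 kernel: [1006.6] iptables-dropped: IN=eth0 OUT= SRC=192.0.2.40 DST=203.0.113.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Jun 10 12:00:07 web1 kernel: [1007.7] iptables-dropped: IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51001 DPT=23 SYN URGP=0
Jun 10 12:00:08 web1 kernel: [1008.8] other-chain: IN=eth0 OUT= SRC=192.0.2.41 DST=203.0.113.5 LEN=60 PROTO=UDP SPT=5000 DPT=53 LEN=40'

# Read syslog lines on stdin, keep only those carrying the given log prefix
# (default: the one used in Step 5), and print "count SRC PROTO DPT" sorted
# by count, highest first. ICMP has no port, so DPT is printed as "-".
summarize_drops() {
    awk -v prefix="${1:-iptables-dropped: }" '
        index($0, prefix) == 0 { next }          # not one of our LOG lines
        {
            src = ""; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Convenience wrapper: the single noisiest (source, protocol, port) tuple.
top_drop() {
    summarize_drops "$@" | awk 'NR == 1'
}

# Usage on a live box: grep iptables-dropped /var/log/syslog | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```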


🔹 Step 6: Rate Limiting and DoS Protection

UFW

# Limit SSH brute force attempts
sudo ufw limit 22/tcp

iptables

# Limit new SSH connections to 3 per minute (match only NEW state so established sessions are not throttled)
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 3/min -j ACCEPT
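The Step 3 and Step 6 iptables commands combined into one script, as an added example that is not from the original article: loopback and established traffic are accepted first, the SSH rate limit replaces the unconditional port-22 accept (which, appended earlier as in Step 3, would otherwise shadow the limit rule), and the DROP policies are set last so a remote SSH session survives the run. IPT, SSH_PORT, build_rules, apply_rules and rules_are_safe are assumed names; without --apply the script only prints the rules.

```shell
#!/bin/sh
# Added example, not from the original article. IPT and SSH_PORT are assumed
# names: IPT=echo prints each rule instead of applying it.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"

# Emit the ruleset one rule per line, in the order it must be applied.
# Accept rules come first and the DROP policies last, so a live SSH
# session is never cut off halfway through the script.
build_rules() {
    cat <<EOF
-F
-X
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-dropped: " --log-level 7
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
EOF
}

# Run every rule through $IPT; eval keeps the quoted log prefix intact.
# Stops at the first failing rule and returns non-zero.
apply_rules() {
    build_rules | while IFS= read -r rule; do
        eval "$IPT $rule" || exit 1
    done
}

# Sanity check usable in CI: the INPUT DROP policy must come after the
# last accept rule, otherwise applying the script remotely is unsafe.
rules_are_safe() {
    build_rules | awk '
        /^-A INPUT .* -j ACCEPT$/ { last_accept = NR }
        /^-P INPUT DROP$/         { policy = NR }
        END { exit !(last_accept && policy && policy > last_accept) }'
}

case "${1:-}" in
    --apply) rules_are_safe && apply_rules ;;
    *)       build_rules ;;   # default: dry run, just print the rules
esac
```

Run it again as IPT=ip6tables sh firewall.sh --apply to mirror the set for IPv6 (Step 4), after adding an ICMPv6 accept rule, since IPv6 neighbour discovery depends on it. The LOG rule carries its own -m limit so a flood cannot fill the disk with log lines.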

🔹 Step 7: Persistence Across Reboots

UFW automatically saves rules across reboots.

For iptables, install:

sudo apt install iptables-persistent

Save rules:

sudo netfilter-persistent save

🔹 Step 8: Advanced UFW Rules

  • Allow specific IP: sudo ufw allow from 203.0.113.10 to any port 22
  • Deny subnet: sudo ufw deny from 10.0.0.0/8
  • Application profiles (defined in /etc/ufw/applications.d/): sudo ufw app list

🔹 Step 9: Advanced iptables Rules

  • Drop invalid packets: sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
  • Allow ping with rate limiting: sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  • Port forwarding (NAT): sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80

🔹 Step 10: nftables (Future of Linux Firewalls)

Although this article focuses on UFW and iptables, it’s worth noting that nftables is the modern replacement for iptables in Linux. UFW now supports nftables as a backend, so using UFW in 2025 indirectly uses nftables on modern distros.


🔹 When to Use UFW vs iptables

  • Use UFW if you need simplicity, fast deployment, and maintainability (especially on VPS environments).
  • Use iptables if you require fine-grained control, NAT, port forwarding, or advanced filtering for high-performance dedicated servers.

✅ Conclusion

Both UFW and iptables rely on the same kernel firewall engine. The difference is in usability vs flexibility. UFW is ideal for most sysadmins who want clean, easy-to-read firewall rules. iptables remains the power tool for advanced configurations, large-scale deployments, or when you need fine control over packets. In 2025, most production systems use a combination: UFW for simple management and raw iptables (or nftables) for complex rules.

At WeHaveServers.com, we provision servers with UFW defaults enabled but also support advanced iptables rules for customers with complex networking requirements.


❓ FAQ

Does UFW replace iptables?

No. UFW is a frontend that writes iptables/nftables rules under the hood.

Which is faster, UFW or iptables?

Performance is the same, since both use netfilter. Only usability differs.

Can I use UFW and iptables together?

Yes, but avoid conflicts. If you write raw iptables rules, they may override UFW behavior.

Is nftables better than iptables?

Yes, nftables is more efficient and flexible. iptables is slowly being phased out, but still widely used.

Should I use UFW in production?

Yes, especially for VPS and dedicated servers. It’s secure, simple, and reliable.

