Step 4: Configure the firewall

Firewall Overview

Securing your VPS is very important. Configuring a firewall is an easy way to provide a lot of security.

  • A firewall allows you to control incoming and outgoing traffic.

Initially, we will allow outside traffic to enter the VPS using ports 80 (HTTP), 443 (HTTPS), and 22 (SSH). We won’t restrict outgoing traffic to keep the procedure simple. Ultimately, we want to restrict outgoing traffic, as well.

Using nano

We will use a text editor called nano to edit most of the files.

Mouse operations do not work well in a terminal editor. So, we must enter commands using the keyboard.


Copy and pasting in Nano

  • Clicking right in the text editor will paste the contents in the Windows clipboard directly to the terminal.

  • Selecting the text in the editor will copy the selection to the Windows clipboard.


Saving a document in Nano

  • Press Ctrl+S to save a file

  • Press Ctrl+X to exit Nano

  • If the document is not saved:

    1. Press y to save or press n to exit without saving.

    2. Press Enter to confirm the file name if saving and overwriting.

Optionally, we can use MobaXterm to edit the files using their built-in text editor. Watch this video on how to use MobaXterm.


The MobaXerm text editor uses 8-bit ASCII. Non-ASCII chars outside of 0x0 to 07F hex range will not render correctly.

Configuring the Firewall

Let’s practice straight away using nano!

Verify that IPv6 is enabled

Most VPSs provide an IPv6 address. Furthermore, it should be enabled by default on UFW. But, let’s verify.

To open the file using nano, we must supply the full path or just the file name. The file that we want to open is /etc/default/ufw.

  • /etc/default is the path to the file.

  • ufw is the name of the file.

sudo nano /etc/default/ufw
  • Shell scripts or bash use # for comments.

  • Using your arrow, keys, navigate to a line that has the configuration of IPV6=yes.

    • If you see # character in front of it, delete it.

  • Save and exit the file using Ctrl+S Ctrl+X

 1nano /etc/default/ufw
 3# /etc/default/ufw
 6# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
 7# accepted). You will need to 'disable' and then 'enable' the firewall for
 8# the changes to take affect.
11# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
12. . .

Configure UFW

  1. Set the firewall to deny all incoming connection

    sudo ufw default deny incoming
  1. Set the firewall to allow all outgoing connections

    sudo ufw default allow outgoing
  2. We will restrict the firewall to allow SSH (port 22), HTTP (80), and HTTPS (443) through the firewall. All other ports will be blocked.

    sudo ufw allow ssh
    sudo ufw allow http
    sudo ufw allow https
  3. Enable the firewall rules now and also on system restart

    sudo ufw enable
     1 root@vps298933:~#
     2 root@vps298933:~# sudo ufw status verbose
     3 Status: inactive
     4 root@vps298933:~#
     5 root@vps298933:~# sudo ufw default deny incoming
     6 Default incoming policy changed to 'deny'
     7 (be sure to update your rules accordingly)
     8 root@vps298933:~#
     9 root@vps298933:~# sudo ufw default allow outgoing
    10 Default outgoing policy changed to 'allow'
    11 (be sure to update your rules accordingly)
    12 root@vps298933:~# sudo ufw allow ssh
    13 Rules updated
    14 Rules updated (v6)
    15 root@vps298933:~# sudo ufw allow http
    16 Rules updated
    17 Rules updated (v6)
    18 root@vps298933:~# sudo ufw allow https
    19 Rules updated
    20 Rules updated (v6)
    21 root@vps298933:~#
    22 root@vps298933:~# sudo ufw enable
    23 Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
    24 Firewall is active and enabled on system startup
    25 root@vps298933:~#
  4. Verify the firewall state

    • In particular, verify that your SSH port (22) is open.

    • Otherwise, you might not be able to log back into your VPS

    sudo ufw status verbose
     1 root@vps298933:~# sudo ufw status verbose
     2 Status: active
     3 Logging: on (low)
     4 Default: deny (incoming), allow (outgoing), disabled (routed)
     5 New profiles: skip
     7 To                         Action      From
     8 --                         ------      ----
     9 22/tcp                     ALLOW IN    Anywhere
    10 80/tcp                     ALLOW IN    Anywhere
    11 443/tcp                    ALLOW IN    Anywhere
    12 22/tcp (v6)                ALLOW IN    Anywhere (v6)
    13 80/tcp (v6)                ALLOW IN    Anywhere (v6)
    14 443/tcp (v6)               ALLOW IN    Anywhere (v6)
    16 root@vps298933:~#

Reboot and Verify

On some systems, UFW does not automatically enable on reboot. We should test it.

sudo reboot -n

# after logging back in, verify:
sudo ufw status verbose

If the firewall is disabled, you need to enable it using systemctl (system control)

sudo systemctl enable ufw
 1root@vps298933:~# sudo systemctl enable ufw
 2Synchronizing state of ufw.service with SysV service script with /lib/systemd/systemd-sysv-install.
 3Executing: /lib/systemd/systemd-sysv-install enable ufw
 6root@vps298933:~# ufw status verbose
 7Status: active
 8Logging: on (low)
 9Default: deny (incoming), allow (outgoing), disabled (routed)
10New profiles: skip
12To                         Action      From
13--                         ------      ----
1422/tcp                     ALLOW IN    Anywhere
1580/tcp                     ALLOW IN    Anywhere
16443/tcp                    ALLOW IN    Anywhere
1722/tcp (v6)                ALLOW IN    Anywhere (v6)
1880/tcp (v6)                ALLOW IN    Anywhere (v6)
19443/tcp (v6)               ALLOW IN    Anywhere (v6)