
Firewall Hardening Guide: iptables, ufw & Cloud Security Groups

Open ports are the front door to your server. Every exposed service is a potential entry point for attackers — from brute-force SSH attacks to database exfiltration through exposed MySQL or Redis ports.

In our analysis of 50,000+ scans on AI QA Monkey, 34% of servers had database ports (3306, 5432, 27017) accessible from the internet, and 18% had Redis (6379) exposed without authentication.

Why Firewall Hardening Matters

  • Reduces attack surface — fewer open ports means fewer targets for attackers
  • Blocks automated attacks — bots constantly scan for exposed databases, SSH, and admin panels
  • Prevents data exfiltration — even if an application is compromised, firewall rules limit lateral movement
  • Compliance requirement — PCI DSS, ISO 27001, and SOC 2 all require firewall configuration

Audit Your Open Ports First

# Check listening services on your server
ss -tlnp

# Or using netstat
netstat -tlnp

# External scan (from another machine)
nmap -sT -p 1-65535 your-server-ip

# Quick check of common dangerous ports
nmap -sT -p 22,80,443,3306,5432,6379,27017,9200,11211 your-server-ip

Use AI QA Monkey's free Open Port Scanner to check which ports are visible from the internet without installing anything.
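As an added example (not code from the guide), a small script that reads `ss -tlnp` output and reports only the services on the guide's dangerous ports that are bound to a non-loopback address, so a Redis listening on 127.0.0.1 is not flagged while a MySQL on 0.0.0.0 is. The port list and the sample `ss` output are constructed for the example.

```shell
# Constructed example (not from the guide): flag listening sockets on the
# guide's dangerous ports that are bound to a non-loopback address.
# Usage on a live host:  ss -tlnp | exposed_dangerous_ports
DANGEROUS_PORTS="3306 5432 6379 27017 9200 11211 2049 445 3389"

exposed_dangerous_ports() {
    awk -v list="$DANGEROUS_PORTS" '
    BEGIN { n = split(list, p, " "); for (i = 1; i <= n; i++) danger[p[i]] = 1 }
    $1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)          # text after the last colon
        addr = $4; sub(/:[0-9]+$/, "", addr)     # everything before it
        if (!(port in danger)) next
        # loopback-only binds are not reachable from the network
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
        proc = "unknown"
        if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
        print port, addr, proc
    }'
}

# Constructed ss -tlnp output: MySQL on all interfaces, Redis and
# Elasticsearch on loopback only, SSH on 22 (allowed by policy).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    127.0.0.1:6379     0.0.0.0:*         users:(("redis-server",pid=905,fd=6))
LISTEN 0      80     *:3306             *:*               users:(("mysqld",pid=1021,fd=21))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      4096   [::1]:9200         [::]:*            users:(("java",pid=1200,fd=5))'

check_sample() {
    printf '%s\n' "$SAMPLE_SS" | exposed_dangerous_ports
}

check_sample   # prints: 3306 * mysqld
```

A local listener on a wildcard address is only reachable if the firewall also lets it through, so pair this with the external scan above rather than relying on either alone.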

UFW (Uncomplicated Firewall), recommended

UFW is the simplest way to configure a Linux firewall. It's pre-installed on Ubuntu and available on most distributions.

Basic Setup

# Set the default policies (deny all incoming, allow all outgoing)
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (IMPORTANT: do this before enabling!)
sudo ufw allow 22/tcp

# Allow web traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable the firewall
sudo ufw enable

# Check status
sudo ufw status verbose

Warning: Always Allow SSH First

If you enable ufw without allowing SSH, you will lock yourself out of your server. Always run sudo ufw allow 22/tcp before sudo ufw enable.

Advanced UFW Rules

# Allow SSH only from your IP
sudo ufw allow from 203.0.113.50 to any port 22

# Allow MySQL only from application server
sudo ufw allow from 10.0.1.10 to any port 3306

# Rate limit SSH (blocks IPs with 6+ connections in 30 seconds)
sudo ufw limit 22/tcp

# Deny a specific IP range (a single address works the same way, without the /24)
sudo ufw deny from 198.51.100.0/24

# Delete a rule
sudo ufw delete allow 80/tcp

# View numbered rules (for deletion)
sudo ufw status numbered

iptables Rules

For more granular control, use iptables directly:

Default Deny Policy

# Flush existing rules (the default policy is still ACCEPT at this point,
# so an SSH session survives the flush)
sudo iptables -F
sudo iptables -X

# Allow loopback (localhost)
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow established connections. Add this BEFORE switching INPUT to DROP,
# otherwise the SSH session you are working from is cut off.
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP and HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow ICMP (ping) — optional
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Log dropped packets (for debugging). The limit keeps a port scan from
# flooding the log.
sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: "

# Default policies, set last: deny all incoming, allow outgoing
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

# Save rules (persist across reboots; on Debian/Ubuntu this needs the
# iptables-persistent package). A plain "sudo iptables-save > file" fails
# because the redirect runs as your user, so run the whole command as root:
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

Rate Limiting with iptables

# Limit SSH to 3 new connections per minute per IP. iptables evaluates rules
# in order and the first match wins, so these must sit ABOVE the plain
# "--dport 22 -j ACCEPT" rule: -I inserts them at the top of INPUT.
sudo iptables -I INPUT 1 -p tcp --dport 22 -m state --state NEW \
  -m recent --set --name SSH
sudo iptables -I INPUT 2 -p tcp --dport 22 -m state --state NEW \
  -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

# Limit new HTTP connections (basic flood protection). Match only connection
# attempts (--syn), not every packet, or established sessions get throttled
# too. A limit rule alone changes nothing while a plain "--dport 80 -j ACCEPT"
# follows it, so pair it with a DROP for the excess, both above that rule.
# 25/minute is a starting point for a small site; tune it against real traffic.
sudo iptables -I INPUT 3 -p tcp --dport 80 --syn -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
sudo iptables -I INPUT 4 -p tcp --dport 80 --syn -j DROP
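The two iptables blocks above apply rules one at a time over SSH, which is where lockouts happen. As an added example (not the guide's own code), the same ruleset in iptables-restore format: it loads atomically, so there is never a moment with INPUT set to DROP and no ESTABLISHED rule, and the rate limits are already ahead of the plain ACCEPTs. Assumed: run as root, `/etc/iptables/` exists (iptables-persistent), and `-m conntrack --ctstate` as the equivalent of the guide's `-m state --state`.

```shell
#!/bin/sh
# Constructed example, not the guide's code. Emits the guide's rules in
# iptables-restore format so they load atomically (no lockout window) and in
# the order that matters: rate limits before the plain ACCEPT (first match wins).
set -eu

build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH: the 4th new connection from one IP within 60s is dropped (3/minute)
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
# HTTP: new connections over the limit are dropped; established ones pass above
-A INPUT -p tcp --dport 80 --syn -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -p tcp --dport 80 --syn -j DROP
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: "
COMMIT
EOF
}

# Ordering check: the SSH rate-limit DROP must precede the plain SSH ACCEPT
rule_order_ok() {
    drop=$(build_ruleset | grep -n -- '--hitcount 4' | cut -d: -f1)
    acc=$(build_ruleset | grep -n -- '--dport 22 -j ACCEPT' | cut -d: -f1)
    [ -n "$drop" ] && [ -n "$acc" ] && [ "$drop" -lt "$acc" ]
}

# Must run as root. --test parses without committing; then load and persist.
apply_ruleset() {
    rule_order_ok
    build_ruleset | iptables-restore --test
    build_ruleset | iptables-restore
    iptables-save > /etc/iptables/rules.v4   # root here, so the redirect works
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    *)       rule_order_ok && build_ruleset ;;   # dry run: print the ruleset
esac
```

Run it without arguments to review the generated file, and with `--apply` from a root shell only after you have a second SSH session open as a fallback.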

Cloud Security Groups

AWS Security Groups

# AWS CLI: Create a web server security group
aws ec2 create-security-group \
  --group-name web-server-sg \
  --description "Web server - HTTP/HTTPS/SSH only"

# Allow HTTP from anywhere
aws ec2 authorize-security-group-ingress \
  --group-name web-server-sg \
  --protocol tcp --port 80 --cidr 0.0.0.0/0

# Allow HTTPS from anywhere
aws ec2 authorize-security-group-ingress \
  --group-name web-server-sg \
  --protocol tcp --port 443 --cidr 0.0.0.0/0

# Allow SSH only from your IP
aws ec2 authorize-security-group-ingress \
  --group-name web-server-sg \
  --protocol tcp --port 22 --cidr 203.0.113.50/32

# Database SG: create it, then allow MySQL only from the web server SG.
# Referencing groups by name works in the default VPC; in any other VPC
# pass --group-id and --source-group with the sg-... IDs instead.
aws ec2 create-security-group \
  --group-name database-sg \
  --description "Database - MySQL from web tier only"

aws ec2 authorize-security-group-ingress \
  --group-name database-sg \
  --protocol tcp --port 3306 \
  --source-group web-server-sg

Google Cloud Firewall Rules

# Allow HTTP/HTTPS
gcloud compute firewall-rules create allow-web \
  --allow tcp:80,tcp:443 \
  --source-ranges 0.0.0.0/0 \
  --target-tags web-server

# Allow SSH from specific IP only
gcloud compute firewall-rules create allow-ssh \
  --allow tcp:22 \
  --source-ranges 203.0.113.50/32 \
  --target-tags web-server

# Deny all other ingress (default in GCP, but explicit is better)
gcloud compute firewall-rules create deny-all-ingress \
  --action deny --rules all \
  --source-ranges 0.0.0.0/0 \
  --priority 65534

Advanced Hardening

Change Default SSH Port

# Edit SSH config: change "Port 22" (or the commented "#Port 22") to "Port 2222"
sudo sed -i 's/^#\?Port 22$/Port 2222/' /etc/ssh/sshd_config
sudo sshd -t   # validate the config before restarting

# Update firewall BEFORE restarting SSH
sudo ufw allow 2222/tcp

# Restart SSH, then open a NEW session on port 2222 from a second terminal
# while keeping the current one open
sudo systemctl restart sshd

# Only once the new port is confirmed working, close the old one
sudo ufw delete allow 22/tcp

Block Common Attack Ports

# Explicitly block dangerous services from external access. "default deny
# incoming" already covers these; listing them documents intent and still
# holds if someone later loosens the default. ufw uses first match, so keep
# any "allow from <app-server> to any port 3306" rule ahead of these denies.
sudo ufw deny 3306/tcp   # MySQL
sudo ufw deny 5432/tcp   # PostgreSQL
sudo ufw deny 6379/tcp   # Redis
sudo ufw deny 27017/tcp  # MongoDB
sudo ufw deny 9200/tcp   # Elasticsearch
sudo ufw deny 11211/tcp  # Memcached
sudo ufw deny 2049/tcp   # NFS
sudo ufw deny 445/tcp    # SMB
sudo ufw deny 3389/tcp   # RDP

Testing Your Firewall

  1. Scan externally — use AI QA Monkey Open Port Scanner to verify only intended ports are visible
  2. Verify services still work — test HTTP, HTTPS, and SSH access
  3. Check from different IPs — ensure IP-restricted rules work correctly
  4. Test rate limiting — attempt rapid connections to verify throttling


Frequently Asked Questions

What is firewall hardening?

Firewall hardening is configuring firewall rules to allow only necessary network traffic and block everything else, following the principle of least privilege.

What is the difference between iptables and ufw?

iptables is the low-level Linux firewall tool with granular control. ufw is a user-friendly frontend that simplifies common tasks. ufw is recommended for most users.

Which ports should I keep open on a web server?

Only ports 80 (HTTP), 443 (HTTPS), and your SSH port. All database ports (3306, 5432, 6379, 27017) should be blocked from external access.

How do I check which ports are open on my server?

Use AI QA Monkey's free Open Port Scanner for external checks, or run ss -tlnp on your server for local checks.
