Skip to content

Firewall Configuration Guide

Last Updated: 2026-02-09 Server: Hetzner Production (46.224.40.5) Status: ✅ UFW Active | 9 Permanent Bans


The server uses UFW (Uncomplicated Firewall) as the frontend for iptables, with fail2ban dynamically adding rules for banned IPs.

┌─────────────────────────────────────────────────────────────┐
│ FIREWALL LAYERS │
├─────────────────────────────────────────────────────────────┤
│ UFW Rules (permanent bans + port access) │
│ ↓ │
│ iptables (managed by UFW + fail2ban) │
│ ↓ │
│ f2b-* chains (dynamic fail2ban bans) │
└─────────────────────────────────────────────────────────────┘

DirectionPolicy
IncomingDENY (block all except allowed)
OutgoingALLOW
RoutedDENY
PortServicePurpose
22SSHRemote access (rate-limited by fail2ban)
80HTTPWeb traffic
443HTTPSSecure web traffic
3004GrafanaMonitoring dashboard
3005ThriveSendB2B2G platform
8001SACE APIBackend service
8003SANSA APIBackend service
PortServiceAccess
3100Loki127.0.0.1 only
9090Prometheus127.0.0.1 only
9093Alertmanager127.0.0.1 only
9100Node Exporter127.0.0.1 only

Currently 9 IPs permanently banned via UFW (survives restart).


Terminal window
# View full status
ufw status verbose
# View numbered rules (for deletion)
ufw status numbered
# Check if enabled
ufw status
Terminal window
# Allow a port
ufw allow 8080/tcp comment "Service description"
# Allow port for specific IP only
ufw allow from 192.168.1.100 to any port 22
# Deny a port
ufw deny 8080/tcp
# Delete a rule (by number)
ufw status numbered
ufw delete 5
# Delete by rule
ufw delete allow 8080/tcp
Terminal window
# Permanent ban (insert at top for priority)
ufw insert 1 deny from 192.168.1.100 comment "Permanent ban - reason"
# View all bans
ufw status | grep DENY
# Remove a ban
ufw delete deny from 192.168.1.100

For IPs that repeatedly attack (3+ times in recidive jail):

Terminal window
# 1. Identify persistent attackers
grep "Ban" /var/log/fail2ban.log | awk '{print $NF}' | sort | uniq -c | sort -rn | head -10
# 2. Check if already banned in fail2ban
fail2ban-client status sshd | grep "192.168.1.100"
# 3. Add permanent UFW ban
ufw insert 1 deny from 192.168.1.100 comment "Permanent ban - 50+ attacks on $(date +%Y-%m-%d)"
# 4. Verify ban added
ufw status | grep 192.168.1.100

fail2ban creates dynamic iptables chains for banned IPs.

Terminal window
# List all fail2ban chains
iptables -L | grep f2b
# View specific chain (SSH)
iptables -L f2b-sshd -n
# Count banned IPs in chain
iptables -L f2b-sshd -n | grep -c DROP
Terminal window
# Full INPUT chain with line numbers
iptables -L INPUT -n --line-numbers
# Summary of rules
iptables -L INPUT -n | head -20

If you accidentally block yourself:

Terminal window
# Access via Hetzner Console (robot.hetzner.com)
# Then reset UFW
ufw reset
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw enable
# Re-add essential rules
ufw allow 80/tcp
ufw allow 443/tcp
# ... etc
Terminal window
# Disable UFW
ufw disable
# Re-enable
ufw enable

  • Main: /etc/ufw/ufw.conf
  • Rules: /etc/ufw/user.rules
  • IPv6 Rules: /etc/ufw/user6.rules
Terminal window
# Backup current rules
cp /etc/ufw/user.rules /etc/ufw/user.rules.backup.$(date +%Y%m%d)
# Restore from backup
cp /etc/ufw/user.rules.backup.20260209 /etc/ufw/user.rules
ufw reload

Terminal window
# Quick status
ufw status
# Count rules
ufw status numbered | wc -l
# View recent iptables activity
dmesg | grep -i "ufw" | tail -10
Terminal window
# UFW log location
tail -50 /var/log/ufw.log
# Enable logging (if not enabled)
ufw logging on

  1. Principle of Least Privilege: Only open ports that are needed
  2. Document Everything: Use comments on all rules
  3. Regular Audit: Review rules monthly
  4. Backup Before Changes: Always backup rules before modifications
  5. Test Changes: Open new SSH session before closing existing one

  • Default deny incoming
  • Only required ports open
  • Monitoring ports restricted to localhost
  • Permanent bans for persistent attackers
  • Regular rule audit
  • Logging enabled


Last audit: 2026-02-09 Maintainer: Nhlanhla Mnyandu (nhlanhla@isutech.co.za)