Firewall Configuration Guide
Firewall Configuration Guide
Section titled “Firewall Configuration Guide”Last Updated: 2026-02-09 Server: Hetzner Production (46.224.40.5) Status: ✅ UFW Active | 9 Permanent Bans
Overview
Section titled “Overview”The server uses UFW (Uncomplicated Firewall) as the frontend for iptables, with fail2ban dynamically adding rules for banned IPs.
┌─────────────────────────────────────────────────────────────┐│ FIREWALL LAYERS │├─────────────────────────────────────────────────────────────┤│ UFW Rules (permanent bans + port access) ││ ↓ ││ iptables (managed by UFW + fail2ban) ││ ↓ ││ f2b-* chains (dynamic fail2ban bans) │└─────────────────────────────────────────────────────────────┘Current Configuration
Section titled “Current Configuration”Default Policy
Section titled “Default Policy”| Direction | Policy |
|---|---|
| Incoming | DENY (block all except allowed) |
| Outgoing | ALLOW |
| Routed | DENY |
Open Ports
Section titled “Open Ports”| Port | Service | Purpose |
|---|---|---|
| 22 | SSH | Remote access (rate-limited by fail2ban) |
| 80 | HTTP | Web traffic |
| 443 | HTTPS | Secure web traffic |
| 3004 | Grafana | Monitoring dashboard |
| 3005 | ThriveSend | B2B2G platform |
| 8001 | SACE API | Backend service |
| 8003 | SANSA API | Backend service |
Localhost-Only Services
Section titled “Localhost-Only Services”| Port | Service | Access |
|---|---|---|
| 3100 | Loki | 127.0.0.1 only |
| 9090 | Prometheus | 127.0.0.1 only |
| 9093 | Alertmanager | 127.0.0.1 only |
| 9100 | Node Exporter | 127.0.0.1 only |
Permanent Bans (Persistent Attackers)
Section titled “Permanent Bans (Persistent Attackers)”Currently 9 IPs permanently banned via UFW (survives restart).
Quick Commands
Section titled “Quick Commands”Status Check
Section titled “Status Check”# View full statusufw status verbose
# View numbered rules (for deletion)ufw status numbered
# Check if enabledufw statusManaging Ports
Section titled “Managing Ports”# Allow a portufw allow 8080/tcp comment "Service description"
# Allow port for specific IP onlyufw allow from 192.168.1.100 to any port 22
# Deny a portufw deny 8080/tcp
# Delete a rule (by number)ufw status numberedufw delete 5
# Delete by ruleufw delete allow 8080/tcpBanning IPs
Section titled “Banning IPs”# Permanent ban (insert at top for priority)ufw insert 1 deny from 192.168.1.100 comment "Permanent ban - reason"
# View all bansufw status | grep DENY
# Remove a banufw delete deny from 192.168.1.100Permanent Ban Procedure
Section titled “Permanent Ban Procedure”For IPs that repeatedly attack (3+ times in recidive jail):
# 1. Identify persistent attackersgrep "Ban" /var/log/fail2ban.log | awk '{print $NF}' | sort | uniq -c | sort -rn | head -10
# 2. Check if already banned in fail2banfail2ban-client status sshd | grep "192.168.1.100"
# 3. Add permanent UFW banufw insert 1 deny from 192.168.1.100 comment "Permanent ban - 50+ attacks on $(date +%Y-%m-%d)"
# 4. Verify ban addedufw status | grep 192.168.1.100iptables Integration
Section titled “iptables Integration”fail2ban creates dynamic iptables chains for banned IPs.
View fail2ban Chains
Section titled “View fail2ban Chains”# List all fail2ban chainsiptables -L | grep f2b
# View specific chain (SSH)iptables -L f2b-sshd -n
# Count banned IPs in chainiptables -L f2b-sshd -n | grep -c DROPView All INPUT Rules
Section titled “View All INPUT Rules”# Full INPUT chain with line numbersiptables -L INPUT -n --line-numbers
# Summary of rulesiptables -L INPUT -n | head -20Emergency Procedures
Section titled “Emergency Procedures”Locked Out?
Section titled “Locked Out?”If you accidentally block yourself:
# Access via Hetzner Console (robot.hetzner.com)
# Then reset UFWufw resetufw default deny incomingufw default allow outgoingufw allow sshufw enable
# Re-add essential rulesufw allow 80/tcpufw allow 443/tcp# ... etcDisable Firewall (Emergency Only)
Section titled “Disable Firewall (Emergency Only)”# Disable UFWufw disable
# Re-enableufw enableConfiguration Files
Section titled “Configuration Files”UFW Config
Section titled “UFW Config”- Main:
/etc/ufw/ufw.conf - Rules:
/etc/ufw/user.rules - IPv6 Rules:
/etc/ufw/user6.rules
Backup Rules
Section titled “Backup Rules”# Backup current rulescp /etc/ufw/user.rules /etc/ufw/user.rules.backup.$(date +%Y%m%d)
# Restore from backupcp /etc/ufw/user.rules.backup.20260209 /etc/ufw/user.rulesufw reloadMonitoring
Section titled “Monitoring”Daily Check
Section titled “Daily Check”# Quick statusufw status
# Count rulesufw status numbered | wc -l
# View recent iptables activitydmesg | grep -i "ufw" | tail -10Audit Trail
Section titled “Audit Trail”# UFW log locationtail -50 /var/log/ufw.log
# Enable logging (if not enabled)ufw logging onBest Practices
Section titled “Best Practices”- Principle of Least Privilege: Only open ports that are needed
- Document Everything: Use comments on all rules
- Regular Audit: Review rules monthly
- Backup Before Changes: Always backup rules before modifications
- Test Changes: Open new SSH session before closing existing one
Security Checklist
Section titled “Security Checklist”- Default deny incoming
- Only required ports open
- Monitoring ports restricted to localhost
- Permanent bans for persistent attackers
- Regular rule audit
- Logging enabled
Related Documentation
Section titled “Related Documentation”Last audit: 2026-02-09 Maintainer: Nhlanhla Mnyandu (nhlanhla@isutech.co.za)