From The World according to Vissie


my "old" iptables configs:

  1. iptables

What ports are open?

sudo nmap -sT -O localhost

What is running on a port?

grep -w 834 /etc/services
netstat -anp | grep -w 834
lsof -i | grep -w 834

Linux 2.4 stateful firewall design

Let's do iptables the easy way


Uncomplicated Firewall


sudo apt-get install ufw
sudo vim /etc/default/ufw


sudo ufw status verbose

Set Up Default Policies:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Allow SSH Connections:

sudo ufw allow ssh


sudo ufw allow 1234

Enable UFW:

sudo ufw enable

Enable logging:

sudo ufw logging on

If you get:

WARN: /etc is group writable!
WARN: /usr is group writable!

fix the directory permissions:

chmod 755 /etc /lib /usr

Working with numbered rules

Listing rules with a reference number

sudo ufw status numbered

Delete numbered rule

You may then delete rules using the number. This will delete the first rule and rules will shift up to fill in the list.

sudo ufw delete 1

Check your ports

See all services on the server

sudo ufw show listening

See if the firewall is allowing traffic on that port

sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
1194/udp                   ALLOW       Anywhere
1194/udp (v6)              ALLOW       Anywhere (v6)

See if iptables allows it (ufw rules end up in the ufw-user-input chain)

sudo iptables -L | less
Chain ufw-user-input (1 references)
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn

OpenVPN is listening on that port (if I am interpreting this correctly):

sudo netstat -vaun
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0  *

See if nmap sees a service running on that port

sudo nmap -sU localhost -p 1194
Starting Nmap 6.40 ( ) at 2016-11-13 17:58 GMT
Nmap scan report for localhost (
Host is up.
1194/udp open|filtered openvpn

Or try this to see if a port is open:

nmap -p 22  -P0
Starting Nmap 6.40 ( ) at 2015-01-04 20:48 CST
Nmap scan report for (
Host is up (0.060s latency).
22/tcp open  ssh
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
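The checks above compare three views of a port by hand: is something listening, does ufw allow it, and does a scan see it. The following is an added example (not from the original page) that automates the first two comparisons as a POSIX shell script. The ufw status and netstat output embedded in it are constructed samples in the same layout as the output shown above; in practice replace them with the real output of `sudo ufw status` and `sudo netstat -tuln`. It also handles a rule added without a protocol (like `sudo ufw allow 1234` above), which ufw lists as a bare port number and applies to both tcp and udp.

```shell
#!/bin/sh
# Added example. UFW_STATUS and LISTENING are constructed sample outputs,
# not captured from a real host; feed real command output instead, e.g.
#   UFW_STATUS=$(sudo ufw status); LISTENING=$(sudo netstat -tuln)

UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
1194/udp                   ALLOW       Anywhere
1234                       ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
1194/udp (v6)              ALLOW       Anywhere (v6)
1234 (v6)                  ALLOW       Anywhere (v6)'

LISTENING='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:1194            0.0.0.0:*'

# ufw_allows PORT PROTO -> exit 0 if an ALLOW rule covers PORT/PROTO.
# A rule listed as a bare port (no /tcp or /udp) matches either protocol.
ufw_allows() {
    printf '%s\n' "$UFW_STATUS" | awk -v port="$1" -v want="$1/$2" '
        ($1 == want || $1 == port) && $2 == "ALLOW" { found = 1 }
        END { exit !found }'
}

# is_listening PORT PROTO -> exit 0 if a socket is bound on PORT for PROTO
# (tcp or udp, including the tcp6/udp6 rows). The port is the text after
# the last ":" of the Local Address column, which also works for ":::22".
is_listening() {
    printf '%s\n' "$LISTENING" | awk -v port="$1" -v proto="$2" '
        $1 == proto || $1 == proto "6" {
            n = split($4, a, ":")
            if (a[n] == port) found = 1
        }
        END { exit !found }'
}

# classify PORT PROTO -> prints one of:
#   reachable        listening and allowed by ufw
#   blocked          listening but no ALLOW rule (dropped by default deny)
#   allowed-but-idle ALLOW rule exists but nothing is listening
#   closed           neither
classify() {
    if is_listening "$1" "$2"; then
        if ufw_allows "$1" "$2"; then echo reachable; else echo blocked; fi
    else
        if ufw_allows "$1" "$2"; then echo allowed-but-idle; else echo closed; fi
    fi
}

# Walk the ports of interest and print the verdict for each.
for p in "1194 udp" "22 tcp" "3306 tcp" "1234 tcp" "443 tcp"; do
    set -- $p
    printf '%s/%s: %s\n' "$1" "$2" "$(classify "$1" "$2")"
done
```

The "blocked" verdict is the one worth acting on: a service that binds to 0.0.0.0 without a matching ufw rule is reachable from localhost but not from the network, which is exactly the situation the nmap check above is meant to reveal. The "allowed-but-idle" case is a stale rule that should usually be deleted with `sudo ufw delete`.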