Firewall Rule Generator
Define firewall rules once, export to 6 formats: iptables, nftables, UFW, AWS Security Groups, Azure NSG, or GCP Firewall. Built-in conflict detection. 100% client-side — nothing leaves your browser.
Linux netfilter
iptables Settings
Generated Rules
#!/bin/bash # Generated by RawOps.dev — Firewall Rule Generator # Format: iptables # Set ACCEPT first to avoid lockout during rule loading iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT # Flush existing rules iptables -F INPUT iptables -F OUTPUT # Allow loopback iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # Allow established and related connections iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Apply default policies (set last to prevent lockout) iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP
Quick Recipes
Click a recipe to populate the form with common firewall rules.
Firewall Configuration Guide
A firewall controls network traffic by enforcing rules that allow or deny connections based on IP addresses, ports, and protocols. On Linux servers, iptables (legacy) and nftables (modern replacement) are the standard kernel-level packet filters. UFW provides a simpler interface on top of iptables for Ubuntu/Debian systems. Cloud providers offer their own abstractions: AWS Security Groups, Azure NSGs, and GCP Firewall Rules.
Linux Firewall Comparison
| Feature | iptables | nftables | UFW |
|---|---|---|---|
| Status | Legacy (still widely used) | Recommended (kernel 3.13+) | Frontend for iptables |
| Syntax | Command-line flags | Structured ruleset file | Simple keywords |
| Atomic updates | No (per-rule) | Yes (full ruleset) | No |
| IPv6 | Separate ip6tables | Unified (inet family) | Built-in |
| Learning curve | Steep | Moderate | Easy |
Cloud Firewall Comparison
| Feature | AWS SG | Azure NSG | GCP Firewall |
|---|---|---|---|
| Default | Deny all inbound | Deny all inbound | Deny all inbound |
| Deny rules | Not supported | Supported | Supported |
| Priority | Not applicable | 100-4096 | 0-65534 |
| Stateful | Yes (always) | Yes (always) | Yes (always) |
| Scope | VPC + instance | Subnet or NIC | Network + tags |
Common Ports Reference
| Port | Protocol | Service |
|---|---|---|
| 22 | TCP | SSH |
| 53 | TCP/UDP | DNS |
| 80 | TCP | HTTP |
| 443 | TCP | HTTPS |
| 3306 | TCP | MySQL / MariaDB |
| 5432 | TCP | PostgreSQL |
| 6379 | TCP | Redis |
| 6443 | TCP | Kubernetes API |
| 8080 | TCP | HTTP Alternate |
| 9090 | TCP | Prometheus |
| 27017 | TCP | MongoDB |
| 30000-32767 | TCP | Kubernetes NodePort |
| 51820 | UDP | WireGuard |
iptables Packet Flow & Chain Architecture
Understanding how packets traverse iptables chains is essential for writing correct rules. Packets follow different paths depending on whether they're destined for the local machine, being forwarded (routed), or originating from the local machine:
Incoming Packet
│
▼
PREROUTING (nat, mangle) ─── Destination NAT (DNAT), port forwarding
│
├── For local machine? ──▶ INPUT (filter) ──▶ Local Process
│ │
└── For another host? ──▶ FORWARD (filter) ──────┐
│
▼
Local Process ──▶ OUTPUT (filter, nat) ──▶ POSTROUTING (nat, mangle)
│
◀────────────────┘
│
▼
Network (out)
Key rules:
• Firewall rules for server services → INPUT chain
• Firewall rules for routed traffic → FORWARD chain (routers, Docker hosts)
• NAT rules (port forwarding) → PREROUTING + POSTROUTING
• Outbound filtering → OUTPUT chain (rarely needed)In nftables, the same concepts apply but chains are user-defined. You create chains with explicit types (type filter hook input) instead of the fixed chain names.
iptables vs nftables: Syntax Comparison
nftables replaces iptables with a cleaner syntax and better performance. Here are the same rules written in both formats:
| Task | iptables | nftables |
|---|---|---|
| Allow SSH | iptables -A INPUT -p tcp --dport 22 -j ACCEPT | nft add rule inet filter input tcp dport 22 accept |
| Allow from subnet | iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT | nft add rule inet filter input ip saddr 10.0.0.0/8 accept |
| Drop all inbound | iptables -P INPUT DROP | nft add rule inet filter input drop |
| Conntrack | iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | nft add rule inet filter input ct state established,related accept |
| Log + drop | iptables -A INPUT -j LOG --log-prefix "DROP: " | nft add rule inet filter input log prefix "DROP: " drop |
| List rules | iptables -L -n -v --line-numbers | nft list ruleset |
Key nftables advantages: atomic ruleset updates (replace entire ruleset in one operation), unified IPv4/IPv6 (inet family handles both), sets and maps (match against lists without multiple rules), and better performance (fewer kernel modules).
Docker & iptables: The DOCKER-USER Chain
Docker modifies iptables rules automatically, which can bypass your INPUT chain rules. When you publish a port (-p 8080:80), Docker adds DNAT rules in PREROUTING and FORWARD chain rules that bypass INPUT entirely.
# Problem: This rule does NOT block Docker-published ports! iptables -A INPUT -p tcp --dport 8080 -j DROP # Useless for Docker ports # Solution: Use the DOCKER-USER chain (processed before Docker's rules) iptables -I DOCKER-USER -p tcp --dport 8080 -s 0.0.0.0/0 -j DROP iptables -I DOCKER-USER -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT # Allow only specific IPs to access Docker-published ports iptables -I DOCKER-USER -i eth0 -j DROP iptables -I DOCKER-USER -i eth0 -s 10.0.0.0/8 -j RETURN iptables -I DOCKER-USER -i eth0 -p tcp --dport 80 -j RETURN iptables -I DOCKER-USER -i eth0 -p tcp --dport 443 -j RETURN # Persist DOCKER-USER rules (they survive Docker restarts) # Create a systemd service that loads rules on boot
This is the most common Docker security mistake: administrators add INPUT chain rules thinking they protect Docker services, but published ports are routed through the FORWARD chain. Always use DOCKER-USER for firewall rules on Docker hosts. Alternatively, bind ports to 127.0.0.1 and use a reverse proxy.
Common Firewall Mistakes
| Mistake | Consequence | Fix |
|---|---|---|
| Locking yourself out via SSH | Can't access server remotely | Always add SSH allow rule FIRST, use at command to auto-flush rules after 5 min |
| No conntrack rule | Return traffic blocked (outbound DNS, apt, etc.) | Add ESTABLISHED,RELATED rule before specific rules |
| Rules not persisted | Rules lost on reboot | Use iptables-persistent or nft -f /etc/nftables.conf |
| Forgetting IPv6 | IPv6 traffic bypasses IPv4 rules | Use ip6tables or nftables inet family for dual-stack |
| REJECT vs DROP | DROP causes timeouts; REJECT sends RST/ICMP | Use REJECT for internal services (faster failure), DROP for internet-facing (no info to attacker) |
| Docker bypasses INPUT | Published ports accessible despite INPUT DROP | Use DOCKER-USER chain or bind to 127.0.0.1 |
IPv6 Support
This generator fully supports IPv6 addresses and CIDR ranges. Enter IPv6 CIDRs like 2001:db8::/32, fe80::1/64, or ::/0 (all IPv6) in source/destination fields. For iptables, IPv6 rules are automatically output as ip6tables commands with essential ICMPv6 rules included. For nftables, the inet family handles both IPv4 and IPv6 in a single ruleset. UFW and cloud formats (AWS, Azure, GCP) pass IPv6 CIDRs through natively. The conflict detection engine correctly handles IPv6 range overlap analysis.
Privacy First
All rules are generated entirely in your browser using JavaScript. Your IP addresses, subnets, and infrastructure details are never sent to any server. This tool has zero backend dependencies.