Firewall Rule Generator

Generate properly formatted firewall rules for Linux iptables and nftables, UFW, and Windows Firewall (netsh). Choose the direction, protocol, port, source IP, and action, then copy the generated commands into your terminal or script.

[Interactive generator: tabs for iptables, UFW, Windows Firewall (netsh) and nftables]
Figure 1 — Firewall Rule Generator

What Is a Firewall Rule?

A firewall rule is an instruction that tells your firewall what to do with network traffic matching specific criteria — allow it, block it, or reject it. Every packet passing through your network is evaluated against these rules in order. Firewalls are the first line of defense for any network, whether it is your home WiFi or a corporate data center.

Understanding firewall rules is essential when setting up port forwarding, configuring a VPN on your router, or hardening your network against attacks. This generator creates properly formatted rules for the four most common firewall systems.

Supported Firewall Systems

Our generator outputs rules for four major firewall platforms. Each has its own syntax and use cases:

Firewall | Platform              | Complexity  | Best For
iptables | Linux (legacy)        | Medium-High | Detailed packet filtering, older Linux systems
UFW      | Linux (Ubuntu/Debian) | Low         | Simple server firewalls, beginners
netsh    | Windows               | Medium      | Windows Server and desktop firewalls
nftables | Linux (modern)        | Medium      | Modern Linux, replacement for iptables

Pro Tip: If you are running a Linux server and are unsure which tool to use, start with UFW. It provides a simple interface on top of iptables/nftables and is sufficient for most use cases. For advanced packet manipulation, use iptables or nftables directly. When configuring your router's port forwarding, the router's web interface typically handles the firewall rules automatically.

Understanding Rule Components

Every firewall rule consists of matching criteria and an action. Here is what each component controls:

Component      | Options                    | Description
Direction      | Inbound, Outbound, Forward | Which traffic flow the rule applies to
Protocol       | TCP, UDP, ICMP, Any        | The network protocol to match
Port           | Single, range, or multiple | Destination port number(s)
Source IP      | Single IP, CIDR range, any | Where the traffic originates
Destination IP | Single IP, CIDR range, any | Where the traffic is going
Action         | Allow, Deny (Drop), Reject | What to do with matching traffic

The difference between Drop and Reject matters. Drop silently discards the packet, so the sender sees nothing and its connection attempt times out; Reject answers with an error (an ICMP unreachable message, or a TCP reset if you configure one), so the sender fails immediately. Drop is the usual choice for public-facing firewalls: it costs the defender nothing, and a scanner has to wait out a timeout for every probe, which makes a full port scan far slower. It does not hide the firewall, though: a port scanner reports a dropped probe as "filtered", which itself tells the attacker that something is filtering, whereas a reject with a TCP reset looks like an ordinary closed port. On internal networks Reject is often kinder to legitimate clients, because they fail fast instead of hanging.
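The mapping from those components to each backend's syntax is mechanical, which is what a generator automates. The Python below is an added example, not the page's own generator code: it turns one Rule into the equivalent iptables, nftables, UFW and netsh command, translating the port-range notation each tool expects (colon for iptables and UFW, dash for netsh and nftables, the multiport match for a port list in iptables), validating the source network, and refusing combinations a backend cannot express (netsh has no Reject action and no forward direction; UFW's simple syntax has no forward direction). ICMP is left out to keep it short. The names Rule, parse_ports, generate and RENDERERS are chosen for this example, the nftables output assumes the usual 'table inet filter' with input/output/forward chains, and the Windows rule name (required by netsh) defaults to "generated".

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str              # "in", "out" or "forward"
    protocol: str               # "tcp", "udp" or "any"
    port: str | None = None     # "22", "8080:8090" (or 8080-8090), "22,80"; None = no port match
    source: str | None = None   # single IPv4 address or CIDR; None = any source
    action: str = "allow"       # "allow", "deny" (silent drop) or "reject"
    name: str = "generated"     # only Windows requires a rule name

def parse_ports(spec: str) -> list[tuple[int, int]]:
    """Accept colon or dash ranges and comma lists; return (low, high) pairs."""
    pairs = []
    for item in spec.split(","):
        low, _, high = item.strip().replace("-", ":").partition(":")
        lo, hi = int(low), (int(high) if high else int(low))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec {item!r}")
        pairs.append((lo, hi))
    return pairs

def _port_text(spec: str, range_sep: str) -> str:
    return ",".join(f"{lo}{range_sep}{hi}" if lo != hi else str(lo) for lo, hi in parse_ports(spec))

def _check(r: Rule) -> None:
    if (r.direction not in ("in", "out", "forward") or r.protocol not in ("tcp", "udp", "any")
            or r.action not in ("allow", "deny", "reject")):
        raise ValueError(f"unknown direction/protocol/action in {r}")
    if r.port is not None:
        if r.protocol == "any":
            raise ValueError("a port match needs protocol tcp or udp")
        parse_ports(r.port)
    if r.source is not None:
        # strict=True rejects "192.168.1.5/24": a firewall would silently widen it to the /24
        ipaddress.IPv4Network(r.source, strict=True)

def to_iptables(r: Rule) -> str:
    _check(r)
    parts = ["iptables", "-A", {"in": "INPUT", "out": "OUTPUT", "forward": "FORWARD"}[r.direction]]
    if r.protocol != "any":
        parts += ["-p", r.protocol]
    if r.source:
        parts += ["-s", r.source]
    if r.port:
        text = _port_text(r.port, ":")   # iptables ranges use a colon; a port list needs multiport
        parts += ["--dport", text] if len(parse_ports(r.port)) == 1 else ["-m", "multiport", "--dports", text]
    parts += ["-j", {"allow": "ACCEPT", "deny": "DROP", "reject": "REJECT"}[r.action]]
    return " ".join(parts)

def to_nftables(r: Rule) -> str:
    _check(r)   # assumes the usual 'table inet filter' with input/output/forward chains
    parts = ["nft", "add", "rule", "inet", "filter", {"in": "input", "out": "output", "forward": "forward"}[r.direction]]
    if r.source:
        parts += ["ip", "saddr", r.source]
    if r.port:
        text = _port_text(r.port, "-")   # nft ranges use a dash; a port list becomes a set in braces
        parts += [r.protocol, "dport", text if len(parse_ports(r.port)) == 1 else "{ " + text.replace(",", ", ") + " }"]
    elif r.protocol != "any":
        parts += ["meta", "l4proto", r.protocol]
    parts.append({"allow": "accept", "deny": "drop", "reject": "reject"}[r.action])
    return " ".join(parts)

def to_ufw(r: Rule) -> str:
    _check(r)
    if r.direction == "forward":
        raise ValueError("ufw's simple syntax has no forward direction; not generated here")
    parts = ["ufw", r.action, r.direction, "from", r.source or "any", "to", "any"]
    if r.port:
        parts += ["port", _port_text(r.port, ":")]   # ufw ranges use a colon, like iptables
    if r.protocol != "any":
        parts += ["proto", r.protocol]
    return " ".join(parts)

def to_netsh(r: Rule) -> str:
    _check(r)
    if r.direction == "forward" or r.action == "reject":
        raise ValueError("Windows Firewall has no forward direction and no reject action (only allow/block)")
    parts = ["netsh", "advfirewall", "firewall", "add", "rule", f'name="{r.name}"', f"dir={r.direction}",
             f"action={'allow' if r.action == 'allow' else 'block'}", f"protocol={r.protocol}"]
    if r.port:
        parts.append(f"localport={_port_text(r.port, '-')}")   # netsh ranges use a dash
    parts.append(f"remoteip={r.source or 'any'}")
    return " ".join(parts)

RENDERERS = {"iptables": to_iptables, "nftables": to_nftables, "ufw": to_ufw, "netsh": to_netsh}

def generate(rule: Rule) -> dict[str, str]:
    """Render for every backend; a backend that cannot express the rule says why instead."""
    out = {}
    for backend, render in RENDERERS.items():
        try:
            out[backend] = render(rule)
        except ValueError as err:
            out[backend] = f"# rejected: {err}"
    return out
```

Calling generate(Rule("in", "tcp", "22", "192.168.1.0/24", "allow", "Allow SSH")) yields the four "allow SSH from a subnet" commands; generate(Rule("in", "any", None, "203.0.113.5", "deny")) yields the "block one address" rule for each backend. The strict network check is deliberate: iptables and nft accept "192.168.1.5/24" and quietly match the whole /24, which is rarely what the author of the rule meant.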

Common Firewall Rule Patterns

Here are frequently needed firewall configurations that network administrators and home users regularly implement:

Allow SSH (port 22) from specific subnet

# iptables
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT

# UFW
sudo ufw allow in from 192.168.1.0/24 to any port 22 proto tcp

# Windows
netsh advfirewall firewall add rule name="Allow SSH" dir=in action=allow protocol=tcp localport=22 remoteip=192.168.1.0/24

Block all incoming traffic except established connections

# iptables (these append with -A, so any allow rules you need must already be in the chain, or be inserted above the DROP with -I)
iptables -A INPUT -i lo -j ACCEPT   # keep loopback working; local services depend on it
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # replies to connections this host opened (-m conntrack --ctstate is the modern equivalent)
iptables -A INPUT -j DROP

# UFW (this is ufw's default policy; add your SSH allow rule before running 'ufw enable' on a remote host)
sudo ufw default deny incoming
sudo ufw default allow outgoing

These patterns cover the usual case of a server reachable from your router's network. Setups with NAT and multiple subnets also need FORWARD rules (and NAT rules) on the router or gateway, because INPUT rules only govern traffic addressed to the host itself.

Note: On iptables, nftables and UFW, rules are processed in order from top to bottom and the first matching rule wins, so always place more specific rules before general ones. For example, to allow SSH from one IP but block it from everywhere else, the allow rule must come first; in the reverse order the allow is never reached. Remember that iptables -A appends to the end of the chain; use -I to insert a rule above existing ones. Windows Firewall is the exception: it does not walk rules in order, and a matching block rule overrides a matching allow rule regardless of when either was added. Test your rules carefully to avoid locking yourself out, especially on remote servers.
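To see the ordering rule concretely, here is a small first-match evaluator, an added example that is not part of the page, run over two versions of the SSH chain from the note above: specific allow before general drop, and the reverse. Beyond deciding one packet's fate, shadowed() reports rules that can never fire because an earlier rule already covers everything they could match, which is the check worth running over a long chain before committing it. Packet, Rule, evaluate, covers and shadowed are names chosen for this example, and the sample chains and packets are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str                    # source address of the packet being evaluated
    proto: str                  # "tcp" or "udp"
    dport: int | None = None    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                 # "accept", "drop" or "reject"
    src: str | None = None      # CIDR to match; None = any source
    proto: str | None = None    # None = any protocol
    dport: int | None = None    # None = any port
    comment: str = ""           # the "document your rules" practice, carried along


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion the rule sets must hold; unset criteria match anything."""
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(chain: list[Rule], pkt: Packet, policy: str = "drop") -> tuple[str, str]:
    """Walk top to bottom; the first matching rule decides, otherwise the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return policy, "chain policy"


def covers(general: Rule, specific: Rule) -> bool:
    """True when every packet `specific` could match is also matched by `general`."""
    if general.src is not None:
        if specific.src is None:
            return False
        if not ipaddress.ip_network(specific.src).subnet_of(ipaddress.ip_network(general.src)):
            return False
    if general.proto is not None and general.proto != specific.proto:
        return False
    return general.dport is None or general.dport == specific.dport


def shadowed(chain: list[Rule]) -> list[int]:
    """Indexes of rules that can never fire because an earlier rule already covers them."""
    return [j for j in range(len(chain)) if any(covers(chain[i], chain[j]) for i in range(j))]


# Constructed sample chains: allow SSH from the admin subnet, block SSH from everyone else.
ALLOW_ADMIN = Rule("accept", "192.168.1.0/24", "tcp", 22, "admin SSH")
BLOCK_SSH = Rule("drop", None, "tcp", 22, "no other SSH")
GOOD_ORDER = [ALLOW_ADMIN, BLOCK_SSH]     # specific before general
BAD_ORDER = [BLOCK_SSH, ALLOW_ADMIN]      # general first: the allow can never fire

if __name__ == "__main__":
    admin = Packet("192.168.1.10", "tcp", 22)
    print(evaluate(GOOD_ORDER, admin))     # ('accept', 'admin SSH')
    print(evaluate(BAD_ORDER, admin))      # ('drop', 'no other SSH')
    print(shadowed(BAD_ORDER))             # [1]
```

The shadow check is conservative on purpose: it only flags a rule when a single earlier rule covers it completely, so a rule that is eclipsed by the combination of several earlier rules still passes. That is enough to catch the "general before specific" mistake the note describes, which is the common way to lock yourself out.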

Firewall Best Practices

Regardless of which firewall system you use, these best practices apply universally and complement the security measures you should already have in place on your home network:

  1. Default deny — Start by blocking everything, then selectively allow only what is needed. This is the safest approach.
  2. Principle of least privilege — Only open ports that are actively used. Close everything else.
  3. Log denied traffic — Enable logging to detect attack attempts and unauthorized access. Review logs regularly.
  4. Use specific source IPs — Whenever possible, restrict access to known IP addresses or CIDR ranges.
  5. Document your rules — Use comments to explain the purpose of each rule. Future you will be grateful.
  6. Test before deploying — On remote servers, always have an out-of-band access method before applying restrictive rules.
  7. Combine with other security layers — Firewalls work best alongside strong encryption, strong admin passwords, and updated firmware.

Router Firewall vs Software Firewall

Most home routers include a built-in firewall that operates at the network perimeter. Understanding the difference between this and software firewalls helps you build a layered defense:

Feature       | Router Firewall                    | Software Firewall (iptables/UFW/Windows)
Location      | Network edge (between WAN and LAN) | On the individual device
Scope         | All devices on the network         | Only the host it runs on
Performance   | Often hardware-accelerated         | Software-based, uses the host's CPU
Configuration | Web GUI (router admin)             | Command line or GUI tools
Granularity   | Basic port/IP rules                | Per-host rules; per-program rules on Windows

For maximum security, use both: configure your router's firewall for network-wide protection and run software firewalls on individual devices for host-level defense. This layered approach is especially important when you have IoT devices on your network.

Key Takeaways
  • Always use a default-deny policy and only allow traffic you explicitly need.
  • iptables and nftables are the most flexible Linux firewalls; UFW is the easiest for beginners.
  • Drop silently discards packets and slows scanners down; Reject sends an error so the sender fails fast. Prefer Drop on external-facing firewalls, but know that a scanner still reports dropped ports as filtered.
  • Linux firewalls process rules in order, so specific rules must come before general ones; Windows Firewall instead lets any block rule override an allow.
  • Combine router firewalls with host-based firewalls for layered security.
  • Always enable logging and use comments to document your firewall rules.

Frequently Asked Questions

What is the difference between DROP and REJECT?

DROP silently discards the packet: the sender gets no response and its connection attempt eventually times out. REJECT answers with an error, by default an ICMP "port unreachable" message (iptables can send a TCP reset instead with --reject-with tcp-reset), so the sender learns immediately that the connection was refused. DROP is the usual choice for external-facing firewalls because it wastes the attacker's time: every probe has to wait for a timeout, which makes a full port scan far slower. It does not hide the firewall; a scanner such as nmap reports a dropped port as "filtered", which itself signals that something is filtering, whereas a TCP reset looks like an ordinary closed port. REJECT is friendlier on internal networks where you want legitimate clients to fail fast.

Should I use iptables or nftables?

If you are on a modern Linux distribution (Debian 10+, Ubuntu 20.04+, RHEL 8+), use nftables; it is the intended replacement for iptables. For older systems, or when following legacy documentation, iptables still works. On the newer distributions the iptables command is usually the iptables-nft shim, which translates each rule into nftables for you; iptables -V shows "(nf_tables)" when that is the case. Avoid managing the same host with both tools at once, because each only sees its own rules.

Will these rules survive a reboot?

UFW rules persist automatically. For iptables you need to save rules explicitly, with iptables-save and a package that restores them at boot (iptables-persistent on Debian/Ubuntu, iptables-services on RHEL-family systems). Windows Firewall rules persist by default. For nftables, put the ruleset in /etc/nftables.conf and enable the nftables service (systemctl enable nftables) so it is loaded at boot.

How do I block a specific IP address?

Use the generator above: set Direction to Inbound, Action to Deny, Source IP to the address you want to block, and leave the other fields at their defaults. This creates a rule that drops all incoming traffic from that address. Because Linux firewalls match rules in order, put this rule above any broad allow rule, or the allow will win.

Can I use port ranges?

Yes. iptables and UFW both use colon notation (8080:8090); netsh and nftables use a dash (8080-8090). UFW requires a protocol when you give a range (8080:8090/tcp). Multiple individual ports can be comma-separated in all four systems, but iptables needs the multiport match for that (-m multiport --dports 22,80).

What ports should I block?

With a default-deny policy every port is closed until you open it, so the real question is which ports to allow. Typical inbound allows are 80/443 (web), 22 (SSH, ideally restricted to known source addresses), and 53 (DNS, only if the host actually runs a resolver). Use our Port Checker to verify which ports are reachable from outside your network.

How do I test if my firewall rules are working?

Use our Port Checker to scan your public IP for open ports. You can also use nmap from an external machine or test from a different network. Always test both allowed and blocked traffic to verify rules work as expected.

About Tommy N.

Tommy is the founder of RouterHax and a network engineer with 10+ years of experience in home and enterprise networking. He specializes in router configuration, WiFi optimization, and network security. When not writing guides, he's testing the latest mesh WiFi systems and helping readers troubleshoot their home networks.
