Webmin gives you a graphical interface to manage Linux server firewall rules without memorising iptables syntax. Whether you're running Ubuntu with UFW, CentOS/AlmaLinux with FirewallD, or a custom iptables ruleset, Webmin's firewall modules handle it. This guide walks through setting up sensible default rules, allowing specific services, blocking malicious IPs, and avoiding the SSH lockout that catches every beginner.
Step 1: Access the Webmin Firewall Module
Log in to your Webmin panel (typically at https://your-server-ip:10000). Navigate to:
- Networking > Linux Firewall — for iptables-based systems (Debian, Ubuntu without FirewallD)
- Networking > FirewallD — for RHEL-based systems (CentOS, AlmaLinux, Rocky Linux)
If neither appears, install the module: Webmin > Webmin Configuration > Webmin Modules and search for "firewall."
Before making any changes, verify your current firewall status via SSH so you have a baseline to compare against. One firewall manager at a time: if ufw is active on Ubuntu, either keep using ufw or disable it before you start editing rules in Webmin's Linux Firewall module, because both rewrite the same iptables chains and will clobber each other's rules.
# For iptables
iptables -L -n -v
# For UFW
ufw status verbose
# For FirewallD
firewall-cmd --list-all
Step 2: Set Up Default Rules (The Right Order)
The single most important firewall principle: set your default policy to DROP, then explicitly allow what you need. Webmin's "Reset Firewall" button does this safely.
In Networking > Linux Firewall:
1. Click "Reset Firewall" at the bottom of the page.
2. Select "Block all except SSH, IDENT, ping and high ports on interface" — this creates a sensible starting ruleset that keeps your SSH connection alive while blocking everything else inbound.
3. Click "Apply Configuration."
The core of the generated ruleset is the following (in iptables-save syntax, comments on their own lines); the option name is accurate, so the real ruleset also contains entries for IDENT (113) and an accept for the unprivileged port range 1024-65535, which is wider than "everything else blocked". After Step 3 delete or narrow that high-port accept unless you actually need it (passive FTP, for example).
# Order matters: the first matching rule wins, so the catch-all DROP comes last
# loopback first: local services and Webmin's own checks never hit the rules below
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (package downloads, outbound API calls)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ping and path-MTU discovery
-A INPUT -p icmp -j ACCEPT
# SSH from anywhere (tightened to specific sources in Step 4)
-A INPUT -p tcp --dport 22 -j ACCEPT
# everything else; note this is a final rule, the chain policy itself stays ACCEPT
-A INPUT -j DROP
The ESTABLISHED,RELATED rule is critical: it allows return traffic for connections your server initiates without opening inbound ports for those services, and it must sit above the per-service rules so replies never fall through to the DROP. The distinction between a trailing DROP rule and a DROP chain policy matters for recovery (Step 7): iptables -F removes the rule but leaves a policy in place.
Step 3: Allow Essential Services Through the Firewall
With the default DROP policy in place, add allow rules for the services your server runs. In Webmin's Linux Firewall module, scroll to the Incoming Packets (INPUT chain) section and click "Add rule."
HTTP and HTTPS (web server):
- Action: Accept
- Network protocol: TCP
- Destination TCP or UDP port: 80, 443
- Connection state: New (the ESTABLISHED,RELATED rule from Step 2 already passes the rest of each connection; "New or established" works too but is redundant)
FTP (if hosting requires it):
- Port: 21 (control)
- Data connections: in active mode the server opens the data connection itself, outbound from port 20, so no inbound rule for 20 is needed. In passive mode the client connects inbound to the server's passive port range, so allow that range (e.g., 49152–65534) or configure the conntrack FTP helper so the RELATED state covers it. Prefer SFTP where you can: it runs over the SSH port and needs none of this.
Mail server (Exim/Postfix + IMAP/POP3):
- SMTP: 25, 587, 465
- IMAP: 143, 993
- POP3: 110, 995
DNS (if running a nameserver):
- Protocol: Both TCP and UDP
- Port: 53
MySQL/MariaDB (local only; never expose it to the internet):
- Source address: 127.0.0.1
- Port: 3306
Traffic from 127.0.0.1 arrives on the loopback interface, which the Step 2 ruleset already accepts, so this rule mainly documents intent. The controls that actually matter are the database's own bind-address=127.0.0.1 setting and the absence of any rule accepting 3306 from other sources; check with iptables -L -n -v that no such rule exists.
After adding each rule, click "Apply Configuration" to activate it immediately.
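Steps 2 and 3 describe the ruleset one piece at a time. The following added example (not Webmin's output and not part of the original page) generates the same structure as a single iptables-restore file, with an explicit DROP policy, a per-source SSH brute-force brake and a logging rule, so the whole thing can be reviewed, diffed and test-parsed before it replaces what Webmin applied. The SSH source network, the service list, the rate-limit numbers and the log prefix are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not Webmin's own output: emit the Step 2 + Step 3 ruleset as an
# iptables-restore file so it can be reviewed and test-loaded before going live.
# SSH source, service list, rate limits and log prefix are illustrative.

# gen_ruleset SSH_SOURCE "proto:port ..."
#   $1  CIDR allowed to reach SSH (0.0.0.0/0 = anywhere; tighten per Step 4)
#   $2  space-separated public services, e.g. "tcp:80 tcp:443 udp:53 tcp:53"
gen_ruleset() {
  ssh_src=$1
  services=$2
  cat <<EOF
*filter
# Chain policies: anything not ACCEPTed below is dropped. With a DROP policy,
# 'iptables -F' alone does NOT restore access; 'iptables -P INPUT ACCEPT' is
# needed too (see Step 7). Docker/libvirt keep their own FORWARD rules; loading
# this file wipes them, so integrate rather than overwrite on such hosts.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. loopback first: local clients (MySQL on 127.0.0.1, Webmin's own checks)
-A INPUT -i lo -j ACCEPT
# 2. replies to connections this host opened, then obviously broken packets
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 3. ping and path-MTU discovery
-A INPUT -p icmp -j ACCEPT
# 4. SSH only from the allowed source, with a per-source brute-force brake:
#    the 6th new connection from one address within 60 s is dropped
-A INPUT -p tcp --dport 22 -s $ssh_src -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -s $ssh_src -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 6 -j DROP
-A INPUT -p tcp --dport 22 -s $ssh_src -m conntrack --ctstate NEW -j ACCEPT
EOF
  # 5. one NEW-state accept per public service; ESTABLISHED is already covered
  for svc in $services; do
    printf '%s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
      '-A INPUT' "${svc%%:*}" "${svc#*:}"
  done
  cat <<'EOF'
# 6. rate-limited log of what is about to hit the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# rule_index RULESET PATTERN -> 1-based line of the first line matching PATTERN, 0 if none.
# Used to check ordering: a rule only takes effect if nothing above it matches first.
rule_index() {
  n=$(printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1)
  echo "${n:-0}"
}

# Usage (as root, on the server):
#   gen_ruleset 203.0.113.0/24 "tcp:80 tcp:443" > /root/rules.new
#   iptables-restore --test < /root/rules.new    # parse only, nothing applied
#   iptables-restore < /root/rules.new           # go live (keep a rollback armed, Step 7)
```

Because this file sets a DROP policy rather than the trailing DROP rule Webmin writes, a flush-only recovery does not apply to it; arm a timed rollback before loading it. The -m recent pair is per source address, unlike -m limit, so one scanner hammering port 22 does not throttle your own logins from elsewhere.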
Step 4: Restrict SSH to Specific IPs
Leaving SSH (port 22) open to the entire internet invites brute-force attacks. Restrict it to your office or home IP, keeping your current SSH session open the whole time:
1. In the INPUT chain, add a new Accept rule for TCP port 22 with your address in the Source address or network field, e.g., 203.0.113.50 or a range such as 203.0.113.0/24, and move it above the existing unrestricted SSH rule.
2. Add a second restricted SSH rule for your backup/monitoring IP if needed.
3. Apply, then open a second SSH session to confirm the restricted rule is the one matching (its packet counter increments in iptables -L -n -v).
4. Only then delete the original unrestricted SSH rule and apply again.
If you have a dynamic IP, use a VPN instead of IP restriction and allow SSH only from the VPN subnet. In either case use key-based authentication and disable password logins; the source filter is a first line of defence, not the last.
Also consider moving SSH from port 22 to a high port (e.g., 2222 or 47392) to reduce log noise from automated scanners; it does nothing against a targeted attacker. Do it in this order: add the firewall rule for the new port first, then set Port 2222 in /etc/ssh/sshd_config and restart the daemon (systemctl restart sshd; the unit is named ssh on Debian/Ubuntu). On RHEL-family systems with SELinux enforcing, also label the new port for sshd with semanage before restarting, or sshd will refuse to bind it. Test a login on the new port from a second terminal before removing the port 22 rule.
Step 5: Block Malicious IPs
To block a specific IP or range in Webmin's Linux Firewall:
1. In the INPUT chain, click "Add rule."
2. Action: Drop
3. Source address: the malicious IP or CIDR range (e.g., 185.220.101.0/24)
4. Move this rule to the top of the INPUT chain using the up-arrow in the Move column. Rules are evaluated in order and the first match wins, so a DROP must sit above any ACCEPT that would match the same traffic; putting it first also places it ahead of the ESTABLISHED,RELATED rule, so a connection that address already has open is cut rather than allowed to continue.
For bulk IP blocking, it's faster via SSH using ipset (a hash:net set accepts both single addresses and CIDR ranges; hash:ip accepts addresses only):
# Create the set and load entries (single IPs and ranges)
ipset create blacklist hash:net
ipset add blacklist 185.220.101.45
ipset add blacklist 185.220.101.0/24
# Position 1: ahead of the ESTABLISHED,RELATED accept, so open connections are cut too
iptables -I INPUT 1 -m set --match-set blacklist src -j DROP
# Save the set as well as the rules: iptables-save records the DROP rule but not the
# set's contents, and the rule fails to load at boot if the set does not exist yet
ipset save > /etc/ipset.conf
iptables-save > /etc/iptables/rules.v4
At boot the set must be restored before the rules that reference it (on Debian/Ubuntu the ipset-persistent plugin for netfilter-persistent handles this; elsewhere run ipset restore from /etc/ipset.conf in whatever loads rules.v4).
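The ipset commands above are fine for a handful of addresses. A maintained blocklist needs two more things: validation (one malformed entry such as 999.1.1.1 makes ipset restore abort part-way through the file) and an update that never leaves the live set half-empty while it is being refilled. The added example below (not from the page and not Webmin's code) turns a text blocklist into ipset restore input for a temporary set, then swaps it into place atomically. The set name, file paths and the sample entries are constructed for illustration; the sample uses RFC 5737 documentation ranges rather than real attacker addresses.

```shell
#!/bin/sh
# Added example, not from the page: validate a text blocklist (one IPv4 address
# or CIDR per line, '#' comments allowed) and load it into an ipset atomically.
# Set name "blacklist", the file paths and the sample entries are illustrative.

# valid_ipv4_net ENTRY -> 0 if ENTRY is a.b.c.d or a.b.c.d/N with sane octets and prefix
valid_ipv4_net() {
  case $1 in
    */*) net=${1%/*}; bits=${1#*/} ;;
    *)   net=$1;       bits=32 ;;
  esac
  # prefix length must be an integer 0-32
  case $bits in ''|*[!0-9]*) return 1 ;; esac
  [ "$bits" -le 32 ] || return 1
  # address part: digits and dots only, no leading/trailing/double dots, four octets 0-255
  case $net in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $net; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# gen_ipset_restore SETNAME FILE -> 'ipset restore' input that creates the live set
# if missing and fills SETNAME_tmp; invalid entries are reported on stderr and skipped.
gen_ipset_restore() {
  set_name=$1
  file=$2
  tmp_set="${set_name}_tmp"
  printf 'create %s hash:net family inet\n' "$set_name"
  printf 'create %s hash:net family inet\n' "$tmp_set"
  # strip comments and whitespace, drop blank lines, de-duplicate, validate
  sed 's/#.*//; s/[[:space:]]//g' "$file" | grep -v '^$' | sort -u |
  while IFS= read -r e; do
    if valid_ipv4_net "$e"; then
      printf 'add %s %s\n' "$tmp_set" "$e"
    else
      printf 'skipping invalid blocklist entry: %s\n' "$e" >&2
    fi
  done
}

# apply_blocklist SETNAME FILE: fill the temp set, swap it in, discard the old copy.
# Needs root and ipset; the DROP rule from the page keeps pointing at SETNAME throughout.
# An existing set of a different type (e.g. the page's hash:ip) must be destroyed first.
apply_blocklist() {
  ipset destroy "${1}_tmp" 2>/dev/null || true          # leftover from an aborted run
  gen_ipset_restore "$1" "$2" | ipset -exist restore    # -exist: creating an identical set is OK
  ipset swap "${1}_tmp" "$1"                            # atomic from the packet path's view
  ipset destroy "${1}_tmp"
  ipset save > /etc/ipset.conf                          # so the set exists again at boot
}

# write_sample_blocklist PATH: constructed sample input (documentation ranges only)
write_sample_blocklist() {
  cat > "$1" <<'EOF'
# constructed sample blocklist, RFC 5737 ranges, not real attackers
203.0.113.45
203.0.113.0/24      # whole range; the /32 above becomes redundant but harmless
198.51.100.7
203.0.113.45        # duplicate, collapsed by sort -u
256.1.1.1           # invalid octet, skipped
198.51.100.0/33     # invalid prefix, skipped
not-an-ip
EOF
}
```

Run apply_blocklist blacklist /etc/blocklist.txt from cron or after each feed update; packets in flight see either the old set or the new one, never an empty one. The swap only works when both sets have the same type, which is why the generator always creates hash:net.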
Step 6: Using the FirewallD Module (AlmaLinux / Rocky Linux)
On RHEL-based systems with FirewallD, Webmin's FirewallD module offers a zone-based interface. Navigate to Networking > FirewallD.
1. Assign your network interface to the correct zone. public is the restrictive default for internet-facing interfaces (only a handful of services such as ssh are allowed); internal is intended for private LAN interfaces and allows a few more by default; trusted accepts everything and must never be bound to a public interface. Check which zones are in use with firewall-cmd --get-active-zones.
2. Add services to a zone: In the Public zone, click "Add allowed service" and select from the predefined list: http, https, smtp, ssh, etc. FirewallD knows the port numbers for named services automatically.
3. Add custom ports: If a service isn't in the predefined list, use "Add allowed port": enter the port number and protocol.
4. Make rules permanent: FirewallD runtime rules don't survive a reboot. After testing, click "Make Rules Permanent" in the Webmin module — equivalent to firewall-cmd --runtime-to-permanent.
Step 7: Avoid Locking Yourself Out of SSH
The single most common Webmin firewall mistake: applying a DROP-all rule without first verifying your SSH ACCEPT rule is in place. If this happens:
- Cloud servers (AWS, Azure, DigitalOcean): use the provider's web console (serial or browser console, not SSH) to log in and clear the inbound rules:
iptables -P INPUT ACCEPT
iptables -F INPUT
- Dedicated servers: use IPMI/KVM-over-IP or ask your host for console access, then run the same two commands.
- VPS with VNC access: connect via VNC in your provider's portal and run the same two commands.
The -P line matters: iptables -F only deletes rules, so if the chain policy itself is DROP (as hand-written or imported rulesets often set it), a flush alone leaves you locked out.
Prevention: before applying new firewall rules, arm a timed rollback that restores the last working ruleset; if the new rules cut you off, the timer lets you back in. Cron is the wrong tool for this (a */5 entry fires every five minutes by the clock, not five minutes from now, and a user crontab has no user field), so use a detached timer instead:
iptables-save > /root/rules.good          # snapshot the rules that work right now
# Detached timer: in 5 minutes, restore that snapshot (policies included)
nohup sh -c 'sleep 300; iptables-restore < /root/rules.good' >/dev/null 2>&1 &
echo $! > /root/rollback.pid
# Apply the new rules in Webmin, confirm a fresh SSH login works, then cancel:
kill "$(cat /root/rollback.pid)"
Cancel the timer as soon as a new SSH session succeeds; if you forget, it simply puts the previous rules back and you try again. Debian and Ubuntu ship iptables-apply, which wraps the same idea: it loads a rules file and reverts unless you confirm within a timeout.
Step 8: Save Firewall Rules Persistently
Webmin's "Apply Configuration" activates rules immediately but they may not survive a reboot depending on your system setup.
# Debian/Ubuntu — install persistence:
apt install iptables-persistent
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
# RHEL/CentOS with iptables-services:
service iptables save
# FirewallD — make permanent:
firewall-cmd --runtime-to-permanent
Webmin's Linux Firewall module can also write the rules to its own save file and reload them at boot; check that the activate-at-boot option in Networking > Linux Firewall is enabled, and confirm after a reboot with iptables -L -n -v that the rules came back. Remember that IPv6 has its own table: a DROP-all in iptables leaves ip6tables untouched, so on a dual-stack host repeat the ruleset in Webmin's Linux IPv6 Firewall module (or with ip6tables) and save it to rules.v6 as shown above.
