How to Set Up and Manage Your Linux Server Firewall in Webmin (2026)

Priya

Content Writer & Researcher

Last Updated: 29 June 2026

How to Set Up and Manage Your Linux Server Firewall in Webmin (2026)

🖥️

Need Your Linux Server Firewall Locked Down Properly?

CloudHouse Technologies configures and hardens Linux server firewalls — iptables, FirewallD, UFW — so your server is protected without blocking legitimate traffic. We work with Webmin, cPanel/WHM, Plesk, and bare-metal setups.

🔧 Book Free Diagnosis Call Now WhatsApp

🖥️12,400+PCs Fixed

⭐4.9★Google Rating

⚡<15 minAvg. Response

🛡️ISO 27001Certified

Webmin gives you a graphical interface to manage Linux server firewall rules without memorising iptables syntax. Whether you're running Ubuntu with UFW, CentOS/AlmaLinux with FirewallD, or a custom iptables ruleset, Webmin's firewall modules handle it. This guide walks through setting up sensible default rules, allowing specific services, blocking malicious IPs, and avoiding the SSH lockout that catches every beginner.

Step 1: Access the Webmin Firewall Module

Networking > Linux Firewall — for iptables-based systems (Debian, Ubuntu without FirewallD)
Networking > FirewallD — for RHEL-based systems (CentOS, AlmaLinux, Rocky Linux)

If neither appears, install the module: Webmin > Webmin Configuration > Webmin Modules and search for "firewall."

Before making any changes, verify your current firewall status via SSH so you have a baseline to compare against:

# For iptables
iptables -L -n -v

# For UFW
ufw status verbose

# For FirewallD
firewall-cmd --list-all

💡 None of these worked? Skip the guesswork.

Get Expert Help →

Step 2: Set Up Default Rules (The Right Order)

The single most important firewall principle: set your default policy to DROP, then explicitly allow what you need. Webmin's "Reset Firewall" button does this safely.

In Networking > Linux Firewall:

1. Click "Reset Firewall" at the bottom of the page.

2. Select "Block all except SSH, IDENT, ping and high ports on interface" — this creates a sensible starting ruleset that keeps your SSH connection alive while blocking everything else inbound.

3. Click "Apply Configuration."

This creates the following baseline ruleset in iptables:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP

The ESTABLISHED,RELATED rule is critical — it allows return traffic for connections your server initiates (package downloads, outbound API calls) without opening inbound ports for those services.

Step 3: Allow Essential Services Through the Firewall

With the default DROP policy in place, add allow rules for the services your server runs. In Webmin's Linux Firewall module, scroll to the Incoming Packets (INPUT chain) section and click "Add rule."

HTTP and HTTPS (web server):

Action: Accept
Network protocol: TCP
Destination TCP or UDP port: 80, 443
Connection state: New or established

FTP (if hosting requires it):

Port: 21 (control) — also add 20 for active FTP data transfer
For passive FTP, also allow your passive port range (e.g., 49152–65534)

Mail server (Exim/Postfix + IMAP/POP3):

SMTP: 25, 587, 465
IMAP: 143, 993
POP3: 110, 995

DNS (if running a nameserver):

Protocol: Both TCP and UDP
Port: 53

MySQL/MariaDB (local only — never expose to internet):

Source address: 127.0.0.1
Port: 3306

After adding each rule, click "Apply Configuration" to activate it immediately.

Step 4: Restrict SSH to Specific IPs

Leaving SSH (port 22) open to the entire internet invites brute-force attacks. Restrict it to your office or home IP:

1. Find your existing SSH ACCEPT rule in the INPUT chain.

2. Edit it and add your IP address in the Source address or network field: e.g., 203.0.113.50 or a range 203.0.113.0/24.

3. Add a second SSH rule for your backup/monitoring IP if needed.

4. Delete the original unrestricted SSH rule.

If you have a dynamic IP, use an SSH key-based VPN instead of IP restriction — restrict SSH to the VPN subnet.

Also consider changing the SSH port from 22 to a high port (e.g., 2222 or 47392) to reduce log noise from automated scanners. Update the firewall rule to match, then edit /etc/ssh/sshd_config: Port 2222, then systemctl restart sshd.

Step 5: Block Malicious IPs

To block a specific IP or range in Webmin's Linux Firewall:

1. In the INPUT chain, click "Add rule."

2. Action: Drop

3. Source address: the malicious IP or CIDR range (e.g., 185.220.101.0/24)

4. Move this rule to the top of the INPUT chain using the up-arrow in the Move column — rules are evaluated in order, and a DROP rule must appear before any ACCEPT rules to take effect.

For bulk IP blocking, it's faster via SSH using ipset:

ipset create blacklist hash:ip
ipset add blacklist 185.220.101.45
iptables -I INPUT -m set --match-set blacklist src -j DROP
# Save rules
iptables-save > /etc/iptables/rules.v4

Step 6: Using the FirewallD Module (AlmaLinux / Rocky Linux)

On RHEL-based systems with FirewallD, Webmin's FirewallD module offers a zone-based interface. Navigate to Networking > FirewallD.

1. Assign your network interface to the correct zone: The public zone is restrictive (good for internet-facing interfaces). The internal zone is permissive (good for private LAN interfaces).

2. Add services to a zone: In the Public zone, click "Add allowed service" and select from the predefined list: http, https, smtp, ssh, etc. FirewallD knows the port numbers for named services automatically.

3. Add custom ports: If a service isn't in the predefined list, use "Add allowed port": enter the port number and protocol.

4. Make rules permanent: FirewallD runtime rules don't survive a reboot. After testing, click "Make Rules Permanent" in the Webmin module — equivalent to firewall-cmd --runtime-to-permanent.

Step 7: Avoid Locking Yourself Out of SSH

The single most common Webmin firewall mistake: applying a DROP-all rule without first verifying your SSH ACCEPT rule is in place. If this happens:

Cloud servers (AWS, Azure, DigitalOcean): Use the cloud provider's web console to access your server directly (not via SSH) and flush iptables: iptables -F
Dedicated servers: Use IPMI/KVM-over-IP or contact your host for console access
VPS with VNC access: Connect via VNC in your provider's portal and run iptables -F

Prevention: Before applying new firewall rules, always set up a cron job that flushes rules after 5 minutes — if you lose access, the cron saves you:

crontab -e
# Add this line — flushes iptables 5 minutes from now:
*/5 * * * * root iptables -F && crontab -r

Remove the cron job immediately after verifying your new rules work.

Step 8: Save Firewall Rules Persistently

Webmin's "Apply Configuration" activates rules immediately but they may not survive a reboot depending on your system setup.

# Debian/Ubuntu — install persistence:
apt install iptables-persistent
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

# RHEL/CentOS with iptables-services:
service iptables save

# FirewallD — make permanent:
firewall-cmd --runtime-to-permanent

Webmin also has a "Save Configuration" option that writes rules to a script loaded at boot — verify this is enabled under Networking > Linux Firewall > Bootup and Shutdown.

FAQs

Get the Free Linux Server Admin Cheatsheet (PDF)

Essential commands for server management, networking, and troubleshooting — all on one printable page.

Running Linux servers? Let us manage them for you.

Our Managed Linux Server plans cover updates, security hardening, monitoring, and 24/7 incident response — so your servers stay up and your team stays focused.

Proactive OS patching and security updates
24×7 monitoring with instant alerting
Backup configuration and disaster recovery
Dedicated Linux engineers on call

See Pricing Plans →

What our customers say

“Our production server went down at 2 AM. CloudHouse had it back online in under 20 minutes. Incredible response time.”

Arun S.

CTO, SaaS Startup

“They migrated our entire infrastructure from Ubuntu 18 to 22 with zero downtime. Couldn't have asked for better.”

Deepak N.

DevOps Lead

Frequently Asked Questions

No. Webmin does not have a dedicated UFW module. Webmin's Linux Firewall module interfaces directly with iptables, and the FirewallD module interfaces with FirewallD. On Ubuntu servers, UFW is a frontend to iptables, so rules you set in UFW are visible in iptables but Webmin's module won't show them in UFW's native format. The recommended approach is to either use Webmin's iptables module directly and disable UFW (ufw disable), or manage UFW entirely via the command line and not through Webmin.

Book your free 15-minute diagnosis

A certified technician will call you back within 15 minutes during business hours.

Share this article

Comments (0)

Loading comments...