iptables vs UFW, chown vs chmod, Permissions & Groups
iptables is the low-level Linux firewall utility that directly interfaces with the kernel's netfilter framework. It gives granular control over packet filtering rules (chains, tables, matches, targets) but has a verbose and complex syntax.
UFW (Uncomplicated Firewall) is a frontend for iptables designed to simplify common tasks. Under the hood, it just generates iptables rules for you.
| Aspect | iptables | UFW |
|---|---|---|
| Complexity | Must understand chains (INPUT, OUTPUT, FORWARD), tables (filter, nat, mangle) | Simple commands like ufw allow 22 |
| Use Case | NAT, port forwarding, custom chains, rate limiting, packet mangling | Straightforward host-based server firewalling |
| Persistence | Rules are ephemeral — need iptables-save or iptables-persistent | Handles persistence automatically |
| App Profiles | None | Built-in (e.g. ufw allow 'OpenSSH') |
On current distributions the iptables command is usually a compatibility layer (iptables-nft) that translates rules onto nftables.
You don't actually remove iptables — UFW depends on it. You just flush existing rules and let UFW manage everything.
```bash
# Flush all rules and user-defined chains in every table, then reset default policies to ACCEPT
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

# Remove the old persistence package so it stops restoring stale rules at boot
sudo apt remove iptables-persistent

# Install UFW and set a deny-by-default inbound policy, then open only what the host serves
sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Turn it on and confirm the resulting rule set
sudo ufw enable
sudo ufw status verbose
```
/etc/network/if-pre-up.d/ so they don't conflict.
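As an added check (not part of the original notes), the function below reads the output of sudo ufw status verbose and compares it against the baseline you intended: firewall active, default deny incoming, and no ALLOW IN rules beyond an allowed list. The sample status text is constructed for the example, and the 3306/tcp rule in it is a hypothetical leftover used to show drift; only sh and awk are needed.

```shell
# Constructed sample of `ufw status verbose` output (not captured from a real host);
# the hypothetical 3306/tcp rule stands in for a port that drifted from the baseline.
UFW_SAMPLE='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# ufw_audit "<allowed rules>"   (status text on stdin)
# Exit status: 0 = matches the baseline
#              1 = firewall inactive, or default inbound policy is not deny
#              2 = at least one ALLOW IN rule is not in the allowed list (each one is printed)
ufw_audit() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^Status: active/                   { active = 1 }
    /^Default:/ && /deny \(incoming\)/  { deny_in = 1 }
    /ALLOW IN/ && !($1 in ok)           { print "unexpected rule: " $0; bad++ }
    END {
      if (!active)  { print "firewall is not active"; exit 1 }
      if (!deny_in) { print "default incoming policy is not deny"; exit 1 }
      exit (bad ? 2 : 0)
    }'
}

# Demo against the constructed sample: 3306/tcp is not on the allowed list, so this reports drift
printf '%s\n' "$UFW_SAMPLE" | ufw_audit "22/tcp 80/tcp 443/tcp" || echo "baseline drift detected (rc=$?)"
```

On a real host run sudo ufw status verbose | ufw_audit "22/tcp 80/tcp 443/tcp" and feed the exit code to cron or your config-management check. One ordering caveat for the flush step above: if the existing INPUT policy is DROP, running iptables -F before iptables -P INPUT ACCEPT leaves the chain empty with a DROP policy, which also kills the SSH session you are typing in, so when working remotely set the policies to ACCEPT first.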
chown changes who owns a file — the user and/or group.
```bash
# Change owner and group
sudo chown alice:developers file.txt
# Change owner only
sudo chown alice file.txt
# Change group only
sudo chown :developers file.txt
# Recursive (all files in directory)
sudo chown -R ubuntu:www-data /var/www/html
```
chmod changes what they can do — read, write, execute for owner, group, and others.
```bash
# Set specific permissions
chmod 750 /var/www/html
# Common permissions
chmod 644 file.txt      # owner rw, group r, others r
chmod 755 script.sh     # owner rwx, group rx, others rx
chmod 600 secret.key    # owner rw only
```
chown instead.
| Number | Read (r) | Write (w) | Execute (x) | Meaning |
|---|---|---|---|---|
| 7 | ✓ | ✓ | ✓ | Full access |
| 6 | ✓ | ✓ | ✗ | Read + Write |
| 5 | ✓ | ✗ | ✓ | Read + Execute |
| 4 | ✓ | ✗ | ✗ | Read only |
| 0 | ✗ | ✗ | ✗ | No access |
The math: r=4 + w=2 + x=1 — add them up for each group.
Example: -rwxr-x---

| Characters | Part | Meaning | Number |
|---|---|---|---|
| - | File type | - = file, d = directory | — |
| rwx | Owner | read ✓ write ✓ execute ✓ | 4+2+1 = 7 |
| r-x | Group | read ✓ write ✗ execute ✓ | 4+0+1 = 5 |
| --- | Others | read ✗ write ✗ execute ✗ | 0+0+0 = 0 |
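To make the arithmetic concrete, here is an added example (my code, not from the original notes) that converts between the nine-character rwx string and the octal number in both directions using the same r=4, w=2, x=1 weights. It goes a step beyond the table by also handling the setuid/setgid/sticky letters (s/S/t/T) as a leading digit and by ignoring the trailing + or . that ls appends when an ACL or security label is present. It needs only sh and awk.

```shell
# mode_to_octal "<ls -l mode string>"  ->  octal mode, e.g. -rwxr-x--- -> 750
# Applies the table's arithmetic (r=4, w=2, x=1) to each of the owner/group/others triplets.
# Beyond the table: s/S/t/T become a leading setuid(4)/setgid(2)/sticky(1) digit, and a trailing
# "+" or "." (ACL / security label marker from ls) is ignored.
mode_to_octal() {
  printf '%s\n' "$1" | awk '
    length($0) < 10 { print "bad mode string: " $0 > "/dev/stderr"; exit 1 }
    {
      s = substr($0, 2, 9)              # drop the file-type character (- or d)
      special = 0; digits = ""
      for (g = 0; g < 3; g++) {         # g: 0 = owner, 1 = group, 2 = others
        r = substr(s, g*3 + 1, 1); w = substr(s, g*3 + 2, 1); x = substr(s, g*3 + 3, 1)
        v = 0
        if (r == "r") v += 4
        if (w == "w") v += 2
        if (x == "x" || x == "s" || x == "t") v += 1         # lower-case s/t also mean execute
        if (g == 0 && (x == "s" || x == "S")) special += 4   # setuid
        if (g == 1 && (x == "s" || x == "S")) special += 2   # setgid
        if (g == 2 && (x == "t" || x == "T")) special += 1   # sticky
        digits = digits v
      }
      prefix = special ? special : ""
      print prefix digits
    }'
}

# octal_to_mode "<octal>"  ->  nine-character rwx string, e.g. 750 -> rwxr-x--- (4755 -> rwsr-xr-x)
octal_to_mode() {
  printf '%s\n' "$1" | awk '
    $0 !~ /^[0-7][0-7][0-7][0-7]?$/ { print "bad octal mode: " $0 > "/dev/stderr"; exit 1 }
    {
      special = (length($0) == 4) ? substr($0, 1, 1) + 0 : 0
      p = substr($0, length($0) - 2)    # last three digits: owner, group, others
      out = ""
      for (g = 0; g < 3; g++) {
        d = substr(p, g + 1, 1) + 0
        rc = (d >= 4) ? "r" : "-"; d = d % 4
        wc = (d >= 2) ? "w" : "-"; d = d % 2
        xc = (d == 1) ? "x" : "-"
        if (g == 0 && int(special / 4) % 2 == 1) xc = (d == 1) ? "s" : "S"   # setuid
        if (g == 1 && int(special / 2) % 2 == 1) xc = (d == 1) ? "s" : "S"   # setgid
        if (g == 2 && special % 2 == 1)          xc = (d == 1) ? "t" : "T"   # sticky
        out = out rc wc xc
      }
      print out
    }'
}

# Demo with the example string from the table and a common file mode
mode_to_octal -rwxr-x---    # 750
octal_to_mode 644           # rw-r--r--
```

Feed it a real listing with something like ls -l /var/www/html | awk 'NR>1 {print $1}' | while read m; do mode_to_octal "$m"; done to see the octal modes the way chmod expects them.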
```bash
# All groups on the system
cat /etc/group
# Your current user's groups
groups
# Detailed info for current user
id
# Groups for a specific user
groups username
id username
# Search for a specific group
getent group groupname
```

```bash
# Create a new group
sudo groupadd mygroup
# Add user to a group (append!)
sudo usermod -aG mygroup username
# Remove user from a group
sudo gpasswd -d username mygroup
```
The -aG flag in usermod is critical — -a means append. Without it, the user gets removed from all other supplementary groups! After adding a user to a group, log out and back in (or run newgrp mygroup) so the new membership applies to your shell.
On a fresh Ubuntu install, your first user has sudo access. Always use sudo for package installs:
```bash
# Without sudo — will fail!
apt install apache2 -y
# Error: Permission denied / are you root?

# With sudo — works!
sudo apt update && sudo apt install apache2 -y
```
```bash
# Give another user sudo access by appending them to the sudo group
sudo usermod -aG sudo username
```
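The lookups above read /etc/passwd and /etc/group, which are plain colon-separated text files. As an added example (my code, not from the notes), the functions below reproduce what groups username and getent group report, using constructed copies of those two files, so you can see where the primary group and the supplementary groups come from and audit who is in the sudo group without depending on the host's tools. The sample users and groups are made up for the example.

```shell
# Constructed /etc/passwd and /etc/group samples (made up for this example, not from any real host)
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
sudo:x:27:ubuntu,alice
www-data:x:33:
ubuntu:x:1000:
alice:x:1001:
developers:x:1002:alice
mygroup:x:1003:ubuntu
EOF

# user_groups <user> [passwd-file] [group-file]
# Prints what `groups <user>` prints: the primary group (GID field of passwd, resolved through
# group) followed by every group whose member list names the user. Exit 1 if the user is unknown.
user_groups() {
  awk -F: -v user="$1" '
    FNR == NR { if ($1 == user) gid = $3; next }        # first file: passwd -> remember the GID
    gid != "" && $3 == gid { primary = $1 }             # second file: group -> name of that GID
    { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == user) supp = supp " " $1 }
    END { if (primary == "") exit 1; print primary supp }
  ' "${2:-$SAMPLE_DIR/passwd}" "${3:-$SAMPLE_DIR/group}"
}

# group_members <group> [group-file]
# Prints the supplementary members of a group (what `getent group sudo` shows in its last field).
# Exit 1 if the group does not exist.
group_members() {
  awk -F: -v grp="$1" '
    $1 == grp { gsub(",", " ", $4); print $4; found = 1 }
    END { exit !found }
  ' "${2:-$SAMPLE_DIR/group}"
}

# Demo on the samples; pass /etc/passwd /etc/group as the file arguments to run against the host
user_groups alice        # alice sudo developers
group_members sudo       # ubuntu alice
```

Listing group_members sudo /etc/group is the quickest way to see every account that can escalate to root after a round of usermod -aG sudo; remove the sample directory with rm -rf "$SAMPLE_DIR" when done.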
After installing Apache, files in /var/www/html/ are owned by root:root — your user can't edit them.
```bash
ls -la /var/www/html/
# -rw-r--r-- 1 root root 10918 index.html
```
```bash
ps aux | grep apache
# www-data 14579 ... /usr/sbin/apache2 -k start
# www-data 14580 ... /usr/sbin/apache2 -k start
```
First column = www-data — that's the Apache user!
```bash
# Your user as owner, Apache's group for read access
sudo chown -R ubuntu:www-data /var/www/html
sudo chmod -R 750 /var/www/html
# Now you can edit without sudo!
nano /var/www/html/index.html
```
Think of it like a house:
chown = changing whose name is on the deed
chmod = deciding who gets a key, who can look through the window, and who can't come near
You need both — chown alone changes ownership but keeps old permissions. chmod ensures only the right people have the right level of access.
This same approach works for Nginx, MySQL, Node, or any service:
```bash
# 1. What service needs access?
ps aux | grep nginx    # runs as www-data
ps aux | grep mysql    # runs as mysql
ps aux | grep node     # runs as whoever started it
# 2. Set ownership: your-user + service-group
sudo chown -R youruser:service-group /path/to/files
# 3. Set minimal permissions
sudo chmod -R 750 /path/to/files
```
Run ps aux | grep servicename and you'll always know the right user/group to work with.
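To check the result of steps 2 and 3 rather than trust it, here is an added audit script (my code, not from the original notes). It uses find to list every entry under a tree that is owned by the wrong group or still grants others any permission, which is exactly what chown -R user:group plus chmod -R 750 is meant to eliminate, and runs it over a throwaway directory before and after the chmod. The directory contents are constructed, and because chown needs root the directory's existing group stands in for www-data.

```shell
# audit_tree <dir> <service-group>
# Lists every entry under <dir> that is not owned by <service-group> or grants "others" any
# permission (read, write or execute). Exit 0 when the tree is clean, 1 when something is listed.
# find's -group needs a group name that exists on the host you run this on.
audit_tree() {
  exposed=$(find "$1" \( ! -group "$2" -o -perm -004 -o -perm -002 -o -perm -001 \) -exec ls -ld {} \;)
  [ -z "$exposed" ] && return 0
  printf '%s\n' "$exposed"
  return 1
}

# count_exposed <dir> <service-group>  -- same check, but just the number of offending entries
count_exposed() {
  audit_tree "$1" "$2" | wc -l | tr -d ' '
}

# Demo on a constructed throwaway web root (contents made up for this example)
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/html/assets"
printf '<h1>hi</h1>\n' > "$DEMO_ROOT/html/index.html"
printf 'db_password=EXAMPLE_ONLY\n' > "$DEMO_ROOT/html/assets/config.php"
chmod 755 "$DEMO_ROOT/html" "$DEMO_ROOT/html/assets"
chmod 644 "$DEMO_ROOT/html/index.html" "$DEMO_ROOT/html/assets/config.php"
# The group the files already have stands in for www-data, since chown needs root
DEMO_GROUP=$(ls -ld "$DEMO_ROOT/html" | awk '{print $4}')

BEFORE=$(count_exposed "$DEMO_ROOT/html" "$DEMO_GROUP")
echo "before hardening: $BEFORE entries readable by others"     # 4 (both dirs and both files)
chmod -R 750 "$DEMO_ROOT/html"                                 # step 3 from the procedure
AFTER=$(count_exposed "$DEMO_ROOT/html" "$DEMO_GROUP")
echo "after hardening:  $AFTER entries readable by others"      # 0
```

On a real host, audit_tree /var/www/html www-data after the chown/chmod pair should print nothing and return 0; anything it does print is a file a later deploy or editor re-created with a wider mode. Remove the demo directory with rm -rf "$DEMO_ROOT" when done.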