3x-ui

Ports & Firewall

The ports 3x-ui uses by default and ready-made ufw / nftables rules to open them.

Open only the ports you actually use. Below are the common ones and a generator for ufw and nftables rules.

Common ports

Port (default)   Purpose
22               SSH (keep this open!).
2053             Panel (configurable).
2096             Subscription server (if separate).
443              A common inbound port (TLS / REALITY).
80 / 443         Reverse proxy (if you run one).

Your actual inbound ports depend on the inbounds you create.

Generate firewall rules

Pick the ports to open and copy ready-made ufw and nftables rules.

ufw

ufw allow 22/tcp     # SSH
ufw allow 2053/tcp   # panel
ufw allow 443/tcp    # inbound (HTTPS)
ufw enable

nftables (/etc/nftables.conf)

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
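        icmp type echo-request accept   # IPv4 ping
        # IPv6 ping and neighbour discovery; an inet table with policy drop breaks IPv6 without these
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept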
        tcp dport 22 accept   # SSH
        tcp dport 2053 accept   # panel
        tcp dport 443 accept   # inbound (HTTPS)
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

Always keep SSH allowed before enabling a default-deny policy, and test from a second session so you don't lock yourself out.
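
To check that the allow list still matches what the host exposes, this added example (not part of the 3x-ui documentation) compares a list of allowed ports with `ss -H -tln` output. The function names and the sample socket list are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the ports a firewall allows with what is listening.
# Input format is `ss -H -tln`: State Recv-Q Send-Q Local:Port Peer:Port

# Print every TCP port that has a listener on a non-loopback address.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4; port = $4
        sub(/.*:/, "", port)        # port is what follows the last colon
        sub(/:[^:]*$/, "", addr)    # address is everything before it
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
        print port
    }' | sort -un
}

# audit_ports "22 2053 443" < ss-output
# Prints "stale <port>" for an allowed port with no exposed listener, and
# "unlisted <port>" for an exposed listener that is not in the allow list.
audit_ports() {
    allowed=$(printf '%s\n' $1 | sort -un)   # unquoted on purpose: split the list
    listening=$(exposed_listeners)
    for p in $allowed; do
        printf '%s\n' "$listening" | grep -qx "$p" || echo "stale $p"
    done
    for p in $listening; do
        printf '%s\n' "$allowed" | grep -qx "$p" || echo "unlisted $p"
    done
}

# Constructed sample of `ss -H -tln` output, not taken from a real host.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:2053 *:*
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 [::]:22 [::]:*
LISTEN 0 4096 *:2096 *:*'

# Live use: ss -H -tln | audit_ports "22 2053 443"
printf '%s\n' "$SAMPLE_SS" | audit_ports "22 2053 443"
```

A "stale" port is a rule to remove; an "unlisted" port is either a service that needs a rule or one that should be bound to loopback.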
