iptables, firewalld
iptables
iptables is a Linux firewall utility used to configure rules on the kernel's netfilter framework. It processes packets against chains of rules, deciding whether to accept, drop, or otherwise manipulate each one.
DISADVANTAGE - RELOAD CONNECTION DROP
iptables does not preserve connection state across reloads - meaning that reloading the service/ruleset will drop existing connections. firewalld avoids this.
By default, iptables rules are lost on reboot. See HERE for info on how to save rules.
Tables & Chains
What are tables?
iptables has several tables that perform different functions. Notable tables and their purposes:
| Table | Purpose | Example |
| --- | --- | --- |
| Filter | The default table for allowing/blocking traffic. | Accept SSH, block pings, etc. |
| NAT | Used to implement Network Address Translation rules. | Port forwarding, IP masquerading |
| Mangle | Used for modifying packet headers. | Changing TTL |
| Raw | Used to configure exceptions for packets involved in connection tracking. | |
| Security | Used to mark packets with SELinux context. | |
If you don't specify a specific table when running iptables commands, you'll be using the filter table by default - which is the most commonly used anyway.
What are chains?
Chains are ordered lists of rules that belong to a table. A packet is matched against the rules of each chain it traverses on its journey through the system.
| Chain | Function |
| --- | --- |
| INPUT | For incoming packets. |
| OUTPUT | For outgoing packets. |
| FORWARD | For packets passing through the system. |
| PREROUTING & POSTROUTING | Used in the NAT/Mangle tables for altering packets before or after routing decisions. |
Basic Commands & Syntax
```
iptables [options] [-t table] [commands] {chain/rule specification}
```
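As an added example (not part of the original notes), a small Python parser for `iptables-save` output that maps each table to its chains, default policies and rules, and then reports which built-in filter chains still have an ACCEPT default policy. The dump it reads is constructed inline, not captured from a real host.

```python
# Constructed sample in iptables-save format (not from a real system).
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {chain: {"policy": str, "rules": [str]}}} from a dump."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):           # "*filter" opens a table section
            current = line[1:]
            tables[current] = {}
        elif current is None:
            continue                       # ignore stray lines outside a table
        elif line.startswith(":"):         # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]   # user chains show policy "-"
            tables[current][chain] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):       # "-A CHAIN <match> -j <target>"
            chain = line.split()[1]
            entry = tables[current].setdefault(chain, {"policy": "-", "rules": []})
            entry["rules"].append(line)
        elif line == "COMMIT":
            current = None
    return tables


def open_filter_chains(tables):
    """Built-in filter chains whose default policy is ACCEPT (worth a review)."""
    filt = tables.get("filter", {})
    return sorted(c for c, v in filt.items() if v["policy"] == "ACCEPT")


if __name__ == "__main__":
    parsed = parse_iptables_save(SAMPLE_DUMP)
    print("filter chains defaulting to ACCEPT:", open_filter_chains(parsed))
```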
Saving & Persisting Rules
firewalld
firewalld is essentially a wrapper around iptables, but it adds extra features and improved functionality.
- With iptables, reloading rules can drop existing connections, which is a real problem on production servers. firewalld applies rule updates in place to prevent this.
```bash
firewall-cmd --get-zones            # list the available zones
firewall-cmd --zone=dmz --list-all  # show everything configured in the dmz zone
```