iptables, firewalld
iptables
iptables is the user-space utility for configuring packet-filtering rules in the Linux kernel's netfilter framework. Packets are matched against chains of rules, and the first matching rule decides whether to accept, drop, or modify them.
DISADVANTAGE - RELOAD CONNECTION DROP
A plain iptables reload (restarting the service, or flushing and re-adding rules one iptables call at a time) rebuilds the ruleset from scratch, so there is a window in which established connections match no ACCEPT rule and can be dropped. Loading the complete ruleset with iptables-restore commits each table in one step and avoids most of that window; firewalld goes further by changing rules in place (see the firewalld section below).
By default, iptables rules live only in kernel memory and are lost on reboot. See Saving & Persisting Rules below.
Tables & Chains
What are tables?
iptables has several tables, each serving a different purpose. The notable tables and their functions (names as used with -t):
| Table | Purpose | Example |
| --- | --- | --- |
| filter | The default table for allowing/blocking traffic. | Accept SSH, block pings |
| nat | Network Address Translation rules. | Port forwarding, masquerading (IP masking) |
| mangle | Modifying packet headers. | Changing TTL, setting packet marks |
| raw | Exempting packets from connection tracking (NOTRACK). | Skipping conntrack for high-volume flows |
| security | Applying SELinux security contexts to packets (SECMARK). | Mandatory access control on network traffic |
If no table is given with -t, commands apply to the filter table, which is also the most commonly used one.
What are chains?
Chains are ordered lists of rules inside a table. A packet passes through the chains that correspond to its path through the kernel, and the rules in each chain are checked top to bottom until one matches and issues a verdict (ACCEPT, DROP, a jump to another chain, etc.). If no rule in a built-in chain matches, the chain's default policy applies.
| Chain | Function |
| --- | --- |
| INPUT | Packets addressed to the local system. |
| OUTPUT | Packets generated by the local system. |
| FORWARD | Packets routed through the system (neither from nor to it). |
| PREROUTING & POSTROUTING | Used in the nat and mangle tables (PREROUTING also in raw) to alter packets before or after the routing decision. |
Basic Commands & Syntax
iptables [options] [-t table] [commands] {chain/rule specification}
iptables does not log anything by default: only rules with the LOG target write to the kernel log, which syslog typically stores in /var/log/messages (RHEL) or /var/log/kern.log (Debian/Ubuntu); dmesg shows the same messages.
DROP Packets
Append a rule that drops packets. Appending (-A) puts it at the end of the chain, so it catches anything not accepted by an earlier rule:
iptables -A CHAIN_NAME -j DROP
Create a new chain
iptables -N CHAIN_NAME
Send packets entering INPUT to the new chain
iptables -I INPUT -j CHAIN_NAME
-I inserts at position 1, so every packet reaches the new chain before any existing INPUT rule; use -A instead to append the jump, so only packets not handled by prior rules reach it. The new chain needs its own rules (for example a LOG rule followed by a DROP rule) to actually log or drop anything.
Saving & Persisting Rules
Additional packages save the current ruleset to disk and restore it at boot. Rules are only persisted when you explicitly save, so save again after every change.
CentOS/RHEL
NOTE: Most modern RHEL-based systems ship with firewalld by default, which manages its own persistent configuration. Stop and mask firewalld before enabling iptables-services; the two conflict.
Install the iptables-services package and enable the iptables service so the saved rules are restored at boot.
Save Rules
sudo service iptables save
(rules are saved to /etc/sysconfig/iptables)
Ubuntu/Debian
Most Debian-based systems do not ship firewalld. Recent releases provide nftables, and the iptables command (where installed) is usually the nftables-backed iptables-nft variant.
Install the iptables-persistent package.
Save Rules
sudo netfilter-persistent save
Saves IPv4 rules to: /etc/iptables/rules.v4
Saves IPv6 rules to: /etc/iptables/rules.v6
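A worked version of the chain-and-log workflow from Basic Commands & Syntax, written in the iptables-save format that the persistence packages above read and write. This is an added example, not code from the page: the chain name LOGDROP, the SSH port and the save path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the page): build a filter ruleset with a dedicated
# log-and-drop chain, dry-run it, apply it in one commit with iptables-restore,
# and save it in the same format iptables-save / netfilter-persistent use.
# Assumptions for illustration: chain name LOGDROP, SSH on port 22, and the
# save path (override with SSH_PORT / RULES_FILE).

SSH_PORT=${SSH_PORT:-22}
RULES_FILE=${RULES_FILE:-/etc/iptables/rules.v4}

# Emit the filter table in iptables-restore format. Rules in a chain are
# checked top to bottom; the first match decides, and the policy (DROP for
# INPUT/FORWARD) covers anything that reaches the end of a built-in chain.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-drop: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Number of rules that hand packets to LOGDROP; expect exactly one, at the
# end of INPUT, so only traffic no earlier rule accepted gets logged.
count_logdrop_jumps() {
    build_ruleset | grep -c -- '-j LOGDROP$'
}

# Write the ruleset to a file (non-zero status if the file cannot be written).
save_ruleset() {
    build_ruleset > "$1"
}

# Parse-check first (no kernel changes), then load the whole table in one
# commit so there is no window with a half-built ruleset.
apply_ruleset() {
    build_ruleset | iptables-restore --test || return 1
    build_ruleset | iptables-restore
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_ruleset && save_ruleset "$RULES_FILE"
else
    build_ruleset
fi
```

Run it without arguments to print the ruleset for review; run it as root with APPLY=1 to load the rules and write them to RULES_FILE (use /etc/sysconfig/iptables on RHEL). The ESTABLISHED,RELATED rule near the top is what keeps existing connections alive when the ruleset is replaced, and the -m limit in front of LOG stops a flood of unwanted packets from filling the kernel log.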
firewalld
firewalld started life as a front end that generated iptables rules; current versions (0.6 and later) drive nftables by default, with iptables kept as a legacy backend. Either way it adds zones, named services and a D-Bus API on top of the raw ruleset, plus some improved functionality:
- With iptables, reloading the ruleset can drop connections, which is a real problem on production servers. firewalld applies changes in place rather than flushing and rebuilding, so existing connections survive a reload.
- firewalld keeps runtime and permanent configuration separately: changes made without --permanent are lost on reload or reboot, and --permanent changes only take effect after firewall-cmd --reload.
List the available zones:
firewall-cmd --get-zones
Show everything configured in one zone (target, interfaces, services, ports, rich rules):
firewall-cmd --zone=dmz --list-all
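The --list-all output above is what you would audit to confirm a zone only exposes what it should. The following is an added example, not code from the page or the firewalld project: it parses a zone listing in that format and compares it with an allowlist; the two sample listings and the allowlists are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the page): audit a firewalld zone listing against an
# allowlist of services and ports. The listing format is that of
# `firewall-cmd --zone=ZONE --list-all`; the sample listings below are
# constructed for illustration, as are the allowlists.

# Pull the value of one "  key: a b c" line from a listing.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# audit_zone_listing LISTING ALLOWED_SERVICES ALLOWED_PORTS
# Prints one line per finding and returns 1 if anything unexpected is open.
audit_zone_listing() {
    listing=$1
    allowed_services=$2
    allowed_ports=$3
    status=0

    # A zone target of ACCEPT admits everything regardless of the lists below.
    if [ "$(zone_field "$listing" target)" = "ACCEPT" ]; then
        echo "zone target is ACCEPT: all traffic is allowed"
        status=1
    fi
    for s in $(zone_field "$listing" services); do
        case " $allowed_services " in
            *" $s "*) ;;
            *) echo "unexpected service: $s"; status=1 ;;
        esac
    done
    for p in $(zone_field "$listing" ports); do
        case " $allowed_ports " in
            *" $p "*) ;;
            *) echo "unexpected port: $p"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample: the intended state of a bastion host's public zone.
SAMPLE_OK=$(cat <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  rich rules:
EOF
)

# Constructed sample: drift after someone opened cockpit and 8080/tcp and
# set the zone target to ACCEPT.
SAMPLE_DRIFT=$(cat <<'EOF'
public (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  rich rules:
EOF
)

for sample in "$SAMPLE_OK" "$SAMPLE_DRIFT"; do
    if audit_zone_listing "$sample" "ssh dhcpv6-client" ""; then
        echo "zone matches allowlist"
    fi
done
```

On a live host, feed it the real listing instead of a sample: audit_zone_listing "$(firewall-cmd --zone=public --list-all)" "ssh dhcpv6-client" "". The target check matters because a zone with target ACCEPT passes all traffic even when its services and ports lists look tight.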