
Linux Firewall: iptables and firewalld Overview and Usage

This article explains the Linux firewall architecture, compares iptables and firewalld, details the netfilter chain and table model, and provides practical commands and examples for configuring, managing, and troubleshooting firewall rules on RHEL systems.

Laravel Tech Community

Linux firewalls operate at the network layer and are typical packet-filtering firewalls. In RHEL, the two common tools are iptables and firewalld, both user-space utilities that manage the kernel's netfilter rule tables.

Netfilter is the kernel packet‑filtering framework that stores rules in tables, each containing chains (hooks) where packets are examined at five processing points: PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING.

Differences between iptables and firewalld

Firewalld uses zones and services instead of raw chain rules.

Firewalld can modify individual rules dynamically without flushing the entire rule set, whereas iptables requires a full reload after changes.

By default firewalld denies all incoming traffic unless a service is explicitly allowed; iptables' default chain policy is ACCEPT, so traffic must be explicitly denied.

iptables stores its configuration in /etc/sysconfig/iptables, while firewalld stores XML files under /usr/lib/firewalld/ and /etc/firewalld/.

Netfilter Chains and Tables

Chain          Description
PREROUTING     Packet has entered the network interface, before the routing decision
INPUT          Packet is destined for a local process (kernel hands it to user space)
FORWARD        Packet is routed through this host between interfaces
OUTPUT         Packet was generated by a local process (user space to kernel)
POSTROUTING    Packet is about to leave the network interface, after the routing decision

Default tables:

Table      Purpose
filter     All local traffic (INPUT, OUTPUT, FORWARD)
nat        Network address translation (PREROUTING, POSTROUTING, etc.)
mangle     Special packet alterations when filter and nat are insufficient

Using iptables

Because iptables and firewalld conflict, disable firewalld before using iptables:

yum install iptables-services
systemctl mask firewalld
systemctl enable --now iptables.service

Save rules:

iptables-save > /etc/sysconfig/iptables

Or:

service iptables save

Common iptables options:

Option     Meaning
-t         Specify table
-n         No name resolution (numeric addresses and ports)
-L         List rules
-A         Append rule
-p         Protocol
--dport    Destination port
-s         Source address
-j         Target action (ACCEPT, DROP, REJECT, SNAT, DNAT, etc.)

Note: Rules are evaluated top‑down; the first matching rule wins.

iptables operation examples

iptables -t filter -nL               # List filter table
iptables -t filter -F               # Flush all rules
iptables -A INPUT -j ACCEPT        # Allow all INPUT traffic
iptables -D INPUT 1                # Delete first INPUT rule
iptables -P INPUT DROP             # Set default INPUT policy to DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT   # Allow SSH
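The commands above set a DROP policy and allow SSH one rule at a time. The following is an added example (not from the article) that builds the same default-deny INPUT chain as a complete ruleset in the iptables-restore format that iptables-save writes to /etc/sysconfig/iptables, so the whole policy can be reviewed before it is loaded. It assumes the conntrack match module is available (standard on RHEL) and writes only to stdout; nothing here touches the kernel.

```shell
#!/bin/sh
# Added example: generate a stateful default-deny INPUT ruleset in
# iptables-restore format. Rules are evaluated top-down and the first match
# wins, so the cheap, high-volume matches (replies to established
# connections, loopback) come first, per-service allows follow, and an
# explicit REJECT closes the chain. Load with: iptables-restore < file
# or save to /etc/sysconfig/iptables for the iptables.service unit.

# gen_ruleset TCP_PORT...  -> prints the ruleset on stdout, returns 1 on a bad port
gen_ruleset() {
    # Validate every port before emitting anything, so a typo never produces
    # a half-written ruleset.
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "gen_ruleset: invalid port '$port'" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
            echo "gen_ruleset: port out of range '$port'" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    # Chain policies: drop unsolicited inbound, drop forwarding, allow outbound.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Replies to connections this host initiated; evaluated first.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Packets that claim to belong to a connection the kernel never saw.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # One explicit allow per published TCP service (only new connections need it).
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Explicit reject so refused clients fail fast instead of timing out.
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' 'COMMIT'
}

# Example: SSH and HTTP only.
gen_ruleset 22 80
```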

Using firewalld

systemctl enable --now firewalld.service   # Enable firewalld
systemctl disable --now iptables.service   # Disable iptables
systemctl mask iptables.service           # Freeze iptables
systemctl unmask firewalld.service         # Unfreeze firewalld

Common zones (trusted, home, work, public, dmz, block, drop, internal, external) define default policies for incoming traffic.

Firewalld command options

--get-default-zone

--set-default-zone=<zone>

--get-active-zone

--add-interface=<iface> --zone=<zone>

--remove-interface=<iface> --zone=<zone>

--add-service=<service> --zone=<zone>

--remove-service=<service> --zone=<zone>

--add-port=<port>/<proto> --zone=<zone>

--remove-port=<port>/<proto> --zone=<zone>

--add-icmp-block=<type> --zone=<zone>

--remove-icmp-block=<type> --zone=<zone>

Management commands

firewall-cmd --state                         # Show firewalld state
firewall-cmd --get-active-zones            # List active zones
firewall-cmd --get-default-zone           # Show default zone
firewall-cmd --list-all                    # List rules in default zone
firewall-cmd --list-all --zone=work       # List rules in specific zone
firewall-cmd --set-default-zone=trusted    # Set default zone
firewall-cmd --permanent --remove-service=cockpit   # Remove a service
firewall-cmd --reload                       # Reload firewalld
firewall-cmd --permanent --add-source=172.25.254.0/24 --zone=block   # Add source to zone
firewall-cmd --permanent --remove-source=172.25.254.0/24 --zone=block
firewall-cmd --permanent --remove-interface=ens224 --zone=public
firewall-cmd --permanent --add-interface=ens224 --zone=block
firewall-cmd --permanent --change-interface=ens224 --zone=public

Advanced rules and NAT

firewall-cmd --direct --get-all-rules   # Show direct rules

Enable masquerading (NAT) in firewalld:

firewall-cmd --add-masquerade
firewall-cmd --reload
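The --permanent --add-service, --add-port, --add-source and --add-masquerade options above all end up in a zone XML file under /etc/firewalld/zones/. The following is an added example (not from the article or the firewalld project) that emits such a zone file directly, which is useful for reviewing or version-controlling a host's policy; it assumes the file is saved as /etc/firewalld/zones/<name>.xml and activated with firewall-cmd --reload.

```shell
#!/bin/sh
# Added example: generate a default-deny firewalld zone definition in the
# XML format firewalld keeps under /etc/firewalld/zones/ (user zones) and
# /usr/lib/firewalld/zones/ (stock zones). The file name defines the zone
# name; <short> is only a display label. target="DROP" makes the zone
# default-deny, so only the listed services and ports are reachable.

# gen_zone_xml NAME "SERVICES" "PORTS" "SOURCES" [masquerade]
#   SERVICES: space-separated firewalld service names (e.g. "ssh https")
#   PORTS:    space-separated port/proto entries      (e.g. "8443/tcp 514/udp")
#   SOURCES:  space-separated CIDR sources bound to the zone
#   5th arg "masquerade" adds <masquerade/> (NAT for traffic leaving the zone)
gen_zone_xml() {
    name=$1 services=$2 ports=$3 sources=$4 masq=$5
    # Validate port specs first so a typo never yields a half-written zone.
    for pp in $ports; do
        case "$pp" in
            */tcp|*/udp) ;;
            *) echo "gen_zone_xml: bad port spec '$pp' (want PORT/tcp|udp)" >&2; return 1 ;;
        esac
    done
    printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>'
    printf '%s\n' '<zone target="DROP">'
    printf '  <short>%s</short>\n' "$name"
    printf '  <description>Default-deny zone generated by gen_zone_xml</description>\n'
    for src in $sources; do
        printf '  <source address="%s"/>\n' "$src"
    done
    for svc in $services; do
        printf '  <service name="%s"/>\n' "$svc"
    done
    for pp in $ports; do
        printf '  <port port="%s" protocol="%s"/>\n' "${pp%/*}" "${pp#*/}"
    done
    if [ "$masq" = masquerade ]; then
        printf '%s\n' '  <masquerade/>'
    fi
    printf '%s\n' '</zone>'
}

# Example: SSH plus a custom TCP port, limited to one management subnet.
gen_zone_xml hardened "ssh" "8443/tcp" "172.25.254.0/24"
```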
Written by

Laravel Tech Community

Specializing in Laravel development, we continuously publish fresh content and grow alongside the elegant, stable Laravel framework.
