Master Linux Firewall: Step‑by‑Step firewalld, iptables & fail2ban Guide

This article provides a comprehensive, hands‑on tutorial for securing Linux systems by configuring firewalld with firewall‑cmd, managing iptables rules, enabling port forwarding, setting up fail2ban, and applying advanced techniques such as SELinux, TCP wrappers, and connection‑tracking to harden the firewall.

Liangxu Linux

Using firewall‑cmd

The firewall-cmd utility is the command-line front end to firewalld, which in turn programs the kernel packet filter (iptables, or nftables on newer releases), so you rarely need to write raw rules by hand. Changes made without --permanent apply only until the next reload; changes made with --permanent take effect only after a reload, which is why the pairs below always end with --reload.

# Enable firewalld service
sudo systemctl start firewalld
sudo systemctl enable firewalld

Viewing firewall status and open ports

# Check firewalld state
sudo firewall-cmd --state
# List currently open ports
sudo firewall-cmd --list-ports

Opening and closing ports

# Open port 80/tcp permanently
sudo firewall-cmd --add-port=80/tcp --permanent
sudo firewall-cmd --reload
# Close port 80/tcp permanently
sudo firewall-cmd --remove-port=80/tcp --permanent
sudo firewall-cmd --reload

Allowing and denying specific IP addresses

# Allow a single IP (binds it to the default zone, normally public, so it gets that zone's rules)
sudo firewall-cmd --add-source=192.168.1.2 --permanent
sudo firewall-cmd --reload
# Deny a single IP by binding it to the drop zone, which silently discards everything
sudo firewall-cmd --add-source=192.168.1.3 --permanent --zone=drop
sudo firewall-cmd --reload

Configuring port forwarding

# Forward external port 80/tcp to port 80 on an internal host (replace internal_ip)
sudo firewall-cmd --add-forward-port=port=80:proto=tcp:toport=80:toaddr=internal_ip --permanent
# Forwarding to another host also requires masquerading on the zone
sudo firewall-cmd --add-masquerade --permanent
sudo firewall-cmd --reload

Using service definitions

# Open the SSH service
sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --reload

Enabling firewall logging

# Log all denied packets to the kernel log (journalctl -k or /var/log/messages)
# This setting is written to both the runtime and the permanent configuration
sudo firewall-cmd --set-log-denied=all
sudo firewall-cmd --reload

Creating rich rules

# Drop traffic from a specific IPv4 address
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.2" drop' --permanent
sudo firewall-cmd --reload

Direct iptables commands (for experienced admins)

# Open port 80 using iptables
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# "service iptables save" needs the iptables-services package; on a host running
# firewalld, rules added this way are lost on the next firewall-cmd --reload,
# so prefer firewall-cmd (or its --direct option) there
sudo service iptables save
sudo service iptables restart

Backing up and restoring firewalld configuration

# Back up the permanent configuration (zone, service and ipset XML files live under /etc/firewalld)
sudo cp -a /etc/firewalld /root/firewalld-backup-$(date +%F)
# Also keep a human-readable listing of the zone for review
sudo firewall-cmd --zone=public --list-all --permanent > firewall-backup.txt
# Restore by copying the saved directory back and reloading (replace the date)
sudo cp -a /root/firewalld-backup-YYYY-MM-DD/. /etc/firewalld/
sudo firewall-cmd --reload

Strengthening the firewall with fail2ban

Fail2ban watches service logs (such as sshd authentication failures) and, when a source address exceeds a configured number of failures within a time window, temporarily bans it by inserting a firewall rule through firewalld or iptables.

# Install fail2ban
sudo yum install epel-release
sudo yum install fail2ban
# Start and enable fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
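Before enabling a jail it helps to see how the maxretry and findtime thresholds would have behaved on real log lines. The following is an added example, not part of the original article: the awk function reproduces the per-source counting that the sshd jail performs, and the second function writes a jail.local that enables that jail with firewalld's ipset ban action. The log lines are constructed in the /var/log/secure format, and the path argument of write_sshd_jail is an assumption so the function can be tried on a temporary file first.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Constructed sshd log lines in
# the RHEL /var/log/secure format: one host hammering root, one legitimate user.
SAMPLE_LOG='Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Mar  3 10:01:05 host sshd[1203]: Failed password for root from 203.0.113.10 port 51240 ssh2
Mar  3 10:01:09 host sshd[1205]: Failed password for root from 203.0.113.10 port 51244 ssh2
Mar  3 10:01:12 host sshd[1207]: Failed password for root from 203.0.113.10 port 51250 ssh2
Mar  3 10:01:30 host sshd[1209]: Failed password for root from 203.0.113.10 port 51260 ssh2
Mar  3 10:02:00 host sshd[1211]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar  3 10:02:10 host sshd[1213]: Failed password for deploy from 198.51.100.7 port 40002 ssh2'

# Print "count ip" for every source whose failed-password lines reach MAXRETRY,
# which is the condition under which the sshd jail would issue a ban.
# Usage: printf '%s\n' "$SAMPLE_LOG" | ban_candidates 5
ban_candidates() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print fails[ip], ip }
    ' | sort -rn
}

# Write a jail.local that makes fail2ban apply the same threshold for real,
# banning through firewalld's ipset action so the ban lands in the firewall.
# Usage: write_sshd_jail [path]   (path defaults to /etc/fail2ban/jail.local)
write_sshd_jail() {
    cat > "${1:-/etc/fail2ban/jail.local}" <<'EOF'
[DEFAULT]
# 5 failures within 10 minutes earn a 1 hour ban
bantime   = 1h
findtime  = 10m
maxretry  = 5
banaction = firewallcmd-ipset

[sshd]
enabled = true
EOF
}
```

After writing the file, `sudo fail2ban-client reload` activates the jail and `sudo fail2ban-client status sshd` shows the currently banned addresses.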

Configuring NAT and port forwarding with iptables

# DNAT external port 80 to an internal host and enable masquerading (replace internal_ip)
# Forwarding only works if the kernel routes between interfaces
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination internal_ip:80
# Masquerade the forwarded traffic (restrict with -o <external interface> on multi-homed hosts)
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
sudo service iptables save
sudo service iptables restart

Managing IP sets with ipset

# Create an IP set
sudo ipset create blocked_ips hash:ip
# Add an IP to the set
sudo ipset add blocked_ips 192.168.1.2
# Block traffic from the set using iptables
sudo iptables -A INPUT -m set --match-set blocked_ips src -j DROP
sudo service iptables save
sudo service iptables restart

Configuring IPv6 firewall rules

# firewalld applies --add-port to both IPv4 and IPv6 traffic in the zone
sudo firewall-cmd --add-port=80/tcp --permanent --zone=public
# To open the port for IPv6 only, use a rich rule restricted to that family
sudo firewall-cmd --add-rich-rule='rule family="ipv6" port port="80" protocol="tcp" accept' --permanent --zone=public
sudo firewall-cmd --reload

Enhancing security with SELinux

SELinux adds mandatory access control on top of the packet filter: even if a port is open, a confined daemon can only bind and talk to what its policy allows.

# Check SELinux status and mode
sudo sestatus
# Switch to permissive mode for troubleshooting (denials are logged but not enforced; runtime only)
sudo setenforce 0
# Return to enforcing mode when done
sudo setenforce 1

Restricting access with TCP wrappers

Use /etc/hosts.allow and /etc/hosts.deny to control service access. They only affect daemons linked against libwrap (check with ldd $(which sshd) | grep libwrap); OpenSSH dropped TCP wrapper support in 6.7 and RHEL 8 no longer ships tcp_wrappers, so on recent systems rely on firewalld zones or sshd's own Match blocks instead.

# Allow SSH only from 192.168.1.2 (hosts.allow is consulted first)
echo "sshd: 192.168.1.2" | sudo tee -a /etc/hosts.allow
# Deny SSH from all other hosts
echo "sshd: ALL" | sudo tee -a /etc/hosts.deny

Regularly reviewing firewall rules

# List iptables rules with packet counters (shows which rules actually match)
sudo iptables -L -n -v
# List firewalld rules: compare runtime with permanent to catch unsaved changes
sudo firewall-cmd --list-all
sudo firewall-cmd --list-all --permanent
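Reviewing a zone by eye misses two common problems: rules added at runtime that will vanish on the next reload, and services exposed to every address because the zone has no source restriction. The following is an added example, not code from the original article, that checks both from the text firewall-cmd --list-all prints; the two listings are constructed, and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Constructed zone listings in
# the format of "firewall-cmd --list-all" and "firewall-cmd --list-all --permanent".
RUNTIME='public (active)
  target: default
  interfaces: eth0
  sources:
  services: ssh http
  ports: 8080/tcp
  masquerade: no'
PERMANENT='public
  target: default
  interfaces: eth0
  sources:
  services: ssh
  ports:
  masquerade: no'

# Extract one field of a listing.  Usage: zone_field "$LISTING" services
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# Report every field whose runtime value differs from the permanent one; those
# are changes made without --permanent that the next --reload will discard.
# Usage: zone_drift "$RUNTIME" "$PERMANENT"
zone_drift() {
    local f rt pm
    for f in target interfaces sources services ports masquerade; do
        rt=$(zone_field "$1" "$f")
        pm=$(zone_field "$2" "$f")
        [ "$rt" = "$pm" ] || printf '%s: runtime=[%s] permanent=[%s]\n' "$f" "$rt" "$pm"
    done
}

# Print the services and ports reachable from any address: with an empty
# "sources" line the zone applies to the whole interface, so everything it
# allows is exposed to the entire network behind that interface.
# Usage: open_to_world "$RUNTIME"
open_to_world() {
    [ -z "$(zone_field "$1" sources)" ] || return 0
    printf '%s %s\n' "$(zone_field "$1" services)" "$(zone_field "$1" ports)"
}
```

On a real host replace the constructed strings with `$(sudo firewall-cmd --list-all)` and `$(sudo firewall-cmd --list-all --permanent)`.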

Setting up connection tracking

# Load the conntrack module (loaded automatically once a stateful rule is in use)
sudo modprobe nf_conntrack
# View the current connection tracking table (the conntrack tool's "conntrack -L" is the friendlier view)
sudo cat /proc/net/nf_conntrack

Limiting connection rate

# Drop new TCP connections to port 80 from any single IPv4 address (mask 32) once it holds more than 20
# Insert at the top with -I: appended (-A) after the earlier "--dport 80 -j ACCEPT" rule it would never match
sudo iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP
sudo service iptables save
sudo service iptables restart

Conclusion

By mastering firewalld, iptables, fail2ban, SELinux, TCP wrappers, and related tools, administrators can build layered defenses, control traffic at granular levels, and maintain a robust security posture for Linux servers.

Written by

Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)