Master Linux Firewalls: iptables, firewalld, and Netfilter Explained
This guide details Linux firewall components—including iptables, firewalld, and netfilter—explaining their coexistence, rule tables, chain structures, command syntax, and configuration files, while providing practical examples for managing zones, services, and packet filtering on RHEL/CentOS systems.
Linux Firewall
RHEL ships several user‑space firewall front ends: iptables, ip6tables, ebtables and, from RHEL/CentOS 7, firewalld. They can be installed side by side, but they only maintain rules; the actual packet filtering is performed by the kernel's netfilter subsystem.
The Linux stack has three layers: hardware → kernel space → user space. Filtering happens in kernel space; every tool in this guide lives in user space and only pushes rules down.
CentOS 7 uses firewalld as the default manager for netfilter, and underneath it still drives iptables (firewalld generates iptables rules). Two managers writing to the same tables overwrite each other's rules, so only one of the iptables service and firewalld should be enabled at a time; disable and mask the other with systemctl.
Netfilter
Netfilter, introduced in the Linux 2.4 kernel, is a packet‑filtering engine composed of several tables that hold rule sets used by the kernel. Tools like iptables modify these tables from user space.
Netfilter defines five hook points where packets are inspected; iptables exposes each hook as a built‑in chain:
PREROUTING – right after a packet enters a network interface, before the routing decision.
INPUT – after routing, for packets whose destination is the local host, before they are handed up to a user‑space process.
FORWARD – after routing, for packets the host routes from one interface to another; such packets never reach user space.
OUTPUT – for packets generated by local processes, after they leave user space and before they are sent out.
POSTROUTING – after routing, immediately before the packet is handed to the outgoing network interface.
When a packet reaches a chain, the kernel checks the rules sequentially from the first rule. If a rule matches, the associated action is applied; otherwise the next rule is examined. If no rule matches, the chain’s default policy is used.
A packet arriving on an interface first traverses PREROUTING; the kernel then makes its routing decision.
If the packet is addressed to the local host, it traverses INPUT and is delivered to the listening user‑space process. Replies and other locally generated packets traverse OUTPUT and then POSTROUTING.
If the packet is to be forwarded, it traverses FORWARD and then POSTROUTING; it never passes through INPUT or OUTPUT, so rules in those chains cannot affect routed traffic.
iptables
iptables descends from the ipfwadm/ipchains line of Linux 2.0 and 2.2, which in turn borrowed from the BSD ipfw code; with Linux 2.4 it replaced ipchains and became the user‑space tool for netfilter. It organizes rule chains into tables. The five tables are:
filter – the default table; chains INPUT, FORWARD, OUTPUT. This is where ACCEPT/DROP/REJECT decisions are made.
nat – chains PREROUTING, OUTPUT, POSTROUTING (and INPUT on newer kernels). Consulted only for the first packet of a connection; the translation it decides is applied to the rest of the connection by connection tracking.
mangle – all five chains; alters packet headers (TTL, TOS, firewall marks).
raw – chains PREROUTING and OUTPUT only; evaluated before connection tracking. Its main use is the NOTRACK/CT target, which exempts selected packets from conntrack.
security – chains INPUT, FORWARD, OUTPUT, evaluated after filter; holds SELinux SECMARK/CONNSECMARK mandatory‑access‑control rules and is rarely used.
iptables also supports custom chains, but a custom chain is only evaluated when a rule in a built‑in chain (or another custom chain) jumps to it with -j CHAIN. Rule order matters because the first matching rule wins: a specific exception must appear before the general rule it overrides, and rules that match most traffic (loopback, ESTABLISHED) are best placed first so the remaining rules are rarely evaluated.
iptables Service Management
service iptables start|stop|restart|status   # on CentOS 7 this needs the iptables-services package
service iptables save                         # save the running rules to /etc/sysconfig/iptables
iptables-save                                 # export the running rules to stdout
iptables-restore                              # load rules from stdin (the iptables service does this on boot)
iptables-restore < /etc/sysconfig/iptables2   # load a custom rule file (replaces the tables atomically)
echo "1" > /proc/sys/net/ipv4/ip_forward      # enable IP forwarding until reboot; persist with net.ipv4.ip_forward=1 in /etc/sysctl.d/
iptables Command Reference
-A|--append CHAIN              # append rule to the end of the chain
-D|--delete CHAIN [RULENUM]    # delete by rule number or by repeating the full rule specification
-I|--insert CHAIN [RULENUM]    # insert at position RULENUM (default 1, the head of the chain)
-R|--replace CHAIN RULENUM     # replace the rule at RULENUM
-L|--list [CHAIN [RULENUM]]    # list rules; add -n -v --line-numbers for numbers, counters and no DNS lookups
-F|--flush [CHAIN]             # delete all rules in the chain (the policy stays; with a DROP policy this locks you out)
-N|--new-chain CHAIN           # create a custom chain
-X|--delete-chain [CHAIN]      # delete a custom chain (must be empty and no longer referenced)
-P|--policy CHAIN TARGET       # default policy of a built-in chain: ACCEPT or DROP
Criteria Matching
Basic matches:
-p|--protocol PROTO            # protocol (tcp, udp, icmp, all)
-s|--source ADDRESS[/mask]     # source address or prefix
-d|--destination ADDRESS[/mask] # destination address or prefix
-i|--in-interface IFACE        # incoming interface (PREROUTING, INPUT, FORWARD only)
-o|--out-interface IFACE       # outgoing interface (FORWARD, OUTPUT, POSTROUTING only)
Extended matches are loaded with -m. Some are loaded implicitly: -p tcp --dport 80 loads the tcp match module automatically and is equivalent to -p tcp -m tcp --dport 80. Others must be named explicitly, e.g. -m state --state NEW,ESTABLISHED (or its successor -m conntrack --ctstate NEW,ESTABLISHED), -m limit, -m recent.
Action Targets (TARGET)
ACCEPT – the packet passes this chain; processing continues with the next table's chain at the same hook, and the packet is ultimately delivered.
DROP – discard the packet silently; the sender only sees a timeout.
REJECT – discard the packet and send an error back: an ICMP port‑unreachable by default, or a TCP RST with --reject-with tcp-reset.
LOG – write the packet headers to the kernel log, then continue with the next rule. LOG is non‑terminating, so it must be followed by a rule that decides the packet's fate.
ULOG – the old user‑space logging target (via ulogd); superseded by NFLOG.
QUEUE – hand the packet to a user‑space program through nfnetlink_queue; the modern form is NFQUEUE with a queue number.
RETURN – stop processing the current chain. In a custom chain, continue with the rule after the one that jumped here; in a built‑in chain, apply the chain policy.
DNAT – nat table, PREROUTING and OUTPUT: rewrite the destination address and optionally port (port forwarding).
SNAT – nat table, POSTROUTING: rewrite the source to a fixed address.
MASQUERADE – nat table, POSTROUTING: source NAT using whatever address the outgoing interface currently has, for interfaces with dynamic addresses.
REDIRECT – nat table, PREROUTING and OUTPUT: rewrite the destination to the local machine, optionally to another port (transparent proxies).
MARK – mangle table: set the packet's firewall mark (nfmark), which policy routing and later rules (-m mark) can match.
State Matching
NEW – first packet of a connection the tracker has not seen before (for TCP normally a SYN).
ESTABLISHED – packet belongs to a connection that has already seen traffic in both directions.
INVALID – the tracker cannot associate the packet with any connection (malformed, out of window, or a stray ACK); such packets are normally dropped before any ACCEPT rule.
RELATED – a new connection expected because of an existing one (the FTP data channel, ICMP errors for a tracked connection); requires the protocol's conntrack helper, e.g. nf_conntrack_ftp, to be loaded.
The -m state match is a thin wrapper around the connection tracker; the same states are available through -m conntrack --ctstate, which exposes more criteria and is the maintained module.
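Drawing the tables, chains, targets and connection states above together, here is an added example that is not part of the original article: a POSIX shell script that emits a complete ruleset in the format iptables-save produces and iptables-restore consumes, test-parses it with iptables-restore --test, and only then commits and persists it. The interface names eth0 and eth1, the prefixes 10.0.0.0/24 and 192.168.1.0/24, and the web server address 192.168.1.10 are assumptions. It also shows why a -m limit rule on port 22, like the one further down this page, is not a per-client limit: -m recent keeps a per-address hit table, -m limit is one global bucket.

```shell
#!/bin/sh
# Added example (not from the original article): generate a stateful
# iptables ruleset in iptables-restore format, check it with
# 'iptables-restore --test', and only then commit and persist it.
# Assumptions (not in the article): WAN interface eth0, LAN interface
# eth1, LAN prefix 192.168.1.0/24, management prefix 10.0.0.0/24 and a
# web server at 192.168.1.10 behind the gateway.

SSH_NET="${SSH_NET:-10.0.0.0/24}"      # constructed: prefix allowed to open SSH
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_SRV="${WEB_SRV:-192.168.1.10}"

# gen_ruleset [host|gateway]: print the ruleset. Same chains and targets as
# the command reference above, in the file format iptables-save emits.
gen_ruleset() {
    mode="${1:-host}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_GUARD - [0:0]
# first match wins: loopback and established traffic go first
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping allowed but rate limited (-m limit is one global bucket, fine for ping)
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
# new SSH only from the management prefix, via the custom chain
-A INPUT -p tcp --dport 22 -s $SSH_NET -m conntrack --ctstate NEW -j SSH_GUARD
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# log what the DROP policy is about to discard, rate limited
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "iptables-drop: " --log-level 4
# per-source brute-force guard: the 5th NEW connection from one address
# inside 60 s is dropped; -m limit cannot do this, it has no per-address state
-A SSH_GUARD -m recent --name ssh --set
-A SSH_GUARD -m recent --name ssh --update --seconds 60 --hitcount 5 -j DROP
-A SSH_GUARD -j ACCEPT
EOF
    if [ "$mode" = gateway ]; then
        cat <<EOF
# forwarded traffic: LAN out, only replies and the DNATed web port back in
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_SRV --dport 80 -m conntrack --ctstate NEW -j ACCEPT
EOF
    fi
    printf 'COMMIT\n'
    [ "$mode" = gateway ] || return 0
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT in PREROUTING rewrites the destination before the routing decision,
# which is why FORWARD above already sees $WEB_SRV as the destination
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV:80
# MASQUERADE in POSTROUTING rewrites the source after routing, using whatever
# address $WAN_IF currently has (SNAT --to-source would need a fixed one)
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# apply_ruleset [host|gateway]: parse-only check, then commit and persist.
# Needs root. iptables-restore swaps the whole table atomically, so a
# rejected file changes nothing and there is no half-applied state.
apply_ruleset() {
    f="$(mktemp)" || return 1
    gen_ruleset "$1" > "$f" || { rm -f "$f"; return 1; }
    if ! iptables-restore --test "$f"; then     # syntax and module check only
        rm -f "$f"; return 1
    fi
    iptables-restore "$f" || { rm -f "$f"; return 1; }
    cp "$f" /etc/sysconfig/iptables            # what 'service iptables save' writes
    rm -f "$f"
    [ "$1" = gateway ] && sysctl -w net.ipv4.ip_forward=1
    return 0
}

if [ "${1:-}" = apply ]; then
    apply_ruleset "${2:-host}"
else
    gen_ruleset "${1:-host}"
fi
```

Run it with no argument to print the host ruleset, with gateway to print the forwarding and NAT variant, or as root with apply host or apply gateway. Because the file is loaded atomically, the usual "flush, then add rules one by one" sequence is avoided, and a typo cannot leave the host with a DROP policy and no ACCEPT rules. On CentOS 7 mask firewalld first, otherwise its next reload overwrites these tables.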
Example usage:
iptables -F                           # flush all rules in the filter table (policies stay; with a DROP policy this cuts you off)
iptables -L -v -n --line-numbers      # list rules with counters, rule numbers and no DNS lookups
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Limit the rate of new SSH connections
iptables -I INPUT 1 -p tcp --dport 22 -m state --state NEW -m limit --limit 2/minute -j ACCEPT
The SSH rule only accepts up to two new connections per minute in total, not per client, and packets above that rate simply fall through to the following rules, so it limits nothing unless a later rule or the INPUT policy drops the remaining NEW packets on port 22. For a per‑source limit use -m recent or -m hashlimit instead of -m limit.
firewalld
firewalld is a dynamic firewall daemon supporting IPv4, IPv6 and (through ebtables) bridges. In CentOS 7 it replaces the iptables service as the default front end. Its advantages are rule changes at runtime without flushing and reloading everything, so existing connections survive a change; a zone and service abstraction instead of raw rules; and a D‑Bus interface that applications such as NetworkManager and libvirt use.
Key Concepts
Zones are named rule sets. Every packet is assigned to exactly one zone, by its source address or by the interface it arrived on, and is then judged by that zone's rules only. Each zone has a target that decides packets no rule matched: default (behaves like REJECT), ACCEPT, %%REJECT%% or DROP, and each zone is one XML file. Built‑in zones, from least to most trusted: drop, block, public, external, dmz, work, home, internal, trusted.
Services map a service name to one or more ports, simplifying rule management.
Within a zone, rules can match by source address, interface, service, port, icmp‑type, masquerade, forward‑port, or custom rich rules. Zone selection priority: a matching source binding wins over an interface binding, and traffic matching neither goes to the default zone.
Configuration Files
firewalld stores its configuration as XML in two trees: /usr/lib/firewalld/ holds the package defaults and must not be edited (package updates overwrite it); /etc/firewalld/ holds local configuration, and a file there with the same name overrides the default. The main items are firewalld.conf, zones/, services/, icmptypes/ and direct.xml (raw iptables passthrough rules).
Zone file, e.g. /usr/lib/firewalld/zones/public.xml:
<?xml version="1.0" encoding="utf-8"?>
<zone target="default">
  <short>Public</short>
  <description>For use in public areas...</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
Service file, e.g. /usr/lib/firewalld/services/ssh.xml:
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH)...</description>
  <port protocol="tcp" port="22"/>
</service>
firewall‑cmd Commands
firewall-cmd --state                          # is firewalld running
firewall-cmd --reload                         # permanent config -> runtime; existing connections are kept
firewall-cmd --get-active-zones               # zones that have an interface or source bound
firewall-cmd --set-default-zone=public        # zone for traffic matching no source or interface
firewall-cmd --zone=public --list-all         # every setting of one zone
# Sources
firewall-cmd --permanent --zone=public --add-source=192.168.1.0/24
# Interfaces
firewall-cmd --permanent --zone=public --add-interface=eth0
# Services
firewall-cmd --permanent --zone=public --add-service=ssh
# Ports
firewall-cmd --permanent --zone=public --add-port=80/tcp
# ICMP blocks
firewall-cmd --permanent --zone=public --add-icmp-block=echo-request
# Masquerade
firewall-cmd --permanent --zone=public --add-masquerade
# Rich rule
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" reject'
Every --add-* has a --remove-* and a --query-* counterpart. With --permanent the change is written under /etc/firewalld/ but takes effect only after firewall-cmd --reload; without --permanent it applies immediately but is lost on the next reload or restart. To keep both in step, either run each command twice (with and without --permanent) or make the runtime change and then run firewall-cmd --runtime-to-permanent. Built‑in zone and service files are edited only after copying them from /usr/lib/firewalld/ to the same path under /etc/firewalld/, which is what the --permanent commands do for you; new zones and services are created directly under /etc/firewalld/. After editing, firewall-cmd --reload applies the changes.
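As an added example, not taken from the original article or from the firewalld project, the following shell script writes a custom zone file in the same XML dialect as the public.xml shown above, then validates and loads it. The zone name webdmz, the prefixes 203.0.113.0/24 and 10.0.0.0/24, and the FIREWALLD_ETC override are assumptions; firewall-cmd --check-config is a real option but exists only in firewalld 0.6 and later (CentOS 7.6 onward).

```shell
#!/bin/sh
# Added example (not from the original article): create a custom firewalld
# zone the way firewalld stores one, under /etc/firewalld/zones/, then load it.
# Assumptions (not in the article): zone name "webdmz", server prefix
# 203.0.113.0/24, management prefix 10.0.0.0/24. FIREWALLD_ETC can be
# pointed at a scratch directory to inspect the result without root.

FIREWALLD_ETC="${FIREWALLD_ETC:-/etc/firewalld}"
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"       # constructed: prefix allowed to SSH

# write_zone NAME TARGET SOURCE SERVICE... : write zones/NAME.xml, print its path.
# TARGET uses firewalld's own spellings: default, ACCEPT, %%REJECT%%, DROP.
write_zone() {
    name="$1"; target="$2"; src="$3"; shift 3
    dir="$FIREWALLD_ETC/zones"
    mkdir -p "$dir" || return 1
    f="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<zone target="%s">\n' "$target"
        printf '  <short>%s</short>\n' "$name"
        printf '  <description>DMZ web hosts: public web, SSH only from management</description>\n'
        # binding by source: packets from this prefix land in this zone even if
        # their interface is bound to another zone (source beats interface)
        printf '  <source address="%s"/>\n' "$src"
        for svc in "$@"; do
            printf '  <service name="%s"/>\n' "$svc"
        done
        # rich rule: SSH only from MGMT_NET, accepted connections logged at
        # most twice a minute; SSH from anywhere else falls to the zone target
        printf '  <rule family="ipv4">\n'
        printf '    <source address="%s"/>\n' "$MGMT_NET"
        printf '    <service name="ssh"/>\n'
        printf '    <log prefix="webdmz-ssh" level="info">\n'
        printf '      <limit value="2/m"/>\n'
        printf '    </log>\n'
        printf '    <accept/>\n'
        printf '  </rule>\n'
        printf '</zone>\n'
    } > "$f" || return 1
    printf '%s\n' "$f"
}

# zone_services FILE: count the zone-level <service> entries (rich-rule
# services are indented deeper and excluded), a sanity check before reloading
zone_services() {
    grep -c '^  <service name=' "$1"
}

# activate_zone NAME: validate every XML file, reload, confirm the zone is
# active (bound to a source or interface). Needs root and a running firewalld.
activate_zone() {
    firewall-cmd --check-config || return 1      # firewalld >= 0.6
    firewall-cmd --reload || return 1            # permanent -> runtime, connections kept
    firewall-cmd --get-active-zones | grep -qx "$1" || return 1
    firewall-cmd --zone="$1" --list-all
}

case "${1:-dry-run}" in
    dry-run)  FIREWALLD_ETC="$(mktemp -d)"
              f="$(write_zone webdmz default 203.0.113.0/24 http https)" && cat "$f" ;;
    write)    write_zone "${2:-webdmz}" default 203.0.113.0/24 http https ;;
    activate) activate_zone "${2:-webdmz}" ;;
esac
```

With no argument the script writes the zone into a scratch directory and prints it; write creates it under /etc/firewalld/zones/ and activate validates, reloads and checks that it is bound. Writing the file is equivalent to the corresponding --permanent commands, and like them it changes nothing until the reload.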
Source: https://www.cnblogs.com/pixy/p/5156739.html
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
MaGe Linux Operations