Mastering CentOS 7 Firewalls: firewalld vs iptables and Zone Management

This guide explains how CentOS 7 uses firewalld and iptables, compares their features, describes zone concepts, and provides detailed commands for installing, configuring, and managing iptables rules, including rule syntax, table order, and common firewall policies.

Open Source Linux

1. Introduction

In CentOS 7, firewalld and iptables coexist: firewalld is the default front end that manages the netfilter subsystem, but underneath it still drives netfilter through iptables commands.

2. Differences between firewalld and iptables

firewalld can modify individual rules dynamically, whereas iptables requires a full reload to apply changes.

firewalld is more user‑friendly and does not require deep knowledge of tables, chains, or TCP/IP to perform most functions.

firewalld defaults to denying services unless explicitly allowed; iptables defaults to allowing services and requires explicit deny rules.

Both firewalld and iptables rely on the kernel netfilter for actual packet filtering; they only provide rule‑management interfaces.

3. Zone Management Concept

Zone management

By dividing the network into zones, different access‑control policies can be applied between zones. For example, the Internet is an untrusted zone, while an internal network is a trusted zone. Zones are selected during installation, first boot, or when a new connection is established.

Common initialization zones:

block – any incoming network packets are blocked.

work – trusts other computers on the network.

home – trusts other computers on the network.

public – does not trust any computer; only selected inbound connections are accepted.

dmz – a demilitarized zone that buffers internal and external networks; only selected inbound connections are accepted.

trusted – all network connections are accepted.

drop – any inbound network connection is rejected.

internal – trusts other computers on the network; only selected inbound connections are accepted.

external – does not trust other computers; only selected inbound connections are accepted.

Note: firewalld’s default zone is public.

firewalld provides nine zone configuration files (block.xml, dmz.xml, drop.xml, external.xml, home.xml, internal.xml, public.xml, trusted.xml, work.xml) located in /usr/lib/firewalld/zones/.
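As an added example that is not part of the original article, the script below writes a custom zone in the same XML format as the nine zone files listed above and maps the zone behaviours described above to the target attribute those files use; a file in /etc/firewalld/zones/ overrides the same-named file under /usr/lib/firewalld/zones/. The zone name "mgmt", its service list and the interface eth1 are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): firewalld zone files are
# XML, and a zone's behaviour comes from its "target" attribute plus the
# services it lists. A custom file in /etc/firewalld/zones/ takes precedence
# over the stock copy in /usr/lib/firewalld/zones/.
# Zone name "mgmt" and its service list are constructed assumptions.

# Map the article's zone behaviours to the target attribute firewalld uses:
# trusted accepts everything, drop silently drops, block rejects with an
# ICMP error, and every other stock zone only admits the services it lists.
zone_target() {
  case "$1" in
    trusted) echo "ACCEPT" ;;
    drop)    echo "DROP" ;;
    block)   echo "%%REJECT%%" ;;
    *)       echo "default" ;;
  esac
}

# Emit a zone file. $1 = zone name, $2 = target, remaining args = services.
zone_xml() {
  name="$1"; target="$2"; shift 2
  printf '<?xml version="1.0" encoding="utf-8"?>\n'
  printf '<zone target="%s">\n' "$target"
  printf '  <short>%s</short>\n' "$name"
  printf '  <description>Custom zone; traffic not listed below follows the target.</description>\n'
  for svc in "$@"; do
    printf '  <service name="%s"/>\n' "$svc"
  done
  printf '</zone>\n'
}

# Number of services a generated zone admits (used by the checks below).
zone_service_count() {
  zone_xml "$@" | grep -c '<service name='
}

# Usage on the host (as root), assuming eth1 faces the management network:
#   zone_xml mgmt "$(zone_target mgmt)" ssh > /etc/firewalld/zones/mgmt.xml
#   firewall-cmd --reload
#   firewall-cmd --permanent --zone=mgmt --change-interface=eth1
```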

4. iptables Configuration

1. Overview

iptables is part of the Netfilter project, integrated into the Linux kernel since kernel 2.4 (2001). Netfilter provides the framework for packet filtering and modification; iptables uses this framework to implement firewall functionality.

2. Basic Principles

Rules define conditions (source/destination address, protocol, service, etc.) and actions (ACCEPT, REJECT, DROP). Adding, modifying, or deleting rules configures the firewall.

3. Packet Flow in iptables

Incoming packets first traverse the PREROUTING chain; the routing decision is made afterwards.

If the packet is destined for the local host, it then goes through the INPUT chain. Locally generated packets go through the OUTPUT chain and then POSTROUTING.

Forwarded packets (if forwarding is enabled) pass through the FORWARD chain before POSTROUTING.

4. Tables and Chains

Tables: filter (default), nat, mangle, raw. Each serves a specific purpose (filter for packet filtering, nat for address translation, mangle for packet marking, raw for bypassing connection tracking).

Chains: built‑in chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING) define the paths packets follow; user‑defined chains can be created for custom processing.

5. Table Processing Order

raw → mangle → nat → filter

6. Managing iptables Rules

(Illustrative images omitted for brevity.)

7. Disabling firewalld before using iptables

# systemctl stop firewalld.service   // stop firewalld
# systemctl disable firewalld.service // prevent firewalld from starting at boot

8. Installing iptables

Check if iptables is installed:

# rpm -qa | grep iptables
iptables-1.4.21-16.el7.x86_64   // output indicates installation

Install if missing:

# yum install -y iptables
# yum install -y iptables-services

9. Basic iptables Syntax

iptables [-t table] command [chain] [match] -j target

10. Common Command Options

-A Append a rule to the end of a chain.

-D Delete a specific rule.

-I Insert a rule at the beginning of a chain.

-R Replace a rule.

-L List all rules in a chain.

-E Rename a user‑defined chain.

-F Flush all rules.

-N Create a new user‑defined chain.

-X Delete a user‑defined chain.

-P Set the default policy for a chain.

-Z Zero packet and byte counters.

-n Show numeric output.

-v Verbose output.

-V Show version.

-h Display help.

11. Saving iptables Rules

# service iptables save

12. Basic iptables Operations

Clear all rules:

# iptables -F
# iptables -X
# iptables -Z
# iptables -F -t nat

Set the default policies. Two approaches are shown: the first three commands make every chain allow-by-default (traffic passes unless a rule blocks it), the last three make every chain deny-by-default (traffic is blocked unless a rule permits it):

# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP

Allow SSH (port 22) inbound and outbound:

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Allow ICMP (ping) inbound and outbound:

# iptables -A INPUT -p icmp -j ACCEPT
# iptables -A OUTPUT -p icmp -j ACCEPT

Editing the configuration file directly:

# vim /etc/sysconfig/iptables
# systemctl restart iptables.service   // apply changes
# systemctl enable iptables.service    // enable at boot
# iptables -L   // list current rules
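As an added example that is not part of the original article, the script below builds the deny-by-default ruleset from the operations above in iptables-restore format, the format /etc/sysconfig/iptables uses, so that the DROP policy and the allow rules are loaded atomically. It goes beyond the article's rules by adding stateful (conntrack) rules, loopback and logging; SSH_PORT and ADMIN_NET are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): generate a deny-by-default
# ruleset in iptables-restore format. Running "iptables -P INPUT DROP" by
# hand before the SSH ACCEPT rule exists cuts off a remote session;
# loading the whole file with iptables-restore avoids that ordering trap.
# SSH_PORT and ADMIN_NET are constructed assumptions (documentation range).
SSH_PORT=22
ADMIN_NET="203.0.113.0/24"

# Print the ruleset. Stateful rules come first so replies to outbound
# connections are not blocked by the DROP policy on INPUT.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -s ${ADMIN_NET} -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Count rules in the generated set that match a pattern (for sanity checks).
count_rules() {
  gen_rules | grep -c -- "$1"
}

# Sanity checks: a DROP policy is only safe if the SSH and stateful
# allow rules are present in the same file.
check_ruleset() {
  [ "$(count_rules '^:INPUT DROP')" -eq 1 ] || return 1
  [ "$(count_rules "dport ${SSH_PORT} ")" -eq 1 ] || return 1
  [ "$(count_rules 'ESTABLISHED,RELATED')" -eq 1 ] || return 1
  return 0
}

# Usage on the host (as root):
#   gen_rules > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
```

Dropped packets are logged with the "iptables-drop: " prefix, which gives a simple detection signal in /var/log/messages for probes against closed ports.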