Mastering CentOS7 Firewall: firewalld vs iptables and Zone Management

This guide explains the coexistence of firewalld and iptables on CentOS 7, compares their features, details zone concepts, outlines iptables architecture, and provides step‑by‑step commands for installing, configuring, and managing firewall rules, including rule syntax and saving configurations.

MaGe Linux Operations

1. Introduction

On CentOS 7 two firewall management tools are available: firewalld and iptables (the latter as a service, provided by the iptables-services package). Both can be installed at the same time, but only one should be active, because both program the same kernel netfilter tables and will overwrite each other's rules. CentOS 7 uses firewalld by default; on CentOS 7 firewalld drives netfilter through the iptables command, so the rules it creates are ordinary iptables rules and can be inspected with iptables -L.

2. firewalld and iptables differences

firewalld applies changes at runtime without flushing the whole ruleset, so established connections survive a change. The iptables service loads its rules from /etc/sysconfig/iptables, and applying an edited file means restarting the service, which flushes and reloads every rule. The iptables command itself can add or delete single rules at runtime, but those changes are lost at the next restart unless they are saved.

firewalld is easier for everyday tasks such as opening a service or a port; it can be used without detailed knowledge of the "four tables, five chains" model behind iptables or of TCP/IP, although that knowledge is still needed to understand what the generated rules actually do.

firewalld's default zone (public) rejects incoming connections unless a service or port has been explicitly allowed. The built-in iptables chains, by contrast, have a default policy of ACCEPT, so anything not explicitly denied is let through unless the policy is changed to DROP (note that the stock /etc/sysconfig/iptables shipped with iptables-services does end the INPUT chain with a REJECT rule, so the service as installed is not wide open).

firewalld does not filter packets itself; like iptables it is a front end to the kernel's netfilter framework. Both only manage rules, while netfilter enforces them.

3. Zone management concept

A zone groups network connections (interfaces or source address ranges) by how much the network behind them is trusted, and the rules attached to a zone control which traffic from that network may reach the host. For example, the Internet is an untrusted zone, while the internal network is a highly trusted zone. The zone of a connection can be chosen during installation, at first boot, or when the connection is first configured (for example by NetworkManager); it describes the trust level of the host's network environment and defines how new incoming connections are handled.

There are nine predefined zones, listed here from least to most trusted:

drop: all incoming packets are dropped with no reply; only connections initiated from this host are possible.

block: all incoming connections are rejected with an icmp-host-prohibited (IPv4) or icmp6-adm-prohibited (IPv6) message; only connections initiated from this host are possible.

public: for use in public areas; other computers on the network are not trusted. Only selected incoming connections are accepted.

external: for use on external networks, typically on a router with masquerading (NAT) enabled; other computers are not trusted. Only selected incoming connections are accepted.

dmz: for publicly reachable hosts in a demilitarized zone that buffers between the internal and external networks. Only selected incoming connections are accepted.

work: for use in work areas; other computers on the network are mostly trusted. Only selected incoming connections are accepted.

home: for use in home areas; other computers on the network are mostly trusted. Only selected incoming connections are accepted.

internal: for use on internal networks; other computers on the network are mostly trusted. Only selected incoming connections are accepted.

trusted: all network connections are accepted.

Note: firewalld's default zone is public. A connection that has not been assigned a zone is placed in the default zone, so on a fresh install every interface is in public and only the services listed in public.xml (ssh and dhcpv6-client) are reachable.

firewalld provides nine zone configuration files (block.xml, dmz.xml, drop.xml, external.xml, home.xml, internal.xml, public.xml, trusted.xml, work.xml) located in /usr/lib/firewalld/zones/. These are the packaged defaults and are replaced by package updates; to customise a zone, place a file with the same name in /etc/firewalld/zones/ (this is where firewall-cmd --permanent writes), which takes precedence over the stock file.
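As an added example, not taken from the original article, the following POSIX shell script writes a zone file in the same XML format as the nine stock files and reads back what it allows. It writes into a scratch directory instead of /etc/firewalld/zones/ so it runs without root and without firewalld installed; the zone name mgmt, the services chosen, and the interface name eth1 in the comments are made-up values.

```sh
#!/bin/sh
# Added example, not part of the original article: the XML format of the
# zone files in /usr/lib/firewalld/zones/, written to a scratch directory so
# it runs without root and without firewalld. A file with the same name in
# /etc/firewalld/zones/ overrides the stock one; edit there, never under /usr/lib.

# write_zone DIR NAME TARGET [SERVICE...] : write DIR/NAME.xml
# TARGET is the verdict for traffic no rule in the zone matched:
#   default      reject (what public.xml uses: no target attribute at all)
#   DROP         silently drop (drop.xml)
#   %%REJECT%%   reject with an ICMP prohibited message (block.xml)
#   ACCEPT       accept everything (trusted.xml)
write_zone() {
    dir=$1 name=$2 target=$3
    shift 3
    {
        printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>'
        if [ "$target" = default ]; then
            printf '<zone>\n'
        else
            printf '<zone target="%s">\n' "$target"
        fi
        printf '  <short>%s</short>\n' "$name"
        printf '  <description>Custom zone %s (constructed example)</description>\n' "$name"
        for svc in "$@"; do
            # a service name refers to /usr/lib/firewalld/services/<name>.xml
            printf '  <service name="%s"/>\n' "$svc"
        done
        printf '</zone>\n'
    } > "$dir/$name.xml"
}

# zone_target FILE : print the zone's target, "default" when the attribute is absent
zone_target() {
    t=$(sed -n 's/.*<zone target="\([^"]*\)".*/\1/p' "$1")
    printf '%s\n' "${t:-default}"
}

# zone_services FILE : list the services the zone allows, one per line
zone_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"
}

# Sample run with constructed values ("mgmt", the services, eth1 are made up).
tmp=$(mktemp -d)
write_zone "$tmp" mgmt default ssh https
printf 'target: %s\nservices: %s\n' "$(zone_target "$tmp/mgmt.xml")" \
    "$(zone_services "$tmp/mgmt.xml" | tr '\n' ' ')"
# On a real host (assumed, not run here):
#   cp "$tmp/mgmt.xml" /etc/firewalld/zones/ && firewall-cmd --reload
#   firewall-cmd --permanent --zone=mgmt --change-interface=eth1
rm -r "$tmp"
```

The target attribute is what separates drop, block and trusted from the other six zones: those three differ only in the verdict for unmatched traffic, while public, external, dmz, work, home and internal all reject by default and differ only in which services they list.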

4. iptables configuration

1. Overview

iptables is part of the Netfilter project (http://www.netfilter.org) and has been included in Linux since the 2.4 kernel release in January 2001.

Netfilter is the official name for all packet‑filtering and packet‑modification facilities provided by Linux. It also refers to a kernel framework that allows functions to be hooked into the network stack at various points. iptables uses this framework to attach functions that operate on packets.

Thus, Netfilter provides the underlying framework, while iptables builds firewall functionality on top of it.

2. Basic principle

Rules are predefined conditions of the form "if a packet matches these criteria, handle it this way". The criteria can include source and destination addresses, the transport protocol (TCP, UDP, ICMP), and the service, identified by its port number (HTTP on 80, FTP on 21, SMTP on 25, and so on). When a packet matches a rule, iptables applies the rule's target (ACCEPT, REJECT, DROP, etc.); for a terminating target such as these, evaluation of that chain stops (LOG is the usual non-terminating exception). Managing a firewall mainly consists of adding, modifying, and deleting these rules.

3. iptables packet processing flow

When a packet arrives on a network interface it first traverses the PREROUTING chain (in the raw, mangle and nat tables). Only after PREROUTING does the kernel make its routing decision: deliver the packet locally or forward it.

If the packet is destined for the local host, it moves to the INPUT chain. Local processes receive the packet here. Outgoing packets from local processes pass through the OUTPUT chain and then the POSTROUTING chain.

If the packet is to be forwarded and forwarding is allowed, it traverses the FORWARD chain before reaching POSTROUTING .

4. iptables tables and chains

Tables

iptables has four commonly used tables: filter, nat, mangle, and raw (kernels since 2.6.39, including the CentOS 7 kernel, also have a fifth table, security, used for SELinux packet labelling). filter is used for packet filtering, nat for network address translation, mangle for altering packet headers and marking packets (e.g., for QoS or policy routing), and raw is consulted before connection tracking and is mainly used to exempt packets from it (the NOTRACK target).

If the goal is host security, focus on the filter table; for NAT (e.g., OpenStack) use the nat table; use mangle for QoS.

Chains

Chains are the paths packets follow. Each chain contains a list of rules. When a packet reaches a chain, iptables checks the rules in order; if a rule matches, the associated action is taken. If no rule matches, the chain's default policy is applied.

5. Rule processing priority

Raw → mangle → nat → filter

This is the order in which the tables are consulted at a given hook point: a packet entering the host passes the PREROUTING chains of raw, mangle and nat in that order before the routing decision, then the INPUT chains of mangle and filter. Not every table has every chain: filter has only INPUT, FORWARD and OUTPUT; nat has PREROUTING, INPUT, OUTPUT and POSTROUTING; raw has only PREROUTING and OUTPUT; mangle has all five.

For the filter table, the built‑in chains INPUT, OUTPUT, and FORWARD are most important. INPUT handles incoming packets to the host, OUTPUT handles packets sent from the host, and FORWARD handles packets routed through the host.

6. Managing and setting iptables rules

7. Disable firewalld before configuring iptables

CentOS 7 uses firewalld by default; to use the iptables service you must stop and disable firewalld first, otherwise the two will fight over the same netfilter tables. Disabling the unit keeps it from starting at boot; if another unit might pull it in as a dependency, masking it as well is the safer choice.

# systemctl stop firewalld.service    // stop firewalld
# systemctl disable firewalld.service // prevent firewalld from starting on boot

8. Installing iptables

Check whether iptables is already installed:

# rpm -qa | grep iptables

If the output shows a package such as iptables-1.4.21-16.el7.x86_64, it is installed (on CentOS 7 it normally is, because firewalld depends on it).

Install iptables and the service package. iptables-services provides the iptables systemd unit, the service iptables save command, and the /etc/sysconfig/iptables rules file:

# yum install -y iptables
# yum install -y iptables-services

9. Basic syntax

iptables [-t table] command options [chain] [match criteria] [-j target]

The table and chain specify where the rule is applied; command options define the action (append, insert, delete, list, etc.); match criteria select packets; the target defines what to do with matching packets.

10. iptables command options

-A: Append a new rule to the end of the specified chain.

-D: Delete a rule from the specified chain (by number or content).

-I: Insert a new rule at the beginning of the specified chain (or at a given position).

-R: Replace a rule in the specified chain.

-L: List all rules in the specified chain.

-E: Rename a user‑defined chain.

-F: Flush (delete) all rules in the specified chain, or in every chain of the table when no chain is given. Default policies are not affected.

-N: Create a new user‑defined chain.

-X: Delete a user‑defined chain.

-P: Set the default policy for a built‑in chain.

-Z: Zero the packet and byte counters in all chains.

-n: Numeric output; do not resolve addresses and ports to names (avoids slow DNS lookups when listing).

-v: Verbose output with detailed information.

-V: Show iptables version.

-h: Show help.

11. Saving iptables

Rules added with the iptables command live only in the kernel and are gone after a reboot or a service restart. Save the current ruleset to /etc/sysconfig/iptables, the file the iptables service loads at start (the command is provided by iptables-services; it writes the same format as iptables-save):

# service iptables save

12. Basic iptables operations

Clear all rules

Caution: if the INPUT chain's default policy is already DROP, flushing the rules over SSH disconnects you, because the rule that allowed your session disappears while the policy remains. Set the policies to ACCEPT first (Method 1 below) or work from the console.

1) Flush all rules in the default filter table:

# iptables -F

2) Delete user-defined chains and zero counters:

# iptables -X
# iptables -Z

3) Flush the nat table:

# iptables -F -t nat

Set default chain policies (two common approaches)

Method 1 – Accept everything, then drop unwanted traffic:

# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT

Method 2 – Drop everything by default, then allow specific services (the approach to prefer on an exposed host). Apply this from the console, or only after the allow rules below are in place; with OUTPUT set to DROP, even the host's own DNS lookups and yum updates are blocked until rules permit them:

# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP

Add rules (example: allow SSH). With Method 2 the second rule is required as well, because the SSH server's replies leave through the OUTPUT chain; with Method 1 it is redundant. A stateful alternative that covers the replies of every allowed service at once is a single INPUT and OUTPUT rule matching the conntrack states ESTABLISHED and RELATED:

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Add rules (example: allow ping)

# iptables -A INPUT -p icmp -j ACCEPT
# iptables -A OUTPUT -p icmp -j ACCEPT

iptables configuration file

Edit the file directly (it is in the format written by iptables-save):

# vim /etc/sysconfig/iptables

Restart the service to apply the changes and enable it on boot. Restarting flushes the running rules and loads the file, so any rule added with the iptables command and not yet saved is lost:

# systemctl restart iptables.service
# systemctl enable iptables.service

View current rules (default -t filter; use -t nat for the NAT table; add -n to skip name lookups and -v to see packet counters and interfaces):

# iptables -L
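As an added example, not code from the original article, the following POSIX shell script generates the "drop by default, then allow specific services" ruleset of Method 2 in the format that iptables-save writes and service iptables save stores in /etc/sysconfig/iptables, and refuses to emit a ruleset with no SSH allow rule, which is the usual way administrators lock themselves out. It only prints text and never touches the live tables; the ports 22 and 80 are sample input, and loading the result with iptables-restore on a real host is an assumed step left to the operator.

```sh
#!/bin/sh
# Added example, not part of the original article. Builds a filter-table
# ruleset for a stand-alone host in iptables-save format and checks it for
# the classic lockout mistake before it is ever applied. Nothing here changes
# the running kernel tables. Assumed environment for real use: CentOS 7 with
# iptables-services installed, firewalld stopped, run as root.

# gen_ruleset PORT... : print a ruleset that drops unsolicited input by
# default and accepts only loopback, replies to our own connections, ping and
# the given TCP ports. OUTPUT stays ACCEPT so the host can still resolve DNS
# and fetch updates; tighten it separately if the threat model requires it.
gen_ruleset() {
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # An explicit REJECT at the end gives clients a fast "host prohibited"
    # error instead of a timeout; the DROP policy still covers anything else.
    printf '%s\n' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT'
}

# count_rules : number of -A rule lines in a ruleset read on stdin
count_rules() {
    grep -c -- '^-A '
}

# has_ssh_allow : succeed only if the ruleset on stdin accepts new TCP/22
# connections; use it as a guard before iptables-restore when working over SSH.
has_ssh_allow() {
    grep -q -- '^-A INPUT -p tcp --dport 22 .*-j ACCEPT$'
}

# validate_port PORT : succeed if PORT is an integer in 1..65535
validate_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Sample run with constructed input (ports 22 and 80). On a real host the
# output would be applied and persisted with (assumed, not run here):
#   gen_ruleset 22 80 | iptables-restore && service iptables save
for p in 22 80; do
    validate_port "$p" || { echo "bad port: $p" >&2; exit 1; }
done
gen_ruleset 22 80 | has_ssh_allow || { echo "refusing: no SSH allow rule" >&2; exit 1; }
gen_ruleset 22 80
```

Compared with the two-rule SSH example above, the conntrack rule replaces the per-service OUTPUT --sport rules and also admits the ICMP errors and FTP data connections that RELATED covers; the INVALID drop discards packets that belong to no known connection, which otherwise could match a later rule by accident.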
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: firewall, network security, iptables, firewalld, centos7
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
