Mastering Linux Firewalls: From Basics to iptables and firewalld Commands

This guide covers firewall fundamentals and classifications, then the Linux iptables and firewalld command sets: tables, chains, the order in which rules are matched, SNAT/DNAT examples, and zone-based configuration for controlling network traffic.

MaGe Linux Operations

1 Firewall Definition

A firewall is an access control device placed between network security domains of different trust levels; it allows, denies, monitors and logs the traffic crossing that boundary according to a policy.

In practice the policy is a set of rules: every packet entering or leaving the protected zone is inspected (source and destination address, protocol, port, connection state) and matched against the rules, which decide whether it is permitted.

2 Firewall Classification

By implementation: hardware firewall (a dedicated appliance) or software firewall (runs on a general-purpose host).
By scope: host firewall (protects the machine it runs on, for example iptables or firewalld on a server) or network firewall (sits at a network boundary and protects the hosts behind it).

3 iptables

3.1 iptables: Four Tables, Five Chains

3.1.1 Functions (Tables)

filter: packet filtering (ACCEPT, DROP, REJECT); the default table when -t is omitted
nat: network address translation (SNAT, DNAT, MASQUERADE)
mangle: packet alteration (TTL, TOS/DSCP, packet marks)
raw: consulted before connection tracking; used to exempt selected packets from conntrack (NOTRACK, or CT --notrack)

3.1.2 Chains

PREROUTING: every packet that has just arrived, before the routing decision
INPUT: packets addressed to the local host
FORWARD: packets routed through this host towards another destination
OUTPUT: packets generated by the local host
POSTROUTING: every packet about to leave, after the routing decision

3.1.3 Chains in Each Table

filter: INPUT, FORWARD, OUTPUT
nat: PREROUTING (DNAT: rewrite the destination before routing, so the routing decision sees the new address), INPUT, OUTPUT, POSTROUTING (SNAT: rewrite the source after routing)
mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
raw: PREROUTING, OUTPUT

3.2 Priority

When a packet reaches a hook, the tables are consulted in this fixed order: raw, mangle, nat, filter.
In day-to-day use the tables you touch most often are, in order: filter, nat, mangle, raw.
Within a chain, rules are evaluated top to bottom and the first match decides; the chain's default policy applies only when no rule matched.

3.3 Using iptables Commands

iptables tool:
 -t: specify table (filter if omitted)
 -L: list rules
 -n: numeric output (no DNS or service-name lookups)
 -F: flush all rules of a chain, or of the whole table if no chain is given (chain policies are not reset)
 -X: delete user-defined chains (they must be empty and unreferenced)
 -P: set the default policy of a built-in chain, written as -P CHAIN ACCEPT|DROP (no -j)
 -j: target action (ACCEPT, DROP, REJECT, LOG, DNAT, SNAT, MASQUERADE, or a user-defined chain)
 -A: append rule at the end of a chain
 -s: source IP/network
 -d: destination IP/network
 -I: insert rule at the top of a chain (or at a given position number)
 -p: protocol
 --dport: destination port (requires -p tcp or -p udp)
 --sport: source port (requires -p tcp or -p udp)
 --line-numbers: show rule numbers when listing
 -D: delete rule by number (or by repeating its exact specification)
 -i: input interface (-o: output interface)

3.3.1 filter table

Flush all rules in the filter table (chain policies stay as they are): iptables -F
Delete empty user-defined chains: iptables -X
Create a chain: iptables -N old_forward
Rename a chain: iptables -E old_forward new_forward
Set default policy of filter's FORWARD chain to DROP: iptables -P FORWARD DROP
List filter table with line numbers: iptables -L -n --line-numbers
Delete the 9th rule in FORWARD chain: iptables -t filter -D FORWARD 9

# Reject ping to this host from any source. Note that "-s 0.0.0.0" alone means the
# single address 0.0.0.0/32 and matches almost nothing; write 0.0.0.0/0 or omit -s.
iptables -t filter -A INPUT -s 0.0.0.0/0 -d 192.168.254.24 -p icmp -j REJECT

# Reject ping from all hosts via interface ens33
iptables -t filter -A INPUT -d 192.168.254.24 -i ens33 -p icmp -j REJECT

# Allow only 10.159.32.65 to access local port 80. -I inserts at the top, so the
# second command lands above the DROP and is evaluated first (first match wins).
iptables -I INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -s 10.159.32.65 -p tcp --dport 80 -j ACCEPT

# Set default INPUT chain policy to DROP. -P takes the policy directly ("-P INPUT -j DROP" is a syntax error).
# Insert the rules you rely on (your own SSH/management traffic, established connections) before switching
# the policy: once it is DROP, anything not explicitly accepted is silently discarded, including your session.
iptables -I INPUT -s 10.159.32.65 -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP

iptables command reference: https://developer.aliyun.com/article/273904
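The examples above each show one rule in isolation. The script below is an added example, not code from the article: it assembles the "only 10.159.32.65 may reach port 80, everything else dropped" policy into a single iptables-restore ruleset that is syntax-checked and then loaded atomically, and it includes the rules that keep an administrator's session alive when the INPUT policy flips to DROP. The management network 192.168.254.0/24 and the SSH port are assumptions, not values from the article.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: the filter-table policy
# "only 10.159.32.65 may reach port 80, default DROP" as one iptables-restore
# ruleset, plus the rules that keep an admin session alive through the change.
# Assumed (not in the article): management network 192.168.254.0/24, SSH on 22.
set -eu

MGMT_NET="${MGMT_NET:-192.168.254.0/24}"   # assumed management network
WEB_CLIENT="${WEB_CLIENT:-10.159.32.65}"   # from the article
SSH_PORT="${SSH_PORT:-22}"                 # assumed

# Emit the ruleset. iptables is first-match-wins, so: state and loopback rules
# first, the narrow allows next, logging last; the DROP policy catches the rest.
build_filter_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections this host opened, and related ICMP errors
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Local services talk to each other over loopback
-A INPUT -i lo -j ACCEPT
# Packets conntrack cannot place in any connection
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Keep the admin's way in before the DROP policy bites
-A INPUT -p tcp -s ${MGMT_NET} --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
# Exactly one client may reach the web server
-A INPUT -p tcp -s ${WEB_CLIENT} --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Log what is about to be dropped, rate limited so a flood cannot fill the log
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT-DROP: "
COMMIT
EOF
}

# How many rules accept NEW inbound connections: a quick check that the
# ruleset is as narrow as intended (expected: SSH and web, nothing else).
count_new_accepts() {
    build_filter_ruleset | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Load atomically: --test parses without touching the kernel, so a typo fails
# loudly instead of leaving a half-applied table behind.
apply_filter_ruleset() {
    tmp=$(mktemp)
    build_filter_ruleset > "$tmp"
    iptables-restore --test "$tmp"
    iptables-restore "$tmp"
    rm -f "$tmp"
}

case "${1:-}" in
    --print) build_filter_ruleset ;;
    --apply) apply_filter_ruleset ;;
esac
```

Run it with --print to review the ruleset and with --apply (as root) to load it. A sequence of individual iptables -A commands can fail halfway and leave the table in a mixed state; iptables-restore either loads the whole file or nothing.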

3.3.2 nat table

# Enable IP forwarding. It is off by default; without it the host does not route packets
# between interfaces and the NAT rules below have nothing to act on.
cat /proc/sys/net/ipv4/ip_forward        # 0 = off, 1 = on
echo 1 > /proc/sys/net/ipv4/ip_forward   # takes effect immediately, lost at reboot
# or edit /etc/sysctl.conf, set net.ipv4.ip_forward = 1, then run sysctl -p to make it persistent

# SNAT example: translate sources in 192.168.250.0/24 to 192.168.31.100 as they leave through the
# outside interface (ens33 here). Match on the outgoing interface, not on "-d 192.168.250.0/24":
# a destination match for the LAN itself would NAT only LAN-to-LAN traffic and miss everything heading out.
iptables -t nat -A POSTROUTING -s 192.168.250.0/24 -o ens33 -j SNAT --to-source 192.168.31.100

# DNAT example: forward traffic destined to 192.168.31.200:80 to 192.168.250.1. DNAT lives in
# PREROUTING so that the routing decision already sees the rewritten destination.
iptables -t nat -A PREROUTING -d 192.168.31.200 -p tcp --dport 80 -j DNAT --to-destination 192.168.250.1:80

# DNAT to a different port: forward the same traffic to 192.168.31.100:9999 instead. This is an
# alternative to the rule above, not an addition: both match the same packets, and only the first
# matching rule in PREROUTING ever fires.
iptables -t nat -A PREROUTING -d 192.168.31.200 -p tcp --dport 80 -j DNAT --to-destination 192.168.31.100:9999

# In either case the filter table's FORWARD chain must also accept the translated flow, and replies
# from the backend must route back through this host so conntrack can undo the translation.
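Putting the nat examples together, the following is an added example (not from the article) of the complete gateway configuration: forwarding enabled, SNAT for the LAN on the outside interface, DNAT for the published web server, and the FORWARD rules without which the packets are rewritten and then dropped. The interface names ens33 (outside) and ens37 (inside) are assumptions; the addresses are the article's.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: NAT gateway rules for the
# article's addresses, written for iptables-restore. LAN 192.168.250.0/24 is
# behind this host, whose outside address is 192.168.31.100; the internal web
# server 192.168.250.1 is published on 192.168.31.200:80.
# Assumed here, not in the article: outside interface ens33, inside interface ens37.
set -eu

LAN_NET="${LAN_NET:-192.168.250.0/24}"
WAN_IF="${WAN_IF:-ens33}"                       # assumed outside interface
LAN_IF="${LAN_IF:-ens37}"                       # assumed inside interface
WAN_IP="${WAN_IP:-192.168.31.100}"
PUBLISHED_IP="${PUBLISHED_IP:-192.168.31.200}"
WEB_BACKEND="${WEB_BACKEND:-192.168.250.1}"

# NAT rules do nothing until the kernel is allowed to route between interfaces.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-ip-forward.conf   # survive reboot
}

# nat table: address rewriting only. iptables-restore replaces the whole nat
# table with this file; the filter table is untouched because it is not listed.
build_nat_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT before routing, so the routing decision already sees the inside address.
# Only the first rule matching (dst, proto, dport) fires; a second DNAT with the
# same match would be dead, so pick one backend here.
-A PREROUTING -i ${WAN_IF} -d ${PUBLISHED_IP} -p tcp --dport 80 -j DNAT --to-destination ${WEB_BACKEND}:80
# SNAT after routing, on the outside interface only: matching -o rather than
# -d ${LAN_NET} leaves LAN-to-LAN traffic alone. With a dynamic outside
# address use -j MASQUERADE here instead of a fixed --to-source.
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j SNAT --to-source ${WAN_IP}
COMMIT
EOF
}

# Rewriting addresses does not grant passage: with FORWARD policy DROP the flows
# must also be accepted in filter. No policy lines here, and loaded with
# "iptables-restore -n" (no flush), so the host's existing INPUT rules survive.
build_forward_rules() {
    cat <<EOF
*filter
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may open outbound connections through the gateway
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -m conntrack --ctstate NEW -j ACCEPT
# Inbound to the published server: filter sees the DNATed (inside) destination
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -d ${WEB_BACKEND} -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

if [ "${1:-}" = "--apply" ]; then
    enable_forwarding
    build_nat_ruleset | iptables-restore --test      # parse only; set -e aborts on error
    build_nat_ruleset | iptables-restore
    build_forward_rules | iptables-restore --test -n
    build_forward_rules | iptables-restore -n
fi
```

The two generators are kept separate on purpose: the nat file replaces the nat table completely, while the filter fragment is appended with -n so that whatever INPUT policy the host already has is not flushed by the gateway setup.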

4 Firewall Configuration with firewalld

firewall-cmd --state                          # is firewalld running
firewall-cmd --list-all                       # settings of the default zone (--list-all-zones shows every zone)
firewall-cmd --add-port=80/tcp --permanent    # write port 80 to the permanent config; not active until --reload
firewall-cmd --remove-port=4444/tcp           # runtime change only; repeat with --permanent to make it stick
firewall-cmd --reload                         # load the permanent config, discarding runtime-only changes

firewalld is zone based: each network interface (or source address range) is assigned to a zone, and the zone's trust level, services and rich rules decide what is accepted on it.

# Get zones
firewall-cmd --get-zones
# Output: work drop internal external trusted home dmz public block

drop – discards all incoming traffic without reply.

block – rejects connections with icmp-host-prohibited (IPv4) or icmp6-adm-prohibited (IPv6).

public – untrusted networks; only selected connections are accepted. This is the default zone for interfaces that have not been assigned elsewhere.

external – for external networks, especially routers with masquerading; only selected connections are accepted.

dmz – demilitarized zone; publicly accessible but limited entry to internal network.

work – trusted work network; only selected connections are accepted.

home – home network; generally trusted.

internal – internal network; generally trusted.

trusted – accepts all connections.
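As an added example (not from the article), here is the same "only 10.159.32.65 may reach port 80" policy from the iptables section expressed with firewalld zones, including the runtime-then-persist sequence that avoids the usual trap of a --permanent change that never took effect. The interface name ens33 is an assumption; the client address is the article's.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: restrict port 80 to one source
# with a firewalld rich rule in the public zone. Assumed here, not in the
# article: the server's interface is ens33 and SSH must stay reachable.
set -eu

IFACE="${IFACE:-ens33}"                    # assumed interface
ZONE="${ZONE:-public}"                     # default target rejects anything not listed
WEB_CLIENT="${WEB_CLIENT:-10.159.32.65}"   # from the article

# Wrapper: with DRY_RUN=1 print the command instead of running it, so the
# sequence can be reviewed on a machine without firewalld.
fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# Runtime first, then persist. Changing the live ruleset and then calling
# --runtime-to-permanent avoids both classic mistakes: --permanent without
# --reload (nothing happens) and --reload that discards untested runtime rules.
configure_web_zone() {
    # Bind the interface to the zone; the zone's rules now govern its traffic
    fw --zone="$ZONE" --change-interface="$IFACE"
    # Keep administration working before tightening anything
    fw --zone="$ZONE" --add-service=ssh
    # public ships with dhcpv6-client enabled; a statically addressed server does not need it
    fw --zone="$ZONE" --remove-service=dhcpv6-client
    # Source-restricted port via a rich rule, instead of a zone-wide --add-port=80/tcp
    fw --zone="$ZONE" --add-rich-rule="rule family=\"ipv4\" source address=\"$WEB_CLIENT\" port port=\"80\" protocol=\"tcp\" accept"
    # Copy the now-verified runtime configuration into the permanent one
    fw --runtime-to-permanent
}

# What to check afterwards: the interface must appear under the zone, port 80
# must NOT appear under "ports" (it is open only through the rich rule), and
# the rich rule must be listed.
show_result() {
    fw --get-active-zones
    fw --zone="$ZONE" --list-all
}

# The planned command sequence, one per line, without touching the system
plan() {
    ( DRY_RUN=1; configure_web_zone )
}

if [ "${1:-}" = "--apply" ]; then
    configure_web_zone
    show_result
fi
```

Run the script with --apply as root; calling plan (or setting DRY_RUN=1) only prints the five firewall-cmd invocations, which is a convenient way to diff the intended change against an existing change-management record before touching a production host.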

Link: https://www.cnblogs.com/du-z/p/11089983.html (copyright original author)

Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
