Mastering Linux Firewalls: From IDS/IPS to iptables and Netfilter

This comprehensive guide explains intrusion detection and prevention systems, firewalls, waterwalls, Netfilter, and essential Linux firewall tools such as iptables, firewalld, and nftables, covering their architectures, command syntax, rule management, NAT, and packet capture with tcpdump.

Open Source Linux

Security Technologies

Intrusion Detection System (IDS): Monitors network traffic without blocking, quantifies and locates threats, and provides alerts and post‑incident guidance.

Intrusion Prevention System (IPS): Works in transparent mode, inspects packets for attacks (overflow, DoS, malware, vulnerabilities) and blocks them immediately.

Firewall: Placed at network or host edges, inspects packets against rule sets, typically default‑deny and allow‑only policies, often using a DMZ for externally accessible hosts.

Waterwall: Prevents internal data leakage by protecting network, peripheral, storage, and printing channels; works alongside anti‑virus and other security products.

Firewalls can be classified by protection scope (host‑based vs. network‑based), implementation (hardware vs. software), and protocol layer (network‑layer packet filter vs. application‑layer proxy).

Netfilter

Netfilter is the Linux kernel subsystem that provides packet filtering, address translation, and other network services. It integrates with the IP stack and offers a modular, extensible framework for building firewall functionality.

Firewall Tools Introduction

iptables: User‑space command‑line tool that defines rules which are handed to Netfilter.

firewalld: Front‑end management tool introduced in CentOS 7.

nftables: Successor to iptables, merged into the Linux kernel since 2014, reusing Netfilter's connection tracking and NAT features while providing a unified syntax.

iptables Overview

iptables operates at the network layer and implements a four‑table, five‑chain architecture:

(Figure: iptables tables and chains diagram)

The tables are filter, nat, mangle, and raw. An additional security table carries Mandatory Access Control (MAC) rules, e.g. for SELinux. Table precedence from highest to lowest is: security → raw → mangle → nat → filter.

The built‑in chains (each table uses a subset of them) are:

PREROUTING
INPUT
FORWARD
OUTPUT
POSTROUTING

Packets traverse these chains depending on their direction and destination.

(Figure: packet flow through iptables chains)

iptables Installation

# Stop and disable firewalld (the CentOS 7 default) so it does not compete with iptables
systemctl stop firewalld.service
systemctl disable firewalld.service
# Install the iptables command and the service that loads saved rules
yum -y install iptables iptables-services
# Start iptables now and enable it at boot
systemctl start iptables.service
systemctl enable iptables.service

iptables Command Syntax

General form:

iptables [-t table] <option> chain [match...] -j target

-t : specify table (default is filter)
-A : append rule to the end of a chain
-I : insert rule at the beginning or at the specified position
-P : set the default policy for a chain
-D : delete rule
-R : replace rule
-L : list rules
-F : flush all rules in a chain
-X : delete a user‑defined chain

Adding Rules

# Flush all rules in the filter table
iptables -F
# Reject all ICMP (including ping); rules are evaluated top to bottom, first match wins
iptables -t filter -A INPUT -p icmp -j REJECT
# Appending an ACCEPT after the REJECT has no effect: the REJECT above matches first
iptables -t filter -A INPUT -p icmp -j ACCEPT
# Insert at position 1 instead, so the ACCEPT is evaluated before the REJECT
iptables -t filter -I INPUT 1 -p icmp -j ACCEPT
# Reject TCP traffic to port 22 (SSH)
iptables -t filter -A INPUT -p tcp --dport 22 -j REJECT
# Reject TCP traffic to port 80 from one source subnet (swap REJECT for ACCEPT to allow it)
iptables -t filter -A INPUT -s 192.168.233.0/24 -p tcp --dport 80 -j REJECT

Deleting Rules

# Delete rule by number
iptables -D INPUT 1
# Delete rule by matching criteria
iptables -D INPUT -p icmp -j REJECT

Modifying Rules (Not Recommended)

# Replace rule number 1 in INPUT in place
iptables -R INPUT 1 -p icmp -j REJECT
# Change the default policy of INPUT to DROP (anything no rule accepts is silently dropped)
iptables -P INPUT DROP
# With a DROP policy, explicitly accept what must still pass, here ICMP
iptables -t filter -A INPUT -p icmp -j ACCEPT

SNAT and DNAT

SNAT (Source NAT) rewrites the source address of outbound packets, allowing multiple internal hosts to share a single public IP. DNAT (Destination NAT) rewrites the destination address of inbound packets, enabling external access to internal services such as web servers.

tcpdump Usage

# Capture 100 TCP packets to port 80 from one subnet on ens33, full snaplen, no timestamps, to a file
tcpdump -i ens33 -t -s 0 -c 100 -w ./target.cap 'tcp and dst port 80 and src net 192.168.154.0/24'
# Capture all traffic on interface ens33 to a file
tcpdump -i ens33 -s 0 -w ./ens33.cap
Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.