Information Security 10 min read

Mastering Linux Firewalls: iptables, firewalld, and Zone Configurations Explained

This guide defines firewalls, outlines their classifications, explains iptables' four tables and five chains, details command usage for filtering and NAT, and demonstrates firewalld zone management, providing practical examples and code snippets for Linux network security.

Raymond Ops

1. Firewall Definition

A firewall is an advanced access control device placed between different network security domains, using policies to allow, deny, monitor, and log network traffic.

A firewall consists of a set of rules that inspect packet source, destination, protocol, etc., to decide whether to permit passage.

2. Firewall Classification

Hardware firewall / Software firewall

Host firewall / Network firewall

3. iptables

3.1 iptables Four Tables and Five Chains

3.1.1 Tables (Functions)

<code>filter: packet filtering, i.e. the firewall proper (default table)
nat: network address translation
mangle: packet alteration (e.g. TTL, TOS, marks)
raw: exempts selected packets from connection tracking, on which the nat table depends</code>

3.1.2 Chains

<code>PREROUTING  (before the routing decision)
INPUT       (packets addressed to this host)
OUTPUT      (packets generated by this host)
FORWARD     (packets routed through this host)
POSTROUTING (after the routing decision)</code>
iptables diagram

3.1.3 Chains Within Each Table

<code>filter: INPUT, FORWARD, OUTPUT
nat: PREROUTING (DNAT), INPUT, OUTPUT, POSTROUTING (SNAT)
mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
raw: PREROUTING, OUTPUT</code>

3.2 Priority

<code>Order in which the tables are consulted for a packet: raw, mangle, nat, filter
Order of how often the tables are used in practice: filter, nat, mangle, raw</code>

3.3 Using iptables Commands

<code>iptables options:
-t   : specify table (default: filter)
-L   : list rules
-n   : numeric output (no DNS/service name lookups)
-F   : flush all rules in a chain/table
-X   : delete user-defined chains
-P   : set default policy for a built-in chain
-j   : specify target action
  ACCEPT : accept packet
  DROP   : drop packet silently
  REJECT : reject packet and send an error reply
  DNAT   : destination NAT (nat table)
  SNAT   : source NAT (nat table)
-A   : append rule at the end of a chain
-I   : insert rule at the top of a chain (or at a given position)
-s   : source IP/network
-d   : destination IP/network
-p   : protocol
--dport : destination port
--sport : source port
--line-numbers : show rule numbers when listing
-D   : delete rule by number or by matching rule specification
-i   : input interface (-o : output interface)</code>

3.3.1 filter Table Examples

<code># Flush all rules in the filter table
iptables -F
# Delete all (empty) user-defined chains
iptables -X
# Create a new chain
iptables -N old_forward
# Rename a user-defined chain
iptables -E old_forward new_forward
# Set default policy of FORWARD chain to DROP
iptables -P FORWARD DROP
# List filter table with rule numbers
iptables -L -n --line-numbers
# Delete the 9th rule in FORWARD chain
iptables -t filter -D FORWARD 9

# Block all hosts from pinging this host
# (0.0.0.0/0 matches any source; a bare 0.0.0.0 would match only that single address)
iptables -t filter -A INPUT -s 0.0.0.0/0 -d 192.168.254.24 -p icmp -j REJECT
# Block ping arriving on a specific interface
iptables -t filter -A INPUT -d 192.168.254.24 -i ens33 -p icmp -j REJECT
# Allow only 10.159.32.65 to access local port 80
# (-I inserts at the top, so the ACCEPT inserted second ends up before the DROP)
iptables -I INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -s 10.159.32.65 -p tcp --dport 80 -j ACCEPT
# Or set the default INPUT policy to DROP, then allow the IP
# (-P takes the policy name directly, not -j)
iptables -P INPUT DROP
iptables -I INPUT -s 10.159.32.65 -p tcp --dport 80 -j ACCEPT</code>
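The commands above are isolated; the script below is an added example (not from the original article) of how they combine into a default-deny host firewall for the INPUT chain. It assumes a management network 10.159.32.0/24 for SSH (a constructed placeholder) and the article's 10.159.32.65 as the single client allowed on port 80. The order is the security-relevant point: loopback and established connections are accepted first, then the explicit allows, and only then is the INPUT policy switched to DROP, so the administrator's own SSH session is not cut off. With DRY_RUN set (or `sh host-fw.sh show`) the commands are printed instead of executed, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original article): a default-deny host firewall
# built from the filter-table commands above. The addresses are placeholders.
MGMT_NET="${MGMT_NET:-10.159.32.0/24}"    # constructed: network allowed to reach SSH
WEB_CLIENT="${WEB_CLIENT:-10.159.32.65}"  # the single host allowed on port 80
IPTABLES="${IPTABLES:-iptables}"

# run: execute the command, or only print it when DRY_RUN is set (preview without root)
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rules for the INPUT chain. The order is what prevents locking yourself out:
# the policy is opened before the flush (in case a previous run left it at DROP),
# the permits are installed, and only then is the policy switched to DROP.
host_firewall_rules() {
    run "$IPTABLES" -P INPUT ACCEPT
    run "$IPTABLES" -t filter -F INPUT
    # 1. loopback and replies to connections this host already has
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. SSH only from the management network
    run "$IPTABLES" -A INPUT -s "$MGMT_NET" -p tcp --dport 22 -j ACCEPT
    # 3. port 80 only from the one permitted client
    run "$IPTABLES" -A INPUT -s "$WEB_CLIENT" -p tcp --dport 80 -j ACCEPT
    # 4. log what is about to be dropped (rate-limited so the log cannot be flooded)
    run "$IPTABLES" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    # 5. everything not matched above is dropped by the chain policy
    run "$IPTABLES" -P INPUT DROP
}

# count_accepts: number of ACCEPT rules the set contains (evaluated in dry-run mode)
count_accepts() {
    (DRY_RUN=1; host_firewall_rules) | grep -c -- '-j ACCEPT'
}

# Usage:  sh host-fw.sh show       (print the commands)
#         sudo sh host-fw.sh apply (install the rules)
case "${1:-}" in
    show)  DRY_RUN=1; host_firewall_rules ;;
    apply) host_firewall_rules ;;
esac
```

The LOG rule sits just before the policy takes effect, so anything the policy drops leaves a rate-limited kernel log line, which is what you want to look at when a legitimate client is unexpectedly blocked.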

Reference: iptables command guide

3.3.2 nat Table Examples

<code># Enable IP forwarding (required for SNAT/DNAT of traffic passing through this host)
cat /proc/sys/net/ipv4/ip_forward   # shows 0
echo 1 > /proc/sys/net/ipv4/ip_forward   # runtime only, lost at reboot
# or edit /etc/sysctl.conf and set net.ipv4.ip_forward = 1, then run sysctl -p

# SNAT: rewrite the source of packets from 192.168.250.0/24 to 192.168.31.100 (POSTROUTING, after routing)
iptables -t nat -A POSTROUTING -s 192.168.250.0/24 -j SNAT --to-source 192.168.31.100

# DNAT: forward traffic destined for 192.168.31.200:80 to 192.168.250.1:80 (PREROUTING, before routing)
iptables -t nat -A PREROUTING -d 192.168.31.200 -p tcp --dport 80 -j DNAT --to-destination 192.168.250.1:80

# DNAT with port translation: forward to 192.168.31.100:9999
iptables -t nat -A PREROUTING -d 192.168.31.200 -p tcp --dport 80 -j DNAT --to-destination 192.168.31.100:9999</code>
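The nat rules above only rewrite addresses; on a gateway whose FORWARD policy is DROP (as set in 3.3.1) the rewritten packets are still discarded unless the filter table lets them through. The script below is an added example (not from the original article) of a complete small NAT gateway: forwarding is enabled, outbound LAN traffic is source-NATed to the gateway's outside address, inbound port 80 is destination-NATed to an internal web server, and each translation has the matching FORWARD rule. It reuses the article's addresses (192.168.250.0/24, 192.168.31.100, 192.168.250.1) and ens33 as the outside interface; ens34 as the LAN interface is a constructed placeholder. The detail worth noticing is that the FORWARD rule for the DNAT'd traffic matches the backend address, because by the time the packet reaches FORWARD its destination has already been rewritten.

```shell
#!/bin/sh
# Added example (not from the original article): a NAT gateway rule set that
# combines the SNAT/DNAT commands above with the FORWARD rules they need.
# Addresses and ens33 come from the article's examples; ens34 is constructed.
LAN_NET="${LAN_NET:-192.168.250.0/24}"        # internal network behind the gateway
LAN_IF="${LAN_IF:-ens34}"                     # constructed: interface towards the LAN
WAN_IF="${WAN_IF:-ens33}"                     # interface towards the outside
WAN_ADDR="${WAN_ADDR:-192.168.31.100}"        # gateway's outside address, used as SNAT source
WEB_BACKEND="${WEB_BACKEND:-192.168.250.1}"   # internal web server, the DNAT target
IPTABLES="${IPTABLES:-iptables}"

# run: execute the command, or only print it when DRY_RUN is set (preview without root)
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

nat_gateway_rules() {
    # Without forwarding enabled, nothing passes through the box at all
    run sysctl -w net.ipv4.ip_forward=1
    run "$IPTABLES" -t nat -F
    run "$IPTABLES" -t filter -F FORWARD
    # Nothing is routed through unless a FORWARD rule below allows it
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Outbound: LAN -> WAN is allowed, and its source is rewritten on the way out (POSTROUTING)
    run "$IPTABLES" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run "$IPTABLES" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_ADDR"
    # Inbound: port 80 arriving on the WAN side is rewritten to the backend before routing (PREROUTING)
    run "$IPTABLES" -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_ADDR" -p tcp --dport 80 -j DNAT --to-destination "$WEB_BACKEND:80"
    # DNAT only rewrites the destination; the rewritten packet still has to pass FORWARD,
    # so the filter rule matches the backend address, not the gateway's
    run "$IPTABLES" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_BACKEND" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
}

# count_forward_accepts: ACCEPT rules in the FORWARD chain (evaluated in dry-run mode)
count_forward_accepts() {
    (DRY_RUN=1; nat_gateway_rules) | grep -c -- '-A FORWARD .*-j ACCEPT'
}

# Usage:  sh nat-gw.sh show       (print the commands)
#         sudo sh nat-gw.sh apply (install the rules)
case "${1:-}" in
    show)  DRY_RUN=1; nat_gateway_rules ;;
    apply) nat_gateway_rules ;;
esac
```

Binding the SNAT rule to `-o ens33` instead of a destination network avoids the mistake of rewriting LAN-to-LAN traffic, and the `--ctstate NEW` match on the inbound rule makes the FORWARD chain express intent: only new connections to the backend's port 80 are admitted, everything else rides on the ESTABLISHED,RELATED rule.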

4. firewalld Configuration and Zones

<code># Check firewalld state
firewall-cmd --state
# List all settings of the default zone
firewall-cmd --list-all
# Add port 80/tcp to the saved configuration (survives reboot; active only after --reload)
firewall-cmd --add-port=80/tcp --permanent
# Remove port 4444/tcp from the running configuration only (add --permanent to make it persistent)
firewall-cmd --remove-port=4444/tcp
# Reload firewalld: the saved configuration becomes the running one
# (runtime-only changes made without --permanent are discarded)
firewall-cmd --reload</code>

firewalld supports zones, which define trust levels for network interfaces.

<code># List available zones
firewall-cmd --get-zones
# Output example:
work drop internal external trusted home dmz public block
</code>

drop – discard all incoming packets without reply.

block – incoming packets are rejected with an ICMP host-prohibited message (unlike drop, the sender gets a reply).

public – untrusted public networks; only selected connections are allowed.

external – for external networks, especially when masquerading is enabled; only selected connections are allowed.

dmz – demilitarized zone: for hosts that are publicly reachable but have limited access to the internal network; only selected incoming connections are accepted.

work – trusted work network; most connections are allowed.

home – trusted home network; most connections are allowed.

internal – trusted internal network; most connections are allowed.

trusted – all connections are accepted.
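Zones become useful once an interface is bound to one and the zone's defaults are adjusted. The script below is an added example (not from the original article) that puts the outside interface into the public zone, removes the zone's default open ssh service, re-allows SSH only from a management network through a rich rule, opens http, and makes all of it permanent before reloading. ens33 comes from the article's examples; the management network 10.159.32.0/24 is a constructed placeholder. As with the iptables example, DRY_RUN prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original article): bind the outside interface to
# the public zone and allow SSH only from a management network, persistently.
# ens33 comes from the article's examples; the management network is constructed.
WAN_IF="${WAN_IF:-ens33}"
MGMT_NET="${MGMT_NET:-10.159.32.0/24}"    # constructed: only this network may reach SSH
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# run: execute the command, or only print it when DRY_RUN is set (preview without root)
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

firewalld_public_zone() {
    # public: untrusted by default, only selected services are let in
    run "$FIREWALL_CMD" --permanent --zone=public --change-interface="$WAN_IF"
    # The zone ships with the ssh service open to everyone; replace that with a
    # source-restricted rich rule (get MGMT_NET right, or remote access is lost)
    run "$FIREWALL_CMD" --permanent --zone=public --remove-service=ssh
    run "$FIREWALL_CMD" --permanent --zone=public \
        --add-rich-rule="rule family=\"ipv4\" source address=\"$MGMT_NET\" service name=\"ssh\" accept"
    run "$FIREWALL_CMD" --permanent --zone=public --add-service=http
    # --permanent only edits the saved configuration; --reload makes it the running one
    run "$FIREWALL_CMD" --reload
    # Verify what the zone now allows
    run "$FIREWALL_CMD" --zone=public --list-all
}

# count_permanent_changes: saved-configuration edits made before the reload (dry-run)
count_permanent_changes() {
    (DRY_RUN=1; firewalld_public_zone) | grep -c -- '--permanent'
}

# Usage:  sh fwd-zone.sh show       (print the commands)
#         sudo sh fwd-zone.sh apply (apply the configuration)
case "${1:-}" in
    show)  DRY_RUN=1; firewalld_public_zone ;;
    apply) firewalld_public_zone ;;
esac
```

Doing every edit with --permanent and reloading once at the end means the change lands atomically and survives a reboot; the preview output drops the shell quoting around the rich rule, so copy it from the script rather than from the printed line.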

firewalld zones illustration