Mastering Linux Firewalls: iptables vs firewalld – Concepts, Commands, and Best Practices
This guide explains Linux firewall fundamentals, comparing the static iptables and dynamic firewalld tools, detailing their tables, chains, control actions, command‑line syntax, zone concepts, rich rules, and graphical configuration, while highlighting practical tips and common pitfalls.
Firewall Basic Concepts
A firewall enforces administrator‑defined rules to control inbound and outbound packets, protecting the internal network. Linux primarily offers two firewall implementations: the traditional iptables (static) and the newer firewalld (dynamic).
Iptables – Static Firewall
Early Linux distributions used iptables; its configuration file resides at /etc/sysconfig/iptables.
Main characteristics (network layer)
Uses chain‑based rules; can filter only Internet‑facing traffic, not internal‑to‑internal traffic.
Configured exclusively via command line.
Default policy is ACCEPT; restrictions must be added explicitly.
All rules must be reloaded after modification, which can drop existing connections.
Firewalld – Dynamic Firewall
Firewalld replaces iptables as the default firewall. Configuration files are located under /usr/lib/firewalld and /etc/firewalld. It introduces the concept of zones, can filter both Internet and internal traffic, supports both CLI (firewall-cmd) and GUI (firewall-config), defaults to DROP, and allows dynamic rule changes without breaking existing sessions.
Important Note
Both iptables and firewalld are front‑ends to the kernel's netfilter subsystem, which actually enforces the rules. Mixing the two configuration methods is discouraged; choose one.
Iptables Detailed Components
Four building blocks: tables, chains, rules (match criteria), and target actions.
Tables (independent, priority order high→low)
raw : packet state tracking (chains: OUTPUT, PREROUTING).
mangle : packet alteration, traffic shaping, marking (all chains).
nat : address/port translation (chains: PREROUTING, POSTROUTING, OUTPUT).
filter : primary packet filtering (chains: INPUT, OUTPUT, FORWARD).
Chain Types
INPUT – inbound to the host; OUTPUT – outbound from the host; PREROUTING – before routing (commonly for NAT); POSTROUTING – after routing; FORWARD – packets routed through the host.
Target Actions
ACCEPT, DROP, REJECT, SNAT, DNAT, MASQUERADE, LOG.
When multiple rules exist in a chain, packets are evaluated top‑to‑bottom; the first matching rule terminates the search.
Iptables Command Examples
iptables -P INPUT DROP # Set default INPUT policy to DROP
iptables -t filter -I INPUT -s 192.168.10.0/24 -j ACCEPT # Allow a subnet
iptables -A INPUT -p tcp --dport 1000:1024 -j REJECT # Reject a port range
iptables -D INPUT 1 # Delete first rule in INPUT chain
iptables -F # Flush all rules
iptables-save > /etc/iptables.rules # Save current rules
Note: Adding a rule identical to an existing one creates a duplicate entry; runtime changes are lost after reboot unless saved.
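The two pitfalls in the note above (duplicate entries and unsaved runtime changes) are easiest to keep in check from a script. The following is an added example, not code from the original article: build_ruleset prints a complete filter-table ruleset in iptables-save format, combining the default-DROP policy, the subnet allow and the port-range reject from the commands above with loopback, established-connection and LOG rules that are this example's own additions; find_duplicate_rules reads an iptables-save dump and prints every -A line that occurs more than once. The saved dump fed to it here is a constructed sample (the subnet 192.168.10.0/24 is the one used in the commands above). Nothing is applied to the kernel, so the script runs without root.

```shell
#!/bin/sh
# Added example, not from the original article. Builds an iptables-restore
# ruleset as text and audits a saved ruleset for duplicate rules.

# Print a filter-table ruleset in iptables-save format for the given subnet.
# INPUT and FORWARD default to DROP; unmatched inbound packets are logged
# just before the policy drops them.
build_ruleset() {
  allowed_net="$1"   # e.g. 192.168.10.0/24
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${allowed_net} -j ACCEPT
-A INPUT -p tcp --dport 1000:1024 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j LOG --log-prefix "INPUT-DROP: " --log-level 4
COMMIT
EOF
}

# Read an iptables-save dump on stdin and print each rule (-A line) that
# appears more than once. Exit status 1 when any duplicate exists.
find_duplicate_rules() {
  awk '/^-A / { if (++seen[$0] == 2) { print; dups++ } } END { exit (dups ? 1 : 0) }'
}

# Constructed sample dump: the subnet allow was added twice with `iptables -A`.
sample_saved_rules() {
  cat <<'EOF'
# Generated by iptables-save (constructed sample, not captured from a real host)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.10.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1000:1024 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.10.0/24 -j ACCEPT
COMMIT
EOF
}

# Offline demo: generate a ruleset, then audit the constructed dump.
build_ruleset 192.168.10.0/24
sample_saved_rules | find_duplicate_rules || echo "duplicate rule(s) found above"

# On a real host:
#   build_ruleset 192.168.10.0/24 | iptables-restore   # apply atomically (root)
#   iptables-save | find_duplicate_rules               # audit the live ruleset
#   iptables-save > /etc/iptables.rules                # persist, as in the commands above
```

Applying a ruleset with iptables-restore replaces the whole table in one step, which avoids the duplicate-entry problem that repeated `iptables -A` calls create.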
Firewalld Detailed Components
Tools: firewall-cmd (CLI) and firewall-config (GUI). Both synchronize in real time.
Zones define default trust levels for interfaces and sources. Common zones include:
trusted – allow all traffic.
public – default, allows only essential services (e.g., ssh, dhcpv6).
external – permits ssh, performs masquerading for outbound traffic.
home, internal – similar to trusted for private networks.
work – limited services.
dmz – isolated, minimal services.
block – reject with response.
drop – silently drop all traffic.
Packet matching order: source‑address zone > interface‑bound zone > default zone.
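To see the precedence rule above in action, here is an added example (not from the original article) that parses the output of firewall-cmd --get-active-zones into zone bindings and then resolves the zone a packet would land in from its source address and ingress interface: a matching source binding wins, then a binding for the interface, then the supplied default zone. The --get-active-zones output embedded below is a constructed sample (the interface names and the 192.168.20.0/24 binding are the ones used in the commands in this guide; the 10.0.5.7/32 binding is invented for the demo); on a real host, pipe the live command output in instead. Only IPv4 addresses are handled.

```shell
#!/bin/sh
# Added example, not part of the original article: resolve which firewalld
# zone handles a packet, following the stated precedence
# source binding > interface binding > default zone. IPv4 only.

# Constructed sample in the format printed by `firewall-cmd --get-active-zones`
# (zone name, then indented "interfaces:" / "sources:" lines).
sample_active_zones() {
  cat <<'EOF'
public
  interfaces: ens192
trusted
  interfaces: ens160
drop
  sources: 192.168.20.0/24
work
  sources: 10.0.5.7/32
EOF
}

# Turn --get-active-zones output (stdin) into one "zone kind value" line per binding.
active_zones_to_bindings() {
  awk '
    /^[^ \t]/           { zone = $1; next }
    $1 == "interfaces:" { for (i = 2; i <= NF; i++) print zone, "interface", $i }
    $1 == "sources:"    { for (i = 2; i <= NF; i++) print zone, "source", $i }
  '
}

# resolve_zone SRC_IP IFACE DEFAULT_ZONE   (bindings on stdin)
# Prints the first matching source binding's zone, else the interface's zone,
# else the default zone.
resolve_zone() {
  awk -v ip="$1" -v iface="$2" -v def="$3" '
    function ip2int(s,  o) {
      split(s, o, ".")
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # True when address a lies inside cidr (prefix length defaults to 32).
    function in_cidr(a, cidr,  p, bits, unit) {
      split(cidr, p, "/")
      bits = (p[2] == "") ? 32 : p[2] + 0
      unit = 2 ^ (32 - bits)          # size of the host part
      return int(ip2int(a) / unit) == int(ip2int(p[1]) / unit)
    }
    $2 == "source"    { if (src == "" && in_cidr(ip, $3)) src = $1 }
    $2 == "interface" { if (ifz == "" && $3 == iface)     ifz = $1 }
    END {
      zone = src
      if (zone == "") zone = ifz
      if (zone == "") zone = def
      print zone
    }
  '
}

# Offline demo with the constructed snapshot: prints "drop", because the
# source binding beats the trusted interface binding for ens160.
sample_active_zones | active_zones_to_bindings | resolve_zone 192.168.20.9 ens160 public

# On a live host (read-only):
#   firewall-cmd --get-active-zones | active_zones_to_bindings \
#     | resolve_zone 192.168.20.9 ens160 "$(firewall-cmd --get-default-zone)"
```

This is the check to run when a host in a trusted interface's network is unexpectedly blocked: a source binding on an overlapping subnet silently takes precedence over the interface's zone.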
Firewalld Configuration Modes
Runtime (temporary): changes take effect immediately but disappear after reboot.
Permanent: stored in configuration files; applied on boot or after firewall-cmd --reload.
Use --permanent to add a rule permanently, or firewall-cmd --runtime-to-permanent to promote runtime changes.
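A change made only at runtime is exactly the kind of thing that is silently lost at the next reboot. As an added example (not part of the original article), the script below compares the output of firewall-cmd --zone=public --list-all with that of firewall-cmd --permanent --zone=public --list-all and prints every service or port present at runtime but missing from the permanent configuration. The two listings embedded here are constructed samples in the --list-all output format (the http service and port 123/tcp are the ones opened by the commands in this guide); on a real host, feed the live output in instead.

```shell
#!/bin/sh
# Added example, not from the original article: find firewalld changes that
# exist only at runtime and would therefore be lost on reboot.

# Constructed sample of `firewall-cmd --zone=public --list-all` (runtime view).
runtime_listing() {
  cat <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: dhcpv6-client ssh http
  ports: 123/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
}

# Constructed sample of `firewall-cmd --permanent --zone=public --list-all`.
permanent_listing() {
  cat <<'EOF'
public
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
}

# Extract "kind value" pairs for services and ports from a --list-all listing on stdin.
list_items() {
  awk '$1 == "services:" || $1 == "ports:" {
         kind = substr($1, 1, length($1) - 1)
         for (i = 2; i <= NF; i++) print kind, $i
       }'
}

# runtime_only RUNTIME_TEXT PERMANENT_TEXT
# Prints, sorted, the items present in the runtime listing but absent from the permanent one.
runtime_only() {
  {
    printf '%s\n' "$1" | list_items | sed 's/^/runtime /'
    printf '%s\n' "$2" | list_items | sed 's/^/permanent /'
  } | awk '
    $1 == "permanent" { perm[$2 " " $3] = 1; next }
    $1 == "runtime"   { rt[$2 " " $3] = 1 }
    END { for (k in rt) if (!(k in perm)) print k }
  ' | sort
}

# Offline demo with the constructed listings (prints "ports 123/tcp" and "services http").
runtime_only "$(runtime_listing)" "$(permanent_listing)"

# On a live host, compare the real views; anything printed is lost on reboot
# unless promoted with `firewall-cmd --runtime-to-permanent`:
#   runtime_only "$(firewall-cmd --zone=public --list-all)" \
#                "$(firewall-cmd --permanent --zone=public --list-all)"
```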
Firewalld Command Examples
# List zones and default zone
firewall-cmd --get-zones
firewall-cmd --get-default-zone
# Set default zone to trusted
firewall-cmd --set-default-zone=trusted
# Bind a subnet to a zone (drop all traffic from it)
firewall-cmd --zone=drop --add-source=192.168.20.0/24
# Bind an interface to a zone (trusted)
firewall-cmd --zone=trusted --add-interface=ens160
# List services allowed in a zone
firewall-cmd --zone=public --list-all
# Allow HTTP service in public zone
firewall-cmd --zone=public --add-service=http
# Open a specific port
firewall-cmd --zone=public --add-port=123/tcp
# Port forwarding (public zone forwards 888 to 22 on 192.168.10.1)
firewall-cmd --permanent --zone=public --add-forward-port=port=888:proto=tcp:toport=22:toaddr=192.168.10.1
# Rich rule example (reject traffic from 192.168.100.1/24)
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.100.1/24" reject'
Rich Rules
Rich rules have the highest priority, allowing fine‑grained control based on source/destination addresses, ports, and services.
Graphical Configuration with firewall-config
Install the GUI tool: dnf install firewall-config
The interface lets you:
Select Runtime or Permanent mode.
Choose a zone.
View the active zone.
Manage services, ports, protocols, and SNAT.
Configure rich rules and view black/white lists.
By understanding the underlying netfilter architecture, the differences between iptables and firewalld, and the proper use of tables, chains, zones, and rich rules, administrators can design robust, maintainable firewall policies for Linux servers.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)