Practical Guide to Configuring Linux Firewalls with iptables, ufw, and firewalld

Overview

When a newly launched server is flooded with SSH brute‑force attempts, the first line of defense is a Linux firewall. The article compares the three mainstream firewall utilities—iptables, ufw, and firewalld—explaining that they all sit on top of the netfilter framework but differ in command syntax and feature set.

1. iptables – Classic and Most Flexible

iptables operates directly on netfilter rule chains. The four built‑in chains are INPUT (incoming traffic), OUTPUT (outgoing traffic), FORWARD (routing/NAT), and PREROUTING / POSTROUTING (pre‑ and post‑routing for NAT and port forwarding). Each chain can have a default ACCEPT , DROP , or REJECT policy.

Scenario 1: Allow SSH, block everything else

# Allow SSH (skip this and you lose connection!)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow established/related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow loopback interface
iptables -A INPUT -i lo -j ACCEPT
# Set default policy to DROP
iptables -P INPUT DROP
# List current rules
iptables -L -n -v

A hard lesson is highlighted: always add the SSH rule before changing the default policy, otherwise you lock yourself out and must resort to the cloud provider’s console.

Scenario 2: Block a specific IP or subnet

# Block a single IP
iptables -I INPUT -s 192.168.1.100 -j DROP
# Block an entire subnet
iptables -I INPUT -s 192.168.1.0/24 -j DROP

The -I (insert) option is used instead of -A (append) because rules are evaluated top‑down; inserting at the top ensures the block takes effect first.

Scenario 3: Open specific ports

# Open HTTP and HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow a trusted IP to access MySQL
iptables -A INPUT -s 10.0.0.50 -p tcp --dport 3306 -j ACCEPT

Persisting rules

iptables rules disappear after a reboot. Persistence methods:

Ubuntu/Debian: iptables-save > /etc/iptables/rules.v4 CentOS/RHEL: service iptables save or iptables-save > /etc/sysconfig/iptables Install iptables-persistent on Debian for automatic loading.

Common quick‑reference commands are listed, such as -L -n -v to list rules, -F to flush, -D INPUT 3 to delete a rule, and -Z to zero counters.

2. ufw – Ubuntu’s Simplified Firewall

ufw (Uncomplicated Firewall) wraps iptables with an easy‑to‑use syntax. It is recommended for Ubuntu users.

Installation & default policy

# Install (usually pre‑installed)
apt install ufw
# Default policies: deny incoming, allow outgoing
ufw default deny incoming
ufw default allow outgoing

Common operations

# Allow SSH
ufw allow 22/tcp
# Or by service name
ufw allow ssh
# Allow HTTP/HTTPS
ufw allow 80/tcp
ufw allow 443/tcp
# Allow a port range
ufw allow 60000:61000/udp
# Restrict access to a specific IP
ufw allow from 10.0.0.50 to any port 3306
# Delete a rule (use numbered list)
ufw status numbered
ufw delete 3

Enabling the firewall with ufw enable prompts a warning about possible SSH disconnection; the user must confirm that port 22 is already allowed.

Rules are stored in /etc/ufw/user.rules and persist across reboots automatically.

Limitations

ufw works well for most single‑server scenarios but lacks advanced NAT and port‑forwarding capabilities; for those cases, iptables or firewalld is required.

3. firewalld – Dynamic Firewall for CentOS/RHEL 8+

Starting with CentOS 7, Red Hat replaces the iptables service with firewalld, which supports dynamic reloading without breaking existing connections.

Zone concept

Zones define security levels per network interface. Common zones:

drop : drop all inbound traffic.

public : default zone, only SSH and DHCP are allowed.

home / internal : higher trust for internal networks.

trusted : accept all connections.

Each NIC can be bound to a specific zone.

Typical commands

# Start and enable service
systemctl start firewalld
systemctl enable firewalld
# Show active zones
firewall-cmd --get-active-zones
# Add services permanently
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
# Open a port permanently
firewall-cmd --permanent --zone=public --add-port=8080/tcp
# Reload to apply changes without dropping connections
firewall-cmd --reload
# List all settings for a zone
firewall-cmd --zone=public --list-all

Blocking an IP with a rich rule

firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="192.168.1.100" drop'
firewall-cmd --reload

Port forwarding (NAT)

Example: forward traffic from port 8080 to port 80.

# Enable masquerading (NAT)
firewall-cmd --permanent --zone=public --add-masquerade
# Add forward rule
firewall-cmd --permanent --zone=public --add-forward-port=port=8080:proto=tcp:toport=80
firewall-cmd --reload

Runtime vs permanent

Commands without --permanent take effect immediately but disappear after a reboot. Adding --permanent writes to the configuration file; a subsequent --reload is required to apply them. The recommended workflow is to test with runtime commands first, then add --permanent and reload.

4. Choosing the Right Tool

Personal VPS / small projects : use ufw for quick, readable rules.

CentOS/RHEL enterprise environments : use firewalld for zone management and dynamic reload.

Complex NAT / router scenarios : use iptables for full flexibility.

All three utilities share the same netfilter backend; do not run two of them simultaneously to avoid rule conflicts.

5. Common Pitfalls

Pitfall 1 : Changing the default policy before allowing SSH locks you out.

Pitfall 2 : Adding --permanent in firewalld without reloading leaves the rule inactive.

Pitfall 3 : Placing a DROP rule before an ACCEPT rule in iptables renders later rules ineffective.

Pitfall 4 : Docker writes its own iptables rules; if the default policy is DROP, you must add necessary rules after Docker starts.