
Comprehensive Guide to Linux Firewall Configuration

In an era where cyber threats are increasingly sophisticated, securing Linux systems is paramount. A firewall acts as the first line of defense, controlling incoming and outgoing network traffic based on predefined security rules. Whether you’re managing a personal server, an enterprise-grade infrastructure, or a cloud-based deployment, understanding Linux firewall configuration is critical to safeguarding your systems from unauthorized access, data breaches, and malicious attacks. This guide demystifies Linux firewall concepts, explores popular tools (e.g., iptables, ufw, firewalld), and provides actionable steps to configure, manage, and optimize firewalls. By the end, you’ll have the knowledge to implement robust firewall rules, adhere to best practices, and troubleshoot common issues.

Table of Contents

  1. Fundamental Concepts
    • What is a Firewall?
    • Stateless vs. Stateful Firewalls
    • Key Terminology: Chains, Tables, Zones, and Protocols
  2. Linux Firewall Tools Overview
    • iptables: The Legacy Workhorse
    • ufw: Uncomplicated Firewall (User-Friendly Frontend)
    • firewalld: Dynamic Firewall Manager (RHEL/CentOS/Fedora)
  3. Usage Methods: Practical Configuration
    • Configuring iptables
    • Configuring ufw
    • Configuring firewalld
  4. Common Practices: Real-World Scenarios
    • Allowing Essential Services (SSH, HTTP/HTTPS)
    • Blocking Malicious IPs
    • Limiting SSH Brute-Force Attacks
    • Port Forwarding
  5. Best Practices for Secure Firewall Management
    • Least Privilege Principle
    • Regular Rule Audits
    • Logging and Monitoring
    • Testing Rules Before Deployment
  6. Troubleshooting Firewall Issues
  7. Conclusion
  8. References

Fundamental Concepts

What is a Firewall?

A firewall is a network security device or software that monitors and filters incoming/outgoing traffic based on a set of rules. Its primary goal is to allow legitimate traffic while blocking unauthorized or malicious activity. Linux firewalls are typically software-based, integrated into the kernel (via the netfilter framework) and managed via user-space tools.

Stateless vs. Stateful Firewalls

  • Stateless Firewalls: Evaluate each packet in isolation, using rules based on static criteria (e.g., source/destination IP, port, protocol). They do not track connection state (e.g., whether a packet is part of an existing connection).
  • Stateful Firewalls: Track the state of network connections (e.g., NEW, ESTABLISHED, RELATED). They allow packets that are part of an existing, trusted connection (e.g., a response to a request you initiated), making them more secure than stateless firewalls.

Most modern Linux firewalls (e.g., iptables, firewalld) are stateful.

Key Terminology

  • Chains: Sequences of rules applied to traffic. Common chains in iptables include INPUT (incoming traffic), OUTPUT (outgoing traffic), and FORWARD (traffic routed through the system).
  • Tables: Groups of chains for specific purposes. The filter table (default) handles packet filtering; nat (network address translation) modifies IP addresses/ports; mangle alters packet headers.
  • Zones (firewalld): Predefined sets of rules for different environments (e.g., public for untrusted networks, home for trusted networks). Interfaces are assigned to zones to apply zone-specific rules.
  • Ports/Protocols: Firewalls filter traffic by port (e.g., 22 for SSH, 80 for HTTP) and protocol (TCP/UDP/ICMP).

Linux Firewall Tools Overview

Linux offers multiple tools to configure firewalls, each with unique use cases:

  Tool                          | Purpose                                  | Complexity | Best For
  ------------------------------|------------------------------------------|------------|------------------------------------------
  iptables                      | Low-level, direct netfilter management   | High       | Advanced users, custom rule sets
  ufw (Uncomplicated Firewall)  | Frontend for iptables/nftables           | Low        | Beginners, simple server setups
  firewalld                     | Dynamic firewall manager (frontend)      | Medium     | RHEL/CentOS/Fedora, dynamic environments

iptables

The legacy standard for Linux firewall configuration, iptables interacts directly with the kernel’s netfilter framework. It is powerful but requires manual rule management (rules are lost on reboot unless saved).

ufw

A lightweight frontend for iptables (and nftables on newer systems), ufw simplifies firewall configuration with intuitive commands. It is preinstalled on Ubuntu and popular for desktop/server setups.

firewalld

A dynamic firewall manager that supports zones and runtime rule changes (no service restart required). It is the default on RHEL, CentOS, and Fedora, ideal for systems needing flexible, environment-aware rules.

Usage Methods: Practical Configuration

1. Configuring iptables

Basic Commands

  • View Rules:

    sudo iptables -L -v  # List all rules with verbose output
    sudo iptables -t nat -L  # List rules in the 'nat' table
  • Allow Inbound SSH (TCP/22):

    sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT  # Append rule to INPUT chain
  • Allow Established Connections:
    Stateful rule to allow responses to outgoing requests:

    sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  • Deny All Other Inbound Traffic:
    Default deny policy (critical for security):

    sudo iptables -P INPUT DROP  # Set default policy for INPUT chain to DROP (only after the ACCEPT rules above are in place, or a remote session is cut off)
    sudo iptables -P FORWARD DROP  # Block forwarded traffic (if not a router)
  • Save Rules (Persistent Across Reboots):
    On Debian/Ubuntu:

    sudo apt install iptables-persistent  # Install persistent rules tool
    sudo netfilter-persistent save  # Save current rules to /etc/iptables/rules.v4

    On RHEL/CentOS (on version 7 and later this requires the iptables-services package and firewalld disabled):

    sudo service iptables save  # Saves to /etc/sysconfig/iptables

2. Configuring ufw

Basic Commands

  • Enable ufw:

    sudo ufw enable  # Starts ufw and enables on boot
  • Set Default Policies:
    Block all inbound, allow all outbound (recommended):

    sudo ufw default deny incoming
    sudo ufw default allow outgoing
  • Allow Services/Ports:

    sudo ufw allow ssh  # Allow SSH (uses /etc/services to map 'ssh' to port 22)
    sudo ufw allow 80/tcp  # Allow HTTP (TCP port 80)
    sudo ufw allow 443/udp  # Allow UDP port 443 (HTTPS over QUIC/HTTP/3; uncommon, shown as an example)
  • View Status:

    sudo ufw status verbose  # Show active rules and policies
  • Deny Specific IP:

    sudo ufw deny from 192.168.1.100  # Block all traffic from 192.168.1.100

3. Configuring firewalld

Basic Commands

  • Start/Enable firewalld:

    sudo systemctl start firewalld
    sudo systemctl enable firewalld  # Start on boot
  • View Zones and Interfaces:

    sudo firewall-cmd --get-zones  # List all zones
    sudo firewall-cmd --get-active-zones  # Show active zones and assigned interfaces
  • Add Service to a Zone:
    Allow HTTP in the public zone (persistent across reboots):

    sudo firewall-cmd --zone=public --add-service=http --permanent  # --permanent saves to config
    sudo firewall-cmd --reload  # Apply changes (no downtime)
  • Allow Custom Port:
    Allow TCP port 8080 in the home zone:

    sudo firewall-cmd --zone=home --add-port=8080/tcp --permanent
    sudo firewall-cmd --reload
  • Assign Interface to Zone:
    Assign eth0 to the public zone:

    sudo firewall-cmd --zone=public --add-interface=eth0 --permanent
    sudo firewall-cmd --reload

Common Practices: Real-World Scenarios

Allow Essential Services

Every server needs SSH access. Here’s how to allow it across tools:

  • ufw:

    sudo ufw allow ssh  # or sudo ufw allow 22/tcp
  • firewalld:

    sudo firewall-cmd --zone=public --add-service=ssh --permanent
    sudo firewall-cmd --reload
  • iptables:

    sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  # Allow responses

Block Malicious IPs

To block a known attacker IP (e.g., 203.0.113.45):

  • ufw:

    sudo ufw deny from 203.0.113.45
  • firewalld:

    sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="203.0.113.45" reject' --permanent
    sudo firewall-cmd --reload
  • iptables:

    sudo iptables -A INPUT -s 203.0.113.45 -j DROP

Limit SSH Brute-Force Attacks

Use iptables to allow only 3 new SSH connections per source IP in 60 seconds. Insert these two rules before the rule that accepts new SSH connections, otherwise they never match. Because the first rule (--set) records the current attempt before the second rule (--update) counts hits, --hitcount 4 is the value that drops the fourth attempt and lets three through (--hitcount 3 would allow only two):

sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
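
The iptables steps above (stateful allow, SSH access, blocking an attacker IP, the brute-force limit, default deny and saving) are combined below into one ordered ruleset in iptables-restore format, which applies the whole policy in a single transaction. This is an added example, not code from the original guide; SSH_PORT, WEB_PORTS and the rules.v4 path are illustrative assumptions, and 203.0.113.45 is the attacker address from the block-IP scenario above.

```shell
# Added example, not from the original guide: emit the whole default-deny policy as
# an iptables-restore file so it is applied in one transaction, in the right order.
# SSH_PORT, WEB_PORTS and the rules.v4 path are illustrative assumptions; 203.0.113.45
# is the attacker address from the guide's block-IP scenario.
SSH_PORT=22
WEB_PORTS="80 443"
BLOCKED_IP=203.0.113.45

build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first: local services (resolver stub, databases) talk over lo.
-A INPUT -i lo -j ACCEPT
# Stateful rule (-m conntrack --ctstate is the modern form of -m state --state).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The known-bad source is dropped before any ACCEPT rule can match it.
-A INPUT -s ${BLOCKED_IP} -j DROP
# SSH limit: --set already counts this attempt, so --hitcount 4 drops the
# fourth new connection from one source within 60 s and allows three.
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m recent --set --name SSH --rsource
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
EOF
    for port in $WEB_PORTS; do
        echo "-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# Rate-limited log of whatever falls through to the DROP policy.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "UNAUTHORIZED: " --log-level 4
COMMIT
EOF
}

# Number of -A rules in the generated file (sanity check before applying).
rule_count() { build_ruleset | grep -c '^-A '; }

# First line number on which a rule fragment appears, to verify rule ordering.
rule_position() { build_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1; }

# Apply atomically and persist only when asked; otherwise print the file (dry run).
if [ "${1:-}" = "--apply" ]; then
    build_ruleset | sudo iptables-restore
    build_ruleset | sudo tee /etc/iptables/rules.v4 >/dev/null
else
    build_ruleset
fi
```

Without arguments the script only prints the file; iptables-restore (without --noflush) replaces just the tables named in the file, so the nat table is left untouched.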

Port Forwarding (NAT)

Forward incoming traffic on port 80 to port 8080 (e.g., for a web app running on 8080):

  • iptables (nat table):

    sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080  # Applies to traffic arriving from other hosts; locally generated packets do not traverse PREROUTING
  • firewalld:

    sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080 --permanent
    sudo firewall-cmd --reload

Best Practices for Secure Firewall Management

1. Least Privilege Principle

Only allow traffic necessary for your use case. For example:

  • A web server needs port 80/443 open, not port 22 (unless remote management is required).
  • Use firewalld zones to restrict access (e.g., home zone allows more services than public).

2. Regular Rule Audits

Firewall rules can become outdated. Review rules quarterly with:

  • sudo ufw status numbered (ufw)
  • sudo firewall-cmd --list-all-zones (firewalld)
  • sudo iptables -L -v (iptables)

Remove unused rules (e.g., old ports for deprecated services).

3. Logging and Monitoring

Enable logging to detect attacks:

  • ufw:

    sudo ufw logging medium  # Log denied/allowed packets (medium verbosity)
  • firewalld:

    sudo firewall-cmd --set-log-denied=all  # Log denied packets; this changes both runtime and permanent config and reloads firewalld itself
  • iptables:

    sudo iptables -A INPUT -j LOG --log-prefix "UNAUTHORIZED: " --log-level 4  # Log traffic no earlier rule accepted; keep this as the last rule and consider -m limit to avoid log flooding

Logs are written via the kernel log facility to /var/log/kern.log (Debian/Ubuntu) or /var/log/messages (RHEL/CentOS); on systemd-based systems, journalctl -k shows the same entries.
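
The LOG rule above is only useful if someone reads its output. The following added example (not code from the original guide) summarises kernel log lines carrying the "UNAUTHORIZED: " prefix by source address and destination port, and flags sources that exceed a threshold; the kern.log lines it uses are constructed sample data in the format netfilter writes.

```shell
# Added example, not from the original guide. The log lines are constructed sample
# data in the format netfilter's LOG target writes to /var/log/kern.log.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Mar 10 12:00:01 srv kernel: [1001.1] UNAUTHORIZED: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Mar 10 12:00:02 srv kernel: [1002.2] UNAUTHORIZED: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN
Mar 10 12:00:03 srv kernel: [1003.3] UNAUTHORIZED: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51236 DPT=3389 SYN
Mar 10 12:00:04 srv kernel: [1004.4] UNAUTHORIZED: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=40 PROTO=UDP SPT=4000 DPT=161
Mar 10 12:00:05 srv kernel: eth0: link is up
EOF

# Print "count src dpt", most frequent first, for every UNAUTHORIZED line in $1.
# Non-firewall kernel messages are skipped by the prefix filter.
denied_summary() {
    grep 'UNAUTHORIZED: ' "$1" | awk '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "") print src, dpt
    }' | sort | uniq -c | sort -rn
}

# Sources with at least $2 denied packets in $1: candidates to review and, if
# confirmed malicious, block with the deny rules shown earlier in the guide.
noisy_sources() {
    grep 'UNAUTHORIZED: ' "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) print substr($i, 5)
    }' | sort | uniq -c | awk -v min="$2" '$1 >= min { print $2 }'
}

# Number of denied packets logged for the single source address $2.
denied_count() {
    grep 'UNAUTHORIZED: ' "$1" | grep -c "SRC=$2 "
}

denied_summary "$SAMPLE_LOG"
noisy_sources "$SAMPLE_LOG" 3
```

On a real system point the functions at /var/log/kern.log, or feed them journalctl -k output through a temporary file.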

4. Test Rules Before Deployment

Avoid locking yourself out! Test rules with:

  • iptables-apply (for iptables): Applies a rules file and automatically reverts to the previous rules unless you confirm connectivity within a timeout (10 seconds by default).
  • ufw --dry-run: Preview changes before applying:
    sudo ufw --dry-run allow 2222/tcp  # Shows what would happen without making changes

Troubleshooting Firewall Issues

Common Problems and Fixes

  • Rules Not Applying:

    • ufw: Ensure ufw is enabled (sudo ufw status).
    • firewalld: Check if rules are marked --permanent and reloaded (sudo firewall-cmd --reload).
    • iptables: Rules are lost on reboot unless saved; use netfilter-persistent save, or write the output of iptables-save to a file that is restored at boot.
  • Service Blocked Despite Allowing Port:

    • Verify the service uses the expected port/protocol (e.g., UDP instead of TCP).
    • Check for conflicting rules (e.g., a DROP rule above an ACCEPT rule in iptables).
  • Logging Not Working:

    • Check that the LOG rule's entries reach the kernel ring buffer: sudo dmesg | grep 'UNAUTHORIZED:' (the --log-prefix set above). If they appear there but not in the log file, the syslog daemon (rsyslog or journald) is not writing kernel messages.

Conclusion

Linux firewall configuration is a critical skill for securing systems and networks. By understanding fundamental concepts (stateful filtering, chains, zones) and leveraging tools like ufw (simple), firewalld (dynamic), or iptables (advanced), you can tailor rules to your needs.

Key takeaways:

  • Start with ufw or firewalld for simplicity; use iptables for custom workflows.
  • Follow the least privilege principle—allow only essential traffic.
  • Regularly audit, log, and test rules to maintain security.

With this guide, you’re equipped to configure, manage, and troubleshoot Linux firewalls effectively.

References