, and firewalld Note Packet # 7

CSN190 - Advanced Ken Mead Genesee Community College

Firewalls on RedHat

A local firewall can be used to allow and/or deny access to services on a system or a network. The standard firewall service on RedHat based systems is firewalld.

For a long time, iptables was the standard command for modifying the firewall rules.

In Redhat 8, iptables has been replaced with nftables, which is very similar. You can still swap out nftables for iptables if you wish.

In either situation, instead of invoking these commands directly, the desired way to work with these options is to use the firewall-cmd command, or the firewall-config GUI.

For RHCSA, you need basic knowledge of how to modify the iptables rules to block or allow network communication through one or more ports, and may use iptables, nftables, firewall-cmd, or firewall-config (the GUI).

Redhat doctrine suggests you don't use iptables (or nftables) directly.

We'll directly work with only firewall-cmd and firewall-config in this discussion.

Standard Ports

Some standard ports for well known services (table not reproduced here).

The iptables command

In RedHat 7, iptables is how firewalls are built behind the scenes.

In RedHat 8, nftables is the replacement for iptables, and is similar in structure. We'll discuss iptables here.

iptables is based on chains. A chain is a set of rules applied in order to each network packet, one rule chained after the other.

There are two basic table types: filter and nat.

We'll focus on filter, which allows us to open or close ports to network packets based on certain conditions.

Simple Examples:

# iptables -L (lists the current rules in the filter table)

# iptables -F (flushes out all rules on filter table)

iptables overview

You can append or delete rules using -A and -D. Each rule is added to one of three built-in chains:

● INPUT (for all incoming packets)
● OUTPUT (for all outgoing packets)
● FORWARD (for packets to be routed to another machine through this machine)

We'll focus on INPUT for now.

You might want to specify a source IP address (or network) for your packets using -s ip_address (e.g. -s 192.168.200.0/24)

You could specify a destination port using --dport portnum (e.g. --dport 443)

You could specify a protocol using the -p switch (e.g. -p tcp)

You should specify an action using the -j switch, with three possibilities:

● -j DROP - drop the packet and don't notify the sender
● -j REJECT - drop the packet and send a rejection notice to the sender
● -j ACCEPT - allow the packet to proceed

There are other useful options as well, for instance -m match_rule.

Adding a Rule - examples

To allow http traffic to everyone

# iptables -A INPUT -p tcp -m state --state NEW -m tcp \
    --dport 80 -j ACCEPT

To deny http traffic from one IP address

# iptables -A INPUT -s 65.55.44.100 -p tcp \
    --destination-port 80 -j DROP

To deny ssh traffic from a whole subnet

# iptables -A INPUT -s 65.55.0.0/16 -p tcp \
    --destination-port 22 -j DROP

Using firewalld

Firewalld uses the concept of zones to help you configure your firewall.

You can add interfaces and IP ranges to whichever zone you wish.

For example, if you trust all servers on the 192.168.122.0/24 network, you can add them to the internal or trusted zones.

The public zone is the default zone, but that can be changed.

Make sure firewalld is enabled and started:

# systemctl enable firewalld

# systemctl start firewalld

Firewalld Zones

The zones of firewalld, all of which can be modified and reconfigured (screenshot not reproduced here).

The firewall-config GUI

Modifying Rules and Sources

Here we add 192.168.122.50 to our internal zone (screenshot not reproduced here).

Opening Ports for Services

Adding the ftp, http, and https services to the default public zone.

Saving the configuration

If you want your changes to "stick", make sure you configure in Permanent mode.

Standard Services - brief list

Standard Services - continued

Adding Custom Ports

firewall-cmd examples

firewall-cmd allows you to modify firewalld at the shell.

A few examples:

# firewall-cmd --get-default-zone
public

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources:
  services: dhcp dhcpv6-client ftp http https ssh
  ports: 5909/tcp
  ...

To add the imap service to the default zone:

# firewall-cmd --add-service imap
success

# firewall-cmd --list-all

To do so permanently (the runtime configuration is not touched until you reload):

# firewall-cmd --add-service imap --permanent
success

# firewall-cmd --reload
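As an added example (not part of the course notes), the script below reads the "firewall-cmd --list-all" listing for a zone and reports which services and ports the zone exposes, so you can spot a service that was added and never removed. SAMPLE_LIST_ALL is a constructed listing modelled on the public zone shown above; audit_zone assumes firewalld is installed and uses the --zone option of firewall-cmd.

```shell
#!/bin/sh
# Added example, not from the course notes: audit a firewalld zone from the
# output of "firewall-cmd --list-all" and flag services the zone should not expose.
# SAMPLE_LIST_ALL is a constructed listing modelled on the notes' public zone.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources:
  services: dhcp dhcpv6-client ftp http https ssh
  ports: 5909/tcp
  protocols:
  masquerade: no'
# zone_field LISTING KEY: print the value of the "KEY:" line of a zone listing
zone_field() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { $1 = ""; sub(/^ */, ""); print; exit }'
}

# service_allowed LISTING SERVICE: exit 0 if the zone allows SERVICE
service_allowed() {
    zone_field "$1" services | tr ' ' '\n' | grep -qxF -- "$2"
}

# port_open LISTING PORT/PROTO: exit 0 if the zone opens that port explicitly
port_open() {
    zone_field "$1" ports | tr ' ' '\n' | grep -qxF -- "$2"
}

# unexpected_services LISTING EXPECTED...: print each allowed service that is
# not in the EXPECTED list, one per line (e.g. an ftp service nobody asked for)
unexpected_services() {
    listing=$1; shift
    expected=" $* "
    for svc in $(zone_field "$listing" services); do
        case "$expected" in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

# audit_zone ZONE EXPECTED...: same check against the live system (needs firewalld)
audit_zone() {
    zone=$1; shift
    unexpected_services "$(firewall-cmd --zone="$zone" --list-all)" "$@"
}

# Stand-alone demo on the constructed listing: prints "dhcp" and "ftp"
unexpected_services "$SAMPLE_LIST_ALL" ssh http https dhcpv6-client
```

On a real host, run "audit_zone public ssh http https dhcpv6-client" as root; any service it prints is one you should either justify or remove with --remove-service (runtime and --permanent, then --reload).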