Chapter #12: Basics of FirewallD and IPtables
In this chapter, we explore firewalld and iptables in RHEL, covering setup, rules, zones, and key differences between the two firewall tools.

In simple words, a firewall is a security system that controls the incoming and outgoing traffic in a network based on a set of predefined rules (matching, for example, the packet's source or destination or the type of traffic).
In this chapter, we will review the basics of firewalld, the default dynamic firewall daemon in Red Hat Enterprise Linux, and the iptables service, the legacy firewall service for Linux, with which most system and network administrators are well acquainted, and which is also available in RHEL.
A Brief Comparison Between firewalld and iptables
Under the hood, both firewalld and the iptables service talk to the netfilter framework in the kernel through the same interface: the iptables command.
However, as opposed to the iptables service, firewalld can change the settings during normal system operation without existing connections being lost.
Firewalld should be installed by default in your RHEL system, though it may not be running. You can verify with the following commands (firewall-config is the package needed for the user interface configuration tool, see Fig. 1):
dnf info firewalld firewall-config

And (see Fig. 2):

On the other hand, the iptables service is not included by default, but can be installed through:
dnf update && dnf install iptables-services
Both daemons can be started and enabled to start on boot with the usual systemd commands:
systemctl start {iptables.service,firewalld.service}
systemctl enable {iptables.service,firewalld.service}
As for the configuration files, the iptables service uses /etc/sysconfig/iptables (which will not exist if the package is not installed in your system). On a RHEL box used as a cluster node, this file looks as follows (see Fig. 3):
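A saved ruleset in /etc/sysconfig/iptables is plain text, so it can be audited without touching the live firewall. The following script is an added example, not part of the original chapter: it parses a constructed iptables-save style ruleset (modelled on a cluster node, but not the page's Fig. 3) and reports, for a given chain, which ports are accepted, what the chain's default policy is, and whether the chain ends with a catch-all REJECT or DROP rule. The function names and the sample rules are this example's own.

```shell
#!/bin/sh
# Added example: audit an iptables-save formatted ruleset offline.
# SAMPLE_RULES is a constructed ruleset, not taken from any real host.
SAMPLE_RULES=$(cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2224 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5404 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
)

# accepted_ports CHAIN: read a ruleset on stdin and print "proto port" for
# every ACCEPT rule in CHAIN that matches a destination port.
accepted_ports() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain && / -j ACCEPT/ {
            proto = ""; port = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "") print proto, port
        }'
}

# chain_policy CHAIN: print the default policy from the ":CHAIN POLICY [..]" line.
chain_policy() {
    awk -v chain="$1" '$1 == (":" chain) { print $2 }'
}

# chain_has_final_deny CHAIN: succeed (exit 0) only if the last rule appended
# to CHAIN jumps to REJECT or DROP, i.e. the chain does not fall through to
# its default policy for unmatched traffic.
chain_has_final_deny() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain { last = $0 }
        END { exit (last ~ / -j (REJECT|DROP)/) ? 0 : 1 }'
}

# Summarise the constructed ruleset when the script is run directly.
for chain in INPUT FORWARD OUTPUT; do
    echo "== $chain (policy: $(printf '%s\n' "$SAMPLE_RULES" | chain_policy "$chain"))"
    printf '%s\n' "$SAMPLE_RULES" | accepted_ports "$chain"
    if printf '%s\n' "$SAMPLE_RULES" | chain_has_final_deny "$chain"; then
        echo "   final rule denies unmatched traffic"
    else
        echo "   WARNING: unmatched traffic falls through to the default policy"
    fi
done
```

To audit a real node, replace the constructed `SAMPLE_RULES` with `cat /etc/sysconfig/iptables`; the OUTPUT chain warning above is expected on most hosts, since outbound traffic is usually left to the ACCEPT policy, but an INPUT chain without a final deny deserves a second look.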

whereas firewalld stores its configuration across two directories, /usr/lib/firewalld and /etc/firewalld (see Fig. 4):
ls /usr/lib/firewalld/ /etc/firewalld/
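The split between the two directories matters when reviewing a host: /usr/lib/firewalld holds the vendor defaults shipped with the package, and /etc/firewalld holds the administrator's changes, and a file of the same name under /etc/firewalld shadows the vendor copy (this precedence is firewalld's documented layout, not something the chapter states). The script below is an added example, not part of the original chapter; it classifies every zone definition as vendor, override or local. The function names are this example's own, and the fixture builds throwaway directories under mktemp instead of reading the real system paths.

```shell
#!/bin/sh
# Added example: report where each firewalld zone definition comes from.
# zone_sources VENDOR_DIR OVERRIDE_DIR prints one "zone source" line per zone:
#   vendor   - only the packaged default exists
#   override - a copy under the override dir shadows the vendor default
#   local    - the zone exists only under the override dir (admin-created)
zone_sources() {
    vendor="$1/zones"
    override="$2/zones"
    for f in "$vendor"/*.xml "$override"/*.xml; do
        [ -e "$f" ] || continue          # skip unmatched globs
        basename "$f" .xml
    done | sort -u | while read -r zone; do
        if [ -e "$override/$zone.xml" ] && [ -e "$vendor/$zone.xml" ]; then
            echo "$zone override"
        elif [ -e "$override/$zone.xml" ]; then
            echo "$zone local"
        else
            echo "$zone vendor"
        fi
    done
}

# make_fixture: constructed stand-ins for /usr/lib/firewalld and /etc/firewalld,
# created under a temporary directory so the example runs on any host.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/zones" "$d/etc/zones"
    : > "$d/usr/zones/public.xml"       # vendor default
    : > "$d/usr/zones/trusted.xml"      # vendor default
    : > "$d/etc/zones/public.xml"       # admin customised copy of public
    : > "$d/etc/zones/cluster.xml"      # admin-created zone
    echo "$d"
}

fixture=$(make_fixture)
zone_sources "$fixture/usr" "$fixture/etc"
rm -rf "$fixture"
```

On a real host run `zone_sources /usr/lib/firewalld /etc/firewalld`; any zone reported as override or local is one the administrator changed and is worth diffing against the vendor file before trusting it.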

We will examine these configuration files further later in this chapter, after we add a few rules here and there. For now, it will suffice to remind you that you can always find more information about both tools at:
man firewalld.conf
man firewall-cmd
man iptables
Using iptables to Control Network Traffic
Let's jump right into the examples.