Firewall Reference
Free reference guide: Firewall Reference
About Firewall Reference
The Linux Firewall Reference is a searchable cheat sheet covering the essential firewall tools and commands for Linux server and network security. It covers iptables (rule listing, INPUT/OUTPUT/FORWARD chains, IP-based filtering, default policies, rule insertion/deletion, save/restore, conntrack state tracking), nftables (table/chain/rule management, modern replacement for iptables), common rule patterns (ACCEPT, DROP, REJECT, port ranges, multiport, rate limiting, ICMP control), NAT configuration (SNAT, DNAT port forwarding, MASQUERADE for dynamic IPs), packet logging (LOG target, nflog), and firewall management tools (firewalld zones on CentOS/RHEL, ufw on Ubuntu).
Designed for system administrators, network engineers, DevOps practitioners, and security professionals managing Linux servers. Each entry includes ready-to-use command examples that can be copied directly into your terminal. The reference covers both legacy iptables and modern nftables syntax.
All processing happens locally in your browser with no data sent to any server. The interface supports dark mode and works on desktop, tablet, and mobile devices.
Key Features
- iptables reference: rule listing (-L), chain rules (-A/-I/-D), IP filtering (-s), default policies (-P), save/restore, conntrack state tracking
- nftables reference: table creation, chain management, rule add/delete with handle-based deletion
- Common firewall rules: ACCEPT/DROP/REJECT, port range specifications, multiport matching, and ICMP control
- Rate limiting rules for DDoS protection with --limit and --limit-burst parameters
- NAT configuration: SNAT (source address translation), DNAT (port forwarding), MASQUERADE for dynamic IPs
- Packet logging with iptables LOG target and nftables log prefix for traffic analysis
- firewalld zone management (CentOS/RHEL) with --permanent and --reload commands
- ufw (Ubuntu Uncomplicated Firewall) commands for simplified firewall management
Frequently Asked Questions
What is the difference between iptables and nftables?
iptables is the traditional Linux packet filtering framework that has been the standard for decades. nftables is its modern replacement, offering a unified syntax for IPv4, IPv6, ARP, and bridging (replacing iptables, ip6tables, arptables, ebtables). nftables provides better performance through a new kernel subsystem, supports sets and maps for complex matching, and uses a cleaner syntax. While iptables is still widely used, nftables is the default in newer distributions like Debian 10+, RHEL 8+, and Ubuntu 20.04+.
How do I allow SSH and block everything else with iptables?
Set the default policy to DROP for INPUT, then explicitly allow SSH and established connections: "iptables -P INPUT DROP", "iptables -P FORWARD DROP", "iptables -P OUTPUT ACCEPT", "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT", "iptables -A INPUT -p tcp --dport 22 -j ACCEPT", "iptables -A INPUT -i lo -j ACCEPT". Save with "iptables-save > /etc/iptables.rules". Always allow established connections first to avoid locking yourself out.
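A script form of this entry, added here as an example and not part of the reference itself: rather than typing the six commands one at a time (where "iptables -P INPUT DROP" takes effect before the rule that permits port 22, which cuts off a remote SSH session), it writes the same rules in iptables-restore format and loads them atomically, so the DROP policy and the ACCEPT rules take effect in the same instant. It adds one rule beyond the FAQ's list, a drop of INVALID-state packets, tying in with the conntrack states explained further down. The port argument, the ruleset_has_guard check and the timed rollback in apply_ruleset are this example's own additions.

```shell
#!/bin/sh
# Added example: build and safely apply an "SSH only" iptables ruleset.
# Everything here assumes a root shell on a host with iptables installed.

# Print an iptables-restore ruleset: default DROP on INPUT/FORWARD, ACCEPT
# on OUTPUT, loopback and ESTABLISHED,RELATED allowed, NEW TCP to $1 allowed.
gen_ssh_only_ruleset() {
    port="${1:-22}"   # SSH port; defaults to 22 as in the FAQ
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Lock-out guard: succeed only if the ruleset text ($1) allows loopback and
# ESTABLISHED,RELATED traffic, and the ESTABLISHED rule precedes the first
# port-specific rule (so replies to the current session are matched first).
ruleset_has_guard() {
    printf '%s\n' "$1" | grep -q -- '^-A INPUT -i lo -j ACCEPT$' || return 1
    printf '%s\n' "$1" | awk '
        /--ctstate ESTABLISHED,RELATED -j ACCEPT/ && !e { e = NR }
        /--dport/ && !d { d = NR }
        END { exit !(e && d && e < d) }'
}

# Apply with a safety net: syntax-check first, keep a backup, and schedule an
# automatic rollback that you cancel (kill the sleeper) once a fresh SSH login
# has been confirmed to work. The 120-second window is this example's choice.
apply_ruleset() {
    rules="$1"
    ruleset_has_guard "$rules" || { echo "refusing: no lock-out guard" >&2; return 1; }
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    iptables-save > /root/iptables.backup
    ( sleep 120 && iptables-restore < /root/iptables.backup ) &
    echo "rollback scheduled as PID $!; kill it after verifying access" >&2
    printf '%s\n' "$rules" | iptables-restore
}

# Usage (as root):  apply_ruleset "$(gen_ssh_only_ruleset 22)"
```

Because iptables-restore replaces the whole table in one transaction, rule order within the file only matters for matching, not for the moment of activation; the guard check still insists that the ESTABLISHED,RELATED rule comes before any port rule so the session carrying the change is matched by the first rule that sees its packets.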
How do I set up port forwarding (DNAT) with iptables?
Use the nat table PREROUTING chain with DNAT: "iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:8080". This forwards external port 80 to internal server 192.168.1.10 on port 8080. You also need to allow the forwarded traffic: "iptables -A FORWARD -p tcp -d 192.168.1.10 --dport 8080 -j ACCEPT". Enable IP forwarding with "echo 1 > /proc/sys/net/ipv4/ip_forward" and make it permanent in /etc/sysctl.conf.
What is the difference between DROP and REJECT in iptables?
DROP silently discards the packet without sending any response to the sender. The sender must wait for a timeout, making it harder for attackers to determine if the port exists. REJECT sends an ICMP "port unreachable" or TCP RST response, immediately informing the sender that the connection was refused. DROP is generally preferred for external-facing firewalls (security through obscurity), while REJECT is better for internal networks (faster failure for legitimate applications).
How do I protect against DDoS attacks with rate limiting?
Use the iptables limit module: "iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/min --limit-burst 5 -j ACCEPT" followed by "iptables -A INPUT -p tcp --dport 22 -j DROP". This allows a burst of 5 connections and then limits to 3 per minute. For HTTP, you might use higher limits. The connlimit module can limit connections per IP: "iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j DROP". Combine with fail2ban for comprehensive protection.
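To make the --limit and --limit-burst numbers concrete, here is a small shell model of the token bucket that the limit match implements, added as an example and not taken from the reference: the bucket starts full at --limit-burst tokens, refills at the --limit rate, and each packet the rule sees spends one token. Feeding it a constructed sequence of packet arrival times shows the shape of "3/min with burst 5": five packets pass at once, then only one every 20 seconds. The model counts every packet the rule matches, which is also why such rules are usually scoped with "-m conntrack --ctstate NEW"; otherwise the packets of an already accepted session spend tokens too.

```shell
#!/bin/sh
# Added example: model of the iptables "limit" match (token bucket) so the
# effect of --limit RATE/min --limit-burst N can be seen on sample traffic.
# Tokens are kept in thousandths so that fractional refill is exact in
# POSIX integer arithmetic. This is a teaching model, not the kernel code.

# simulate_limit RATE_PER_MIN BURST T1 T2 ...  (Ti = packet arrival time in s)
# Prints one character per packet: A = rule matched (ACCEPT), D = fell through.
simulate_limit() {
    rate=$1; burst=$2; shift 2
    cap=$((burst * 1000))     # bucket capacity = --limit-burst
    tokens=$cap               # bucket starts full
    last=0; out=""
    for t in "$@"; do
        # refill: RATE tokens per minute elapsed since the previous packet
        tokens=$((tokens + (t - last) * rate * 1000 / 60))
        if [ "$tokens" -gt "$cap" ]; then tokens=$cap; fi
        last=$t
        if [ "$tokens" -ge 1000 ]; then
            tokens=$((tokens - 1000)); out="${out}A"
        else
            out="${out}D"
        fi
    done
    printf '%s\n' "$out"
}

# Constructed sample: ten packets one second apart, then one every ten seconds.
# With --limit 3/min --limit-burst 5 the output is AAAAADDDDDADA.
simulate_limit 3 5 0 1 2 3 4 5 6 7 8 9 20 30 40
```

In the sample the first five packets drain the bucket, packets 6 to 10 arrive before a whole token has been refilled and fall through to the following DROP rule, and from then on one packet is admitted per 20 seconds, which is the 3/min average the rule states.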
How does conntrack state-based filtering work?
Conntrack (connection tracking) allows iptables to make decisions based on connection state. Key states: NEW (first packet of a connection), ESTABLISHED (part of an already established connection), RELATED (associated with an established connection, like FTP data), and INVALID (packet not identified with any connection). The standard pattern is to accept ESTABLISHED,RELATED first: "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT", then only allow NEW connections to specific ports.
How do I configure firewalld zones on CentOS/RHEL?
firewalld uses zones to define trust levels for network connections. Use "firewall-cmd --get-active-zones" to see current zones. Add ports with "firewall-cmd --zone=public --add-port=80/tcp --permanent". Add services with "firewall-cmd --zone=public --add-service=http --permanent". Always add --permanent for persistent rules, then "firewall-cmd --reload" to apply. List all zone rules with "firewall-cmd --zone=public --list-all". Common zones: drop (deny all), public (default), trusted (accept all).
How do I use MASQUERADE for internet sharing on a Linux gateway?
MASQUERADE performs dynamic SNAT, automatically using the outgoing interface IP address. Set up: "iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE". This allows the 192.168.1.0/24 internal network to access the internet through eth0. Enable IP forwarding: "echo 1 > /proc/sys/net/ipv4/ip_forward". Allow forwarded traffic: "iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT" and "iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT". MASQUERADE is preferred over SNAT when the external IP is dynamic (DHCP).
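The port-forwarding and MASQUERADE entries above describe two halves of the same gateway configuration; this added example (not code from the reference) puts both into one iptables-restore ruleset so they load atomically. Interface and address names are parameters, and the defaults (eth0 as WAN, eth1 as LAN, 192.168.1.0/24, public port 80 forwarded to 192.168.1.10:8080) are the FAQ's own values. Two details go beyond the FAQ's commands and are this example's choices: the DNAT rule is tied to the WAN interface so LAN-originated traffic is not redirected, and the FORWARD rules accept only NEW connections in the permitted directions plus ESTABLISHED,RELATED replies. The filter section leaves the INPUT policy at ACCEPT; filtering traffic to the gateway host itself is a separate matter.

```shell
#!/bin/sh
# Added example: one iptables-restore ruleset for a Linux gateway that
# MASQUERADEs a LAN behind a dynamic WAN address and DNATs one public port
# to an internal server. Assumes a root shell with iptables installed.

# gen_gateway_ruleset WAN LAN LAN_NET PUBLIC_PORT DEST_IP DEST_PORT
gen_gateway_ruleset() {
    wan="${1:-eth0}"; lan="${2:-eth1}"; lan_net="${3:-192.168.1.0/24}"
    pub_port="${4:-80}"; dst_ip="${5:-192.168.1.10}"; dst_port="${6:-8080}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ${wan} -p tcp --dport ${pub_port} -j DNAT --to-destination ${dst_ip}:${dst_port}
-A POSTROUTING -s ${lan_net} -o ${wan} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${lan} -o ${wan} -s ${lan_net} -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i ${wan} -o ${lan} -p tcp -d ${dst_ip} --dport ${dst_port} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Forwarding must be on or the FORWARD chain never sees the packets. The
# sysctl line is the one the FAQ says to make permanent in /etc/sysctl.conf.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    grep -qs '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf ||
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
}

# Usage (as root):
#   enable_forwarding
#   gen_gateway_ruleset eth0 eth1 192.168.1.0/24 80 192.168.1.10 8080 | iptables-restore --test \
#     && gen_gateway_ruleset eth0 eth1 192.168.1.0/24 80 192.168.1.10 8080 | iptables-restore
```

The FORWARD rule for the forwarded service matches the post-DNAT destination (192.168.1.10:8080, not the public port 80), because the nat PREROUTING chain rewrites the address before the routing decision and the FORWARD chain only sees the rewritten packet; the internal server's replies are un-translated by conntrack and pass under the ESTABLISHED,RELATED rule.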