
Mastering firewalld vs iptables on CentOS 7: Zones, Rules, and Configuration

This guide explains the differences between firewalld and iptables on CentOS 7, introduces zone management, details iptables packet flow, tables, chains, and provides practical commands for installing, configuring, and managing firewall rules, including examples for SSH and ping traffic.

Raymond Ops

1. Introduction

In CentOS 7, several firewall tools coexist: firewalld and iptables. By default CentOS 7 uses firewalld to manage the netfilter subsystem, but the underlying commands are still iptables.

2. Differences between firewalld and iptables

firewalld can modify a single rule dynamically, unlike iptables which requires a full reload.

firewalld is more user‑friendly; you can use it without deep knowledge of tables, chains, or TCP/IP.

firewalld defaults to deny; each service must be explicitly allowed, whereas iptables defaults to allow and you must add rules to block.

Both firewalld and iptables are front‑ends to the kernel netfilter; they only manage rules, the kernel enforces them.

3. Zone concept

Zone management

A network can be divided into zones with different access policies. For example, the Internet is an untrusted zone, while the internal network is highly trusted. A zone defines the trust level of the host's network environment and how new incoming connections are handled.

Common predefined zones

block – all incoming packets are blocked

work – trusted computers on the network

home – trusted computers on the network

public – untrusted; only selected incoming connections are accepted

dmz – demilitarized zone; only selected incoming connections are accepted

trusted – all connections are accepted

drop – all incoming connections are rejected

internal – trusted network, only selected incoming connections are accepted

external – untrusted network, only selected incoming connections are accepted

Note: firewalld’s default zone is public.

firewalld provides nine zone configuration files (block.xml, dmz.xml, drop.xml, external.xml, home.xml, internal.xml, public.xml, trusted.xml, work.xml) located in /usr/lib/firewalld/zones/.
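As an added example (not part of the original article), a small shell script that reads the zone files described above and reports each zone's target and allowed services. The two sample zone files are constructed to match the layout of CentOS 7's public.xml and drop.xml; on a real host point the functions at /usr/lib/firewalld/zones/ instead.

```shell
#!/bin/sh
# Added example, not from the original article: inspect firewalld zone
# files without running firewall-cmd. Sample files below are constructed
# to match the layout of the system zone files; the real files under
# /usr/lib/firewalld/zones/ are the source of truth.

zone_target() {
    # The optional target attribute (ACCEPT, DROP, %%REJECT%%) decides what
    # happens to packets no rule matches; absent means firewalld's default.
    t=$(sed -n 's/.*<zone[^>]*target="\([^"]*\)".*/\1/p' "$1")
    printf '%s\n' "${t:-default}"
}

zone_services() {
    # One allowed service name per line, in file order.
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"
}

zone_summary() {
    printf '%s: target=%s services=%s\n' \
        "$(basename "$1" .xml)" "$(zone_target "$1")" \
        "$(zone_services "$1" | paste -s -d ',' -)"
}

# Constructed sample files, written to a temp dir so the script runs anywhere.
ZONE_DIR=$(mktemp -d)
cat > "$ZONE_DIR/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
EOF
cat > "$ZONE_DIR/drop.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Drop</short>
</zone>
EOF

for f in "$ZONE_DIR"/*.xml; do zone_summary "$f"; done
```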

4. iptables configuration

1. Overview

The iptables firewall was developed by the Netfilter project and has been part of Linux since kernel 2.4.

Netfilter is the official name for Linux’s packet filtering and modification facilities; iptables uses Netfilter to hook functions into the network stack.

2. Basic principle

Rules are predefined conditions that match packet headers; matching packets are processed according to the rule’s target (ACCEPT, REJECT, DROP, etc.). Managing a firewall consists of adding, modifying, and deleting these rules.

3. Packet flow in iptables

Incoming packets first traverse the PREROUTING chain.

If the packet is destined for the local host, it goes through the INPUT chain; locally generated packets go through OUTPUT then POSTROUTING.

If the packet is to be forwarded and forwarding is enabled, it passes the FORWARD chain before POSTROUTING.

4. iptables tables and chains

Tables

iptables has four tables: filter (packet filtering), nat (network address translation), mangle (packet marking for QoS), and raw (bypasses connection tracking).

Chains

Chains are sequences of rules. When a packet reaches a chain, iptables checks each rule in order; if no rule matches, the chain’s default policy is applied.

5. Table processing order

raw → mangle → nat → filter

6. Managing iptables rules

Stop and disable firewalld before using iptables:

    # systemctl stop firewalld.service
    # systemctl disable firewalld.service

Install iptables if not present:

    # rpm -qa | grep iptables
    # yum install -y iptables
    # yum install -y iptables-services

7. Basic iptables syntax

    iptables [-t table] command [chain] [match] -j target

8. Common command options

-A append a rule to a chain
-D delete a rule
-I insert a rule
-R replace a rule
-L list rules
-E rename a chain
-F flush a chain
-N create a new chain
-X delete a user-defined chain
-P set a chain's default policy
-Z zero packet and byte counters
-n numeric output (no name resolution)
-v verbose output
-V print version
-h help

9. Saving rules

    # service iptables save

10. Basic operations

Clear all filter rules:

    # iptables -F
    # iptables -X
    # iptables -Z

Set default policies (accept all or drop all):

    # iptables -P INPUT ACCEPT
    # iptables -P OUTPUT ACCEPT
    # iptables -P FORWARD ACCEPT
    # iptables -P INPUT DROP
    # iptables -P OUTPUT DROP
    # iptables -P FORWARD DROP

Add rules to allow SSH:

    # iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    # iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Add rules to allow ping:

    # iptables -A INPUT -p icmp -j ACCEPT
    # iptables -A OUTPUT -p icmp -j ACCEPT

Edit the configuration file directly, then restart and enable the service:

    # vim /etc/sysconfig/iptables
    # systemctl restart iptables.service
    # systemctl enable iptables.service
    # iptables -L
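As an added example (not from the original article), the section 10 rules written out as an /etc/sysconfig/iptables file in iptables-save format, so the default-deny policy can be reviewed as text and loaded with iptables-restore instead of typed one command at a time. It goes beyond the article's list by adding loopback and established-connection rules, because a host with all three default policies set to DROP is unusable without them; the SSH port parameter, the --write flag and the iptables-restore --test check are my additions.

```shell
#!/bin/sh
# Added example, not from the original article: emit the section 10
# ruleset in the layout /etc/sysconfig/iptables uses. The port argument
# is an assumed parameter; the article uses port 22.

gen_iptables_config() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback and reply traffic: not in the article, but needed for a
# usable host once all three default policies are DROP.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Section 10: allow SSH in both directions.
-A INPUT -p tcp --dport ${ssh_port} -j ACCEPT
-A OUTPUT -p tcp --sport ${ssh_port} -j ACCEPT
# Section 10: allow ping.
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Count the rules that would be appended to a chain; a quick sanity
# check before the file is written.
count_chain_rules() {
    gen_iptables_config "$2" | grep -c -- "^-A $1 "
}

write_config() {
    gen_iptables_config "$1" > "$2"
}

# --write (assumed flag) writes the file, validates it with
# iptables-restore --test (parses without touching the kernel ruleset,
# needs root), then restarts the service as in the article.
if [ "${1:-}" = "--write" ]; then
    write_config 22 /etc/sysconfig/iptables
    iptables-restore --test < /etc/sysconfig/iptables
    systemctl restart iptables.service
fi
```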
Tags: firewall, Linux, Network Security, iptables, firewalld, CentOS7
Written by Raymond Ops

Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.
