Linux Firewall Administration: firewalld, iptables, and Network Routing
Daemon Control and State Monitoring
Manage the background daemon using standard systemd utilities.
systemctl enable --now firewalld # Start service and activate on boot
systemctl status firewalld # Display runtime state
systemctl stop firewalld # Stop the daemon; firewalld removes its rules on exit, leaving the host unfiltered
systemctl restart firewalld # Full stop/start; for configuration changes prefer firewall-cmd --reload, which keeps state
Zone Configuration and Port Access
Define network exposure through zone-specific rules. A command without --permanent changes only the runtime configuration and is lost on the next reload; a --permanent change is written to disk and takes effect only after firewall-cmd --reload.
Open a TCP port to any source in the public zone:
firewall-cmd --zone=public --add-port=3000/tcp --permanent
Apply granular source restrictions using rich rule syntax:
firewall-cmd --permanent \
--add-rich-rule='rule family="ipv4" source address="10.0.0.5" port protocol="tcp" port="3001" accept'
Remove a previously defined rich rule (the text must match the stored rule exactly; copy it from firewall-cmd --list-rich-rules):
firewall-cmd --permanent \
--remove-rich-rule='rule family="ipv4" source address="10.0.0.5" port protocol="tcp" port="3002" accept'
NAT and Traffic Forwarding
Enable IP masquerading (source NAT) so that internal networks can route outbound traffic through this host. Masquerade is a zone property; without --zone it applies to the default zone, which should be the Internet-facing one:
firewall-cmd --permanent --add-masquerade
firewall-cmd --query-masquerade # Reads the runtime state, so a --permanent change reports "no" until firewall-cmd --reload
cat /proc/sys/net/ipv4/ip_forward # Kernel forwarding flag must be 1; firewalld sets it when masquerade is enabled
firewall-cmd --permanent --remove-masquerade
Configure inbound port forwarding (DNAT) from the gateway host to a backend endpoint. Replies are matched by connection tracking, so no reverse rule is needed, but forwarding to a different host requires masquerade in the same zone:
# Map local port 9090 -> target 10.0.0.20:443
firewall-cmd --permanent --add-forward-port=port=9090:proto=tcp:toaddr=10.0.0.20:toport=443
firewall-cmd --permanent --remove-forward-port=port=9090:proto=tcp:toaddr=10.0.0.20:toport=443
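The masquerade and forward-port steps above, combined into one script that applies them and then verifies the result from the runtime state rather than trusting the permanent config. This is an added example, not part of the original notes; the zone name "public", the interface layout and the backend 10.0.0.20:443 published on 9090/tcp are assumptions. The listing check is order-insensitive because firewall-cmd --list-forward-ports prints the fields in its own order, not necessarily the order you typed them.

```shell
#!/bin/sh
# Added example: build a NAT gateway with firewalld and verify it end to end.
# Assumptions (not in the original notes): Internet-facing zone "public",
# IPv4 only, backend 10.0.0.20:443 published on the gateway's port 9090/tcp.
ZONE="${ZONE:-public}"

# Compose a forward-port spec in the form firewall-cmd expects.
forward_port_spec() {
    # $1 = local port, $2 = proto, $3 = destination address, $4 = destination port
    printf 'port=%s:proto=%s:toaddr=%s:toport=%s\n' "$1" "$2" "$3" "$4"
}

# Read the kernel's IPv4 forwarding flag. The path is a parameter so the
# function can be pointed at a file for testing. Exit 0 when forwarding is on.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Given the text of `firewall-cmd --list-forward-ports`, report whether a
# forward with exactly these four values is present, whatever field order
# firewall-cmd prints. $1 = listing, $2 = port, $3 = proto, $4 = toaddr, $5 = toport
forward_port_listed() {
    printf '%s\n' "$1" | awk -F: -v port="$2" -v proto="$3" -v toaddr="$4" -v toport="$5" '
        {
            split("", kv)                       # clear the key/value map per line
            for (i = 1; i <= NF; i++) { split($i, p, "="); kv[p[1]] = p[2] }
            if (kv["port"] == port && kv["proto"] == proto &&
                kv["toaddr"] == toaddr && kv["toport"] == toport) found = 1
        }
        END { exit found ? 0 : 1 }'
}

apply() {
    spec=$(forward_port_spec 9090 tcp 10.0.0.20 443)
    # Forwarding to another host needs masquerade in the same zone, otherwise
    # the backend answers the client directly and the connection never completes.
    firewall-cmd --permanent --zone="$ZONE" --add-masquerade
    firewall-cmd --permanent --zone="$ZONE" --add-forward-port="$spec"
    firewall-cmd --reload   # permanent -> runtime; the --query/--list calls below read runtime

    firewall-cmd --zone="$ZONE" --query-masquerade \
        || { echo "masquerade not active in $ZONE" >&2; return 1; }
    forward_port_listed "$(firewall-cmd --zone="$ZONE" --list-forward-ports)" 9090 tcp 10.0.0.20 443 \
        || { echo "forward port $spec missing from runtime" >&2; return 1; }
    ip_forward_enabled \
        || { echo "net.ipv4.ip_forward is 0; set it with sysctl -w net.ipv4.ip_forward=1" >&2; return 1; }
    echo "gateway ready: $spec via zone $ZONE"
}

# Only touch the firewall when explicitly asked: ./gateway.sh --apply
if [ "${1-}" = "--apply" ]; then apply; fi
```

Running it a second time is harmless: firewall-cmd warns that masquerade and the forward port are ALREADY_ENABLED and the verification still passes.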
Configuration Synchronization and Inspection
Load the permanent configuration into the runtime, discarding runtime-only changes, without dropping established connections:
firewall-cmd --reload # Permanent rules become runtime; connection state is kept
firewall-cmd --list-all # Full details of the default zone; add --zone=<name> for another zone
Alternatively, edit the raw XML definition at /etc/firewalld/zones/public.xml. After saving structural changes, trigger firewall-cmd --reload to propagate updates.
Low-Level Packet Filtering with iptables
Inspect chain policies and manipulate the filter table directly. On a host where firewalld uses the nftables backend, iptables shows only rules created through iptables (for example Docker's); firewalld's own rules are visible with nft list ruleset:
iptables -S # Dump full rule set
iptables -P FORWARD ACCEPT # Default policy for transit traffic; ACCEPT makes the host forward for any source, so prefer explicit allow rules (Docker sets this policy to DROP)
Replace rule 1 of the DOCKER chain. Docker rewrites this chain whenever the daemon or a container starts, so edits here do not persist; DOCKER-USER is the chain Docker reserves for operator rules:
iptables -R DOCKER 1 -p tcp -s 127.0.0.1 -d 172.20.0.8 --dport 8080 -j ACCEPT
Container Network Integration
Docker manages its own iptables chains (DOCKER, DOCKER-ISOLATION-STAGE-*, DOCKER-USER). DOCKER-USER is evaluated before Docker's own rules and is not rewritten by the daemon, so it is where container access control belongs:
iptables -L DOCKER -n --line-numbers # List with numeric indices for precise targeting
# Prepend an allow rule to the top of the DOCKER chain (use DOCKER-USER for rules that must survive a Docker restart)
iptables -I DOCKER -p tcp -s 192.168.50.10/32 -d 172.20.0.8 --dport 8080 -j ACCEPT
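The same container allow-list done the way it survives Docker restarts and repeated runs: rules go into DOCKER-USER, and each rule is added only if iptables -C says it is absent. This is an added example, not part of the original notes or of Docker's own tooling; the container address 172.20.0.8:8080 and management host 192.168.50.10 are taken from the commands above, and the assumption is that Docker is managing iptables on this host.

```shell
#!/bin/sh
# Added example: idempotent container access control in Docker's DOCKER-USER chain.
# Assumptions (not in the original notes): container 172.20.0.8:8080,
# management host 192.168.50.10, Docker configured to manage iptables.
CONTAINER_IP="${CONTAINER_IP:-172.20.0.8}"
CONTAINER_PORT="${CONTAINER_PORT:-8080}"
ADMIN_SRC="${ADMIN_SRC:-192.168.50.10/32}"

# Add a rule only if `iptables -C` reports it absent, so re-running never
# stacks duplicates. $1 = chain, $2 = "-I" or "-A", rest = rule spec.
# Prints "present" or "added" so callers (and tests) can see what happened.
ensure_rule() {
    chain=$1; how=$2; shift 2
    if iptables -C "$chain" "$@" 2>/dev/null; then
        echo present
    else
        iptables "$how" "$chain" "$@" && echo added
    fi
}

apply() {
    # Docker ends DOCKER-USER with "-j RETURN", so appending would put rules
    # behind it. Insert both at the top: the DROP first, then the ACCEPT,
    # which leaves the ACCEPT above the DROP on the first run and unchanged after.
    ensure_rule DOCKER-USER -I -d "$CONTAINER_IP" -p tcp --dport "$CONTAINER_PORT" -j DROP
    ensure_rule DOCKER-USER -I -s "$ADMIN_SRC" -d "$CONTAINER_IP" -p tcp --dport "$CONTAINER_PORT" -j ACCEPT
    # Show the result with counters and indices; the ACCEPT must list first.
    iptables -L DOCKER-USER -n -v --line-numbers
}

# Only modify the firewall when explicitly asked: ./docker-acl.sh --apply
if [ "${1-}" = "--apply" ]; then apply; fi
```

iptables rules, DOCKER-USER included, do not survive a reboot on their own; persist them with the distribution's iptables save mechanism or run the script from a boot-time unit.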
Diagnostic Utilities
Verify end-to-end reachability hop by hop using TCP SYN probes to the service port (root required; these pass filters that drop the default UDP probes):
traceroute -n -T -p 700 192.168.10.10
Capture live packet streams bound to specific interfaces and ports:
tcpdump -i eth0 -nn 'port 3000'
Restricting Remote Shell Access
Hardening SSH entry points requires careful sequencing to prevent lockout. Maintain an active terminal session throughout the process.
Initial audit and removal of the default allowances (the firewalld service is named ssh, not sshd; add a source-scoped rich rule for the management address before removing it):
firewall-cmd --list-all
firewall-cmd --permanent --remove-service=ssh
firewall-cmd --zone=public --remove-port=22/tcp --permanent
firewall-cmd --reload
If access persists, check firewall-cmd --get-active-zones: the interface may belong to a zone other than public that still lists ssh, and the service should be removed there. Moving the bundled service definition aside is a last resort, because /usr/lib/firewalld is package-managed and the file returns on the next update:
mv /usr/lib/firewalld/services/ssh.xml /tmp/ssh.xml.backup
firewall-cmd --reload
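The rich-rule and SSH-restriction steps above, as one lockout-safe script: it admits the address you are connected from (taken from $SSH_CONNECTION) at runtime and permanently before removing the ssh service, reloads, and then parses firewall-cmd --list-all to confirm SSH is no longer open to every source. This is an added example, not part of the original notes; the zone "public", port 22 and the use of $SSH_CONNECTION are assumptions.

```shell
#!/bin/sh
# Added example: restrict SSH in firewalld to the management address without
# dropping the session you are working from.
# Assumptions (not in the original notes): zone "public", SSH on 22/tcp, and
# the management address is the client half of $SSH_CONNECTION.
ZONE="${ZONE:-public}"
SSH_PORT="${SSH_PORT:-22}"

# Client address from an SSH_CONNECTION value
# ("client_ip client_port server_ip server_port").
ssh_client_ip() {
    set -- $1
    printf '%s\n' "$1"
}

# Rich rule admitting one address to SSH; family picked from the address form.
ssh_allow_rule() {
    # $1 = client address, $2 = port
    case "$1" in
        *:*) fam=ipv6 ;;
        *)   fam=ipv4 ;;
    esac
    printf 'rule family="%s" source address="%s" port protocol="tcp" port="%s" accept\n' \
        "$fam" "$1" "$2"
}

# Given the text of `firewall-cmd --zone=... --list-all`, exit 0 if SSH is
# still reachable from any source, via the ssh service or the bare port.
# Rich rules are source-scoped and therefore ignored here on purpose.
ssh_globally_open() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^ *services:/ { for (i = 2; i <= NF; i++) if ($i == "ssh") open = 1 }
        /^ *ports:/    { for (i = 2; i <= NF; i++) if ($i == (port "/tcp")) open = 1 }
        END { exit open ? 0 : 1 }'
}

apply() {
    client=$(ssh_client_ip "${SSH_CONNECTION:?run this from the SSH session you want to keep}")
    rule=$(ssh_allow_rule "$client" "$SSH_PORT")
    # Runtime first, so the current session stays reachable even if the
    # permanent change below is wrong; then permanent, so it survives reload.
    firewall-cmd --zone="$ZONE" --add-rich-rule="$rule"
    firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$rule"
    if firewall-cmd --permanent --zone="$ZONE" --query-service=ssh; then
        firewall-cmd --permanent --zone="$ZONE" --remove-service=ssh
    fi
    if firewall-cmd --permanent --zone="$ZONE" --query-port="$SSH_PORT"/tcp; then
        firewall-cmd --permanent --zone="$ZONE" --remove-port="$SSH_PORT"/tcp
    fi
    firewall-cmd --reload
    if ssh_globally_open "$(firewall-cmd --zone="$ZONE" --list-all)" "$SSH_PORT"; then
        echo "SSH is still open to every source in zone $ZONE" >&2
        return 1
    fi
    echo "SSH limited to $client in zone $ZONE; confirm from a second terminal before logging out"
}

# Only touch the firewall when explicitly asked: ./ssh-restrict.sh --apply
if [ "${1-}" = "--apply" ]; then apply; fi
```

The check deliberately looks only at the services and ports lines: a zone whose only SSH entry is the source-scoped rich rule is the desired end state, and the interface's active zone (firewall-cmd --get-active-zones) is the one to pass as ZONE if it is not public.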