Firewalld vs Iptables Comparison

Both Firewalld and Iptables are applications which are used to filter the incoming and the outgoing packets in a network.

In most of the latest Linux distributions Iptable is replaced by Firewalld, For example in Red Hat OS from RHEL, had Iptables as the inbuilt firewall application till RHEL 6.5, and from RHEL 7 onwards firewalld is the inbuilt firewall application, It is possible for the user to run iptables in the latest Linux OSs by deactivating default firewalld application and by installing iptables package. And it is not possible to run both iptables and firewalld applications at a time in a system. And also it is not possible to run a firewalld on older versions of the Linux OSs.


Iptables are built in kernel-level administration tool that comes with all Linux distributions, which is used for IPv4/IPv6 packet filtering and NAT [Network Address translation],

Netfilter framework is used by Linux Kernel for various firewall/network related operations, Here
Iptables acts as an interface to the Netfilter firewall, which allow the user to add, remove, or modify the packet rules [Policy Chain rules].

The packet filtering is based on the rules specified in the Policy chains, so each packet coming in or out of the firewall has to match the rules specified in the chain rules to proceed through the firewall.

The chain rule specifies what to do with the packet that matches, this “what to do” is called “target”, which may also be a jump to a user-defined chains. If the packet does not match the rule, then next rule specified by the target, the user-defined chain rule is followed.

The targets can be :

ACCEPT : means let the packet through the firewall.

DROP : drop the packet on the floor.

RETURN : means stop traversing this chain and resume at the next rule in the previous chain.

Iptable extensions -These user-defined targets are described in “iptables-extension”, which is a section for the user-defined set of rules.

Each built-in chain rules and user-defined chains are stored in tables, the most important table is :

– Filter table : It is the default table, it contains built-in chains

INPUT : are chains meant to control the behaviour of incoming connection.these contain packets destined to local sockets.
FORWARD : This chain is used for incoming connection that are not actually being delivered locally. That is,, it contains chain rules for packets being routed through the box.
OUTPUT : used for outgoing connections, table containing chain rules for locally generated packets.

Below shown are the basic option that comes command iptables :

-A, –append : Used for appending one or more rules to the end of a selected chain.
-D, –delete : Delete one or more rules from the selected chain.
-C, –check : check whether a rule matching the specification does exist in the selected chain.
-I, –insert : Insert one or more rule in the selected chain.
-R, –replace : Replace a rule in the selected chain.
-L, –list : Lists all the rules in the selected chain.
-F –flush : Flush the selected chain [deleting all the chains one by one].
-N, –new : Create a new-user-defined chain by the given name.
-P , –policy : a policy is set to the chain to the given target.

Syntax – iptables [-t table] {-A|-C|-D} chain rule-specification
iptables [-t table] {-I,-R,-N,etc.} chain [rulenum] rule-specification

[Note – rule-specification = [matches…] [target], match = -m matchname [per-match-options] target = -j targetname [options for each target] ]


The Firewalld is the replacement for iptables in the previous versions of Linux OSs. It offers a dynamically managed firewall which make use of zone concept, each zone defines the trust level of each network connection or interface. Firewalld supports both IPv4 and IPv6 firewall settings separately. Configuration options are separated as rutime and permanent configurations, In iptables when it was running it requires a complete firewall restart for every changes made, so every kernel module which was currently using had to be unloaded and kernel modules required for the new configuration had to be loaded.

On the other hand firewall daemon manages the firewall dynamically and without reloading the entire firewall the changes are applied. The firewalld makes sure that the daemon and kernel modules are synchronized while the changes are made.

The zones used in firewalld based on their trust level are listed below :

Drop – Allows only outgoing network connections.

Block – Only the connections initiated from the system are allowed.

Public – dhcpv6-client and ssh are allowed.

External – ssh is allowed.

Dmz – ssh is allowed.

Work – dhcpv6-client, ipp-client, mdns, samba-client, ssh services are allowed.

Home – dhcpv6-client, ipp-client, mdns, samba-client, ssh services are allowed.

Internal – dhcpv6-client, ipp-client, mdns, samba-client, ssh services are allowed.

Trusted – All network connections are allowed.

Command for using firewalld is firewalld-cmd

As we discussed earlier, there are 2 configuration mode : Runtime and Permanent. In Runtime mode the changes we made in the firewall configuration will not persist after the next system reboot, If the changes are made to persist over the next reboot we need to add the changes using the permanent mode for that –permanent option is used after the firewall-cmd, and need to run command firewall-cmd –reload to make the changes effective immediately, By default Runtime configuration mode is the default configuration mode.

The firewalld-cmd command is used mainly for the purposes listed below, [along with explanations and examples] :

1. How to check the sate of firewalld :
root@cybex# firewall-cmd –state
running // –state : option specifies the state of the firewall daemon

2. Command to list the current configuration of the default zone in firewalld
root@cybex# firewall-cmd –list-all
public (default)
services: dhcpv6-client ftp https kerberos http ssh
ports: 80/tcp 21/tcp 990/tcp 20/tcp 22/tcp

// –list-all : options list the firewall-rules and configurations for the //default zone unless a particular zone is specified by –zone=zone_name option

3. Command to list the available zones and services :
root@cybex# firewall-cmd –get-zones
block dmz drop external home internal public trusted work // list of available zones.
root@cybex# firewall-cmd –list-services
dhcpv6-client ftp http ssh
[ Note the default locations of these services and zones are in /usr/lib/firewalld , the services folder contains the details of each service required by the firewall in the form of .xml file ]

5. Command to see and set the default zone :
root@cybex# firewall-cmd –get-default-zone
root@cybex# firewall-cmd –permanent –set-default-zone=home

7. Command to add and remove a port in firewall :
root@cybex# firewall-cmd –permanent –add-port=993/tcp
// while specifying the port always you need to specify the protocol used in that port.
root@cybex# firewall-cmd –permanent –remove-port=993/tcp

9.Command to add a service in the firewall :
root@cybex# firewall-cmd –permanent –add-service=mysql

10. Command to add multiple ports to firewall:
root@cybex# firewall-cmd –dd-port={1000/tcp, 2000/tcp, 3000/tcp}

root@cybex# firewall-cmd –add-port=1000-1010/tcp Command to open a series of port

11. Command to add and remove multiple services in firewall :
root@cybex# firewall-cmd –add-service={https,ldap,kerberos}

root@cybex# firewall-cmd –remove-service={https,ldap,kerberos}

12. Command for port-forwarding : Here we are forwarding traffic coming to port 80 to port 8080, so port 8080 should added before forwarding :
root@cybex# firewall-cmd –permanent –add-forward- port=port=80:proto=tcp:toport=8080

13.Command to reject and accept a particular ip address :
root@cybex# firewall-cmd –permanent –add-rich-rule=”rule family=’ipv4′ source address=’′ reject”
root@cybex# firewall-cmd –permanent –add-rich-rule=”rule family=’ipv4′ source address=’′ accept”