firewall & pinguin: iptables where do thou go?

It is said that when using ipsets, iptables and nftables achieve almost the same performance (in terms of the number of IPs that can be blocked without the server becoming slow or unresponsive).

Red Hat on nftables and DDoS: “so the only thing to fall back to is establishing a blacklist for all the different source IP addresses” (src) (which is exactly what iptables + cron + a simple bash script does)
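The “iptables + cron + a simple bash script” blacklist from the sentence above, written out as an added example (not code from the original post) with an ipset in the middle, so that thousands of blocked addresses cost a single iptables rule instead of a rule per address, which is the ipset performance argument from the top of the page. Assumptions: the blacklist file holds one IPv4 address or CIDR per line (comments and blank lines ignored), and the set name `blacklist` is an arbitrary choice for this example.

```shell
#!/bin/sh
# Added example, not from the original post: build an ipset from a blacklist
# file and attach ONE iptables rule to the set, so the number of blocked
# addresses does not grow the rule chain. Run it from cron whenever the
# blacklist file changes.
# Assumptions: one IPv4 address or CIDR per line, '#' comments and blank lines
# are ignored; the set name is an example choice.
SET_NAME="${SET_NAME:-blacklist}"

# Turn the blacklist into an 'ipset restore' stream: fill a temporary set and
# atomically swap it with the live one, so there is never a window in which
# the live set is half empty while it is being refreshed.
blacklist_to_ipset_restore() {
    file="$1"
    printf 'create %s hash:net family inet\n' "$SET_NAME"
    printf 'create %s.tmp hash:net family inet\n' "$SET_NAME"
    printf 'flush %s.tmp\n' "$SET_NAME"
    # keep only tokens that look like a.b.c.d or a.b.c.d/n at the start of a
    # line; comments, blank lines and garbage are dropped, duplicates merged
    grep -Eo '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?' "$file" | sort -u |
    while read -r entry; do
        printf 'add %s.tmp %s\n' "$SET_NAME" "$entry"
    done
    printf 'swap %s.tmp %s\n' "$SET_NAME" "$SET_NAME"
    printf 'destroy %s.tmp\n' "$SET_NAME"
}

# How many entries the live set will hold after the swap.
blacklist_entry_count() {
    blacklist_to_ipset_restore "$1" | grep -c '^add ' || true
}

# Apply for real (needs root): load the stream ('-exist' makes the creates
# idempotent on repeated cron runs) and make sure the single DROP rule that
# references the set exists, inserting it only if it is missing.
apply_blacklist() {
    blacklist_to_ipset_restore "$1" | ipset restore -exist
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# Usage from cron, e.g. every 10 minutes:
#   */10 * * * * root /usr/local/sbin/blacklist.sh
# with the script ending in:  apply_blacklist /etc/blacklist.txt
```

The swap is what makes this safe to run unattended: the live set is replaced in one step, so a half-written refresh never leaves the server unprotected, and because the DROP rule only references the set, adding or removing ten thousand entries never touches the iptables chain itself.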

the third concept: bpfilter

2018-02: “The Linux kernel currently supports two separate network packet-filtering mechanisms: iptables and nftables.
For the last few years, it has been generally assumed that nftables would eventually replace the older iptables implementation;
few people expected that the kernel developers would, instead, add a third packet filter.
But that would appear to be what is happening with the newly announced bpfilter mechanism.
Bpfilter may eventually replace both iptables and nftables, but there are a lot of questions that will need to be answered first.” (src:
even faster X-D

and: will already established iptables scripts keep on working?

“We like iptables after all, this tool has been serving us (and will likely keep serving still for a while in many deployments) to filter out traffic on both per-packet and per-flow basis, log suspicious traffic activity, perform NAT and many other things.

It comes with more than a hundred extensions that have been contributed over the last 15 years!

Nevertheless, the iptables framework suffers from limitations that cannot be easily worked around:

  • Avoid code duplication and inconsistencies:
    • Many of the iptables extensions are protocol specific
    • so there is no consolidated way to match packet fields
    • instead there is one extension for each protocol that it supports
    • this bloats the codebase with very similar code to perform a similar task: payload matching
  • Faster packet classification through enhanced generic set and map infrastructure
  • Simplified dual stack IPv4/IPv6 administration, through the new inet family that allows you to register base chains that see both IPv4 and IPv6 traffic
  • Better dynamic ruleset updates support
  • Provide a Netlink API for third party applications, just as other Linux Networking and Netfilter subsystem do
  • Address syntax inconsistencies and provide nicer and more compact syntax (aha aha X-D)

These, among other things not listed here, triggered the nftables development which was originally presented to the Netfilter community in the 6th Netfilter Workshop in Paris (2008, France).” (src:

rule of thumb:

test whether the rules / the firewall behave as expected from a second machine with a different IP (otherwise you risk locking yourself out).


FirewallD is written in Python, by some guy that works at Red Hat.

(Python is even slower than PHP… so whenever one adds something like 1000 rules, the reload takes AGES! X-D) (Overall one is pretty pissed right now; again and again it seems iptables was better, with all its shortcomings, like interrupting running connections.)

CentOS 7 uses firewalld, which is a frontend for nftables or iptables (whatever is installed).

(WARNING! nftables mimics backward compatibility with iptables: the iptables command is available and seems to work, but actually nftables is in charge, which could lead to confusion.)

(it is even possible that both nftables AND iptables are installed)

Debian Wiki says:

“Should I mix nftables and iptables/ebtables/arptables rulesets?

No, unless you know what you are doing.”


overall firewalld is a pretty complex tool.

firewalld ships by default on the following Linux distributions:[6]

firewalld is enabled by default in all the distributions that rely on it as their default firewall. firewalld is also available as one of many firewall options in the package repository of many other popular distributions such as Debian.[10](src)

graphical frontend / GUI for the GNOME 2 / MATE desktop:

# install gui
yum install firewall-applet

tested with:

  Operating System: CentOS Linux 7 (Core)
  Architecture: x86-64
  Kernel: Linux 3.10.0-693.17.1.el7.x86_64

firewall-cmd -V

yum list installed|grep firewall
firewalld.noarch                                @anaconda
firewalld-filesystem.noarch                       @anaconda
python-firewall.noarch                          @anaconda

let's get started:

# list all opened ports
firewall-cmd --list-ports

# list all rules
firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
services: ssh dhcpv6-client
masquerade: no
rich rules: 
rule family="ipv4" source address="" reject
rule family="ipv4" source address="" reject

firewall-cmd --get-active-zones
 interfaces: eth0

# list rules for a specific zone
firewall-cmd --zone=home --list-all

for example, if your zone is public and you want to open port 80:

firewall-cmd --zone=public --add-port=80/tcp --permanent

reload the firewall for changes to take effect:

firewall-cmd --reload
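The “open a port, then reload” procedure above combined with the rule of thumb from earlier on the page (test from a second machine, or lock yourself out), as an added example that is not code from the original post: the change is made at runtime only, a delayed reload acts as a dead-man's switch (a reload throws runtime-only changes away and restores the permanent config), and only after the rule has been verified from the other machine is it persisted with `--runtime-to-permanent`. The grace period, the `fw` wrapper and `FW_DRY_RUN` are choices made for this example; `--runtime-to-permanent`, `--reload` and `--add-port` are real firewall-cmd options.

```shell
#!/bin/sh
# Added example, not from the original post: apply a firewalld change in a way
# that cannot lock you out of the server.
# Assumptions: GRACE (seconds until the safety reload fires) is an example
# value; FW_DRY_RUN=1 prints the firewall-cmd calls instead of running them,
# so the flow can be exercised as an unprivileged user.
GRACE="${GRACE:-300}"

fw() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# Step 1: run any firewall-cmd arguments as a RUNTIME-ONLY change (no
# --permanent) and start the timer. Prints the change (in dry-run mode) and,
# on the last line, the PID of the timer so the caller can cancel it. If the
# change cuts you off, the timer reloads the permanent config and you are
# back in after GRACE seconds.
safe_runtime_change() {
    fw "$@"
    ( sleep "$GRACE" && fw --reload ) >/dev/null 2>&1 &
    echo "$!"
}

# Step 2a: the rule was verified from the second machine (nmap, an ssh login),
# so cancel the timer and copy the runtime state into the permanent config.
confirm_change() {
    kill "$1" 2>/dev/null || true
    fw --runtime-to-permanent
}

# Step 2b: the change was wrong; do not wait for the timer, revert right now.
abort_change() {
    kill "$1" 2>/dev/null || true
    fw --reload
}

# Usage (as root, on the server):
#   timer=$(safe_runtime_change --zone=public --add-port=80/tcp | tail -n1)
#   ... from the other machine: nmap -p 80 <server> ...
#   confirm_change "$timer"      # or: abort_change "$timer"
```

Note that the order matters: `--permanent` first and `--reload` afterwards (the way the page does it) activates the change with nothing to fall back on, whereas runtime first and `--runtime-to-permanent` last keeps the known-good permanent config as the fallback until you have seen the rule work from outside.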

to check, scan the ports from a client machine:

nmap -v -p 0-65535 -sS
22/tcp open  ssh
80/tcp open  http
# monitor your logs
# without color (follow every non-compressed file under /var/log)
find /var/log/ -type f ! -path '*.gz*' -exec tail -n0 -f {} +
# with color (needs ccze, not available anymore in CentOS8)
apt install ccze
find /var/log/ -type f ! -path '*.gz*' -exec tail -n0 -f {} + | ccze

# when you have found an abusive IP

# ban/block the IP (also blocks ping)
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='' reject"
# the sender gets an ICMP "Destination Port Unreachable" back
# note: --permanent only writes the config; run firewall-cmd --reload (or repeat the command without --permanent) for the rule to become active
# strangely enough: this seems to apply only to newly created connections, not to existing ones
# (if a ping was started before the block is activated, the ping continues X-D)
# (reason: firewalld accepts packets belonging to RELATED/ESTABLISHED conntrack entries before the zone and rich rules are evaluated, and ICMP echo is tracked too, so an already running flow is not re-checked until its conntrack entry expires)
# unban/unblock the IP (also ping)
# also: had to "unban" with --remove-rich-rule and reload several times until it was actually unbanned
firewall-cmd --permanent --remove-rich-rule="rule family='ipv4' source address='' reject"

# overview over all rules
firewall-cmd --list-all

# maybe works better
# ban an IP by adding it as a source to the drop zone (but ping is still allowed)
# (again: --permanent changes need firewall-cmd --reload to become active)
firewall-cmd --permanent --zone=drop --add-source=
# unban the IP
firewall-cmd --permanent --zone=drop --remove-source=

# block a specific IP for 15 min (runtime only: --timeout cannot be combined with --permanent;
# the rule removes itself when the timeout expires)
firewall-cmd --add-rich-rule="rule family='ipv4' source address='' reject" --timeout=15m
# block a specific IP forever (written to the permanent config; run firewall-cmd --reload to activate it)
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='' reject"

# block a specific subnet (source address in CIDR notation, e.g. x.x.x.0/24)
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='' reject"
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='' reject"
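The two steps the page spells out by hand, “monitor your logs” and “when you have found an abusive IP, block it for 15 min”, wired together as an added example that is not code from the original post: failed SSH logins are counted per source IP from sshd log lines, and every IP at or above a threshold gets a timed rich rule (runtime only, so it expires on its own and never needs the remove-and-reload-several-times dance). The log format is the classic /var/log/secure one; the threshold, ban duration, the `fw` dry-run wrapper and the sample lines (RFC 5737 documentation addresses) are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: detect brute-force SSH sources in
# sshd log lines and ban them with a timed firewalld rich rule.
# Assumptions: THRESHOLD, BAN_TIME and the sample log below are example values;
# FW_DRY_RUN=1 prints the firewall-cmd calls instead of executing them.
THRESHOLD="${THRESHOLD:-5}"
BAN_TIME="${BAN_TIME:-15m}"

fw() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then echo "firewall-cmd $*"; else firewall-cmd "$@"; fi
}

# Read sshd lines on stdin, print "count ip" for every IP with >= THRESHOLD
# failures, worst offender first. Only "Failed password" lines count;
# "Accepted ..." and unrelated lines are ignored.
abusive_ips() {
    awk -v min="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# Ban one IPv4 address for BAN_TIME; runtime only (--timeout is incompatible
# with --permanent), so the rule disappears by itself afterwards.
ban_ip() {
    fw --add-rich-rule="rule family='ipv4' source address='$1' reject" --timeout="$BAN_TIME"
}

# Glue: feed a log file through the detector and ban every hit.
ban_abusive_from_log() {
    abusive_ips < "$1" | while read -r count ip; do
        echo "banning $ip after $count failed logins" >&2
        ban_ip "$ip"
    done
}

# Constructed sample lines; a real run would read /var/log/secure instead.
SAMPLE_LOG="$(cat <<'EOF'
Mar  1 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.7 port 54321 ssh2
Mar  1 10:00:02 host sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 54322 ssh2
Mar  1 10:00:03 host sshd[1236]: Failed password for root from 203.0.113.7 port 54323 ssh2
Mar  1 10:00:04 host sshd[1237]: Failed password for root from 203.0.113.7 port 54324 ssh2
Mar  1 10:00:05 host sshd[1238]: Failed password for root from 203.0.113.7 port 54325 ssh2
Mar  1 10:00:06 host sshd[1239]: Accepted publickey for alice from 198.51.100.9 port 40000 ssh2
Mar  1 10:00:07 host sshd[1240]: Failed password for alice from 198.51.100.9 port 40001 ssh2
EOF
)"

# Usage:
#   printf '%s\n' "$SAMPLE_LOG" | abusive_ips        # -> "5 203.0.113.7"
#   FW_DRY_RUN=1 ban_abusive_from_log /var/log/secure # show what would be banned
#   ban_abusive_from_log /var/log/secure              # as root, for real
```

A single failed login from 198.51.100.9 stays below the threshold and is left alone, which is the point of counting first: one typo from a legitimate user must not earn the same treatment as a hundred guesses from a bot. Because the rule carries a timeout, a mistaken ban heals itself, and a persistent offender is simply banned again on the next cron run.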

# you can view the rules in this config file
# ... "great" this file was removed in CentOS8...
cat /etc/firewalld/direct.xml


nice tutorial:

ip to country mapping:

project website:
