When running a Linux OS, there are a variety of firewalls that can be deployed on your system, each with its own set of commands. As a result, managing and maintaining your system's firewall can be difficult without a convenient reference. The goal of this article is to provide a basic reference list of common commands for handling your Linux firewall.
To keep things succinct, the commands are provided in a table below, after a brief explanation of the firewalls covered here.
Common Firewalls Used in Linux
The following section covers basic background information regarding what firewall types are available within your Linux OS.
iptables
The Linux kernel requires rules for IP packet filtering to be managed in tables. iptables is used to set up, maintain, and inspect these tables of IP packet filtering rules with each table containing built-in chains. The iptables chains are lists of rules which match a set of packets, specifying instructions for each rule on how to handle the packet.
ConfigServer Security & Firewall (CSF)
ConfigServer Security & Firewall, or CSF, is a tool that manipulates iptables chains while also providing additional functionality that iptables does not offer. CSF filtering is done on IP addresses, services, and ports.
CSF uses the Login Failure Daemon (lfd) which provides a tool that scans the latest log file entries for login attempts against your server. This is useful for detecting brute-force attacks, allowing lfd to automatically detect the pattern and block the offending IP.
Uncomplicated Firewall (UFW)
Uncomplicated Firewall (UFW) is the default firewall configuration tool for Ubuntu. It was developed to ease iptables firewall configuration by providing a friendly way to create an IPv4 or IPv6 host-based firewall.
Firewalld
Firewalld is a service daemon with a D-Bus interface that provides easy management of network/firewall zones, assigning different levels of trust to a network and its associated connections. The interface also provides the ability to add iptables rules directly.
Table of Commands for Firewall Management
The following is a list of common commands for the four firewall types discussed above.
Action | iptables | CSF | UFW | Firewalld
Check firewall status | N/A (not required separately, as CSF won't run if iptables isn't working) | service csf status or systemctl status csf | service ufw status or systemctl status ufw | service firewalld status
Viewing/searching firewall rules | iptables -n -L -v --line-numbers | csf -g [IP] (searches the rules for a match on that IP) | sudo ufw status numbered (lists the rules with their numbers; sudo ufw delete # then removes rule number #) | firewall-cmd --list-all, firewall-cmd --list-services, firewall-cmd --list-ports
Restart firewall | No restart command; occasionally rebooting the system can help if iptables rules do not take effect (note that rules not saved to disk are lost on reboot) | service csf restart or csf -r (csf -ra restarts lfd as well) | service ufw restart | service firewalld restart
Adding and blocking a port [replace #### with the port number] | Adding: iptables -I INPUT 1 -p tcp --dport=#### -j ACCEPT; Blocking: iptables -I INPUT 1 -p tcp --dport=#### -j DROP | Edit /etc/csf/csf.conf (see the csf.conf note below the table), then run csf -r to apply | Adding: sudo ufw allow #### (####/tcp or ####/udp can be used as well); Blocking: sudo ufw deny #### (same /tcp or /udp option) | Adding: firewall-cmd --permanent --add-port=####/tcp (or /udp); Blocking: firewall-cmd --permanent --remove-port=####/tcp (or /udp, appended without a space); run firewall-cmd --reload afterwards so the permanent change takes effect
Adding and removing an IP [replace x.x.x.x with the IP] | Adding: iptables -A INPUT -s x.x.x.x -j ACCEPT; Removing: iptables -D INPUT -s x.x.x.x -j ACCEPT | Adding: csf -a x.x.x.x [optional comment] (writes the entry to /etc/csf/csf.allow); Removing: csf -ar x.x.x.x (removes the entry from /etc/csf/csf.allow) | Adding: sudo ufw allow from x.x.x.x; Removing: sudo ufw status numbered to find the rule number, then sudo ufw delete # | Adding: firewall-cmd --permanent --add-source=x.x.x.x; Removing: firewall-cmd --permanent --remove-source=x.x.x.x; run firewall-cmd --reload afterwards
Blocking an IP [replace x.x.x.x with the IP] | iptables -A INPUT -s x.x.x.x -j DROP (-A appends; use -I INPUT 1 instead if an earlier ACCEPT rule would match the address first) | csf -d x.x.x.x [optional comment] (writes the entry to /etc/csf/csf.deny) | sudo ufw deny from x.x.x.x (rules are matched in order; sudo ufw insert 1 deny from x.x.x.x places it before existing allow rules) | firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="x.x.x.x" reject'; run firewall-cmd --reload afterwards
Adding and removing a service | N/A | N/A | Allow: sudo ufw allow <service> (e.g. ssh); Remove: sudo ufw delete allow <service> | Allow: firewall-cmd --permanent --add-service=ssh; Remove: firewall-cmd --permanent --remove-service=mysql; run firewall-cmd --reload afterwards

csf.conf note (CSF ports): edit /etc/csf/csf.conf and set the ports you need in the lines below. The snippet is taken from that file to show where the inbound and outbound ports are placed; change nothing in the file other than the port numbers in these lines, then run csf -r.
# Allow incoming TCP ports
TCP_IN = "20,443,465,21,22,587,993,25,53,80,110,143,995"
# Allow outgoing TCP ports
TCP_OUT = "20,21,443,587,22,25,80,110,43,53"
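As an added example (my own helper, not part of the original article), the POSIX sh function below turns one intent (allow/block a port or an IP) into the matching command for whichever of the four tools is in use, validating the IP or port first so an unexpected value never reaches the firewall. It prints the command instead of running it, so the result can be reviewed before being piped to sh; the function names are assumed.

```shell
#!/bin/sh
# Added example: map one intent onto the per-tool commands from the table.
# Usage: fw_cmd <iptables|csf|ufw|firewalld> <allow-port|block-port|allow-ip|block-ip> <value>

valid_ipv4() {
  # four dotted octets, each 0-255
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  for o in $1; do [ "$o" -le 255 ] || { IFS=$old_ifs; return 1; }; done
  IFS=$old_ifs
}

valid_port() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

fw_cmd() {
  tool=$1; action=$2; value=$3
  case $action in
    *-port) valid_port "$value" || { echo "bad port: $value" >&2; return 1; } ;;
    *-ip)   valid_ipv4 "$value" || { echo "bad ip: $value" >&2; return 1; } ;;
    *)      echo "unknown action: $action" >&2; return 1 ;;
  esac
  reload='&& firewall-cmd --reload'   # permanent firewalld changes need a reload
  case "$tool:$action" in
    iptables:allow-port)  echo "iptables -I INPUT 1 -p tcp --dport=$value -j ACCEPT" ;;
    iptables:block-port)  echo "iptables -I INPUT 1 -p tcp --dport=$value -j DROP" ;;
    iptables:allow-ip)    echo "iptables -A INPUT -s $value -j ACCEPT" ;;
    iptables:block-ip)    echo "iptables -I INPUT 1 -s $value -j DROP" ;;   # before any ACCEPT
    csf:allow-ip)         echo "csf -a $value" ;;
    csf:block-ip)         echo "csf -d $value" ;;
    ufw:allow-port)       echo "ufw allow $value/tcp" ;;
    ufw:block-port)       echo "ufw deny $value/tcp" ;;
    ufw:allow-ip)         echo "ufw allow from $value" ;;
    ufw:block-ip)         echo "ufw insert 1 deny from $value" ;;            # before allow rules
    firewalld:allow-port) echo "firewall-cmd --permanent --add-port=$value/tcp $reload" ;;
    firewalld:block-port) echo "firewall-cmd --permanent --remove-port=$value/tcp $reload" ;;
    firewalld:allow-ip)   echo "firewall-cmd --permanent --add-source=$value $reload" ;;
    firewalld:block-ip)   echo "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$value\" reject' $reload" ;;
    *) echo "no $action mapping for $tool (CSF ports are set in /etc/csf/csf.conf)" >&2; return 1 ;;
  esac
}
```

Run it as, for example, fw_cmd ufw block-ip 203.0.113.7 (a constructed documentation address) and review the printed command before executing it.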
-written by Pascal Suissa