The Role of iptables and the Difference from firewalld
1. What is iptables? What is it used for?
iptables is a classic firewall tool on Linux systems, operating at the network layer, with main functions including:
- Packet Filtering: allowing or blocking specific network traffic based on rules (such as IP addresses, ports, protocols, etc.)
- Traffic Forwarding: controlling the forwarding of packets between different network interfaces
- Network Address Translation (NAT): implementing functions such as port mapping and IP address translation
- Traffic Monitoring and Statistics: recording the number of packets and bytes passing through the firewall, which is very useful in network debugging, penetration testing, etc.
Why use iptables instead of firewalld?
firewalld is a newer firewall management tool in RedHat-based Linux, essentially a front-end wrapper for iptables, providing a more user-friendly interface and dynamic update mechanism. However, in the following scenarios, iptables has advantages:
- Granular Traffic Statistics: iptables can directly count traffic for a specific IP/port through rule chains, making the operation simple and direct
- Scripting Automation: iptables commands are more suitable for scripting, enabling automated configuration of complex firewall policies
- Compatibility: all Linux distributions support iptables, while firewalld is mainly used on RedHat systems
- Learning Curve: for simple filtering and monitoring needs, using iptables commands directly is more intuitive than learning the zone concept of firewalld
For more information, see:
- Linux Security | Detailed Explanation of the Firewall Tool iptables
- [Red Hat Linux] RHEL 8 and 9 Security Hardening Guide
Teaching You How to Use iptables to Measure Traffic
Experimental Steps
First, check the current status of iptables using the -L option:
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
We can see the three rule chains currently in the system. Assuming there are already some rules in the system, to avoid disrupting the existing rules, we need to create a dedicated rule chain for measuring traffic, which we will call “traffic”.
Use the command iptables -N to create a new rule chain.
[root@localhost ~]# iptables -N traffic
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain traffic (0 references)
target prot opt source destination
Next, add two rules to the traffic chain to measure the traffic between this machine and the server at 192.168.88.100. Neither rule specifies a target (-j), so a matching packet is only counted and then continues to the next rule; these rules never accept or drop anything.
[root@localhost ~]# iptables -A traffic -s 192.168.88.100
[root@localhost ~]# iptables -A traffic -d 192.168.88.100
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain traffic (0 references)
target prot opt source destination
all -- 192.168.88.100 anywhere
all -- anywhere 192.168.88.100
[root@localhost ~]#
Next, we need to attach the traffic chain to the original “INPUT” and “OUTPUT” rule chains in the system so that we can monitor the traffic.
[root@localhost ~]# iptables -A INPUT -j traffic
[root@localhost ~]# iptables -A OUTPUT -j traffic
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
traffic all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
traffic all -- anywhere anywhere
Chain traffic (2 references)
target prot opt source destination
all -- 192.168.88.100 anywhere
all -- anywhere 192.168.88.100
[root@localhost ~]#
Use iptables -Z to zero the packet and byte counters. Everything is now ready, so generate some traffic to the server and observe the result.
[root@localhost ~]# iptables -Z
Use iptables -L <chain> -nvx to see how many packets and bytes have been sent to and received from the target server (-n prints addresses numerically, -v shows the counters, -x prints exact counts instead of rounded K/M/G values); wrapping the command in watch gives continuous monitoring.
[root@localhost ~]# watch -d -n1 iptables -L traffic -nvx
Every 1.0s: iptables -L traffic -nvx Wed May 11 14:01:57 2022
Chain traffic (2 references)
pkts bytes target prot opt in out source destination
17 708 all -- * * 192.168.88.100 0.0.0.0/0
364 15940 all -- * * 0.0.0.0/0 192.168.88.100
As the output shows, iptables records how many packets and bytes you have sent to the server, and likewise the packets and bytes the server has sent to you.
Restoring iptables after monitoring
1. First, remove the jump to the "traffic" chain from the original "INPUT" and "OUTPUT" chains. Before doing so, check the rule's position in each chain (its line number in the listing), because this method deletes rules by number.
The command format for deleting a rule is: iptables -D INPUT rule_number
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
traffic all -- anywhere anywhere # <-- This is the first rule, in line 1, so the number is 1
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
traffic all -- anywhere anywhere # <-- The first rule under this chain, number 1
Chain traffic (2 references)
target prot opt source destination
all -- 192.168.88.100 anywhere
all -- anywhere 192.168.88.100
Delete the “traffic” rule from INPUT and OUTPUT.
[root@localhost ~]# iptables -D INPUT 1
[root@localhost ~]# iptables -D OUTPUT 1
# Verify again, and find that the rules under the chain have been deleted.
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain traffic (0 references)
target prot opt source destination
all -- 192.168.88.100 anywhere
all -- anywhere 192.168.88.100
2. Clean up the rules inside the traffic chain using the iptables -F option.
[root@localhost ~]# iptables -F traffic
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain traffic (0 references)
target prot opt source destination
[root@localhost ~]#
3. Delete the traffic chain, leaving only the original three rule chains in the system.
[root@localhost ~]# iptables -X traffic
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]#
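The whole procedure above (create the counting chain, hook it into INPUT and OUTPUT, read the counters, tear everything down) as one POSIX sh helper. This is an added example, not code from the original article; the chain name "traffic" and the peer address 192.168.88.100 are taken from the article, the sample listing is constructed to match the article's output, and the TRAFFIC_APPLY switch and function names are this example's own. Two points go beyond the article: the hooks are inserted at position 1 with -I rather than appended with -A, so an earlier ACCEPT or DROP rule cannot end traversal before the packet is counted, and teardown deletes the hooks by rule specification instead of by number, which avoids the shifting-numbers problem when several rules are removed.

```shell
#!/bin/sh
# Added example: count traffic to/from one peer with a dedicated iptables chain.
# Live mode (TRAFFIC_APPLY=1) needs root and iptables; otherwise the script
# only runs the parser on a constructed sample listing, so it is safe to run anywhere.

CHAIN="traffic"
PEER="${PEER:-192.168.88.100}"   # peer host to measure, as in the article

# Create the counting chain and hook it at the TOP of INPUT and OUTPUT.
# Inserting with -I 1 guarantees the counting rules run before any rule that
# would otherwise ACCEPT or DROP the packet and end traversal.
traffic_setup() {
    iptables -N "$CHAIN"
    iptables -A "$CHAIN" -s "$PEER"    # no -j: count and fall through
    iptables -A "$CHAIN" -d "$PEER"
    iptables -I INPUT  1 -j "$CHAIN"
    iptables -I OUTPUT 1 -j "$CHAIN"
    iptables -Z "$CHAIN"
}

# Remove the hooks by rule specification, not by number: numbers shift after
# every deletion, while "-D INPUT -j traffic" always removes the intended rule.
traffic_teardown() {
    iptables -D INPUT  -j "$CHAIN"
    iptables -D OUTPUT -j "$CHAIN"
    iptables -F "$CHAIN"
    iptables -X "$CHAIN"
}

# Parse "iptables -L traffic -nvx" output from stdin and print one line:
#   from_peer_pkts from_peer_bytes to_peer_pkts to_peer_bytes
# Counter rows start with a number; source and destination are always the
# last two fields, whether or not a target column is present.
parse_counters() {
    awk -v peer="$PEER" '
        $1 ~ /^[0-9]+$/ && NF >= 8 {
            if ($(NF-1) == peer) { fp = $1; fb = $2 }   # -s rule: from peer
            if ($NF == peer)     { tp = $1; tb = $2 }   # -d rule: to peer
        }
        END { printf "%d %d %d %d\n", fp, fb, tp, tb }'
}

# Read the live counters (root + iptables required).
traffic_read() {
    iptables -L "$CHAIN" -nvx | parse_counters
}

# Given two readings from parse_counters taken $3 seconds apart, print
# "bytes/s from peer" and "bytes/s to peer" (what watch -d lets you eyeball).
traffic_rate() {
    printf '%s\n%s\n' "$1" "$2" | awk -v secs="$3" '
        NR == 1 { fb0 = $2; tb0 = $4 }
        NR == 2 { printf "%d %d\n", ($2 - fb0) / secs, ($4 - tb0) / secs }'
}

# Constructed sample of "iptables -L traffic -nvx" output, matching the article.
SAMPLE_OUTPUT='Chain traffic (2 references)
    pkts      bytes target     prot opt in     out     source               destination
      17        708            all  --  *      *       192.168.88.100       0.0.0.0/0
     364      15940            all  --  *      *       0.0.0.0/0            192.168.88.100'

if [ "${TRAFFIC_APPLY:-0}" = "1" ]; then
    # Live mode: set up, sample twice five seconds apart, report, always tear down.
    trap traffic_teardown EXIT INT TERM
    traffic_setup
    r0=$(traffic_read); sleep 5; r1=$(traffic_read)
    echo "counters (from_pkts from_bytes to_pkts to_bytes): $r1"
    echo "bytes/s from peer, to peer: $(traffic_rate "$r0" "$r1" 5)"
else
    # Offline mode: demonstrate the parser on the constructed sample.
    printf '%s\n' "$SAMPLE_OUTPUT" | parse_counters
fi
```

Run it as root with TRAFFIC_APPLY=1 to measure a real peer (set PEER to change the address); without the switch it only exercises parse_counters on the sample. The trap ensures the hooks and chain are removed even if the script is interrupted with Ctrl-C, so no stray jump to a deleted chain is left behind in INPUT or OUTPUT.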
For more Linux security learning:
Weisi Network
Established in 2002, specializing in certified training for over 20 years