Modern Linux Firewall Configuration Guide
In the world of Linux security, the host firewall is your first line of defense. For decades, iptables was the undisputed king of packet filtering. The Linux kernel has moved on, and with it the tools we use to manage network traffic: nftables is now the native packet-filtering framework, and on current distributions (Debian 10 and RHEL 8 onward, among others) the iptables command is usually the iptables-nft compatibility shim that translates legacy rules into it. Higher-level tools such as firewalld have made complex configurations more accessible.
This guide will walk you through the modern landscape of Linux firewalls, helping you transition from legacy commands to modern, high-performance rule sets.
1. The Evolution: From Iptables to Nftables
While iptables is still widely used, it has several structural limitations: every rule change replaces the whole table in the kernel, so updating a large rule set is slow and two tools editing at once can overwrite each other; IPv4, IPv6, ARP and bridge filtering each need a separate tool (iptables, ip6tables, arptables, ebtables); and new match types require new kernel modules rather than a change in user space.
Nftables Rules Generator
nftables was designed to solve these problems. It uses a cleaner syntax, an inet address family that filters IPv4 and IPv6 in one table, and native sets and maps. An nftables rules generator is a convenient way to build correct, high-performance rule sets while you are still learning the new syntax.
Key advantages of nftables:
- Atomic updates: a rule set loaded with nft -f is committed in a single transaction, so there is never a window in which only half of the rules are active.
- Combined rules: the inet family handles IPv4 and IPv6 in one table, so there is no need for separate iptables and ip6tables commands.
- Sets and maps: thousands of addresses, ports or interfaces can be matched from a single rule through a hash or interval lookup instead of a linear walk through a long chain.
Example of an nftables rule set that allows SSH. Because the chain policy is drop, it must also accept loopback traffic and the return half of connections the host initiates; without those two rules the host loses outbound connectivity the moment the rules load:
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept                         # loopback
        ct state invalid drop                   # malformed or out-of-window packets
        ct state established,related accept     # return traffic for connections we made
        tcp dport 22 accept                     # SSH
    }
}
2. Dynamic Firewall Management: Firewalld
For many distributions (like RHEL, Fedora, and CentOS), firewalld is the default management tool. It provides a dynamic, zone-based approach to firewalling.
Firewalld Rules Generator
Unlike the legacy iptables init service, which flushed the whole rule set and unloaded the netfilter modules (conntrack state included) on every restart, firewalld applies changes to the running firewall without dropping established connections. A firewalld rules generator helps you manage:
- Zones: assign interfaces or source networks to different trust levels (e.g., public, internal, dmz). A packet is matched to a zone by its source first, then by the interface it arrived on, and otherwise falls into the default zone.
- Services: enable pre-defined services such as http, https or ssh, each of which is a named bundle of ports and protocols.
- Rich rules: create more complex rules, such as rate limiting, logging, or allowing a service from one source address only.
Common firewalld commands:
firewall-cmd --get-active-zones
firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --reload
Note that --permanent writes only to the configuration under /etc/firewalld; the running firewall is unchanged until --reload. Conversely, a change made without --permanent is live immediately but is lost on reload unless you save it with firewall-cmd --runtime-to-permanent.
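The zone and rich-rule concepts above combined into one provisioning script. This is an added example, not part of the original page or of the firewalld project: it assumes an admin network of 203.0.113.0/24 (a documentation prefix) and a management zone named mgmt, both chosen for illustration. SSH becomes reachable only from that network, HTTPS stays public, and SSH attempts from anywhere else are logged at a limited rate and dropped. The FWCMD variable exists so the same function can be dry-run with echo instead of firewall-cmd.

```shell
#!/bin/sh
# Added example (not from the page): provision firewalld with a source-based
# admin zone. Assumed values: ADMIN_NET 203.0.113.0/24 and zone name "mgmt".
# Run as "sh fw.sh dry-run" to print the commands, "sh fw.sh apply" to run them.

ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

configure_firewalld() {
  fw="${FWCMD:-firewall-cmd}"   # set FWCMD=echo for a dry run

  # --new-zone fails with NAME_CONFLICT on a second run, so check first.
  if ! $fw --permanent --get-zones | tr ' ' '\n' | grep -qx mgmt; then
    $fw --permanent --new-zone=mgmt
  fi

  # Source-based zone: packets from ADMIN_NET land in "mgmt" whatever the interface,
  # because firewalld matches sources before interfaces.
  $fw --permanent --zone=mgmt --add-source="$ADMIN_NET"
  $fw --permanent --zone=mgmt --add-service=ssh

  # Default zone for everyone else: HTTPS only, no SSH.
  $fw --permanent --zone=public --remove-service=ssh
  $fw --permanent --zone=public --add-service=https
  # Rich rule: log at most 5/min and drop SSH attempts that reached the public zone.
  $fw --permanent --zone=public --add-rich-rule='rule service name="ssh" log prefix="SSH-PUBLIC " level="warning" limit value="5/m" drop'

  # These two options apply immediately and are persistent without --permanent.
  $fw --set-default-zone=public
  $fw --set-log-denied=unicast   # log packets dropped by zone policy

  # --permanent edits only touch /etc/firewalld; reload applies them to the running firewall.
  $fw --reload
}

case "${1:-}" in
  apply)   configure_firewalld ;;
  dry-run) FWCMD=echo configure_firewalld ;;
esac
```

The remove-service call on a zone that never had SSH only emits a NOT_ENABLED warning and exits 0, so the script is safe to re-run. Keep an out-of-band console or a second session open the first time you apply it: if ADMIN_NET is wrong, SSH is gone.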
3. Best Practices for Modern Firewalls
Regardless of the tool you choose, certain security principles remain universal:
- Default Deny: Always start with a policy that drops all incoming traffic and only explicitly allow what is necessary.
- Least Privilege: Limit access to specific services by IP address whenever possible (e.g., only allow SSH from your office VPN).
- Stateful Inspection: Ensure your firewall tracks the state of connections: accept "established" and "related" traffic early in the chain, and drop "invalid" packets that belong to no known connection.
- Logging and Auditing: Log dropped packets to help diagnose attacks and misconfigurations, but rate-limit the log rule so a flood cannot fill the journal or disk.
- IPv6 Readiness: Ensure your firewall rules cover both IPv4 and IPv6 stacks, and never block ICMPv6 wholesale: neighbour discovery and path MTU discovery depend on it, and a host that drops it silently loses IPv6 connectivity.
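The five practices above, together with the sets feature from section 1, worked into a single nftables rule set. This is an added example, not code from the original page or from the nftables project: the admin networks 203.0.113.0/24 and 2001:db8:1::/64 are documentation prefixes chosen for illustration, and the render/check/apply wrapper is a hypothetical deployment script. The rule set starts with flush ruleset so that nft -f replaces the whole firewall in one transaction, and the wrapper runs nft -c first so a syntax error never leaves the host half-configured.

```shell
#!/bin/sh
# Added example (not from the page): render, validate and atomically load an
# nftables rule set that applies default deny, least privilege via named sets,
# stateful inspection, rate-limited logging and IPv4+IPv6 coverage.
# Assumed admin networks: 203.0.113.0/24 and 2001:db8:1::/64.
# Usage: "sh nft-deploy.sh render" to print, "sh nft-deploy.sh apply" to load.

render_ruleset() {
  cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    # Named sets: membership is an interval lookup, one rule covers every admin network
    set admin_nets {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }
    set admin_nets6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8:1::/64 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # ICMP: keep diagnostics and PMTU working, rate-limit IPv4 pings
        icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 10/second accept
        # ICMPv6 is not optional: neighbour discovery and packet-too-big must pass
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # Least privilege: SSH only from the admin sets
        ip saddr @admin_nets tcp dport 22 accept
        ip6 saddr @admin_nets6 tcp dport 22 accept

        # Public services
        tcp dport { 80, 443 } accept

        # Log what the policy is about to drop, capped so a flood cannot fill the journal
        limit rate 5/minute log prefix "nft-drop: " level info
        counter
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

apply_ruleset() {
  tmp=$(mktemp)
  render_ruleset > "$tmp"
  # nft -c parses and evaluates the file without touching the kernel
  if nft -c -f "$tmp"; then
    nft -f "$tmp"      # whole file committed in one transaction
    rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}

case "${1:-}" in
  render) render_ruleset ;;
  apply)  apply_ruleset ;;
esac
```

Two caveats when adopting this on a real host: flush ruleset removes every table, including those that firewalld, Docker or libvirt maintain, so use it only on hosts where this file is the sole owner of the firewall; and because the policy is drop, test the admin-set contents from a second session before closing the one you applied it from.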
4. Summary: Choosing the Right Tool
- Use Nftables if you need maximum performance, are building a router/gateway, or prefer a clean, scriptable syntax.
- Use Firewalld if you are on a Red Hat-based system and want a user-friendly, zone-based management interface that supports dynamic updates.
- Use UFW (Uncomplicated Firewall) if you are on Ubuntu or Debian and need the simplest possible way to manage a few open ports.
By utilizing modern nftables and firewalld rules generators, you can move away from brittle, legacy scripts and build a robust, scalable security posture for your Linux infrastructure.