Firewalls control access to and from systems based on network packet attributes like IP address, port, payload and more.
The Netfilter framework in the Linux kernel performs packet filtering and provides the means for implementing a software firewall in Linux. Clear Linux* OS has a couple different firewall front-end options for managing the Linux firewall.
Clear Linux OS does not impose a firewall policy out of the box. All traffic is allowed inbound and all traffic is allowed outbound. However, tallow is installed by default and may dynamically create a rule temporarily restricting access from external hosts.
Changing firewall configuration can cause abrupt network disconnection. If this happens on a remote host, local recovery may be required.
Be sure to test your firewall configuration before committing it permanently to ensure your system will remain accessible remotely, if required.
iptables is a well-known user-space administration tool for configuring IPv4 Linux firewall rules. ip6tables is the complimentary tool for configuring IPv6 Linux firewall rules.
Below is information on using iptables on Clear Linux OS:
Make sure the iptables bundle is installed
sudo swupd bundle-add iptables
Define new iptables rules/chains for the running configuration using the iptables command. See man iptables for iptables concepts and configuration options.
Below is a common restrictive firewall configuration which denies all incoming connections, unless the connection was initiated by the host.
# Set default chain policies sudo iptables -P INPUT DROP sudo iptables -P FORWARD DROP sudo iptables -P OUTPUT ACCEPT # Accept on localhost loopback device sudo iptables -A INPUT -i lo -j ACCEPT sudo iptables -A OUTPUT -o lo -j ACCEPT # Allow established sessions to receive traffic sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Test the running firewall configuration to make sure it behaving as you expect.
Run the iptables-save service to make the running configuration persistent. This will perform a one-time save of the running configuration to
sudo systemctl start iptables-save
Enable the iptables-resolve service the iptables rules to be automatically applied at boot from the
sudo systemctl enable iptables-restore.service
ipset is a framework in the Linux kernel for storing and efficiently indexing combinations of IP addresses, networks, (TCP/UDP) port numbers, MAC addresses, and interface names.
IP sets makes writing network policy rules simpler and processing them against a large and/or changing sets of hosts more efficient.
By themselves, IP sets do not enforce network traffic rules but can be used to extend iptables rules for matching. It is important to note that the ipset must be defined before a netfilter rule can match against it.
- Running IP sets can be manipulated with the ipset utility.
- Custom IP sets can be stored in the
- IP sets in
/etc/ipset.confcan be automatically applied at boot by enabling the ipset service with the command sudo systemctl enable ipset.
See man ipset to learn more about using ipsets.
firewalld is based on nftables, the successor to iptables and parts of the netfilter framework. The description of firewalld helps highlight some of the differences compared to iptables:
firewalld provides a dynamically managed firewall with support for network/firewall zones to define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings and for ethernet bridges and has a separation of runtime and permanent configuration options. It also supports an interface for services or applications to add firewall rules directly.
See man firewalld for more information.
Below is information on using firewalld on Clear Linux OS:
Install he firewalld bundle:
sudo swupd bundle-add firewalld
Disable iptables and ipset services as they conflict with firewalld:
sudo systemctl mask iptables-restore ipset
firewall-cmd can be used to configure the running or permanent firewall configuration. See the firewalld documentation to learn more about firewalld concepts and configuration options.
Below is a common example to allow HTTPS traffic in public zones:
sudo firewall-cmd --permanent --zone=public --add-service=https
Enable the firewalld service the so that the firewalld daemon is automatically started and rules applied at boot from the
sudo systemctl enable --now firewalld.service
Verify that firewalld is running:
sudo firewall-cmd --state
When troubleshooting connectivity issues that may be related to firewall rules.
- Consider restrictions at the physical network level.
- For inbound connections, make sure your application is listening on the network port you’re expecting with lsof or netstat.
- For outbound connections, make sure the destination host is responding to the network port you’re expecting with nc. If the connection is refused, then there may be a problem with the destination server.
- If you’re using firewalld, check the daemon status with the command: systemctl status firewalld.