In the daily operation and maintenance of Linux servers, security is always a key concern. Imagine if your server has no protection, malicious external attacks could easily infiltrate, leading to data breaches or system outages. A firewall acts as the “gatekeeper” of the server, filtering unnecessary access and only allowing legitimate traffic through, thus protecting server security.

I. What is a Linux Firewall? Why is it Needed?

A firewall is essentially a set of rules that operates at the kernel level of Linux servers, examining incoming and outgoing network packets to decide which requests are allowed and which are rejected. To illustrate with a real-world analogy: if the server is a house, the firewall is like a security guard at the entrance—only visitors with “legitimate passes” (requests matching the rules) are admitted, while others are turned away.

Why is a firewall necessary?
- Prevent hackers from scanning server ports without authorization, exposing system vulnerabilities.
- Block malicious programs (e.g., viruses, trojans) from invading through open ports.
- Protect sensitive services (e.g., databases, SSH) on the server from unauthorized access.

II. Common Linux Firewall Tools

There are two mainstream firewall tools in Linux systems. Beginners can start with firewalld (more intuitive), while older systems or specific scenarios may use iptables (a lower-level tool).

1. firewalld (Zone-Based Tool, Beginner-Friendly)

firewalld is the default firewall tool for major distributions such as CentOS 7+, RHEL 7+ and Fedora. It manages rules through “zones,” each with a predefined policy:
- public (Public Zone): Denies most inbound connections by default (only a few services such as SSH are accepted) and allows all outbound traffic; suitable for internet-facing servers.
- trusted (Trusted Zone): Allows all connections; suitable for internal trusted networks.
- block (Block Zone): Rejects all inbound connections with an ICMP error; suitable for temporarily isolating a server.

2. iptables (Low-Level Tool, Advanced Configuration)

iptables is a lower-level firewall tool that manages packet filtering through “rule chains,” offering powerful but complex configurations. For example:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT  # Append a rule to the INPUT chain that accepts TCP traffic to port 80

Older CentOS (e.g., CentOS 6) or Debian/Ubuntu may default to iptables; beginners should focus on basic concepts.

III. firewalld Configuration in Practice (CentOS 7+/RHEL 7+ Example)

1. Check firewalld Status

First, confirm if firewalld is installed and running:

# Check status (active/running = normal)
systemctl status firewalld

# If not running, start the service
sudo systemctl start firewalld

# Enable auto-start on boot
sudo systemctl enable firewalld

2. Basic Operations: Opening Ports

Scenario: You’ve deployed a website and need to temporarily open port 80 (HTTP) or permanently open port 22 (SSH) for remote management.

Temporarily Open a Port (Valid Only for Current Session, Lost After Reboot)

# Open port 80 (TCP) in the default public zone (runtime configuration only)
sudo firewall-cmd --add-port=80/tcp

After execution, the firewall will allow external devices to access the server via port 80 (ensure the website is deployed on the server).

Permanently Open a Port (Persistent After Reboot)

To make changes permanent, use --permanent and reload rules:

# Permanently open port 80
sudo firewall-cmd --add-port=80/tcp --permanent

# Reload rules to apply changes
sudo firewall-cmd --reload

Key: Rules added with --permanent take effect only after --reload is executed.

3. View Current Firewall Rules

# List ports open in the runtime configuration of the default (public) zone
sudo firewall-cmd --list-ports

# List ports open in the permanent configuration (what survives a reboot)
sudo firewall-cmd --list-ports --permanent

# View all rules for the default zone (ports, services, rich rules, etc.);
# use --list-all-zones instead to print every zone
sudo firewall-cmd --list-all
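The difference between runtime and permanent rules (the "Key" note above and the two --list-ports commands) is where most surprises come from, so here is an added example, not from the original article, that compares the two port lists of a zone and reports ports that exist on only one side. The function `port_drift` and the sample lists are constructed for this page.

```shell
#!/bin/sh
# Added example (not from the original article): report "drift" between the
# runtime and permanent port lists of a firewalld zone, so that ports opened
# without --permanent (lost at reboot) or added with --permanent but never
# activated with --reload show up before they cause a surprise.
#
# port_drift "RUNTIME_PORTS" "PERMANENT_PORTS"
#   Arguments are the space-separated output of `firewall-cmd --list-ports`
#   and `firewall-cmd --list-ports --permanent` for the same zone.
#   Prints one line per drifting port; returns 0 when both sides match, 1 otherwise.
port_drift() {
    runtime="$1"; permanent="$2"; drift=0
    for p in $runtime; do
        case " $permanent " in
            *" $p "*) ;;    # open on both sides: nothing to report
            *) echo "RUNTIME-ONLY $p (lost at reboot; re-add with --permanent)"; drift=1 ;;
        esac
    done
    for p in $permanent; do
        case " $runtime " in
            *" $p "*) ;;
            *) echo "PERMANENT-ONLY $p (not active; run firewall-cmd --reload)"; drift=1 ;;
        esac
    done
    return $drift
}

# On a live host (requires firewalld and sudo):
#   port_drift "$(sudo firewall-cmd --list-ports)" \
#              "$(sudo firewall-cmd --list-ports --permanent)"
# Offline demonstration on constructed sample output of the two commands:
SAMPLE_RUNTIME="80/tcp 443/tcp 8080/tcp"
SAMPLE_PERMANENT="80/tcp 443/tcp 22/tcp"
if port_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"; then
    echo "runtime and permanent configuration match"
fi
```

With the sample lists it reports 8080/tcp as runtime-only and 22/tcp as permanent-only; a non-zero exit status makes it usable in a cron job or deployment check.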

4. Configure Security Policies

Block Specific IPs from Accessing a Port

If an IP repeatedly attacks the server, block it from accessing port 22 (SSH). Double-check the address first: a rich rule that drops your own management IP locks you out of the server.

# Block IP 192.168.1.100 from port 22 (TCP); "drop" discards packets silently, "reject" would answer with an ICMP error
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port port="22" protocol="tcp" drop' --permanent

# Reload rules
sudo firewall-cmd --reload

Restrict Outbound Connections

Limit server access to specific IPs. Note that rich rules attached to a zone only match traffic arriving at the server, and firewalld's default configuration does not filter outbound connections at all; the rule below accepts inbound packets to port 8080 whose destination address (one of the server's own) lies in 192.168.1.0/24. Genuine egress filtering needs a firewalld policy object (firewalld 0.9 and later) or direct rules in the OUTPUT chain. Reload afterwards, as above.

# Accept inbound traffic to port 8080 (TCP) whose destination address is in 192.168.1.0/24
sudo firewall-cmd --add-rich-rule='rule family="ipv4" destination address="192.168.1.0/24" port port="8080" protocol="tcp" accept' --permanent

IV. Precautions: Avoid Firewall Configuration Mistakes

  1. Test Rules Before Saving: After modifying rules, apply them to the runtime configuration first (e.g., allow only your own IP) and verify connectivity before saving them with --permanent, so that a mistake cannot lock you out.
  2. Backup Existing Rules: Record the current rules before making changes (the permanent configuration also lives under /etc/firewalld/, which can be copied as a whole):
   sudo firewall-cmd --list-all-zones > firewall_backup.txt
  3. Avoid Multiple Firewalls: Prevent conflicts between iptables and firewalld; use one tool only.
  4. Monitor Firewall Logs: /var/log/firewalld records the daemon's own events (rule loading, reloads). Dropped or rejected packets are logged only after enabling it with `sudo firewall-cmd --set-log-denied=all`; they then appear in the kernel log (journalctl -k) with SRC= and DPT= fields, which makes repeatedly denied IPs easy to spot.
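As an added example for point 4 (not from the original article), the following function counts repeatedly denied (source IP, destination port) pairs in firewalld's denied-packet kernel messages. It assumes `firewall-cmd --set-log-denied=all` is on and that the messages carry the netfilter SRC= and DPT= fields; the log lines in the block are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original article): find (source IP, destination
# port) pairs that firewalld has denied repeatedly. Assumes denied-packet
# logging is enabled (`sudo firewall-cmd --set-log-denied=all`); firewalld then
# emits kernel messages such as "FINAL_REJECT: ... SRC=1.2.3.4 ... DPT=22"
# that `journalctl -k` shows. The SAMPLE_LOG lines below are constructed.
#
# top_denied THRESHOLD   reads log lines on stdin and prints "count ip port"
# for every pair denied at least THRESHOLD times, most frequent first.
top_denied() {
    threshold="${1:-5}"
    # keep denied packets only, reduce each to "ip port", count the pairs,
    # and print those at or above the threshold
    grep -E 'REJECT|DROP' |
    sed -n 's/.*SRC=\([0-9.]*\).*DPT=\([0-9]*\).*/\1 \2/p' |
    sort | uniq -c | sort -rn |
    awk -v t="$threshold" '$1 >= t { print $1, $2, $3 }'
}

# Constructed sample: four SSH rejects from one host, two MySQL rejects from
# another, one HTTP reject and one unrelated kernel line.
SAMPLE_LOG='Mar 10 10:00:01 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.168.1.100 DST=10.0.0.5 PROTO=TCP SPT=51001 DPT=22
Mar 10 10:00:02 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.168.1.100 DST=10.0.0.5 PROTO=TCP SPT=51002 DPT=22
Mar 10 10:00:03 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=3306
Mar 10 10:00:04 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.168.1.100 DST=10.0.0.5 PROTO=TCP SPT=51003 DPT=22
Mar 10 10:00:05 host kernel: STATE_INVALID_DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=40002 DPT=3306
Mar 10 10:00:06 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.168.1.100 DST=10.0.0.5 PROTO=TCP SPT=51004 DPT=22
Mar 10 10:00:07 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP SPT=33000 DPT=80
Mar 10 10:00:08 host kernel: eth0: link becomes ready'

# Live use: journalctl -k --since "1 hour ago" | top_denied 10
printf '%s\n' "$SAMPLE_LOG" | top_denied 3
```

On the sample the threshold of 3 reports only "4 192.168.1.100 22"; the output is a candidate list for the rich-rule block shown earlier, not an automatic block list.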

V. Other Common Firewall Tools (For Ubuntu/Debian Users)

For Ubuntu/Debian, use the simplified ufw (“Uncomplicated Firewall”) with similar commands:

# Enable ufw (first use). Its default policy denies incoming traffic, so when working over SSH allow port 22 before enabling
sudo ufw enable

# Open port 80 (ufw rules are saved immediately and survive a reboot)
sudo ufw allow 80/tcp

# Allow SSH (port 22) from a specific IP
sudo ufw allow from 192.168.1.0/24 to any port 22

# Check status
sudo ufw status

Summary

The core of Linux firewall configuration is “clear requirements, reasonable restrictions, and avoiding mistakes”:
- Identify necessary ports (e.g., 80 for HTTP, 22 for SSH), distinguishing between temporary and permanent rules.
- Use zone-based tools (firewalld) or simplified tools (ufw); recommend firewalld/ufw for beginners.
- Always test configurations after setup so that a wrong rule does not cut off access to the server.

Mastering basic firewall configurations minimizes security risks while providing services. As you gain experience, explore advanced policies (e.g., connection rate limiting), but foundational operations remain the first step in secure server maintenance.

Xiaoye