Confused about fedora using firewalld alongside iptables

I have been on linux long enough to think I know how things work in a Linux system, however lately I discovered I still don’t know everything there is to know.

After installing Fedora 34 I followed this post-installation guide. I followed the advice to change the default port number for ssh to a custom one. To make it pass through the firewall I also had to add a new firewall rule to allow traffic through the new port on the firewall, as well as updating the iptables. And that's where the confusion started.

I had never heard of iptables before, but a Google search told me to use either firewalld or iptables. However, I discovered both are running on my Fedora install, because after typing sudo iptables -L -v on the command line it actually gave me some output.

So my question is: Do I actually need iptables if I'm already using firewalld, and do I need to make changes to both when changing a port number? Please tell me all there is to know about it so I can carry on with confidence. Thanks in advance.

By the way, to actually allow ssh to make use of this new port you also have to run sudo semanage port -a -t ssh_port_t -p tcp 2222 so that SELinux accepts the change.


What is the output of iptables -V

Excuse me, this is the output of iptables -V
iptables v1.8.7 (legacy)

Hi, Fedora moved from iptables to nftables.
iptables should no longer be needed and is obsolete.
Your installed variant is “iptables v1.8.7 (legacy)”.

If you type dnf info iptables-legacy, you'll find information about how to still use iptables alongside nftables.
If you run rpm -qa | grep iptables and find “iptables-nft”, you'll see that these prerequisites match. That means you could use iptables.

However, if you are using firewalld, you don't need to use either iptables or nft; firewalld does this for you.

Since there are many ways to screw things up with iptables/nft rules (even for professionals), firewalld would be the most recommended way to configure the firewall. Also, firewalld is used by default in Fedora.

Another point you may think about is that changing the ssh port does not necessarily improve security a great deal. On the intranet, you won't see much difference.

The biggest advantage is on an external port for communicating with the outside world.
You will encounter fewer automated attacks if you change the port to something really high, like 60000+.

However, since some scan the entire port range - which just takes longer - the port will sooner or later get discovered. And then you'll see some attacks. Not that many, however, but more elaborate ones.

Opening a port to the outside world through your router is very risky. There are lots of attacks that somehow make it possible to address hosts in your local network that were not forwarded by the router's settings. They can also make it look like the packet came from the internal LAN.
So it might be suggested to use another firewall behind it, or a second router, to secure your clients.


iptables and nftables are firewalld backends.
iptables is deprecated, but its syntax is still supported for backward compatibility.
firewalld is enough for your task, and there’s no need to resort to those backends.

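The two replies above boil down to three things you can check on your own box: what engine the iptables binary drives (the "(legacy)" vs "(nf_tables)" tail of iptables -V), which iptables package is installed, and which backend firewalld itself is configured to use. The script below is an added example, not code from the thread or from Fedora/firewalld; it assumes the FirewallBackend= key of /etc/firewalld/firewalld.conf (which defaults to nftables when absent) and uses constructed sample strings for the offline demo.

```shell
#!/bin/sh
# Added example: classify which packet-filter engine is really in use.
# Pure-shell helpers take strings, so they can be exercised without root;
# live_report feeds them the real command output when run with --live.

# Map the tail of `iptables -V` to the kernel engine it drives.
#   "iptables v1.8.7 (legacy)"    -> legacy    (old x_tables path)
#   "iptables v1.8.7 (nf_tables)" -> nf_tables (iptables syntax on nftables)
iptables_engine() {
    case "$1" in
        *"(legacy)"*)    echo legacy ;;
        *"(nf_tables)"*) echo nf_tables ;;
        *)               echo unknown ;;
    esac
}

# Which iptables package variant shows up in an `rpm -qa` listing
# (first match wins; "none" when neither is installed).
iptables_package_variant() {
    case "$1" in
        *iptables-legacy*) echo iptables-legacy ;;
        *iptables-nft*)    echo iptables-nft ;;
        *)                 echo none ;;
    esac
}

# Read FirewallBackend= from a firewalld.conf; commented-out lines are ignored
# and the documented default (nftables) is reported when the key is absent.
firewalld_backend() {
    val=$(sed -n 's/^FirewallBackend=//p' "$1" | tail -n 1)
    if [ -n "$val" ]; then echo "$val"; else echo nftables; fi
}

# Run the three checks against the running system (read-only, no root needed
# for the version strings; firewalld.conf is usually world-readable).
live_report() {
    if command -v iptables >/dev/null 2>&1; then
        echo "iptables engine:   $(iptables_engine "$(iptables -V 2>/dev/null)")"
    else
        echo "iptables engine:   (iptables not installed)"
    fi
    if command -v rpm >/dev/null 2>&1; then
        echo "iptables package:  $(iptables_package_variant "$(rpm -qa 'iptables*' 2>/dev/null)")"
    fi
    if [ -r /etc/firewalld/firewalld.conf ]; then
        echo "firewalld backend: $(firewalld_backend /etc/firewalld/firewalld.conf)"
    fi
}

# Offline demo on constructed inputs (the version line is the one from the thread).
demo() {
    tmpconf=$(mktemp)
    printf '# FirewallBackend=iptables\nFirewallBackend=nftables\n' > "$tmpconf"
    echo "sample iptables -V:  $(iptables_engine 'iptables v1.8.7 (legacy)')"
    echo "sample rpm -qa:      $(iptables_package_variant 'iptables-nft-1.8.7-0.fc34.x86_64')"
    echo "sample conf backend: $(firewalld_backend "$tmpconf")"
    rm -f "$tmpconf"
}

case "${1:-}" in
    --live) live_report ;;
    --demo) demo ;;
esac
```

Run it with --demo to see the constructed case, or with --live on the Fedora host. A "legacy" engine next to a firewalld backend of "nftables" is exactly the mismatch the question describes: the iptables binary can still list rules, but firewalld is not putting its rules there, so editing both is never required.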

And if you want to change the port in firewalld, you can edit the service file, like described here, first answer:

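The procedure from the original post (custom ssh port, a firewall rule for it, and the semanage call for SELinux) and the "edit the service file" suggestion just above are the same task done the firewalld way: place a copy of the packaged ssh service definition under /etc/firewalld/services/ with the new port, reload, and label the port for SELinux. The script below is an added example, not code from the thread, Fedora or firewalld; it assumes the service XML layout of /usr/lib/firewalld/services/ssh.xml, that the 'ssh' service is already in your active zone (Fedora's default), and 2222 as a constructed port value.

```shell
#!/bin/sh
# Added example: move the firewall opening for ssh to a custom port by
# overriding firewalld's built-in 'ssh' service, then tell SELinux about it.
# Rendering is pure shell (testable offline); applying needs root + firewalld.

NEW_PORT="${NEW_PORT:-2222}"   # constructed example value, as in the thread

# Emit a firewalld service definition with the same shape as
# /usr/lib/firewalld/services/ssh.xml but a different TCP port.
# Refuses anything that is not a valid 1..65535 port number.
render_ssh_service() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    printf '%s\n' \
        '<?xml version="1.0" encoding="utf-8"?>' \
        '<service>' \
        '  <short>SSH</short>' \
        '  <description>Secure Shell (SSH) on a non-default port.</description>' \
        "  <port protocol=\"tcp\" port=\"$port\"/>" \
        '</service>'
}

# Install the override. Files in /etc/firewalld/services/ shadow the packaged
# ones of the same name, so the zone keeps referring to the service 'ssh'
# and only the port behind it changes.
apply_ssh_port() {
    port="$1"
    render_ssh_service "$port" > /etc/firewalld/services/ssh.xml || return 1
    firewall-cmd --permanent --add-service=ssh     # no-op if already present
    firewall-cmd --reload                          # loads the override
    # -a fails when the port already has a label; fall back to modifying it.
    semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
        || semanage port -m -t ssh_port_t -p tcp "$port"
    echo "Now set 'Port $port' in /etc/ssh/sshd_config and restart sshd."
    firewall-cmd --list-services
    semanage port -l | grep ssh_port_t
}

case "${1:-}" in
    --render) render_ssh_service "$NEW_PORT" ;;
    --apply)  apply_ssh_port "$NEW_PORT" ;;
esac
```

--render prints the XML so you can inspect it first; --apply (as root) writes it, reloads firewalld and labels the port. Keep the old port open until you have confirmed a login on the new one, otherwise a typo in the port locks you out of a remote box.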

Thank you for going into the details, that's interesting information. So I actually don't need to bother about iptables and can just use firewalld, and indeed, because I only use ssh in my local network, that should be fine. Also, I already have a second router to add another layer of protection. Again, thank you very much!


You are welcome. :slight_smile:
Btw, if you want to see what is going on on your firewall, enable logging with
firewall-cmd --set-log-denied=all
(firewall-cmd --set-log-denied=off # to switch it off)
and see your logs with
journalctl -p warning

Edit
Or better:
sudo journalctl --system -fp warning

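Once --set-log-denied=all is on, journalctl fills up with raw kernel netfilter lines, which are hard to read by eye. The script below is an added example, not from the thread or from firewalld: it condenses those lines into "count action proto source dport" rows so you can see which source is being rejected on which port. The sample log is constructed (RFC 5737 addresses); the field layout is the kernel's netfilter log format and the FINAL_REJECT / FINAL_DROP / STATE_INVALID_DROP prefixes are the ones firewalld puts on its final and invalid-state rules.

```shell
#!/bin/sh
# Added example: summarise firewalld "denied" log lines from the journal.

# Constructed sample of what `journalctl --system -p warning` shows after
# `firewall-cmd --set-log-denied=all`; the last line is a normal sshd entry
# and must be ignored by the summary.
SAMPLE_LOG='Jun 12 10:00:01 fedora kernel: FINAL_REJECT: IN=wlp3s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=2222 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 12 10:00:02 fedora kernel: FINAL_REJECT: IN=wlp3s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=51235 DPT=2222 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 12 10:00:05 fedora kernel: FINAL_REJECT: IN=wlp3s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=777 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 10:00:09 fedora kernel: STATE_INVALID_DROP: IN=wlp3s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:04:08:00 SRC=192.0.2.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=55123 WINDOW=0 RES=0x00 RST URGP=0
Jun 12 10:00:12 fedora sshd[1234]: Accepted publickey for alice from 192.0.2.5 port 50000 ssh2'

# Read journal text on stdin; print "count action proto src dport" per
# distinct combination, busiest first. Non-firewalld lines are skipped.
summarize_denied() {
    awk '
        /kernel: (FINAL_REJECT|FINAL_DROP|STATE_INVALID_DROP): / {
            action = $0
            sub(/.*kernel: /, "", action)   # drop timestamp/host prefix
            sub(/: .*/, "", action)         # keep only the firewalld prefix
            src = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            n[action " " proto " " src " " dpt]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Total denied packets aimed at one destination port (stdin as above).
count_denied_to_port() {
    summarize_denied | awk -v p="$1" '$5 == p { s += $1 } END { print s + 0 }'
}

# Offline demo on the constructed sample, or live against the journal.
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_LOG" | summarize_denied ;;
    --live) journalctl --system -k -p warning --no-pager | summarize_denied ;;
esac
```

On the sample, --demo shows two rejects from 192.0.2.77 against 2222 (the custom ssh port), one from the outside address on 23, and one invalid-state drop. A source that repeatedly hits your moved ssh port is exactly the "port will sooner or later get discovered" case from earlier in the thread, and this view makes it visible without reading every kernel line.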

And at some point it might switch to eBPF. But as someone mentioned, you should really separate the language (or tool) used to describe the rules and the engine that is enforcing them.


There is no greater pre-requisite to mastery than the realization of how far one is from it.

