Firewalls
29 cards — 🟢 5 easy | 🟡 9 medium | 🔴 6 hard
🟢 Easy (5)
1. What are the three built-in chains in the iptables filter table?
Show answer
INPUT (packets destined for the local host), OUTPUT (packets originating from the local host), and FORWARD (packets routed through the host).
Remember: IOF — Input (TO me), Output (FROM me), Forward (THROUGH me): the three iptables filter chains.
Example: web server uses INPUT (requests) and OUTPUT (responses). Router uses FORWARD for pass-through traffic.
2. What is the difference between DROP and REJECT targets in iptables?
Show answer
DROP silently discards the packet (sender gets no response), while REJECT discards the packet and sends an ICMP error back to the sender.
Gotcha: DROP = stealth (timeout). REJECT = immediate error. Use DROP externally, REJECT internally for faster debugging.
3. How do you allow SSH traffic using ufw?
Show answer
`ufw allow ssh` (or equivalently, `ufw allow 22/tcp`).
Name origin: ufw = Uncomplicated Firewall. Created by Canonical for Ubuntu to simplify iptables.
Gotcha: ufw is a frontend to iptables/nftables. Rules are persistent by default (unlike raw iptables).
Example: `ufw allow from 10.0.0.0/8 to any port 22` — allow SSH only from internal network.
Remember: `ufw enable` activates the firewall. `ufw status verbose` shows active rules with defaults.
4. How do you save iptables rules so they survive a reboot on Debian/Ubuntu?
Show answer
Run `iptables-save > /etc/iptables/rules.v4` and install the iptables-persistent package, which restores rules from that file on boot.
Gotcha: Without iptables-persistent, all rules are lost on reboot — a common production surprise.
Remember: On RHEL/CentOS, use `firewall-cmd --runtime-to-permanent` or `iptables-save > /etc/sysconfig/iptables`.
Debug clue: After reboot, run `iptables -L -n` to verify rules were restored.
5. What is the difference between stateful and stateless firewalls?
Show answer
Stateless firewalls evaluate each packet independently against rules — you must explicitly allow both request and response traffic. Stateful firewalls track connections (using conntrack) so return traffic for established connections is automatically allowed.
Example: with stateful, allowing outbound port 443 automatically permits the response. Almost all modern host firewalls (iptables, nftables, firewalld) are stateful.
🟡 Medium (9)
1. Why is the ESTABLISHED,RELATED rule critical in an iptables INPUT chain?
Show answer
Without it, the host can initiate outbound connections but never receive the responses. This rule allows return traffic for connections the host itself started, and is typically placed near the top of the INPUT chain.
Remember: this rule goes FIRST in the INPUT chain. Without it, outbound requests succeed but responses are dropped.
2. Name two advantages nftables has over iptables.
Show answer
Atomic rule replacement (load an entire ruleset at once with no window of partial rules) and native set support (no need for the separate ipset tool). It also unifies iptables, ip6tables, arptables, and ebtables into a single framework.
3. What is the difference between runtime and permanent rules in firewalld?
Show answer
Runtime rules take effect immediately but are lost on reload/reboot. Adding `--permanent` saves the rule to disk but does not apply it until you run `firewall-cmd --reload`. You typically need both flags or `--permanent` followed by `--reload`.
4. How do you use the LOG target to debug dropped packets in iptables?
Show answer
Insert a LOG rule before the DROP rule: `iptables -I INPUT 1 -j LOG --log-prefix "FW-DEBUG: " --log-level 4`. Then watch /var/log/kern.log or `journalctl -k -f` for entries with that prefix. Remove the rule when done to avoid log flooding.
5. What are the key differences between iptables and nftables?
Show answer
iptables: legacy, separate tools per protocol family (iptables, ip6tables, ebtables), rules applied one at a time (non-atomic), requires ipset for IP sets.
nftables: modern replacement (kernel 3.13+), single tool (nft) for all families, atomic rule replacement, native sets and maps, better performance with large rulesets. RHEL 9+ and Debian 11+ default to nftables. Migration: `iptables-translate` converts rules.
6. How does connection tracking work and what are the key tuning parameters?
Show answer
The conntrack subsystem tracks every connection through the firewall in a hash table. Key parameters: nf_conntrack_max (max entries, default ~65536), nf_conntrack_tcp_timeout_established (default 432000s = 5 days), nf_conntrack_buckets (hash table size). For high-traffic servers, increase max to 256K+ and set buckets to max/4. Monitor with `conntrack -C` (current count) or /proc/sys/net/netfilter/nf_conntrack_count.
7. How do you effectively log firewall drops without flooding the system?
Show answer
Use LOG with rate limiting: `iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: "` followed by the actual DROP rule. The limit module prevents log flooding. In nftables: `log prefix "FW-DROP: " limit rate 5/minute`. Send firewall logs to a separate file via rsyslog (match on the prefix) and set log rotation to prevent disk exhaustion.
8. How does fail2ban protect services and how do you configure it for SSH?
Show answer
fail2ban monitors log files for authentication failures and dynamically creates firewall rules to ban offending IPs. For SSH: it watches /var/log/auth.log, and after maxretry failures (default 5) within findtime (10m), it adds an iptables DROP rule for bantime (10m). Configuration: /etc/fail2ban/jail.local. Use `fail2ban-client status sshd` to check banned IPs. Always whitelist your own IPs with ignoreip.
9. What is the key difference between zone-based (firewalld) and chain-based (iptables) firewall design?
Show answer
Zone-based assigns interfaces to trust zones and applies policies between zones. Chain-based processes packets through sequential rule chains (INPUT, OUTPUT, FORWARD). Zones are easier to reason about for multi-interface hosts; chains give finer per-packet control.
Example: firewalld zones — trusted, public, drop. Assign interfaces by trust level. Simpler mental model than chains.
🔴 Hard (6)
1. Why is running iptables -F on a Kubernetes node catastrophic?
Show answer
It flushes ALL rules including the thousands of kube-proxy Service routing rules (KUBE-SVC-*, KUBE-SEP-*, KUBE-SERVICES chains). All Service ClusterIPs stop working immediately, breaking pod-to-service communication. Flushing the nat table also breaks NodePort and LoadBalancer services.
2. What is conntrack table exhaustion and how do you detect it?
Show answer
When the connection tracking table (nf_conntrack) reaches its maximum size, new connections are silently dropped even if firewall rules allow them. Detect it by checking dmesg for "nf_conntrack: table full" or comparing /proc/sys/net/netfilter/nf_conntrack_count against nf_conntrack_max. Fix by increasing the max with sysctl.
3. A host has an iptables rule that DROPs all traffic to port 22, followed by a rule that ACCEPTs port 22 from 10.0.0.0/8. Will the internal network be able to SSH in? Why?
Show answer
No. iptables uses first-match-wins processing. The DROP rule matches all port 22 traffic before the more specific ACCEPT rule is evaluated. The ACCEPT for the internal subnet must be placed before the general DROP rule.
4. How does Docker bypass host INPUT chain firewall rules when publishing ports?
Show answer
Docker creates DNAT rules in the nat PREROUTING chain and ACCEPT rules in the FORWARD chain. Published ports (`-p 8080:80`) route traffic through FORWARD, not INPUT, so INPUT DROP rules do not block access to Docker-published ports. This is a common security surprise.
5. How do AWS Security Groups differ from Network ACLs?
Show answer
Security Groups: stateful (return traffic auto-allowed), instance-level, allow-only rules (no deny), evaluated as a group.
Network ACLs: stateless (must allow return traffic explicitly), subnet-level, support allow and deny rules, evaluated in order (lowest number wins).
Best practice: use Security Groups as the primary control (per-instance), NACLs as a subnet-wide safety net. SGs are the most commonly used; NACLs are rarely needed unless you need explicit deny rules.
6. How do nftables named sets improve firewall performance compared to long iptables rule lists?