After configuring security policies, you should know how to check firewall on Linux to confirm your changes took effect. Whether you’re a system administrator or a curious user, verifying your firewall rules is a critical step in maintaining a secure server. This guide walks you through every major method, from simple commands to graphical tools, so you can always stay in control.
Firewalls are your first line of defense against unauthorized access. On Linux, you have multiple options like iptables, nftables, firewalld, and ufw. Each tool has its own way of showing rules, but the core goal is the same: see what’s allowed and what’s blocked. Let’s start with the most common approaches.
How To Check Firewall On Linux
Before diving into specific tools, understand that Linux firewalls work at the kernel level. The most widely used backend is netfilter, and iptables or nftables manage its rules. Modern distributions often use firewalld or ufw as frontends. Knowing how to check each one gives you flexibility across different systems.
Checking Iptables Firewall Rules
Iptables is the classic firewall tool on Linux. Even if your system uses a frontend, iptables is often running underneath. To check its current rules, open a terminal and run:
sudo iptables -L -n -v
This command lists all rules with numeric output and verbose details. The -L flag lists the rules, -n skips DNS resolution (faster), and -v adds packet and byte counts. You’ll see the built-in chains INPUT, OUTPUT, and FORWARD. Each chain header shows its default policy (ACCEPT or DROP, applied to packets that no rule matches), followed by its individual rules.
If you want to see rules for a specific table, add the table name:
sudo iptables -t nat -L -n -v
Common tables include filter (the default), nat, and mangle. For a quick overview, use -L on its own without -n and -v. Remember that iptables rules live only in kernel memory: unless you save them (for example with iptables-save) and restore them at boot, they are gone after a reboot.
Checking Nftables Firewall Rules
Nftables is the modern replacement for iptables. It’s the default on newer distributions like Fedora and Debian. To check nftables rules, use:
sudo nft list ruleset
This command displays the entire ruleset, including tables, chains, and rules. The output is more structured than iptables. You can also list specific tables:
sudo nft list table inet filter
Replace inet filter with your table name. Nftables uses a simpler syntax, but the logic is similar. If the command prints nothing, no nftables rules are loaded and nothing is being filtered at that layer; unless another backend is active, the host is unprotected.
Checking Firewalld Status And Rules
Firewalld is a dynamic firewall manager used on RHEL, CentOS, and Fedora. It uses zones to group rules. To check if firewalld is running:
sudo systemctl status firewalld
If active, you can list all rules with:
sudo firewall-cmd --list-all
This shows the default zone, interfaces, services, ports, and masquerade settings. For a specific zone, use:
sudo firewall-cmd --zone=public --list-all
To see all zones and their rules:
sudo firewall-cmd --list-all-zones
Firewalld also supports rich rules. Check them with:
sudo firewall-cmd --list-rich-rules
If firewalld is not running, iptables or nftables may be handling rules directly. Always verify the active backend.
Checking Ufw Firewall Rules
Ufw (Uncomplicated Firewall) is popular on Ubuntu and Debian. It’s a frontend for iptables or nftables. To check ufw status:
sudo ufw status verbose
This shows whether ufw is active, the default policy, and all rules. For a numbered list (useful for deleting rules):
sudo ufw status numbered
If ufw is inactive, you’ll see “Status: inactive”. To see the rules you have added, printed as the ufw commands that created them, use:
sudo ufw show added
Ufw keeps its rule files under /etc/ufw/, but the command line is easier; sudo ufw show raw prints the underlying iptables rules that ufw generated. Remember that ufw only reports rules it manages, so rules another tool wrote to iptables directly will not appear in ufw output.
Checking Firewall Rules With System Tools
Sometimes you need to check firewall status without the specific tool. Use these generic commands:
- sudo iptables -L: works on most systems
- sudo nft list ruleset: if nftables is present
- sudo ss -tlnp: shows listening ports (not firewall rules, but helps verify)
The ss command is useful for checking which ports are actually open. Combine it with firewall checks to confirm policies. For example, if a port is listening but blocked by the firewall, you’ll see it in ss but not in external scans.
Using Graphical Tools To Check Firewall
If you prefer a GUI, Linux offers several options. On GNOME, install firewall-config for firewalld:
sudo apt install firewall-config
Then launch it from the menu. You can view zones, services, and ports visually. For ufw, use gufw:
sudo apt install gufw
Gufw shows a simple interface with status, incoming/outgoing policies, and rule lists. These tools are great for beginners but may not show all advanced rules.
Checking Firewall Logs For Blocked Traffic
Firewalls log blocked packets if configured. To check logs, use:
sudo journalctl -u firewalld
For iptables logs, look in /var/log/messages or /var/log/syslog:
sudo grep "iptables" /var/log/syslog
Nftables has no log viewer of its own: packets that hit an nftables log statement are written to the kernel log, which you read with sudo journalctl -k (or dmesg). To watch the ruleset itself change in real time, use:
sudo nft monitor
Logs help you understand why traffic is being blocked. If you see unexpected drops, review your rules.
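Reading drop logs line by line gets tedious quickly, so here is an added example (not code from the original article) that summarizes them by protocol, destination port and source address. It assumes your DROP rules are preceded by an iptables LOG rule whose --log-prefix is "[IPT-DROP] " (the prefix is an assumption; substitute your own), and the kernel log lines it works on are constructed samples that use documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original article: summarize firewall drop logs
# by destination port and source. Assumes DROP rules are preceded by a LOG
# rule with --log-prefix "[IPT-DROP] " (the prefix is an assumption); the
# kernel log lines below are constructed samples using documentation addresses.
export LC_ALL=C

# Count log entries per (protocol, destination port, source address).
# Output: "<count> <PROTO> <DPT> <SRC>", most frequent first.
log_drop_summary() {   # $1 = file of kernel log lines (journalctl -k or syslog)
  awk -v tag='[IPT-DROP]' '
    index($0, tag) {
      src = ""; dpt = ""; proto = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
      }
      # ICMP entries carry no DPT; they are skipped here rather than miscounted.
      if (src != "" && dpt != "") count[proto " " dpt " " src]++
    }
    END { for (k in count) print count[k], k }' "$1" | sort -k1,1nr -k2
}

# --- constructed sample log (what LOG rules write to the kernel log) ---
FW_LOG=$(mktemp)
cat > "$FW_LOG" <<'EOF'
Jan 10 10:15:01 host kernel: [IPT-DROP] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 10:15:02 host kernel: [IPT-DROP] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 10:15:03 host kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Jan 10 10:15:04 host kernel: [IPT-DROP] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 10:15:05 host kernel: [IPT-DROP] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 10:15:06 host kernel: [IPT-DROP] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53210 DPT=161 LEN=58
EOF

echo "count proto dport source"
log_drop_summary "$FW_LOG"
```

On a live system, feed it the real log instead of the sample: sudo journalctl -k | log_drop_summary /dev/stdin, or point it at /var/log/syslog. The unrelated kernel line in the sample is there to show that only tagged entries are counted.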
Common Issues When Checking Firewall
Sometimes commands return no output or errors. Here are fixes:
- Command not found: install the tool. For iptables: sudo apt install iptables
- Permission denied: always use sudo
- No rules shown: the firewall may be disabled. Check with sudo ufw status or sudo systemctl status firewalld
- Rules don’t match expectations: another tool may have modified the ruleset. Check all backends.
If you’re using Docker or other container tools, they may add iptables rules automatically. These can conflict with your firewall. Use sudo iptables -L to see Docker’s rules.
How To Check Firewall On Linux For Specific Services
To verify if a service like SSH or HTTP is allowed, use targeted commands:
sudo firewall-cmd --query-service=ssh
For ufw:
sudo ufw status | grep ssh
For iptables, search for the port:
sudo iptables -L -n | grep 22
This helps you confirm that critical services are accessible. A bare 22 also matches addresses and packet counts, so look for dpt:22 in the matching lines. If a service is blocked, you’ll see its port missing from the allowed lists.
Checking Firewall Rules On Remote Servers
When managing a remote Linux server, checking the firewall is safe but changing it is risky: a wrong command can lock you out. Test rules locally first, or keep your existing SSH session open and test the new rules from a second one. Before making changes, save the current rules:
sudo iptables-save > /tmp/iptables-backup.txt
Then check rules with the same commands, and roll back with sudo iptables-restore < /tmp/iptables-backup.txt if something goes wrong. If you accidentally block SSH, you may need physical access or a recovery console.
Automating Firewall Checks With Scripts
For regular audits, create a simple script:
#!/bin/bash
# Audit every firewall frontend that is installed; report the ones that are not.
echo "Checking iptables rules..."
if command -v iptables >/dev/null 2>&1; then sudo iptables -L -n -v; else echo "iptables not installed"; fi
echo "Checking firewalld..."
if systemctl is-active --quiet firewalld; then sudo firewall-cmd --list-all; else echo "firewalld not running"; fi
echo "Checking ufw..."
if command -v ufw >/dev/null 2>&1; then sudo ufw status verbose; else echo "ufw not installed"; fi
Run it from cron for daily checks and keep each run’s output, so that configuration drift shows up as a difference between runs.
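A daily listing only catches drift if someone compares it with the previous one. The following added example (not part of the original article) does that comparison: it normalizes two iptables-save snapshots so that packet counters and timestamps do not raise false alarms, then reports rules that appeared or vanished. The two snapshots are constructed samples; the snapshot_ruleset helper is the piece you would schedule from cron.

```shell
#!/bin/sh
# Added example, not from the original article: detect configuration drift by
# comparing two iptables-save snapshots (for example yesterday's cron snapshot
# against today's). The two snapshots below are constructed samples.
export LC_ALL=C

# Normalize a snapshot so that volatile fields do not raise false alarms:
# drop the "# Generated by ..." / "# Completed on ..." lines and the
# [packets:bytes] counters on chain policy lines, then sort for comparison.
normalize_ruleset() {   # $1 = iptables-save file
  grep -v '^#' "$1" | sed 's/ \[[0-9]*:[0-9]*\]$//' | sort
}

# Compare baseline ($1) with current ($2). Prints rules that appeared (ADDED)
# and rules that vanished (REMOVED); exit status 0 = no drift, 1 = drift.
ruleset_drift() {
  base_norm=$(mktemp); cur_norm=$(mktemp)
  normalize_ruleset "$1" > "$base_norm"
  normalize_ruleset "$2" > "$cur_norm"
  added=$(comm -13 "$base_norm" "$cur_norm")      # lines only in current
  removed=$(comm -23 "$base_norm" "$cur_norm")    # lines only in baseline
  rm -f "$base_norm" "$cur_norm"
  if [ -n "$added" ];   then printf 'ADDED:\n%s\n' "$added"; fi
  if [ -n "$removed" ]; then printf 'REMOVED:\n%s\n' "$removed"; fi
  [ -z "$added" ] && [ -z "$removed" ]
}

# Snapshot the live ruleset (needs root); this is the call to schedule from cron.
snapshot_ruleset() {   # $1 = destination file
  iptables-save > "$1"
}

# --- constructed samples: baseline from yesterday, ruleset seen today ---
FW_DEMO_DIR=$(mktemp -d)
FW_BASELINE="$FW_DEMO_DIR/baseline.rules"
FW_CURRENT="$FW_DEMO_DIR/current.rules"
cat > "$FW_BASELINE" <<'EOF'
# Generated by iptables-save v1.8.7 on Mon Jan  8 03:00:01 2024
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [120:9600]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Jan  8 03:00:01 2024
EOF
cat > "$FW_CURRENT" <<'EOF'
# Generated by iptables-save v1.8.7 on Tue Jan  9 03:00:01 2024
*filter
:INPUT ACCEPT [3:240]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [845:70210]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
# Completed on Tue Jan  9 03:00:01 2024
EOF

# Counter changes are ignored; the INPUT policy flip and the new port are reported.
if ruleset_drift "$FW_BASELINE" "$FW_CURRENT"; then
  echo "no drift"
else
  echo "drift detected: review the lines above"
fi
```

The non-zero exit status is what makes this cron-friendly: schedule snapshot_ruleset, run ruleset_drift against the previous snapshot, and have cron mail you only when it fails. Note that a policy flip from DROP to ACCEPT shows up as one line removed and one added, which is exactly the kind of change you want to hear about.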
Understanding Firewall Rule Output
When you check rules, you’ll see columns like target, prot, opt, source, and destination. Here’s what they mean:
- target: ACCEPT, DROP, REJECT, or LOG
- prot: Protocol (tcp, udp, icmp)
- opt: Options (usually empty)
- source: Source IP or network
- destination: Destination IP or network
For example, a rule allowing SSH from anywhere looks like: ACCEPT tcp -- anywhere anywhere tcp dpt:22. Understanding this helps you debug quickly.
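To put the column layout above, and the ss cross-check from the system-tools section, to work, here is an added example (not code from the original article). It parses a saved iptables -L -n -v listing for each chain’s default policy and the TCP ports the INPUT chain explicitly accepts, parses ss -tlnp output for listening sockets, and reports listeners that no ACCEPT rule covers. Both outputs are constructed samples in the classic listing format with protocol names; the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not from the original article: parse a saved `iptables -L -n -v`
# listing for the chain policy and the TCP ports the INPUT chain accepts, then
# cross-check against the listeners reported by `ss -tlnp`. Both outputs below
# are constructed samples in the classic listing format.
export LC_ALL=C

# Default policy of a chain (e.g. DROP), taken from the "Chain NAME (policy ...)" header.
chain_policy() {   # $1 = chain name, $2 = listing file
  sed -n "s/^Chain $1 (policy \([A-Z]*\).*/\1/p" "$2"
}

# TCP destination ports that INPUT explicitly ACCEPTs. Only single "dpt:N"
# matches are expanded; "dpts:A:B" ranges and multiport lists are left out,
# so a port missing here may still be covered by such a rule.
input_accepted_tcp_ports() {   # $1 = listing file
  awk '/^Chain /{ chain = $2 }
       chain == "INPUT" && $3 == "ACCEPT" && $4 == "tcp" {
         for (i = 5; i <= NF; i++)
           if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $i }
       }' "$1" | sort -un
}

# "port local-address:port" for each TCP listener in saved ss -tlnp output.
listening_tcp() {   # $1 = ss output file
  awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n], $4 }' "$1" | sort -u
}

# Listeners that no INPUT ACCEPT rule covers. With a DROP policy they are
# unreachable from the network (by design or by mistake); with an ACCEPT
# policy they are exposed without any rule, which is the worse surprise.
listeners_without_rule() {   # $1 = iptables listing, $2 = ss output
  allowed=$(input_accepted_tcp_ports "$1")
  listening_tcp "$2" | while read -r port addr; do
    echo "$allowed" | grep -qx "$port" || echo "$port $addr"
  done
}

# --- constructed samples ---
FW_LISTING=$(mktemp); SS_OUTPUT=$(mktemp)
cat > "$FW_LISTING" <<'EOF'
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1203 96240 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 8842 1204K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   45  2700 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5012 packets, 601K bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
cat > "$SS_OUTPUT" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1201,fd=6))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=990,fd=21))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
EOF

echo "INPUT policy: $(chain_policy INPUT "$FW_LISTING")"
echo "INPUT accepts TCP ports: $(input_accepted_tcp_ports "$FW_LISTING" | tr '\n' ' ')"
echo "Listening TCP ports with no INPUT ACCEPT rule (port local-address):"
listeners_without_rule "$FW_LISTING" "$SS_OUTPUT"
```

In the sample, port 80 is listening on all addresses but has no ACCEPT rule, so with the DROP policy the web server is silently unreachable; port 3306 is bound to 127.0.0.1 and only the loopback rule reaches it, so its appearance in the list is expected. On a real host, save the two listings with sudo iptables -L -n -v > /tmp/fw.txt and ss -tlnp > /tmp/ss.txt and pass those files in.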
Checking Firewall On Different Linux Distributions
Commands vary slightly across distros:
- Ubuntu/Debian: Use ufw, iptables, or nftables
- RHEL/CentOS/Fedora: Use firewalld, iptables, or nftables
- Arch Linux: Use iptables or nftables, optionally firewalld
- openSUSE: Use firewalld (or SuSEfirewall2 on older releases)
Always check which firewall service is active with sudo systemctl list-units | grep firewall. This prevents confusion.
When To Check Your Firewall
Regular checks are important after:
- Installing new software that opens ports
- Changing network configurations
- Security incidents or audits
- System updates that may reset rules
Make it a habit to verify after every change. A single misconfigured rule can expose your system.
Tools For Advanced Firewall Checking
For deeper analysis, use nmap to scan your own system:
sudo nmap -sS localhost
Scanning localhost goes over the loopback interface, so it shows which services are listening rather than what an outside host can reach; for a true external perspective, run the same scan from another machine against the server’s address. Compare the result with your firewall rules to ensure consistency. Also use tcpdump to capture packets:
sudo tcpdump -i eth0 port 22
This helps verify if packets are being dropped or accepted.
Securing Your Firewall After Checking
Once you’ve verified rules, consider these best practices:
- Set default policies to DROP
- Allow only necessary ports
- Use stateful rules to track connections
- Log dropped packets for monitoring
Regular checks help you maintain a strong security posture. Don’t rely on a single tool; cross-verify with multiple methods.
Frequently Asked Questions
How Do I Check If My Firewall Is Active On Linux?
Use sudo ufw status for ufw, sudo systemctl status firewalld for firewalld, or sudo iptables -L to see if rules exist. If commands return no rules or show inactive, the firewall may be off.
What Is The Difference Between Iptables And Nftables?
Iptables is older and uses separate tools for IPv4 and IPv6 (iptables and ip6tables). Nftables is newer, handles both in one ruleset, and is faster. Both manage firewall rules, but with different syntax: use iptables -L or nft list ruleset.
Can I Check Firewall Rules Without Sudo?
No, firewall commands require root privileges for security reasons. Always use sudo or log in as root. Without it, you’ll get permission errors.
Why Does My Firewall Show No Rules Even Though I Configured It?
Possible reasons: the firewall service is not running, rules were not saved, or another tool overwrote them. Check the service status and reload rules if needed.
How Often Should I Check My Linux Firewall?
At least weekly, or after any system change. Automated scripts can run daily. Regular checks prevent configuration drift and security gaps.
Now you have a complete guide on how to check firewall on Linux. From iptables to firewalld, you can verify rules, debug issues, and keep your system secure. Remember to test changes in a safe environment first. Happy securing!