How To Check Firewall In Linux – Inspect Active Firewall Rules

Securing your network requires knowing how to check firewall in Linux to verify active rules and zones. Whether you’re a system administrator or a curious user, understanding your firewall status is essential for protecting your system from unauthorized access. This guide walks you through every major method, from command-line tools to graphical interfaces, so you can confidently manage your Linux firewall.

Firewalls in Linux come in different flavors—iptables, nftables, firewalld, and ufw are the most common. Each has its own commands and syntax, but the core goal is the same: control incoming and outgoing traffic based on predefined rules. Let’s start with the basics and work our way up to advanced checks.

Understanding Linux Firewall Basics

Before you run any commands, it helps to know what you’re looking at. A firewall is essentially a set of rules that filter network packets. These rules can allow, block, or log traffic based on IP addresses, ports, protocols, and interfaces.

Most modern Linux distributions use one of these firewall systems:

  • iptables – The classic, older framework, still widely used.
  • nftables – The modern replacement for iptables, offering better performance and syntax.
  • firewalld – A dynamic firewall daemon that manages iptables or nftables rules with zones.
  • ufw (Uncomplicated Firewall) – A user-friendly frontend for iptables, popular on Ubuntu.

Your distribution likely uses one of these by default. For example, CentOS and RHEL lean on firewalld, while Ubuntu often uses ufw. But you can check manually, which we’ll cover next.

How To Check Firewall In Linux

Now let’s get into the meat of the article. There is no single command to check the firewall in Linux; the right one depends on which firewall system your distribution runs, so we’ll break the methods down by tool. You’ll learn to verify if your firewall is active, list current rules, and understand what each rule does.

Check Firewall Status With Systemctl

The quickest way to see if a firewall service is running is with systemctl. This command works for firewalld, ufw, and other systemd-managed services.

  1. Open your terminal.
  2. Run sudo systemctl status firewalld for firewalld.
  3. Or sudo systemctl status ufw for ufw.
  4. Look for “active (running)” in the output. If it says “inactive” or “dead,” the service isn’t running.

If the service isn’t running, you might still have iptables rules loaded manually. Don’t assume no firewall means no protection—check the rules directly.

List Iptables Rules

Iptables is the granddaddy of Linux firewalls. Even if you use a frontend, the underlying rules often live in iptables. To see all current rules:

sudo iptables -L -n -v

This command lists rules with numeric IP addresses and verbose output. The -L flag lists rules, -n shows numeric addresses (no DNS lookups), and -v gives packet counts.

You’ll see three default chains: INPUT, FORWARD, and OUTPUT. Each chain has a policy (ACCEPT, DROP, or REJECT) and a list of rules. If the policy is ACCEPT and no rules block traffic, your firewall is essentially open.

For a cleaner view, try:

sudo iptables -S

This shows rules in a format you can copy-paste into scripts. It’s great for debugging.

Check Nftables Rules

If your system uses nftables (common on newer Fedora, Arch, or Debian), the command is different. Nftables replaces iptables with a single framework.

To list all rules:

sudo nft list ruleset

This dumps the entire ruleset, including tables, chains, and rules. It can be verbose, so pipe it to less if needed:

sudo nft list ruleset | less

You can also list specific tables. For example, sudo nft list table inet filter shows only the filter table. Nftables syntax is more consistent than iptables, but it takes some getting used to.

Use Firewalld Commands

Firewalld is the default on Red Hat-based systems like CentOS, Fedora, and RHEL. It uses zones to manage trust levels. To check its status:

sudo firewall-cmd --state

This returns “running” or “not running.” Simple as that.

To list all zones and their rules:

sudo firewall-cmd --list-all-zones

Or check the default zone:

sudo firewall-cmd --list-all

This shows services, ports, protocols, and sources allowed in the current zone. For example, you might see “ssh” and “dhcpv6-client” as allowed services.

To see which zone is active on an interface:

sudo firewall-cmd --get-active-zones

Firewalld is dynamic, meaning changes take effect immediately without restarting the service. That’s a big advantage over raw iptables.

Check Ufw Status

Ubuntu and its derivatives often use ufw. It’s designed to be simple. To check if ufw is enabled:

sudo ufw status

This shows “Status: active” or “Status: inactive.” If active, it lists rules like “22/tcp ALLOW Anywhere” for SSH.

For more detail, use verbose mode:

sudo ufw status verbose

This adds logging info and default policies. You’ll see whether incoming traffic is denied by default (which is the secure setting).

To see numbered rules (useful for deleting):

sudo ufw status numbered

Ufw is great for beginners, but power users might find it limiting. Still, it’s perfectly fine for most desktop and server setups.

Check Firewall Logs

Sometimes rules don’t tell the whole story. Logs show what’s actually being blocked or allowed. Firewall logs are usually in /var/log/.

For iptables, logged packets land in the kernel log, usually /var/log/kern.log or /var/log/messages. Note that iptables only records packets that match a rule with the LOG target, and each entry carries that rule’s --log-prefix, so grep for the prefix you configured (here, a prefix containing “iptables”):

sudo grep -i "iptables" /var/log/kern.log

For firewalld, logs are in /var/log/firewalld or via journalctl:

sudo journalctl -u firewalld

Ufw logs to /var/log/ufw.log. Check it with:

sudo tail -f /var/log/ufw.log

Logs are invaluable for troubleshooting. If a service isn’t working, the firewall log might show dropped packets.
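As an added example (not from the original article), here is a small log summarizer for the [UFW BLOCK] lines described above. It runs against a constructed sample of /var/log/ufw.log lines embedded in the script, so it needs no root and no live firewall; the host name, addresses and ports in the sample are placeholders.

```shell
#!/bin/sh
# Constructed sample of /var/log/ufw.log lines (documentation IP ranges, not real traffic).
SAMPLE_UFW_LOG='Jan 10 12:00:01 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 SYN
Jan 10 12:00:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22 SYN
Jan 10 12:00:03 web1 kernel: [UFW ALLOW] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443 SYN
Jan 10 12:00:04 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353
Jan 10 12:00:05 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=3306 SYN'

# summarize_blocks: read ufw log lines on stdin and print one line per
# (source, protocol/destination port) that ufw blocked, busiest first:
#   <count> <SRC> <PROTO>/<DPT>
# Lines that are not [UFW BLOCK] entries (e.g. [UFW ALLOW]) are ignored.
summarize_blocks() {
    awk '
        /\[UFW BLOCK\]/ {
            src = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            if (src != "" && dpt != "") count[src " " proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2 -k3,3
}

# top_blocked_port: the PROTO/DPT with the most blocked packets in the input.
top_blocked_port() {
    summarize_blocks | head -n 1 | awk '{ print $3 }'
}

# Demo on the constructed sample; on a real host use:
#   sudo cat /var/log/ufw.log | summarize_blocks
printf '%s\n' "$SAMPLE_UFW_LOG" | summarize_blocks
```

A source that keeps hitting the same closed port is usually a scan; a burst against a port you expected to be open is the misconfiguration the log is there to reveal.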

Check Firewall With Graphical Tools

Not everyone loves the command line. Some Linux desktops offer GUI tools for firewall management.

  • firewall-config – For firewalld. Install it with sudo apt install firewall-config (Debian/Ubuntu) or sudo dnf install firewall-config (Fedora). It shows zones, services, and rules in a clean interface.
  • gufw – For ufw. Install with sudo apt install gufw. It’s a simple on/off switch with basic rule editing.
  • nftables – There is no official GUI for nft. You’d rely on the command line or third-party scripts.

Graphical tools are fine for quick checks, but they often hide details. For serious auditing, stick with the terminal.

Verify Firewall Rules With Nmap

Nmap is a network scanner that can test your firewall from outside. It’s not installed by default, so you’ll need to add it:

sudo apt install nmap

Then scan your own machine from another device (or localhost):

nmap -sT localhost

This shows open ports. If a port is open but your firewall should block it, you have a misconfiguration. Nmap can also do stealth scans (-sS) and service detection (-sV).

Be careful: scanning other people’s machines without permission is illegal. Only scan your own network.

Check Firewall For Specific Ports

Often you just want to know if a particular port is open. For example, checking if SSH (port 22) is allowed.

With iptables:

sudo iptables -L -n | grep :22

With firewalld:

sudo firewall-cmd --query-service=ssh

With ufw:

sudo ufw status | grep 22

You can also use ss or netstat to see listening ports, but that shows what’s running, not what the firewall allows. Combine both for a complete picture.

Check Firewall Rules For IPv6

IPv6 is often overlooked. If your network uses IPv6, you need to check those rules too.

For iptables, use the ip6tables command:

sudo ip6tables -L -n -v

For nftables, the same nft list ruleset command shows IPv6 rules if they exist. Firewalld handles IPv6 automatically in its zones. Ufw also supports IPv6, but you may need to enable it in /etc/default/ufw.

Don’t skip IPv6. Many attacks target it because admins forget to configure it.

Common Firewall Checking Mistakes

Even experienced users make errors. Here are pitfalls to avoid:

  • Assuming a service is running – Always check with systemctl status or --state.
  • Ignoring default policies – If the default policy is ACCEPT, your rules might not matter.
  • Forgetting to check both IPv4 and IPv6 – They are separate rule sets in iptables.
  • Relying only on GUI – GUIs can hide complex rules. Use command line for accuracy.
  • Not testing from outside – Local checks don’t simulate real traffic. Use nmap or a remote scan.

Double-check everything. A single typo in a rule can leave your system exposed.

Automating Firewall Checks

If you manage multiple servers, manual checks are tedious. Write a script to check firewall status across machines.

Here’s a simple bash script for firewalld:

#!/bin/bash
# Print each host's firewalld state ("running" or "not running").
# Replace the host names with your own servers.
for host in server1 server2 server3; do
    printf '%s: ' "$host"
    ssh "$host" "sudo firewall-cmd --state"
done

For iptables, you can parse the output with awk or grep. Tools like Ansible or Puppet can also enforce firewall rules and report status.

Automation saves time and reduces human error. But always test scripts in a safe environment first.
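As an added example (not from the original article), here is the awk-based parsing just mentioned, applied to the text that sudo iptables -S prints. It answers the earlier “is this port allowed?” question per port and flags the default-policy and open-to-the-world pitfalls from the mistakes list above. It runs against a constructed ruleset embedded in the script, so it can be tried without root; the addresses and ports are placeholders.

```shell
#!/bin/sh
# Constructed sample of `sudo iptables -S` output (addresses are documentation ranges).
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables-drop: "'

# chain_policy CHAIN: print the default policy of a built-in chain (rules on stdin).
chain_policy() {
    awk -v chain="$1" '$1 == "-P" && $2 == chain { print $3 }'
}

# port_status PORT: how INPUT treats new TCP connections to PORT. Prints "open"
# (ACCEPT from any source), "restricted <src>" (ACCEPT only from -s src) or
# "closed" (no ACCEPT rule, so the chain policy decides).
port_status() {
    awk -v port="$1" '
        $1 == "-A" && $2 == "INPUT" && / -p tcp / && / -j ACCEPT/ {
            src = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-s")      src   = $(i + 1)
            }
            if (dport == port) {
                found = 1
                if (src == "") { print "open" } else { print "restricted " src }
                exit
            }
        }
        END { if (!found) print "closed" }
    '
}

# audit_input_chain: flag two pitfalls from the list above: an ACCEPT default
# policy on INPUT, and TCP ports accepted from any source instead of a known range.
audit_input_chain() {
    rules=$(cat)
    if [ "$(printf '%s\n' "$rules" | chain_policy INPUT)" = "ACCEPT" ]; then
        echo "WARN: INPUT policy is ACCEPT; rules only restrict what they match"
    fi
    printf '%s\n' "$rules" | awk '$1 == "-A" && $2 == "INPUT" && /--dport/ && / -j ACCEPT/ && !/ -s / {
        for (i = 1; i <= NF; i++) if ($i == "--dport") print "INFO: port " $(i + 1) " accepted from any source"; }'
}

# Demo on the constructed sample; on a real host: sudo iptables -S | audit_input_chain
printf '%s\n' "$SAMPLE_RULES" | audit_input_chain
```

Run the same functions over sudo ip6tables -S as well, since the IPv6 rule set is separate.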

Troubleshooting Firewall Issues

If you suspect your firewall is blocking something, here’s a systematic approach:

  1. Check if the service is running.
  2. List all rules and look for explicit denies.
  3. Check logs for dropped packets.
  4. Temporarily disable the firewall to test (use sudo systemctl stop firewalld or sudo ufw disable).
  5. Re-enable and add rules as needed.

Remember: disabling the firewall leaves you vulnerable. Only do it for a few seconds during testing.

Firewall Checking For Different Distributions

Commands vary slightly by distro. Here’s a quick reference:

  • Ubuntu/Debian – Use ufw status or sudo iptables -L.
  • CentOS/RHEL – Use sudo firewall-cmd --state or sudo iptables -L.
  • Fedora – Firewalld is default, but nftables is also available.
  • Arch Linux – Usually iptables or nftables; check with sudo systemctl status iptables.
  • openSUSE – Uses firewalld or SuSEfirewall2; check with sudo systemctl status firewalld.

Know your distro’s default. It saves time and confusion.

Security Best Practices After Checking

Once you’ve verified your firewall, consider these tips:

  • Only allow necessary ports and services.
  • Use default deny policies for incoming traffic.
  • Log dropped packets for monitoring.
  • Update rules regularly as your network changes.
  • Combine firewall with other security tools like fail2ban or SELinux.

A firewall is just one layer. Defense in depth is the real goal.

Frequently Asked Questions

How Do I Check If My Firewall Is Blocking A Port In Linux?

Use sudo iptables -L -n | grep :port or sudo firewall-cmd --query-port=port/tcp. You can also try connecting from another machine with telnet or nc and see if it times out.

What Is The Difference Between Iptables And Firewalld?

Iptables is a low-level tool that manages rules directly. Firewalld is a daemon that provides a dynamic interface with zones, making it easier to manage. Firewalld can use iptables or nftables as its backend.

Can I Check Firewall Rules Without Root Access?

No, most firewall commands require root privileges because they affect system security. You can use sudo or log in as root. Some systems allow non-root users to view status with systemctl status but not detailed rules.

How Often Should I Check My Linux Firewall?

Check after any system update, after installing new services, or when you suspect a security issue. For production servers, automate daily checks with scripts and monitoring tools.

Why Does My Firewall Show No Rules But Still Blocks Traffic?

Check the default policy. If the INPUT chain policy is DROP, all incoming traffic is blocked unless explicitly allowed. Also, check for hardware firewalls or network-level filters outside your server.

Now you have a complete toolkit to check your Linux firewall. Start with the basic status command, then drill down into rules and logs. Regular checks keep your system safe and your mind at ease. Remember, a firewall is only effective if you know it’s working—so make checking a habit.