Linux Network & Firewall Command Guide: Comparison by Distribution

Why Do Network and Firewall Commands Differ by Distribution?

Linux network diagnostic commands (ip, ss, curl, etc.) are mostly common across distributions. However, firewall tools vary significantly depending on the distribution and version. Ubuntu uses ufw, RHEL/CentOS uses firewalld, and older versions use iptables directly.

This article first covers common network commands, then compares firewall configuration across distributions.

Network Diagnostic Commands (Common)

The following commands can be used identically across almost all distributions.

IP Address and Interface Information

# Check IP address (replaces ifconfig)
ip addr show
# Or abbreviated
ip a

# Check a specific interface only
ip addr show eth0

# Check routing table
ip route show
# default via 192.168.1.1 dev eth0

# Check DNS servers
cat /etc/resolv.conf
# nameserver 8.8.8.8

ifconfig is a legacy tool that is not installed by default on many modern distributions. The ip command is its official replacement.

| Legacy Command | New Command | Purpose |
| --- | --- | --- |
| ifconfig | ip addr | Check IP address |
| ifconfig eth0 up | ip link set eth0 up | Activate interface |
| route | ip route | Routing table |
| netstat | ss | Socket/port information |
| arp | ip neigh | ARP table |

Port and Connection Checks

# Check open ports (listening TCP, including processes)
ss -tlnp
# State    Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
# LISTEN   0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=1234))
# LISTEN   0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=567))

# Check which process is using a specific port
ss -tlnp | grep :3000

# All connection states (ESTABLISHED, TIME_WAIT, etc.)
ss -tan

# Check UDP ports
ss -ulnp

| Option | Meaning |
| --- | --- |
| -t | TCP only |
| -u | UDP only |
| -l | LISTEN state only |
| -n | Show port numbers numerically (no name resolution) |
| -p | Include process info (requires root) |
| -a | All sockets (LISTEN + ESTABLISHED, etc.) |
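As an added example that is not part of the original article: a small shell function that reads `ss -tlnp` output and reports listeners bound to a wildcard address (0.0.0.0, [::] or *), the quick way to spot services exposed on every interface rather than only on loopback. The ss sample below is constructed, not captured from a real host.

```shell
# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN  0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1234,fd=6))
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=567,fd=3))
LISTEN  0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=890,fd=21))
LISTEN  0      4096   [::]:9090           [::]:*            users:(("prometheus",pid=222,fd=7))
LISTEN  0      511    [::1]:6379          [::]:*            users:(("redis-server",pid=333,fd=6))'

# exposed_listeners: read `ss -tlnp` output on stdin and print "port process"
# for each socket bound to a wildcard address. Loopback-only listeners
# (127.0.0.1, [::1]) are reachable only from the host itself and are skipped.
exposed_listeners() {
  awk 'NR > 1 {
    addr = $4                          # "Local Address:Port" column
    n = split(addr, parts, ":")        # the port follows the last colon
    port = parts[n]
    host = substr(addr, 1, length(addr) - length(port) - 1)
    if (host == "0.0.0.0" || host == "[::]" || host == "*") {
      proc = "?"                       # ss prints no process name without root
      if (match($0, /\("[^"]+"/))      # first ("name" inside users:(...)
        proc = substr($0, RSTART + 2, RLENGTH - 3)
      print port, proc
    }
  }'
}

# Demo on the constructed sample; on a live host use: ss -tlnp | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```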

Connectivity Testing

# ICMP ping (4 times)
ping -c 4 8.8.8.8

# DNS lookup
nslookup example.com
dig example.com A         # Detailed DNS query

# TCP port connectivity test (replaces telnet)
nc -zv 192.168.1.100 3306
# Connection to 192.168.1.100 3306 port [tcp/mysql] succeeded!

# HTTP request test
curl -I https://example.com        # Headers only
curl -o /dev/null -s -w "%{http_code}\n" https://example.com  # Status code only

# Route tracing
traceroute 8.8.8.8         # ICMP-based
tracepath 8.8.8.8           # UDP-based (no installation needed)

nc (netcat) replaces telnet for TCP/UDP port connectivity testing. -z tests the connection without sending data, and -v outputs the result.

Firewall: Tool Comparison by Distribution

The core of Linux firewalls is the kernel’s netfilter framework. iptables, nftables, ufw, and firewalld are all user-facing tools (frontends) that control netfilter.

| Distribution | Version | Default Firewall Tool | Backend |
| --- | --- | --- | --- |
| Ubuntu | 16.04+ LTS | ufw | iptables -> nftables |
| Debian | 10+ (Buster+) | nftables (ufw installable) | nftables |
| RHEL/CentOS 7 | 7.x | firewalld | iptables |
| RHEL/Rocky/Alma 8+ | 8.x, 9.x | firewalld | nftables |
| Alpine | 3.x | iptables (direct use) | iptables |
| Arch | Rolling | nftables (firewalld installable) | nftables |

UFW (Ubuntu/Debian)

UFW (Uncomplicated Firewall) is, as the name suggests, a simple firewall tool. It uses iptables/nftables internally while providing intuitive commands.

# === UFW basic commands (Ubuntu/Debian) ===

# Enable/disable firewall
sudo ufw enable
sudo ufw disable
sudo ufw status verbose     # Check status (detailed)

# Set default policies
sudo ufw default deny incoming    # Block incoming by default
sudo ufw default allow outgoing   # Allow outgoing by default

# Allow ports
sudo ufw allow 22/tcp              # SSH
sudo ufw allow 80/tcp              # HTTP
sudo ufw allow 443/tcp             # HTTPS
sudo ufw allow 3000:3100/tcp       # Port range

# IP-based rules
sudo ufw allow from 192.168.1.0/24 to any port 22   # Allow SSH from internal network only
sudo ufw deny from 10.0.0.5                          # Block specific IP

# Delete rules
sudo ufw delete allow 80/tcp
sudo ufw status numbered            # Check by number
sudo ufw delete 3                   # Delete rule #3

# Reset all rules
sudo ufw reset

UFW rules are evaluated in order. The first matching rule is applied, so more specific rules should be placed first.

firewalld (RHEL/CentOS/Rocky)

firewalld is a zone-based firewall that assigns network interfaces to zones and manages rules per zone. It is controlled with the firewall-cmd command.

# === firewalld basic commands (RHEL/CentOS/Rocky) ===

# Check status
sudo firewall-cmd --state           # running
sudo firewall-cmd --list-all        # All rules for current zone

# Allow services (predefined service names)
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-service=ssh

# Allow ports directly
sudo firewall-cmd --permanent --add-port=3000/tcp
sudo firewall-cmd --permanent --add-port=8000-8100/tcp   # Range

# IP-based rules (rich rule)
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="22" protocol="tcp" accept'

# Delete rules
sudo firewall-cmd --permanent --remove-service=http
sudo firewall-cmd --permanent --remove-port=3000/tcp

# Apply changes (important!)
sudo firewall-cmd --reload

# Zone management
sudo firewall-cmd --get-zones            # List available zones
sudo firewall-cmd --get-default-zone     # Default zone (usually public)
sudo firewall-cmd --zone=trusted --add-source=10.0.0.0/8 --permanent

In firewalld, running without --permanent applies only at runtime and is lost on reboot. It’s safest to always use --permanent and apply with --reload.

iptables (Legacy/Alpine)

iptables is the oldest and most direct firewall tool. It is used directly on Alpine and legacy Linux systems. Rules are organized into tables and chains (for example the INPUT chain used below).

# === iptables basic commands ===

# View current rules
sudo iptables -L -n -v               # Detailed output without line numbers
sudo iptables -L -n --line-numbers   # With line numbers

# Allow ports (append to INPUT chain)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT    # SSH
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT    # HTTP
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT   # HTTPS

# IP-based allow/block
sudo iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 3306 -j ACCEPT
sudo iptables -A INPUT -s 10.0.0.5 -j DROP

# Default policy (caution: allow SSH first!)
sudo iptables -P INPUT DROP          # Block incoming by default
sudo iptables -P FORWARD DROP        # Block forwarding by default
sudo iptables -P OUTPUT ACCEPT       # Allow outgoing by default

# Delete rule (by line number)
sudo iptables -D INPUT 3             # Delete rule #3 from INPUT chain

# Persist rules (varies by distribution)
# Ubuntu/Debian
sudo apt install iptables-persistent
sudo netfilter-persistent save

# CentOS/RHEL 6
sudo service iptables save

# Alpine
sudo rc-service iptables save

iptables rules are reset on reboot. You must run the persist command. Be careful about order: if you set the default policy to DROP before allowing SSH port (22), you will be locked out of the server.
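As an added example, not the article's own listing: a small POSIX sh script that applies the iptables rules in the lockout-safe order the text describes, and adds the loopback and ESTABLISHED,RELATED rules the listing above omits (without them a DROP policy also blocks replies to the host's own outbound connections). ADMIN_NET, SSH_PORT and SERVICE_PORTS are hypothetical defaults, and DRY_RUN=1 prints the commands instead of running them.

```shell
# run: execute a command, or only print it when DRY_RUN=1 so the rule order
# can be reviewed on a workstation before it is applied as root on a server.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# apply_input_policy: install an INPUT policy in lockout-safe order.
# ADMIN_NET, SSH_PORT and SERVICE_PORTS are hypothetical defaults; override
# them in the environment. Must run as root when DRY_RUN is not set.
apply_input_policy() {
  ADMIN_NET=${ADMIN_NET:-192.168.1.0/24}
  SSH_PORT=${SSH_PORT:-22}
  SERVICE_PORTS=${SERVICE_PORTS:-"80 443"}

  # 1. Loopback and replies to connections this host opened. Without the
  #    conntrack rule, a DROP policy also kills DNS, package updates and the
  #    return half of outbound HTTP, even though OUTPUT is ACCEPT.
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # 2. SSH, restricted to the admin network, before the policy flips to DROP.
  run iptables -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" -j ACCEPT
  # 3. Public services.
  for p in $SERVICE_PORTS; do
    run iptables -A INPUT -p tcp --dport "$p" -j ACCEPT
  done
  # 4. Only now is it safe to default to DROP (last, as the text warns).
  run iptables -P INPUT DROP
  run iptables -P FORWARD DROP
  run iptables -P OUTPUT ACCEPT
}

# ssh_before_drop PORT: read a dry-run listing on stdin; succeed only if an
# ACCEPT for --dport PORT appears before "-P INPUT DROP" (the lockout check).
ssh_before_drop() {
  awk -v port="$1" '
    $0 ~ ("--dport " port " ") && /ACCEPT/ && !ssh { ssh = NR }
    /-P INPUT DROP/ { drop = NR }
    END { exit !(ssh && drop && ssh < drop) }'
}

# Review the order without touching the kernel:
DRY_RUN=1 apply_input_policy
```

After a real (non-dry) run, persist the result with the distribution's save command from the listing above.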

Firewall Command Comparison Table

| Task | UFW (Ubuntu) | firewalld (RHEL) | iptables (Legacy) |
| --- | --- | --- | --- |
| Check status | ufw status | firewall-cmd --list-all | iptables -L -n |
| Enable | ufw enable | systemctl start firewalld | (always active) |
| Allow HTTP | ufw allow 80/tcp | firewall-cmd --permanent --add-service=http | iptables -A INPUT -p tcp --dport 80 -j ACCEPT |
| Port range | ufw allow 8000:8100/tcp | firewall-cmd --permanent --add-port=8000-8100/tcp | iptables -A INPUT -p tcp --dport 8000:8100 -j ACCEPT |
| Allow IP | ufw allow from 10.0.0.0/8 | firewall-cmd --add-rich-rule=... | iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT |
| Apply rules | Immediate | firewall-cmd --reload | Immediate (persist separately) |
| Save rules | Auto-saved | --permanent flag | netfilter-persistent save, etc. |
| Difficulty | Easy | Moderate | Hard |

Summary

The key to Linux network management is that diagnostic commands are common, but firewalls differ by distribution.

  • Network diagnostics: ip a, ss -tlnp, curl, nc -zv are common across all distributions
  • ifconfig/netstat are legacy — replaced by ip and ss
  • Ubuntu: ufw — simplest, suitable for personal servers
  • RHEL/CentOS/Rocky: firewalld — zone-based, enterprise standard
  • Alpine/legacy: iptables — direct chain management, rule persistence required
  • Before configuring a firewall, always allow SSH (22) first — to prevent lockout
