Why do I only like to use iptables in Linux?

No matter which Linux distribution I use, my first choice of firewall must be iptables. If a Linux distribution does not support iptables, I will decisively give up on using it. It can be said that I absolutely prefer iptables. Today Mingyue will share with you my personal views and opinions.

First of all, usage habits are a very important factor. When Mingyue started learning Linux, the first firewall she knew was iptables. It can be said that her study of firewall principles and practical operations are based on iptables, and she has been constantly learning…

From a purely technical point of view, iptables is a kernel-level firewall tool, so it has high performance and efficiency. It can directly operate the kernel’s packet filtering mechanism, while third-party firewall applications need to interact with the kernel through system calls, which causes a certain performance loss. This may be related to the fact that when Mingyue first learned Linux, the computer configuration was not high and the performance loss requirements were relatively high. I care about this advantage.

In addition, iptables supports various advanced features, such as port forwarding, load balancing, and NAT. Most third-party firewall applications have limited functions, and iptables is very flexible in configuration, so users can customize firewall rules according to their specific needs. The configuration of third-party firewall applications is usually rigid and lacks flexibility. So far, Mingyue has not encountered a firewall that can be configured as flexibly as iptables, including firewalld, which I still think is not as flexible as iptables in configuration.

Finally, there are security considerations. Especially on Linux, using a third-party firewall always gives me a feeling of “letting a wolf into the house”. In addition, many third-party firewalls require payment. Compared with the free and open source iptables, I must choose iptables first.

Of course, iptables is not all good. The lack of a graphical interface is a big shortcoming, which can be a big barrier for people who are not used to command-line terminals. However, Mingyue believes that for qualified operations and maintenance personnel, it is still necessary to understand and be proficient in using iptables.
