Should i use Firewalld or Iptables for Fail2ban in Centos 7?

Samuel Elgozi asked:

I’m setting up Fail2ban to protect ssh, and I use firewalld,
I saw a lot of people recommending to use anaction = iptables-multiport
and other solutions using iptables instead of firewalld claiming that it is faster or consumes less resources.

As I said before I already configured firewalld(actualy I just blocked all the ports except the ones I use which took me 3 min), and I wanted to know if I should use iptables or firewalld by setting firewallcmd-ipset instead of the above configuration(whichever will be faster).

Also I noticed that I have an iptables package installed even tough I don’t remember installing it, however it’s not running nor can be run.

So just to clarify:

  1. Which one is better for performance?

  2. Which is the default firewall that fail2ban uses on centos7?

  3. Does firewalld replaces Iptables, or is it just a different way to interact with it?

Thanks ahead!

My answer:


If you already use firewalld, then you should have fail2ban also use firewalld. There’s no point in having it use iptables directly in this scenario. Not to mention that firewallcmd-ipset has much better performance for large ban lists than iptables-multiport.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.