Should I use Firewalld or Iptables for Fail2ban in CentOS 7?

I'm setting up Fail2ban to protect ssh, and I use firewalld. I saw a lot of people recommending using `banaction = iptables-multiport` and other solutions using iptables instead of firewalld, claiming that it is faster or consumes fewer resources.

As I said before, I already configured firewalld (actually I just blocked all the ports except the ones I use, which took me 3 min), and I wanted to know if I should use iptables or firewalld by setting `firewallcmd-ipset` instead of the above configuration (whichever will be faster).

Also I noticed that I have an iptables package installed even though I don't remember installing it; however, it's not running, nor can it be run.

So just to clarify:

  1. Which one is better for performance?

  2. Which is the default firewall that fail2ban uses on centos7?

  3. Does firewalld replace Iptables, or is it just a different way to interact with it?

Thanks ahead!


If you already use firewalld, then you should have fail2ban also use firewalld. There's no point in having it use iptables directly in this scenario. Not to mention that firewallcmd-ipset has much better performance for large ban lists than iptables-multiport.
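As an added example (not part of the original answer or of the fail2ban project), this is the minimal `jail.local` override that makes the `sshd` jail ban through firewalld's ipset action, together with the checks that confirm bans are really landing in firewalld rather than in a stray iptables ruleset. The config path, the `findtime`/`maxretry`/`bantime` values, and the `f2b-sshd` ipset name (the naming used by fail2ban 0.9 and later) are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates a fail2ban
# jail.local that bans via firewalld ipsets, optionally installs it,
# and verifies that bans are applied through firewalld.
# Assumed: config path /etc/fail2ban/jail.local, ipset name f2b-sshd,
# and the ban thresholds below.

# Emit the jail.local content. fail2ban layers jail.local over
# jail.conf, so only the overrides are needed here; [sshd] already
# carries its port and logpath in the stock jail.conf.
render_jail_local() {
    cat <<'EOF'
[DEFAULT]
# Ban through firewalld's direct interface with an ipset instead of
# iptables-multiport: one set lookup per packet, however many
# addresses are banned. banaction_allports is honoured by 0.10+.
banaction = firewallcmd-ipset
banaction_allports = firewallcmd-ipset
# Assumed thresholds: 5 failures within 10 minutes => 1 hour ban
findtime = 10m
maxretry = 5
bantime  = 1h

[sshd]
enabled = true
EOF
}

# Write the override (assumed path) and restart fail2ban so the
# sshd jail is created with the firewalld action.
install_jail_local() {
    render_jail_local > /etc/fail2ban/jail.local
    systemctl enable firewalld fail2ban
    systemctl restart firewalld fail2ban
}

# Defender's checks: the jail is active, the ipset fail2ban manages
# exists, and firewalld carries a direct rule that references it.
# Each command fails non-zero if its piece is missing.
verify_firewalld_banning() {
    fail2ban-client status sshd
    ipset list f2b-sshd
    firewall-cmd --direct --get-all-rules | grep -F 'f2b-sshd'
}

case "${1:-}" in
    install) install_jail_local ;;
    verify)  verify_firewalld_banning ;;
    *)       render_jail_local ;;
esac
```

Run it with no argument to print the override, `install` (as root) to write it and restart the services, and `verify` after a ban has occurred; if `firewall-cmd --direct --get-all-rules` shows no `f2b-sshd` rule while `fail2ban-client status sshd` lists banned IPs, the jail is still using an iptables action and the `banaction` override is not being picked up.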