Should i use Firewalld or Iptables for Fail2ban in Centos 7?

security iptables fail2ban centos7 firewalld

I'm setting up Fail2ban to protect ssh, and I use firewalld, I saw a lot of people recommending to use anaction = iptables-multiport and other solutions using iptables instead of firewalld claiming that it is faster or consumes less resources.

As I said before I already configured firewalld(actualy I just blocked all the ports except the ones I use which took me 3 min), and I wanted to know if I should use iptables or firewalld by setting firewallcmd-ipset instead of the above configuration(whichever will be faster).

Also I noticed that I have an iptables package installed even tough I don't remember installing it, however it's not running nor can be run.

So just to clarify:

  1. Which one is better for performance?

  2. Which is the default firewall that fail2ban uses on centos7?

  3. Does firewalld replaces Iptables, or is it just a different way to interact with it?

Thanks ahead!


If you already use firewalld, then you should have fail2ban also use firewalld. There's no point in having it use iptables directly in this scenario. Not to mention that firewallcmd-ipset has much better performance for large ban lists than iptables-multiport.

Related

Logstash with journald instead of rsyslog
controlling access while caching video content on-site on client's network
Prevent writing to unmounted sshfs mount point
Is it valid to have SPF records for a domain that is a CNAME?
Secure Graphite installation
How to configure Windows to trust a network share using a GPO?
start systemd service on start of requirement
How do I tell ESXi 5.5 to autostart virtual machines from ssh/CLI only?
What is the good practice for adding known keys/fingerprints to known_hosts
Can I make Nginx automatically OCSP staple certificates at reload/restart?
Is it possible to downgrade Windows Server 2016 Datacenter to Standard?
Register-ClusteredScheduledTask : The parameter is incorrect