iptables Tutorial: Port Forwarding, Tables, Chains, Commands, and Security Best Practices

This article provides a comprehensive guide to using iptables for port forwarding, explains the four tables and five chains, details common command syntax, match criteria, actions, additional modules, and includes practical examples for NAT configuration and protecting against small‑scale attacks.

Practical DevOps Architecture

Interview question example: forward local port 80 to port 8080 on a host with IP 192.168.200.10 using iptables. The rule goes in the nat table's PREROUTING chain, which rewrites the destination of packets arriving from the network before routing (connections the host makes to itself pass through the nat OUTPUT chain instead, so they are not affected by this rule):

iptables -t nat -A PREROUTING -d 192.168.200.10 -p tcp --dport 80 -j DNAT --to-destination 192.168.200.10:8080

iptables four tables:

filter – packet filtering, nat – network address translation (port and address mapping), mangle – packet modification, raw – bypass connection tracking.

Five built‑in chains:

INPUT – packets destined for the local host, OUTPUT – locally generated packets, FORWARD – packets routed through the host, PREROUTING – destination address modification (DNAT) before routing, POSTROUTING – source address modification (SNAT) after routing.

Common command options: iptables -A … (append), -I (insert), -D (delete, e.g., iptables -D INPUT 3), -F (flush), -L (list, use -vnL for detailed view), -P (set default policy).

Match criteria examples:

-i (incoming interface), -o (outgoing interface), -s (source address, e.g., -s 192.168.1.0/24), -d (destination address), -p (protocol), --sport (source port, range possible), --dport (destination port).

Actions:

ACCEPT – allow packet, DROP – discard packet, REJECT – discard and send error, SNAT – source NAT in POSTROUTING, DNAT – destination NAT in PREROUTING, MASQUERADE – dynamic source NAT for changing IPs.

Additional modules:

state – match connection state, e.g.:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

mac – match source MAC address, limit – rate limiting, multiport – match multiple ports separated by commas.

Preventing small‑scale attacks:

Allow established connections:

iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

Limit concurrent connections per IP:

iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 30 -j REJECT

Limit new connections per second (SYN flood / DDoS mitigation). The limit match only ACCEPTs SYN packets within the rate; the excess must be dropped by a following rule (or by a DROP default policy), otherwise the limit rule has no effect:

iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP

and

iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --syn -j DROP

Configuring NAT mapping:

Enable IP forwarding:

echo "1" > /proc/sys/net/ipv4/ip_forward

SNAT for internal network to external:

iptables -t nat -A POSTROUTING -s [internal IP/subnet] -j SNAT --to [public IP]

DNAT for external access to internal service:

iptables -t nat -A PREROUTING -d [public IP] -p tcp --dport [public port] -j DNAT --to [internal IP:internal port]

Example to redirect local port 80 to 8080 (--to-ports is an option of the REDIRECT target, which rewrites the destination to the local host; the DNAT target takes --to-destination instead):

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

Basic user configuration example (rules are evaluated in order, so loopback and established traffic are accepted before the ICMP drop, and the DROP policy is set last so you are not locked out while the rules load):

iptables -F
iptables -t nat -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 22,80,8080 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 53 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -P INPUT DROP
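The rules from the NAT, attack-prevention and basic-configuration sections above, assembled into one iptables-restore ruleset. This is an added example, not the article's own commands: the public address 203.0.113.10, the LAN 192.168.1.0/24, the backend 192.168.1.20:8080, the interface eth0 and the SYN_LIMIT chain name are constructed placeholders, and the conntrack match is used in place of the older state alias. It settles two things the one-liners leave open: the loopback ACCEPT is ordered before the ICMP DROP, and the SYN rate limit lives in its own chain that ends in DROP, so excess SYNs are discarded instead of falling through to the later allow rules.

```shell
#!/bin/sh
# Added example, not from the original article: build the article's NAT and
# filtering rules as one iptables-restore ruleset. Loading a whole ruleset at
# once is atomic, so a DROP policy in it cannot lock you out the way typing
# `iptables -P INPUT DROP` before the ACCEPT rules would.
# All addresses, ports and interface names are constructed placeholders.

PUBLIC_IP="203.0.113.10"        # constructed: address on the internet-facing side
PUBLIC_PORT="80"                # port clients connect to
INTERNAL_NET="192.168.1.0/24"   # constructed: LAN behind this host
INTERNAL_HOST="192.168.1.20"    # constructed: backend that really serves the app
INTERNAL_PORT="8080"
WAN_IF="eth0"                   # constructed: interface facing the internet
SYN_RATE="1/s"                  # the article's values; far too low for real traffic
SYN_BURST="3"
CONN_PER_IP="30"

# nat table: DNAT publishes the backend, SNAT rewrites the LAN's source address.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d $PUBLIC_IP -p tcp --dport $PUBLIC_PORT -j DNAT --to-destination $INTERNAL_HOST:$INTERNAL_PORT
-A POSTROUTING -s $INTERNAL_NET -o $WAN_IF -j SNAT --to-source $PUBLIC_IP
COMMIT
EOF
}

# filter table. Order matters: loopback and established traffic are accepted
# first, the SYN limiter runs before the per-port allow rules, and the chain
# policy is DROP so anything unmatched is discarded.
filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_LIMIT - [0:0]
-A SYN_LIMIT -m limit --limit $SYN_RATE --limit-burst $SYN_BURST -j RETURN
-A SYN_LIMIT -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --syn --dport $PUBLIC_PORT -m connlimit --connlimit-above $CONN_PER_IP -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --syn -j SYN_LIMIT
-A INPUT -p tcp -m multiport --dports 22,80,8080 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -s $INTERNAL_NET -j ACCEPT
-A INPUT -p icmp -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp --syn -j SYN_LIMIT
-A FORWARD -d $INTERNAL_HOST -p tcp --dport $INTERNAL_PORT -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -s $INTERNAL_NET -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

build_ruleset() { nat_rules; filter_rules; }

# 1-based line number of the first ruleset line matching the pattern (0 if none).
rule_line() {
    n=$(build_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Ordering checks to run before loading: loopback ACCEPT before the ICMP DROP,
# the limiter before the port allow rules, and the limiter's DROP after its RETURN.
check_order() {
    [ "$(rule_line '-A INPUT -i lo -j ACCEPT')" -lt "$(rule_line '-A INPUT -p icmp -j DROP')" ] || return 1
    [ "$(rule_line '-A INPUT -p tcp --syn -j SYN_LIMIT')" -lt "$(rule_line '-m multiport')" ] || return 1
    [ "$(rule_line '-A SYN_LIMIT -j DROP')" -gt "$(rule_line '-A SYN_LIMIT -m limit')" ] || return 1
    return 0
}

# Parse-only load through iptables-restore; needs root and the iptables tools.
dry_run() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
        echo "dry run skipped: needs root and iptables-restore" >&2
        return 0
    fi
    build_ruleset | iptables-restore --test
}

# Apply for real: forwarding must be on for the DNAT/SNAT path to work.
apply() {
    sysctl -w net.ipv4.ip_forward=1
    build_ruleset | iptables-restore
}

case "${1:-print}" in
    print) build_ruleset ;;
    check) check_order && echo "rule order ok" ;;
    test)  dry_run ;;
    apply) apply ;;
esac
```

`sh rules.sh` prints the ruleset, `sh rules.sh check` verifies the ordering, `sh rules.sh test` parses it with `iptables-restore --test` (root only) and `sh rules.sh apply` loads it. The FORWARD rules accept DNAT'd traffic only by its conntrack state, so only connections that actually matched the PREROUTING DNAT reach the backend; a plain `-d 192.168.1.20 --dport 8080 ACCEPT` would also admit anyone who can route to the LAN address directly.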
Written by

Practical DevOps Architecture

Hands‑on DevOps operations using Docker, K8s, Jenkins, and Ansible—empowering ops professionals to grow together through sharing, discussion, knowledge consolidation, and continuous improvement.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.