iptables Tutorial: Port Forwarding, Tables, Chains, Commands, and Security Best Practices
This article provides a comprehensive guide to using iptables for port forwarding, explains the four tables and five chains, details common command syntax, match criteria, actions, additional modules, and includes practical examples for NAT configuration and protecting against small‑scale attacks.
Interview question example: using iptables, forward port 80 on a host with IP 192.168.200.10 to port 8080 on the same host.
iptables -t nat -A PREROUTING -d 192.168.200.10 -p tcp --dport 80 -j DNAT --to-destination 192.168.200.10:8080
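Added example (written for this edit, not code from the original article): a small shell script that emits the rules for the interview scenario and covers the caveat the question usually hides. The nat PREROUTING chain only sees packets arriving from other hosts; a check run on the host itself (curl to its own address) traverses the nat OUTPUT chain instead, and the filter INPUT chain is matched against the rewritten port, not the original one. The function names, the DRY_RUN variable and the REDIRECT variant are this example's own assumptions; the address and ports are the page's.

```shell
#!/bin/sh
# Added example, not from the original article. Emits the iptables commands that
# redirect TCP port 80 to 8080 on a single host, covering both traffic paths.
# HOST, PUB_PORT and INT_PORT are hypothetical parameters. DRY_RUN=1 (the default)
# prints the commands instead of executing them, so this runs without root.

port_redirect_rules() {
    host=$1; pub_port=$2; int_port=$3
    # Packets arriving from other machines traverse nat PREROUTING before routing.
    printf '%s\n' "iptables -t nat -A PREROUTING -d $host -p tcp --dport $pub_port -j DNAT --to-destination $host:$int_port"
    # Packets generated on this host never see PREROUTING; they traverse the
    # nat OUTPUT chain, so a local test needs the same rewrite there.
    printf '%s\n' "iptables -t nat -A OUTPUT -d $host -p tcp --dport $pub_port -j DNAT --to-destination $host:$int_port"
    # The filter table still has to admit the post-NAT packet: INPUT sees the
    # rewritten destination port (8080), not the original one (80).
    printf '%s\n' "iptables -A INPUT -p tcp --dport $int_port -m conntrack --ctstate NEW -j ACCEPT"
}

# Local-only alternative: REDIRECT rewrites the destination to the address of
# the interface the packet arrived on, and it is the target that takes --to-ports.
port_redirect_rules_redirect() {
    pub_port=$1; int_port=$2
    printf '%s\n' "iptables -t nat -A PREROUTING -p tcp --dport $pub_port -j REDIRECT --to-ports $int_port"
    printf '%s\n' "iptables -t nat -A OUTPUT -o lo -p tcp --dport $pub_port -j REDIRECT --to-ports $int_port"
}

# Read commands from stdin; print them under DRY_RUN=1, otherwise run them.
apply_or_print() {
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            printf '%s\n' "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Number of rules the DNAT variant generates (used for checks).
rule_count() { port_redirect_rules "$@" | wc -l | tr -d ' '; }

# Example run with the page's host; DRY_RUN defaults to 1, so this only prints.
port_redirect_rules 192.168.200.10 80 8080 | apply_or_print
```

Run it once with DRY_RUN=1 to review the three commands, then with DRY_RUN=0 as root to install them; the REDIRECT form is the shorter choice when the service really lives on the same host and the public address may change.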
The four iptables tables:
filter – packet filtering (the default table when -t is omitted)
nat – network address translation (address and port mapping)
mangle – packet modification
raw – exempt packets from connection tracking
The five built‑in chains:
INPUT – packets destined for the local host
OUTPUT – packets generated by the local host
FORWARD – packets routed through the host
PREROUTING – packets as they arrive, before the routing decision (where destination address modification, DNAT, is done)
POSTROUTING – packets as they leave, after the routing decision (where source address modification, SNAT, is done)
Common command options:
-A – append a rule to the end of a chain
-I – insert a rule (at the top of the chain by default)
-D – delete a rule (e.g. iptables -D INPUT 3 deletes rule number 3 of INPUT)
-F – flush all rules from a chain or table
-L – list rules (use -vnL for packet counters, interfaces and numeric addresses)
-P – set the default policy of a built‑in chain
Match criteria examples:
-i – incoming interface
-o – outgoing interface
-s – source address (e.g. -s 192.168.1.0/24)
-d – destination address
-p – protocol
--sport – source port (requires -p tcp or -p udp; a range can be given as first:last)
--dport – destination port (same requirements as --sport)
Actions (targets):
ACCEPT – let the packet through
DROP – discard the packet silently
REJECT – discard the packet and send an error back to the sender
SNAT – source NAT, used in POSTROUTING
DNAT – destination NAT, used in PREROUTING
MASQUERADE – source NAT to the outgoing interface's current address, for hosts whose public IP changes
Additional match modules:
state – match connection state (e.g. iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT); -m conntrack --ctstate is the newer equivalent
mac – match the source MAC address
limit – rate limiting
multiport – match several ports separated by commas
Preventing small‑scale attacks:
Allow established connections: iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
Limit concurrent connections per source IP (more than 30 open connections to port 80 from one address are rejected): iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 30 -j REJECT
Limit new connections per second (SYN‑flood / DDoS mitigation): iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT and iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT. These rules only ACCEPT SYNs within the rate; SYNs above the rate fall through to the following rules, so they must be followed by a rule that drops --syn packets (or run under a DROP chain policy) to have any effect.
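Added example (written for this edit, not code from the original article): the SYN rate limit from the text completed with the DROP rule it needs, plus a simplified token-bucket model of how --limit and --limit-burst decide which SYNs match. The model is this example's own approximation of the kernel's limit match (which keeps a credit counter in jiffies), not the kernel code; the arrival times are constructed. Note that 1/s with a burst of 3, the values in the text, is far too low for any busy web server and will drop legitimate clients.

```shell
#!/bin/sh
# Added example, not from the original article.
# RATE (per second), BURST and PORT are hypothetical parameters.

syn_limit_rules() {
    rate=$1; burst=$2; port=$3
    # The limit match only ACCEPTs while tokens remain. On its own it does nothing
    # to the excess: those SYNs fall through to the next rule, so an explicit DROP
    # for the same traffic must follow (or the chain policy must be DROP).
    printf '%s\n' "iptables -A INPUT -p tcp --dport $port --syn -m limit --limit $rate/s --limit-burst $burst -j ACCEPT"
    printf '%s\n' "iptables -A INPUT -p tcp --dport $port --syn -j DROP"
}

# Simplified model of the limit match: a bucket holding at most BURST tokens,
# refilled at RATE tokens per second, one token spent per matching packet.
# Tokens are scaled by 1000 so that integer shell arithmetic works in milliseconds.
# Usage: simulate_limit RATE BURST t1 t2 ... (arrival times in ms, ascending)
# Output: one line per packet, "<ms> ACCEPT" or "<ms> DROP".
simulate_limit() {
    rate=$1; burst=$2; shift 2
    cap=$((burst * 1000))
    tokens=$cap
    last=0
    for t in "$@"; do
        # Refill for the time elapsed since the previous packet, capped at the burst.
        tokens=$((tokens + (t - last) * rate))
        [ "$tokens" -gt "$cap" ] && tokens=$cap
        last=$t
        if [ "$tokens" -ge 1000 ]; then
            tokens=$((tokens - 1000))
            printf '%s ACCEPT\n' "$t"
        else
            printf '%s DROP\n' "$t"
        fi
    done
}

# How many of the given arrival times the limit match would let through.
accepted_count() { simulate_limit "$@" | grep -c ACCEPT; }

# Constructed burst: five SYNs within 400 ms, then two spaced out.
# With --limit 1/s --limit-burst 3 the first three pass, the next two are
# dropped, and the two later ones pass once the bucket has refilled.
simulate_limit 1 3 0 100 200 300 400 1500 3000
syn_limit_rules 1 3 80
```

The model shows why --limit-burst matters more than --limit for short bursts: the burst is the initial token count, and once it is spent only the steady rate gets through, so a legitimate browser opening six parallel connections is cut to three under the text's values.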
Configuring NAT mapping:
Enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward (takes effect immediately but is lost on reboot; set net.ipv4.ip_forward = 1 in the sysctl configuration to make it persistent)
SNAT for internal network to external: iptables -t nat -A POSTROUTING -s [internal IP/subnet] -j SNAT --to-source [public IP]
DNAT for external access to an internal service: iptables -t nat -A PREROUTING -d [public IP] -p tcp --dport [public port] -j DNAT --to-destination [internal IP]:[internal port]
Example to forward local port 80 to 8080: iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080 (--to-ports is an option of the REDIRECT target, which rewrites the destination to the host's own address; it is not accepted by DNAT)
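Added example (written for this edit, not the article's or any project's code): the SNAT and DNAT rules above assembled into one NAT gateway ruleset in iptables-restore format, so the whole configuration can be reviewed, diffed and loaded atomically. It also adds what the text leaves out: with a DROP policy the routed packets still have to be accepted in the filter FORWARD chain, and the DNATed flow reaches FORWARD with its rewritten destination. The network, interface, addresses and port are hypothetical values; nothing here touches the kernel unless apply_ruleset or enable_forwarding is called as root.

```shell
#!/bin/sh
# Added example, not from the original article.
# Parameters (all hypothetical): LAN subnet, WAN interface, fixed public IP,
# internal service IP and service port.

enable_forwarding() {
    # Immediate effect plus a sysctl.d drop-in so it survives a reboot
    # (the bare /proc write shown in the text is lost on restart).
    sysctl -w net.ipv4.ip_forward=1
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-ip-forward.conf
}

nat_gateway_ruleset() {
    lan=$1; wan_if=$2; public_ip=$3; svc_ip=$4; svc_port=$5
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish the internal service: rewrite the destination before routing.
-A PREROUTING -i $wan_if -d $public_ip -p tcp --dport $svc_port -j DNAT --to-destination $svc_ip:$svc_port
# Hide the LAN behind the fixed public address when leaving via the WAN interface.
-A POSTROUTING -s $lan -o $wan_if -j SNAT --to-source $public_ip
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# NAT alone is not enough: routed packets are also filtered in FORWARD.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $lan -o $wan_if -j ACCEPT
# The DNATed flow reaches FORWARD with the rewritten destination, so match on that.
-A FORWARD -i $wan_if -d $svc_ip -p tcp --dport $svc_port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Load atomically: iptables-restore installs the whole file or nothing.
apply_ruleset() {
    nat_gateway_ruleset "$@" | iptables-restore
}

# Number of rules the generated ruleset puts in a given chain (for checks).
chain_rule_count() {
    chain=$1; shift
    nat_gateway_ruleset "$@" | grep -c "^-A $chain "
}

# Print the ruleset for review with constructed values.
nat_gateway_ruleset 192.168.1.0/24 eth0 203.0.113.5 192.168.1.10 443
```

Replace SNAT with "-j MASQUERADE" (and drop --to-source) when the WAN address is assigned dynamically; everything else, including the FORWARD rules, stays the same.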
Basic host configuration example (rules are evaluated in order, so the loopback rule goes first; in the original order the later ICMP DROP also blocked ping to 127.0.0.1. The DROP policy is set last so the session is not cut off while the rules are still being added):
iptables -F
iptables -t nat -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 22,80,8080 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 53 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -P INPUT DROP
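Added example (written for this edit, not code from the original article): the host ruleset above expressed as an iptables-restore file with loopback and established traffic accepted first, and an apply step that rolls the previous rules back automatically unless the operator confirms within a timeout. That rollback is the check a practitioner wants before setting a DROP policy over an SSH session. The port lists, trusted network, confirmation file path and backup path are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article.
# TCP_PORTS and UDP_PORTS are comma-separated lists, TRUSTED_NET a CIDR; all hypothetical.

host_ruleset() {
    tcp_ports=$1; udp_ports=$2; trusted_net=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first: a later "-p icmp -j DROP" would otherwise break ping to
# 127.0.0.1 and local services that talk to themselves over lo.
-A INPUT -i lo -j ACCEPT
# Replies to our own connections; conntrack is the current form of "-m state".
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s $trusted_net -j ACCEPT
-A INPUT -p tcp -m multiport --dports $tcp_ports -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports $udp_ports -j ACCEPT
# Dropping all ICMP also discards path-MTU and unreachable messages; the
# original makes that choice, so it is kept here, but after the loopback rule.
-A INPUT -p icmp -j DROP
COMMIT
EOF
}

# Apply with a rollback timer: the saved ruleset is restored after TIMEOUT
# seconds unless the operator runs "touch /run/fw-confirm" from a session
# that still works. Paths are hypothetical; run as root.
apply_with_rollback() {
    timeout=$1; shift
    iptables-save > /run/fw-backup.rules
    host_ruleset "$@" | iptables-restore || return 1
    rm -f /run/fw-confirm
    ( sleep "$timeout"; [ -e /run/fw-confirm ] || iptables-restore < /run/fw-backup.rules ) &
    printf 'Rules applied; run "touch /run/fw-confirm" within %ss or they roll back.\n' "$timeout"
}

# Line number of the first rule matching a pattern, for ordering checks.
rule_line() {
    pat=$1; shift
    host_ruleset "$@" | grep -n -- "$pat" | head -n 1 | cut -d: -f1
}

# Print the ruleset for review with the page's ports and network.
host_ruleset 22,80,8080 53 192.168.1.0/24
```

Review the printed file, then call apply_with_rollback 30 22,80,8080 53 192.168.1.0/24 as root and confirm from a second SSH session; if that session cannot connect, the old rules come back by themselves after 30 seconds.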