Master iptables: From Basic Rules to Persistent NAT and Port Forwarding
This guide explains how iptables works, covering common scenarios such as blocking IPs, port forwarding, NAT configurations, the structure of tables and chains, and how to persist rules across reboots, with concrete command examples and practical tips.
Common Scenarios
1. Block IP access to a backend server
To prevent a source IP (e.g., 192.168.64.7) from reaching a backend IP (192.168.64.6), add a rule to the INPUT chain on the backend server:
# Drop matching traffic
iptables -A INPUT -s 192.168.64.7 -d 192.168.64.6 -j DROP
# Or reject, so the client sees a connection-refused error instead of a timeout
iptables -A INPUT -s 192.168.64.7 -d 192.168.64.6 -j REJECT
# Reject only TCP traffic on port 80
iptables -A INPUT -s 192.168.64.7 -d 192.168.64.6 -p tcp --dport 80 -j REJECT
List, number, delete or flush rules with:
# List rules verbosely with numeric output
iptables -L -n -v
# List with line numbers
iptables -L --line-numbers
# Delete the first rule in INPUT chain
iptables -D INPUT 1
# Flush all rules in INPUT chain
iptables -F INPUT
# Flush all rules in the default (filter) table
iptables -F
2. Port forwarding
Linux disables IPv4 forwarding by default. Enable it temporarily with:
sysctl -w net.ipv4.ip_forward=1
To make it permanent, add net.ipv4.ip_forward=1 to /etc/sysctl.conf and apply it with sudo sysctl -p.
Forward local port 8080 to port 80 on the same machine:
# PREROUTING for external connections
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80
External clients can reach the service, but a local curl 127.0.0.1:8080 fails because locally generated packets never traverse PREROUTING.
For local redirection, use the OUTPUT chain:
# Clear existing nat rules
iptables -F -t nat
# Redirect locally generated traffic on port 8080 to port 80
iptables -t nat -A OUTPUT -p tcp --dport 8080 -j REDIRECT --to-ports 80
3. Sharing Internet access for an internal network
Typical NAT use case: multiple private hosts need to reach the public Internet through a single public IP.
SNAT modifies the source address of outgoing packets.
DNAT modifies the destination address of incoming packets.
MASQUERADE works like SNAT but automatically uses the IP of the outgoing interface.
Example: masquerade a LAN (10.1.2.0/24) behind a public IP (192.168.184.131):
# Enable forwarding
sudo sysctl -w net.ipv4.ip_forward=1
# SNAT example
iptables -t nat -A POSTROUTING -s 10.1.2.0/24 -o ens33 -j SNAT --to-source 192.168.184.131
# Equivalent MASQUERADE rule
iptables -t nat -A POSTROUTING -s 10.1.2.0/24 -j MASQUERADE
Understanding iptables Tables and Chains
iptables organizes rules into tables, each containing specific chains:
filter – default table for packet filtering (chains: INPUT, FORWARD, OUTPUT).
nat – for Network Address Translation (chains: PREROUTING, POSTROUTING, OUTPUT).
mangle – for packet header alterations (chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING).
raw – for early processing before connection tracking (chains: PREROUTING, OUTPUT).
security – for mandatory access control rules such as SELinux (chains: INPUT, FORWARD, OUTPUT).
Typical packet flow:
Incoming packet destined for the local host: PREROUTING → INPUT.
Incoming packet destined for another host: PREROUTING → FORWARD → POSTROUTING.
Locally generated packet: OUTPUT → POSTROUTING.
Where several tables hook into the same chain, they are consulted in the order raw → mangle → nat → filter. Within a chain, rules are tried from top to bottom and the first matching rule with a terminating target (such as ACCEPT, DROP or REJECT) decides the packet; the rules after it are not consulted.
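Because a chain is walked top to bottom and a repeated iptables -A simply appends another copy of the same rule behind the existing ones, a setup script that is run twice leaves duplicates, and deleting by position (iptables -D INPUT 1, as in scenario 1) removes whatever happens to be first at that moment. The helper below is an added example, not code from the original article: it tests for a rule by its full specification with iptables -C before appending, and deletes by specification rather than by number, so scenario 1's blocking rule can be applied and removed repeatedly. The IPTABLES variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original article): idempotent rule handling.
# Re-running a script of "iptables -A ..." lines appends a second copy of every
# rule, and "iptables -D INPUT 1" deletes whatever currently sits at position 1.
# Checking the exact rule specification with "iptables -C" avoids both.
#
# IPTABLES may point at a wrapper ("sudo iptables") or, for tests without root,
# at a stub. The variable and function names are this example's own.
IPTABLES="${IPTABLES:-iptables}"

# ensure_rule CHAIN MATCH... : append the rule unless an identical one exists.
# Returns 0 when the rule is present afterwards.
ensure_rule() {
  chain=$1
  shift
  if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
    return 0                      # already present, nothing to do
  fi
  "$IPTABLES" -A "$chain" "$@"
}

# remove_rule CHAIN MATCH... : delete every copy of the rule by specification,
# not by line number, so the call is safe to repeat and order-independent.
remove_rule() {
  chain=$1
  shift
  while "$IPTABLES" -C "$chain" "$@" 2>/dev/null; do
    "$IPTABLES" -D "$chain" "$@" || return 1
  done
  return 0
}

# block_host SRC DST : scenario 1 ("block IP access to a backend") applied
# idempotently on the backend server; a second call adds nothing.
block_host() {
  ensure_rule INPUT -s "$1" -d "$2" -j DROP
}

# unblock_host SRC DST : the matching removal.
unblock_host() {
  remove_rule INPUT -s "$1" -d "$2" -j DROP
}

# Usage (root and a real iptables required):
#   block_host 192.168.64.7 192.168.64.6
#   block_host 192.168.64.7 192.168.64.6    # -C finds the rule, no duplicate
#   iptables -L INPUT -n --line-numbers     # exactly one DROP rule listed
#   unblock_host 192.168.64.7 192.168.64.6
```

iptables -C exits non-zero when the rule is absent, which is what makes the check-then-append pattern work; it also exits non-zero when the chain does not exist, in which case the following -A fails loudly rather than silently doing nothing.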
Persisting iptables Rules
Rules exist only in memory; a reboot clears them. Install iptables-persistent to save rules to /etc/iptables/rules.v4:
sudo apt update
sudo apt install iptables-persistent
After configuring rules, save them with:
sudo netfilter-persistent save
To restore from the saved file after accidental changes:
sudo netfilter-persistent reload
Link: https://www.cnblogs.com/aaronlinv/p/18628447
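Once rules are saved to /etc/iptables/rules.v4, the file is also a convenient place to review a gateway configuration before it is reloaded at boot. The script below is an added example, not code from the original article or from the iptables-persistent project: it audits a saved rules file for two problems that the NAT commands in scenario 3 make easy to commit, a MASQUERADE or SNAT rule with no -o interface (which translates traffic leaving on every interface, LAN side included) and a FORWARD chain left at policy ACCEPT with no rules once ip_forward is enabled. The two sample files are constructed for the example; ens33 is the article's outgoing interface and ens34 is an assumed name for the LAN interface.

```shell
#!/bin/sh
# Added example (not part of the original article): audit a saved
# iptables-save / rules.v4 file for two common NAT-gateway mistakes.
#   1. MASQUERADE or SNAT without "-o <iface>": the translation applies to
#      traffic leaving through every interface, including the LAN side.
#   2. FORWARD policy ACCEPT with no FORWARD rules on a host that does NAT:
#      with ip_forward=1 the box routes freely between all its networks.
# Function names and the sample rule sets are this example's own; ens33 is the
# article's outgoing interface, ens34 an assumed LAN interface name.

# audit_rules FILE : print one "FINDING:" line per problem; the return value
# is the number of findings (0 means clean).
audit_rules() {
  file=$1
  findings=0

  # 1. Source NAT rules that do not name an outgoing interface.
  loose_nat=$(grep -E -- '-j (MASQUERADE|SNAT)' "$file" \
              | grep -Ev -- '(^| )-o [^ ]+' || true)
  if [ -n "$loose_nat" ]; then
    printf '%s\n' "$loose_nat" \
      | sed 's/^/FINDING: source NAT not bound to an outgoing interface (-o): /'
    findings=$((findings + $(printf '%s\n' "$loose_nat" | wc -l)))
  fi

  # 2. Open FORWARD chain on a host that also does source NAT.
  if grep -q -- '^:FORWARD ACCEPT' "$file" \
     && ! grep -q -- '^-A FORWARD ' "$file" \
     && grep -Eq -- '^-A POSTROUTING .*-j (MASQUERADE|SNAT)' "$file"; then
    printf 'FINDING: FORWARD policy is ACCEPT with no filtering rules on a NAT gateway\n'
    findings=$((findings + 1))
  fi
  return "$findings"
}

# finding_count FILE : the number of findings on stdout, exit status always 0.
finding_count() {
  audit_rules "$1" | grep -c '^FINDING:' || true
}

# syntax_check FILE : let iptables-restore parse FILE without loading it.
# Returns 3 when iptables-restore is not installed (skipped, not failed).
syntax_check() {
  command -v iptables-restore >/dev/null 2>&1 || return 3
  iptables-restore --test < "$1"
}

# Constructed sample: the article's scenario-3 rules as iptables-save dumps them.
loose_ruleset() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.1.2.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Constructed sample: same gateway, NAT bound to ens33 and FORWARD limited to
# LAN->WAN traffic plus the replies that connection tracking recognises.
hardened_ruleset() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.1.2.0/24 -o ens33 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.2.0/24 -i ens34 -o ens33 -j ACCEPT
COMMIT
EOF
}

# Usage: audit both samples.
tmp=$(mktemp)
loose_ruleset > "$tmp"
audit_rules "$tmp" || echo "loose ruleset: $? finding(s)"
hardened_ruleset > "$tmp"
audit_rules "$tmp" && echo "hardened ruleset: no findings"
rm -f "$tmp"
```

syntax_check hands the same file to iptables-restore --test, which parses the rule set without committing it, so a typo in rules.v4 is caught before the next boot rather than by a host that comes up with no firewall; on a machine without iptables-restore it returns 3 so callers can treat that as skipped rather than failed.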
Liangxu Linux
Liangxu, a self-taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge: fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.