Master Linux Firewall: From iptables Basics to Advanced Configurations
This comprehensive guide walks you through Linux's iptables firewall, explaining Netfilter fundamentals, the four-table five-chain architecture, rule syntax, common parameters, NAT and SNAT techniques, logging setup, and practical command examples for building secure and efficient firewall policies.
Introduction
iptables is the user-space command for configuring Netfilter firewall rules in the Linux kernel. It works with tables and chains to filter packets, perform network address translation (NAT), modify packet attributes, or control connection tracking.
Netfilter framework
Packet filtering – allow or block packets.
Network address translation – modify source or destination addresses.
Packet modification – change TTL, TOS, etc.
Connection tracking – maintain state for stateful firewalls.
iptables tables and chains
filter (default) – chains: INPUT, OUTPUT, FORWARD; priority: low.
nat – chains: PREROUTING, POSTROUTING, OUTPUT; priority: medium.
mangle – chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD; priority: high.
raw – chain: PREROUTING; priority: highest.
Rule processing
iptables checks rules in a chain sequentially.
When a rule matches, processing stops and the rule’s target is executed.
If no rule matches, the chain’s default policy (usually ACCEPT or DROP) is applied.
iptables syntax
iptables [-t table] command [chain] [rule-specification] [-j target]
Basic command format
iptables [-t table] -A|-I|-D|-R|-L ...
table: filter (default), nat, mangle, raw.
command: -A (append), -I (insert), -D (delete), -R (replace), -L (list), etc.
chain: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING.
rule-specification: match criteria such as -p tcp, -s 192.168.1.0/24, --dport 22, etc.
target: action to take, e.g., ACCEPT, DROP, REJECT, LOG, DNAT, SNAT, MASQUERADE, REDIRECT.
Common operations
Listing rules
iptables -L INPUT -nv --line-numbers
Adding rules
# Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established/related connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Block external ICMP echo requests (ping)
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# Allow SSH (port 22) and HTTP (port 80)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Deleting rules
# Delete the first rule in INPUT chain
iptables -D INPUT 1
# Delete a specific rule matching port 80
iptables -D INPUT -p tcp --dport 80 -j ACCEPT
Saving and restoring rules
# Save current rules
iptables-save > /etc/iptables/rules.v4
# Restore saved rules
iptables-restore < /etc/iptables/rules.v4
Practical examples
Basic firewall policy
# Flush all existing rules
iptables -F
# Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback and established connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH and HTTP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
NAT and port forwarding
REDIRECT (port forwarding)
# Redirect external port 80 to local port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
# Forward a range of ports
iptables -t nat -A PREROUTING -p tcp --dport 1000:2000 -j REDIRECT --to-ports 3000:4000
DNAT (destination NAT)
# Forward traffic destined for the public IP to an internal server
iptables -t nat -A PREROUTING -d 192.0.2.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:8080
SNAT / MASQUERADE (source NAT)
# Static SNAT – change source address of an internal host
iptables -t nat -A POSTROUTING -s 192.168.1.100 -o eth0 -j SNAT --to-source 192.0.2.1
# MASQUERADE – dynamic source NAT for interfaces with changing public IPs
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
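The basic firewall policy and the DNAT/MASQUERADE rules above, written as one iptables-save file and loaded atomically, as an added example that is not part of the original article. It assumes the public interface is eth0, reuses the page's addresses 192.0.2.1 (public) and 192.168.1.100 (internal), and picks /etc/iptables/rules.v4 as the save path; the INVALID drop, the FORWARD rules and the rate-limited LOG at the end of INPUT are additions that make the DNAT example actually pass traffic and make dropped packets visible.

```shell
# Added example, not from the original article. Assumed: interface eth0,
# addresses 192.0.2.1 / 192.168.1.100 from the page, save path below.
RULES_FILE=${RULES_FILE:-/etc/iptables/rules.v4}

render_ruleset() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.0.2.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTABLES-INPUT: "
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 192.168.1.100 -p tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of rules appended to a chain, e.g. "rule_count INPUT" prints 6.
rule_count() {
  render_ruleset | grep -c -e "^-A $1 "
}

# Parse first, then commit: a typo rejects the whole file and the running
# ruleset is untouched, unlike "iptables -F" followed by one command per
# rule over SSH, which cuts the session as soon as INPUT defaults to DROP.
# DNAT to the internal host also needs net.ipv4.ip_forward=1 via sysctl.
apply_ruleset() {
  tmp=$(mktemp) || return 1
  render_ruleset > "$tmp"
  iptables-restore --test < "$tmp" &&
    iptables-restore < "$tmp" &&
    cp "$tmp" "$RULES_FILE"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}
```

apply_ruleset must run as root on the firewall host; render_ruleset and rule_count run anywhere, which is how the file can be reviewed before it is ever loaded.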
Logging
Configure rsyslog to store iptables logs in /var/log/iptables.log.
Add logging rules:
# Log all incoming packets
iptables -A INPUT -j LOG --log-prefix "IPTABLES-INPUT: " --log-level 7
# Log outgoing packets
iptables -A OUTPUT -j LOG --log-prefix "IPTABLES-OUTPUT: " --log-level info
# Rate-limit logs to avoid flooding
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTABLES-INPUT: "
Log level numbers: emerg 0, alert 1, crit 2, error 3, warn 4, notice 5, info 6, debug 7.
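The rsyslog routing the section asks for, plus a small triage of the resulting lines, as an added example that is not from the original article. The rsyslog fragment path /etc/rsyslog.d/10-iptables.conf is assumed, and the log lines in SAMPLE_LOG are constructed in the key=value format the LOG target emits.

```shell
# Added example, not from the original article. Assumed path for the
# fragment: /etc/rsyslog.d/10-iptables.conf. SAMPLE_LOG is constructed.

# Legacy rsyslog filter syntax: select kernel messages carrying the
# --log-prefix, write them to their own file, then stop so the same
# lines do not also flood /var/log/syslog.
rsyslog_fragment() {
  cat <<'EOF'
:msg, contains, "IPTABLES-" -/var/log/iptables.log
& stop
EOF
}

# Constructed lines in LOG-target format; the last one is an unrelated
# sshd message that the parser must ignore.
SAMPLE_LOG='Mar  3 10:15:01 gw kernel: IPTABLES-INPUT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: IPTABLES-INPUT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=51235 DPT=23 SYN URGP=0
Mar  3 10:15:03 gw kernel: IPTABLES-INPUT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=51236 DPT=23 SYN URGP=0
Mar  3 10:15:04 gw kernel: IPTABLES-INPUT: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=40000 DPT=3389 SYN URGP=0
Mar  3 10:15:05 gw kernel: IPTABLES-INPUT: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar  3 10:15:06 gw sshd[812]: Accepted publickey for ops from 192.168.1.50 port 50122'

# Reads syslog lines on stdin and prints "hits source dport", busiest
# first, for lines carrying the prefix. Packets without a DPT field
# (ICMP) are reported with "-" as the port.
summarize_iptables_log() {
  awk '
    /IPTABLES-INPUT: / {
      src = ""; dpt = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "") hits[src " " dpt]++
    }
    END { for (k in hits) print hits[k], k }
  ' | sort -rn
}
```

Run it as `summarize_iptables_log < /var/log/iptables.log` on the host; with the rate limit above in place the counts are a sample of what was dropped, not a full tally.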
Advanced matching extensions
multiport – match multiple ports.
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
# A port range also goes through multiport; --dports is not valid without -m multiport
iptables -A INPUT -p tcp -m multiport --dports 8000:9000 -j ACCEPT
iprange – match a range of source IP addresses.
iptables -A INPUT -m iprange --src-range 192.168.1.100-192.168.1.200 -j DROP
mac – match source MAC address.
iptables -A INPUT -m mac --mac-source 00:1A:2B:3C:4D:5E -j ACCEPT
conntrack – match connection state.
# Allow established and related connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow new SSH connections
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT
Common ctstate values: NEW, ESTABLISHED, RELATED, INVALID, UNTRACKED, SNAT, DNAT, NONE.
Raymond Ops
Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.