Master Linux Firewall with iptables: From Basics to Real-World Deployment

This article provides a comprehensive guide to Linux iptables, covering its Netfilter foundation, table‑chain‑rule architecture, core syntax, common options, and practical examples for firewall policies, NAT, and logging, enabling readers to configure and manage Linux firewalls from basics to real‑world deployment.

MaGe Linux Operations

iptables Full Guide: From Basics to Practice

iptables is the Linux kernel tool for configuring firewall rules. Built on the Netfilter framework, it can filter, modify, and redirect packets passing through network interfaces, allowing precise control over which packets enter or leave the system.

It operates at the network layer, making decisions based on source/destination addresses, protocol type (TCP, UDP, ICMP, etc.), and port numbers.

1. Introduction

Netfilter is the kernel framework that provides packet filtering, modification, and redirection. It inserts hooks at various stages of the packet processing pipeline (receive, forward, send).

iptables is the user‑space utility that configures Netfilter rules. It defines tables, each containing chains of rules. Key functions include:

Define rules (allow or block specific traffic).

Manage chains (INPUT, OUTPUT, FORWARD are the most common).

1.1 iptables Structure

Tables consist of chains, and chains consist of rules. The hierarchy can be visualized as:

iptables: Table → Chain → Rule.

1.2 Four‑Table Five‑Chain Architecture

The core architecture includes four tables (filter, nat, mangle, raw) and five built‑in chains (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING). Each table has a priority level that determines the order in which packets are processed.

1.3 Rule Matching Process

iptables checks rules in a chain sequentially.

When a packet matches the first applicable rule, processing stops and the rule's target is executed.

If no rule matches, the chain's default policy (usually ACCEPT or DROP) is applied.

2. iptables Syntax

2.1 Basic Syntax

iptables [-t table] command [chain] [rule-specification] [-j target]

table: specify the table (filter, nat, mangle, raw).

command: -A (append), -I (insert), -D (delete), -R (replace), -L (list), etc.

chain: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING.

rule-specification: match criteria such as source, destination, protocol, ports.

target: action to take (ACCEPT, DROP, REJECT, LOG, DNAT, SNAT, MASQUERADE, REDIRECT).

2.2 Common Parameters

2.2.1 View Rules

iptables -t filter -L -nv --line-numbers

2.2.2 Add Rules

# Set default policy to DROP for INPUT and FORWARD
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback interface
iptables -A INPUT -i lo -j ACCEPT

# Allow established/related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop incoming ICMP echo requests (disable ping)
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

# Allow SSH (port 22) and HTTP (port 80)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

2.2.3 Delete Rules

# Delete the first rule in INPUT chain
iptables -D INPUT 1

# Delete a specific rule matching port 80
iptables -D INPUT -p tcp --dport 80 -j ACCEPT

2.2.4 Save/Restore Rules

service iptables save
iptables-save > /etc/iptables/rules.v4
iptables-restore < /etc/iptables/rules.v4

3. Practical Examples

3.1 Basic Firewall Rules

# Flush all existing rules
iptables -F

# Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block external ping
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

# Allow SSH and HTTP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
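The same ruleset as an iptables-restore file, generated by a small script (an added example, not code from the article): policies and accept rules then land in one atomic commit, instead of the sequential commands above, where "iptables -P INPUT DROP" is already active before the SSH accept rule exists. The function names, the port-validation helper and the output path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): emit the section 3.1 ruleset
# in iptables-restore format so that policies and rules are applied in one
# atomic commit. Running the equivalent "iptables -P INPUT DROP" first, as a
# separate command over SSH, leaves a window with the DROP policy active and
# no SSH accept rule yet, which can cut off the administration session.

# valid_port N : true if N is a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
    return 1
}

# gen_filter_rules PORT... : print the filter table with the article's
# defaults (DROP inbound/forward, ACCEPT outbound, loopback, established
# flows, no echo-request) plus an ACCEPT for each listed TCP port.
# Prints nothing and returns 1 if any port is invalid.
gen_filter_rules() {
    for p in "$@"; do
        valid_port "$p" || { echo "gen_filter_rules: bad port '$p'" >&2; return 1; }
    done
    # Policies sit in the table header, so they take effect in the same
    # commit as the ACCEPT rules; rule order below is still first match wins.
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p icmp --icmp-type echo-request -j DROP'
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo COMMIT
}

# Typical use (as root): gen_filter_rules 22 80 > /etc/iptables/rules.v4
#                        iptables-restore < /etc/iptables/rules.v4
```

"iptables-restore --test" parses the generated file without applying it, which is a cheap check before loading rules on a remote host.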

3.2 NAT Rules

# Port redirection (REDIRECT) from 80 to 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

# Destination NAT (DNAT) to internal server 192.168.1.100:8080
iptables -t nat -A PREROUTING -d 192.0.2.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:8080

# Source NAT (SNAT) for internal host 192.168.1.100
iptables -t nat -A POSTROUTING -s 192.168.1.100 -j SNAT --to-source 192.0.2.1

# Masquerade for outbound traffic on eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
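A DNAT port forward needs more than the single PREROUTING rule above when the FORWARD policy is DROP, as in section 3.1: the FORWARD chain must also admit the translated flow and IPv4 forwarding must be enabled. The script below (an added example, not code from the article) applies all three pieces together and checks for an existing rule before appending, so it can be re-run safely. The function names, the address validation helper and the IPT/SYSCTL override variables are this example's own assumptions; the addresses are the article's.

```shell
#!/bin/sh
# Added example (not from the original article): apply a DNAT port forward
# together with the two prerequisites that the single PREROUTING line in
# section 3.2 does not cover. With FORWARD set to DROP (section 3.1), packets
# rewritten by DNAT are still dropped unless the FORWARD chain accepts them,
# and nothing is forwarded at all until net.ipv4.ip_forward is 1.
# IPT and SYSCTL name the real tools; override them to dry-run without root.
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}

# valid_ipv4 A : true for a dotted quad of four decimal octets in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# add_rule TABLE RULE... : append RULE unless an identical rule already exists
# (-C returns 0 on a match), so re-running the script does not duplicate rules.
add_rule() {
    table=$1; shift
    $IPT -t "$table" -C "$@" 2>/dev/null || $IPT -t "$table" -A "$@"
}

# port_forward PUBLIC_IP PUBLIC_PORT INTERNAL_IP INTERNAL_PORT WAN_IF
port_forward() {
    pub_ip=$1; pub_port=$2; int_ip=$3; int_port=$4; wan_if=$5
    if ! valid_ipv4 "$pub_ip" || ! valid_ipv4 "$int_ip"; then
        echo "port_forward: invalid IPv4 address" >&2
        return 1
    fi
    $SYSCTL -w net.ipv4.ip_forward=1 >/dev/null || return 1
    # nat: rewrite the destination before routing; hide internal sources on the way out.
    add_rule nat PREROUTING -i "$wan_if" -d "$pub_ip" -p tcp --dport "$pub_port" \
        -j DNAT --to-destination "$int_ip:$int_port"
    add_rule nat POSTROUTING -o "$wan_if" -j MASQUERADE
    # filter: FORWARD policy is DROP, so admit only the translated flow and its replies.
    add_rule filter FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    add_rule filter FORWARD -i "$wan_if" -d "$int_ip" -p tcp --dport "$int_port" \
        -m state --state NEW -j ACCEPT
}
```

The article's DNAT example corresponds to "port_forward 192.0.2.1 80 192.168.1.100 8080 eth0", run as root.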

3.3 Firewall Logging

# Log all incoming packets (low priority)
iptables -A INPUT -j LOG --log-prefix "IPTABLES-INPUT: " --log-level 7

# Log all outgoing packets (info level)
iptables -A OUTPUT -j LOG --log-prefix "IPTABLES-OUTPUT: " --log-level info

# Rate‑limit logging to avoid log flood
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTABLES-INPUT: "
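Because the INPUT LOG rule is appended after the ACCEPT rules of section 3.1, it records exactly what the DROP policy is about to discard, which makes the log worth summarising by source and destination port. The script below (an added example, not code from the article) does that with awk over constructed sample lines in the kernel's LOG format; the function names and the sample data are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): summarise LOG-target entries
# carrying the "IPTABLES-INPUT: " prefix from section 3.3. Because that LOG
# rule is appended after the ACCEPT rules, it records exactly what the INPUT
# DROP policy is about to discard, so per-source/port counts show what is
# being knocked on. The lines below are constructed samples in the kernel's
# LOG format, not real log data.
SAMPLE_LOG='Mar  3 10:15:01 gw kernel: IPTABLES-INPUT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Mar  3 10:15:02 gw kernel: IPTABLES-INPUT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=3389 SYN URGP=0
Mar  3 10:15:02 gw kernel: IPTABLES-INPUT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TTL=52 ID=3 DF PROTO=TCP SPT=40003 DPT=23 SYN URGP=0
Mar  3 10:15:03 gw kernel: IPTABLES-OUTPUT: IN= OUT=eth0 SRC=192.0.2.1 DST=203.0.113.5 LEN=52 TTL=64 ID=4 DF PROTO=TCP SPT=443 DPT=51000 ACK URGP=0
Mar  3 10:15:04 gw kernel: IPTABLES-INPUT: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=84 TTL=57 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar  3 10:15:05 gw kernel: unrelated kernel message without a firewall prefix'

# summarize_log PREFIX : read log lines on stdin and print "COUNT SRC PROTO DPT"
# for every source/port pair seen with PREFIX, most frequent first. ICMP has
# no DPT, so its TYPE is shown in that column instead.
summarize_log() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }          # keep only the wanted prefix
        {
            src = ""; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {          # fields are KEY=VALUE tokens
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^TYPE=/)  dpt   = "type" substr($i, 6)
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# demo_summary : run the summary over the constructed sample above.
demo_summary() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_log "IPTABLES-INPUT: "
}

demo_summary
```

On a live system the same function reads the kernel ring buffer, for example "journalctl -k | summarize_log 'IPTABLES-INPUT: '".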

By combining these rules, administrators can build a secure, stateful firewall, perform address translation, and maintain detailed logs for troubleshooting and audit purposes.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: network security, iptables, netfilter, firewall rules, Linux firewall