Master Linux iptables: A Complete Guide to Software Firewalls and Netfilter

This article provides a comprehensive overview of Linux's software firewall, explaining how iptables works with the netfilter framework, detailing tables, chains, hook functions, packet flow, common commands, rule‑management techniques, best‑practice optimizations, and methods for persisting firewall configurations.

Raymond Ops

Software Firewall

Linux provides a software firewall called iptables, which acts as a user‑space client that passes user‑defined security policies to the kernel’s netfilter framework. iptables is a command‑line tool that operates in user space; it manipulates the underlying netfilter framework located in kernel space. Together they form Linux’s software firewall, commonly used to replace expensive hardware firewalls for packet filtering, NAT, etc.

On CentOS 7 the firewalld service replaces iptables by default.

iptables is the tool that hands configured rules to the kernel‑space netfilter packet filter.
The firewalld service hands configured rules to the kernel‑space nftables packet filter.
These two tools are mutually exclusive; both are command‑line tools.

What is iptables

iptables is an open‑source packet‑filtering firewall tool.

iptables Use Cases

1) Host firewall (filter table’s INPUT chain).
2) LAN internet sharing (nat table’s POSTROUTING chain): source NAT, with the host acting as a lightweight router.
3) Port and IP mapping (nat table’s PREROUTING chain): destination NAT.
4) One‑to‑one IP mapping.

netfilter’s five hook functions and packet flow

Netfilter places five hook functions (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING) in the kernel. Users can write rules to these hooks with the iptables command. Rules are grouped into tables, which contain chains that hold rule sets.

Three packet flow directions

1) Incoming to the host: PREROUTING → INPUT → user‑space process
2) Outgoing from the host: user‑space process → OUTPUT → POSTROUTING
3) Forwarded: PREROUTING → FORWARD → POSTROUTING

iptables components

iptables has five built‑in chains (one per hook): INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING, plus optional user‑defined chains. It has five tables: filter, nat, mangle, raw and security, each with a specific purpose.


The priority order of tables from high to low is: security → raw → mangle → nat → filter.

Adding iptables rules – considerations

1) Determine the required function to decide which table to use.
2) Determine the packet path to decide which chain to use.
3) Determine packet direction to decide source and destination.
4) Match conditions based on business needs.

Common actions

1) Built‑in actions: ACCEPT, DROP, REJECT, SNAT, DNAT, MASQUERADE, MARK, LOG…
2) Custom actions: user‑defined chains for complex scenarios.
3) Whitelist: only specified hosts are allowed; everything else is denied.
4) Blacklist: only specified hosts are denied; everything else is allowed (default).

Disabling firewalld for iptables

# systemctl disable --now firewalld

iptables usage

Help: man 8 iptables

Syntax examples:

iptables [-t table] {-A|-C|-D} chain rule-specification
iptables [-t table] -I chain [rulenum] rule-specification
iptables [-t table] -R chain rulenum rule-specification
iptables [-t table] -D chain rulenum
iptables [-t table] -S [chain [rulenum]]
iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target
iptables [-t table] -E old-chain-name new-chain-name
rule-specification = [matches...] [target]
match = -m matchname [per‑match‑options]
target = -j targetname [per‑target‑options]

Rule management commands

-N: create new chain
-E: rename chain
-X: delete empty custom chain
-P: set default policy (ACCEPT or DROP)
-L: list rules
-n: numeric output
-v / -vv: verbose
-x: exact counters
--line-numbers: show rule numbers
-A: append
-I: insert at specific position
-D: delete by number or rule
-R: replace
-F: flush
-Z: zero counters

Examples

# iptables -F OUTPUT
# iptables -A INPUT -s 172.31.0.18,172.31.0.7 -j REJECT
# iptables -I INPUT -i lo -j ACCEPT
# iptables -A INPUT -s 172.31.0.1 -j ACCEPT
# iptables -A INPUT -s 172.31.0.18 -j DROP
# iptables -A INPUT -s 172.31.0.0/16 -j REJECT

Best‑practice rule optimization

1. Allow ESTABLISHED/RELATED connections first.
2. Carefully allow new inbound requests.
3. Place restrictive rules before permissive ones.
4. Order similar rules from most specific to least specific.
5. Merge rules where possible.
6. Prefer a whitelist default policy.
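Putting the whitelist approach from the common actions and the ordering rules above into practice, here is an added example that is not from the original article: a POSIX shell script that generates a whitelist INPUT ruleset in iptables-restore format and checks rule order before anything is loaded. MGMT_NET, WEB_PORTS and the function names are assumed values, not from the page.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a whitelist-style
# filter-table ruleset in iptables-restore format, ordered per the best
# practices above. MGMT_NET and WEB_PORTS are assumed placeholder values.
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"   # assumed admin subnet allowed to SSH in
WEB_PORTS="${WEB_PORTS:-80,443}"      # assumed public service ports

# Emit the ruleset on stdout. Order matters: loopback and ESTABLISHED/RELATED
# accepts come first so most packets leave the chain early, the narrow SSH
# allow precedes the broader web allow, unmatched packets are logged (rate
# limited), and the chain policy is DROP, so anything not listed is denied.
build_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -s ${MGMT_NET} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports ${WEB_PORTS} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# 1-based position of the first INPUT rule matching a pattern (0 if absent),
# so the ordering can be checked before anything is loaded into the kernel.
rule_position() {
    pos=$(build_filter_rules | grep '^-A INPUT' | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${pos:-0}"
}

# Load the ruleset atomically (requires root). Pass --test to only parse it.
apply_filter_rules() {
    build_filter_rules | iptables-restore "$@"
}
```

Run `apply_filter_rules --test` as root to validate the ruleset without loading it; the same output can be redirected to a file for the persistence methods in the saving section below.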

Saving iptables rules

Temporary rules disappear after reboot. To persist them:

Method 1

# iptables-save > /home/iptables.rules
# iptables-restore < /home/iptables.rules
# echo "iptables-restore < /home/iptables.rules" >> /etc/rc.d/rc.local
# chmod +x /etc/rc.d/rc.local

Method 2 (CentOS 7/8)

# yum install iptables-services
# iptables-save > /etc/sysconfig/iptables
# systemctl start iptables
# systemctl enable --now iptables
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
