Master Linux iptables: Build and Manage Robust Firewalls
This comprehensive guide explains Linux firewall fundamentals, the role of iptables and Netfilter, the structure of tables and chains, rule ordering, common commands, and real‑world configuration examples for securing networks and handling port mapping.
1. Introduction
Firewalls implement network access control on Linux; they exist as hardware appliances or software and are positioned at the network edge. Their behavior is defined by policies and rules that inspect inbound and outbound IP traffic.
Common firewalls operate at layers 3‑4 (network and transport layers) or at layer 7 (application‑layer proxy). Layer‑3 firewalls filter on source and destination addresses, while layer‑7 firewalls examine all packet attributes, offering higher security at the cost of performance.
2. iptables Evolution
iptables and its predecessors are user‑space tools that define rules for the kernel‑space Netfilter subsystem, which actually enforces firewall functionality.
Netfilter resides within the Linux TCP/IP stack, allowing packet processing directly in the kernel.
3. iptables Structure
Netfilter defines five hook points, represented as five built‑in chains. Rules are grouped into tables (Filter, NAT, Mangle, Raw), each serving a specific purpose. The default table is Filter.
Processing priority when several tables hook the same point (the first listed is consulted first): Raw > Mangle > NAT > Filter.
4. Tables and Chains
Each table contains chains, which are ordered lists of rules. Packets are examined against these rules sequentially; the first matching rule determines the action, and processing stops.
If no rule matches, the default policy of the chain is applied.
5. Workflow
iptables analyzes packet headers and matches them against user‑defined rules to decide whether to accept, drop, or modify the packet.
Rule order is crucial because processing stops at the first match.
6. Common Commands and Options
Adding a rule to the end of a chain:
    -A chain rule-specification
Inserting a rule at the beginning of a chain (or at a specific position):
    -I chain [rulenum] rule-specification
Typical use cases include blocking SSH logins or disabling ICMP ping.
7. Enterprise Cases
Two firewall deployment modes are illustrated:
"Park" mode – permissive by default (the chain policy is ACCEPT), with explicit rules rejecting disallowed traffic.
"Movie" mode – deny by default, with only explicitly permitted traffic allowed (typical for server firewalls).
Configuration steps for a Linux gateway include enabling IP forwarding, loading necessary kernel modules, ensuring internal servers can ping the gateway, and setting up appropriate Filter and NAT rules.
8. Port Mapping and NAT
Port forwarding maps external IP/port requests to internal server addresses, useful for both internal services and external load‑balancing scenarios.
When the connection‑tracking table fills (new connections are then dropped), the options are to temporarily disable the firewall or to raise the table's maximum size via kernel parameters.
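As an added example (not code from the article or from MaGe), the following POSIX shell script builds the "Movie" mode default‑deny policy of section 7 together with the gateway forwarding and port mapping of section 8. It assumes the conntrack and multiport matches are available; IPT and SYSCTL default to echo so the rule set can be reviewed without root, and the interface, network and server addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the article: "Movie" mode (default deny) plus the
# gateway forwarding and port-mapping rules of sections 7-8. IPT and SYSCTL
# default to echo so the rule set can be reviewed without root; run with
# IPT=iptables SYSCTL=sysctl to apply. Addresses are constructed placeholders.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
WEB_SERVER="${WEB_SERVER:-192.168.10.20}"

movie_mode_filter() {
    $IPT -F INPUT
    $IPT -F FORWARD
    # Default policies: nothing in or through the host unless a rule allows it.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # First match wins, so loopback and replies to established flows are
    # accepted before any service-specific rule is evaluated.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Explicitly permitted services: SSH from the LAN only, web from anywhere.
    $IPT -A INPUT -p tcp --dport 22 -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    # A block that must also beat the ESTABLISHED rule is inserted (-I) at
    # position 1; appended (-A) it would never be reached for existing flows.
    $IPT -I INPUT 1 -s 203.0.113.0/24 -j DROP   # TEST-NET-3, constructed source
}

gateway_nat() {
    $SYSCTL -w net.ipv4.ip_forward=1            # section 7: enable forwarding
    $IPT -t nat -F
    # LAN hosts leave through the gateway's WAN address.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    # Section 8: external port 8080 maps to port 80 on the internal web server.
    # DNAT runs in PREROUTING before FORWARD, so FORWARD matches the rewritten
    # destination, not the gateway's own address.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 8080 -j DNAT --to-destination "$WEB_SERVER:80"
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -m conntrack --ctstate NEW -j ACCEPT
}

# Count of iptables invocations a function emits in dry-run mode (for review).
rule_count() { "$1" | grep -c '^iptables '; }

movie_mode_filter
gateway_nat
```

Review the echoed rules first; the order printed is the order applied, so the -I line ends up at the top of INPUT even though it is issued last.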
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
MaGe Linux Operations