Master Linux iptables: From Basics to Advanced Firewall Rules
This comprehensive guide explains Linux firewall concepts, the evolution and operation of iptables, rule chains, policies, command syntax, matching criteria, state tracking, NAT/DNAT techniques, and practical exercises, providing readers with the knowledge to configure and manage secure network access effectively.
Firewalls, whether hardware or software, implement access control in Linux by defining policies and rules that inspect incoming and outgoing IP packets.
Common firewalls operate at layer 3 (network) or layer 7 (application proxy): a layer‑3 firewall checks source and destination addresses, while a layer‑7 firewall also examines ports and protocols, offering higher security at the cost of performance.
1. iptables history and operation
iptables evolved from ipfirewall (kernel 1.x) to ipchains (kernel 2.x) and finally to iptables, which builds rule lists for detailed access control. These tools run in user space and feed rules to the kernel's netfilter subsystem, which processes packets at five hook points: PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING.
2. iptables rule chains
The five built‑in chains correspond to specific packet traversal points in the kernel. Each packet passes through exactly one of these chains, allowing granular filtering.
3. Firewall policies
Two policy models exist: "allow" (default‑deny, where only explicitly permitted traffic passes) and "block" (default‑allow, where only explicitly listed traffic is stopped). The filter table handles packet acceptance/rejection, the nat table manages address translation, and the mangle table modifies packet headers.
4. Rule syntax
iptables [-t table] COMMAND chain CRITERIA -j ACTION
Key options include -t (table: filter, nat, mangle), -P (set default policy), -A (append), -I (insert), -R (replace), -D (delete), and -L (list).
Example:
iptables -t filter -A INPUT -s 172.16.0.0/16 -p tcp --dport 22 -j ACCEPT
State matching with -m state --state NEW,ESTABLISHED refines traffic control.
5. Matching criteria
General matches include source (-s) and destination (-d) IPs, protocol (-p), and interfaces (-i, -o). Extended matches cover ports (--dport, --sport), TCP flags, and ICMP types.
6. Actions
Common actions are DROP, REJECT, ACCEPT, custom chains, DNAT, SNAT, MASQUERADE, REDIRECT, MARK, and RETURN.
7. NAT implementation
SNAT rewrites source addresses for outbound traffic, e.g.:
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 172.16.100.1
MASQUERADE handles dynamic external IPs. DNAT rewrites destination addresses for inbound traffic, e.g.:
iptables -t nat -A PREROUTING -d 192.168.10.18 -p tcp --dport 80 -j DNAT --to-destination 172.16.100.2
8. Persisting rules
Use service iptables save or iptables-save > /etc/sysconfig/iptables to store configurations, and iptables-restore to load them on boot.
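As an added example (not code from the original article), the script below generates a complete iptables-restore file that ties sections 3, 4, 7 and 8 together: a default‑deny filter policy, stateful matching with -m conntrack --ctstate (the current form of the page's -m state --state), the section 7 SNAT/DNAT rules with the page's own addresses, and a check run before loading. The interface names eth0/eth1 and the output file name are assumptions.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset (filter + nat) for a small gateway with a
# default-deny INPUT/FORWARD policy, stateful return traffic, SSH only from the
# admin network, and the page's SNAT/DNAT rules.  Nothing is applied here:
# review the output, then load it with  iptables-restore < gateway.rules
LAN_IF="${LAN_IF:-eth1}"   # assumed inside interface name
WAN_IF="${WAN_IF:-eth0}"   # assumed outside interface name

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-tracked flows first: they match most packets.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# New SSH sessions only from the admin network (section 4 example).
-A INPUT -s 172.16.0.0/16 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Forwarding: LAN out to WAN, replies back, and the DNAT-published web server.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s 192.168.10.0/24 -j ACCEPT
-A FORWARD -i $WAN_IF -d 172.16.100.2 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Section 7: rewrite inbound port 80 to the web host; rewrite outbound source.
-A PREROUTING -d 192.168.10.18 -p tcp --dport 80 -j DNAT --to-destination 172.16.100.2
-A POSTROUTING -s 192.168.10.0/24 -o $WAN_IF -j SNAT --to-source 172.16.100.1
COMMIT
EOF
}

# Pre-load checks: both filter chains default to DROP, and every rule that
# admits NEW connections is scoped by a source or destination address.
check_ruleset() {
    rules=$(gen_ruleset)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    if printf '%s\n' "$rules" | grep -e '--ctstate NEW' | grep -vq -e ' -s ' -e ' -d '; then
        return 1
    fi
    return 0
}

check_ruleset && echo "ruleset passes checks; load with: iptables-restore < gateway.rules"
```

Save the output (gen_ruleset > gateway.rules) and load it with iptables-restore, or write it to /etc/sysconfig/iptables as section 8 describes so it is restored on boot.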
Conclusion
iptables is essential for Linux firewalls, providing deep insight into packet flow and system security; mastering it enables robust network protection and effective management of complex environments.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.