Master Linux Netfilter: From Hooks to Advanced iptables NAT Rules
This comprehensive guide explains Linux's netfilter firewall framework, its five hook points, how iptables maps rules to tables and chains, and provides step‑by‑step examples for traffic filtering, NAT, custom chains, and rule persistence using iptables commands.
netfilter Introduction
Firewalls filter traffic between internal and external networks according to defined policies. Linux includes the netfilter firewall module, which enables packet filtering, NAT, and connection tracking directly in the kernel.
User‑space tools such as iptables and firewalld allow administrators to define rules that are passed to the netfilter framework for packet processing.
netfilter Five Hooks
Rules defined in user‑space are attached to one of netfilter's five hook functions. When a packet reaches a hook point in the network stack, netfilter processes the packet according to the rules associated with that hook.
These five hooks are located at different points in the network stack:
PREROUTING – the first point a packet reaches, before routing decisions.
INPUT – handles packets destined for the local system.
FORWARD – handles packets routed through the system (neither destined for nor originating from the local system).
OUTPUT – handles packets generated by the local system before they leave.
POSTROUTING – captures packets after routing, just before they exit the system.
iptables
The most common user‑space firewall tool is iptables; alternatives include firewalld and nftables.
Before writing filtering rules, understand three iptables concepts: rules, chains, and tables.
Rule: a match condition plus an action.
Chain: an ordered list of rules. Packets are examined sequentially until a match is found or the chain ends.
Table: groups chains by functionality (e.g., filter, nat, mangle, raw).
A packet first enters a specific table, then traverses the chains in order until a matching rule is found or the end of the chain is reached.
Implementing Traffic Filtering
Defining Rules
iptables -t <table> -I|-A <chain> <match-options> -j <target>
Explanation: -I inserts the rule at the beginning of the chain (matched first); -A appends the rule to the end of the chain (matched last).
Example: drop all packets from host 10.0.0.11.
iptables -t filter -I INPUT -s 10.0.0.11 -j DROP
Example: drop packets whose destination address is 10.0.0.11.
iptables -A INPUT -d 10.0.0.11 -j DROP
iptables supports two types of match conditions:
Basic matches: address, interface, and protocol matching, available without extra modules.
Extended matches: require loading additional modules via the -m option (e.g., multiport, tcp, udp).
Basic match examples:
Address match: -s for source, -d for destination.
Interface match: -i for incoming interface, -o for outgoing.
Extended match examples:
Port matching with the multiport module: --sports, --dports, or --ports (up to 15 ports).
Protocol matching: -p tcp, -p udp, -p icmp (module name equals protocol name, so -m can be omitted).
Example: block ports 22, 80, 1884, 1883 on host 10.0.0.29.
iptables -t filter -I INPUT -s 10.0.0.29 -p tcp -m multiport --ports 22,80,1884,1883 -j DROP
Example: block SSH access from 10.0.0.29.
iptables -t filter -I INPUT -s 10.0.0.29 -p tcp --dport 22 -j DROP
Viewing Rules
Use the -t option to select a table and -vnL to list rules.
iptables -t <table> -vnL
Deleting Rules
Delete by rule number with -D <chain> <num> or by specifying the exact match.
iptables -t filter -D INPUT 1
iptables -t filter -D INPUT -s 10.0.0.11 -j DROP
Flushing Chains
Clear all rules in a chain with -F. If no table is specified, filter is used.
iptables -t filter -F INPUT
Changing Default Policies
Set the default action for a chain with -P. When a chain has no matching rule, the default policy is applied.
iptables -t filter -P INPUT DROP
Implementing Black/White Lists
Black list: set the chain default to ACCEPT and add DROP rules for unwanted traffic.
White list: set the chain default to DROP and add ACCEPT rules for allowed traffic. A policy set with -P can only be ACCEPT or DROP; to reject rather than silently drop unmatched traffic, append a final REJECT rule to the chain instead.
Example: open only specific ports.
# Ensure remote access is not lost
iptables -t filter -I INPUT -s 10.0.0.1 -j ACCEPT
# Change default policy to DROP
iptables -t filter -P INPUT DROP
# Allow selected TCP ports
iptables -t filter -A INPUT -m multiport -p tcp --dports 22,80,8000,8001,1883,1884,9001,9100,9802 -j ACCEPT
# Allow selected UDP ports
iptables -t filter -A INPUT -m multiport -p udp --dports 22,80,8000,8001,1883,1884,9001,9100,9802 -j ACCEPT
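The whitelist above, as an added example that is not part of the original article: a script that emits the ruleset in the format iptables-save writes and iptables-restore reads, so it can be reviewed before it is loaded. It goes beyond the article's version by also accepting loopback traffic and conntrack-tracked replies to connections the host itself opened, both of which a bare default-DROP INPUT policy would cut off; the admin host and the port lists are assumed values.

```shell
#!/bin/sh
# Added example (not from the original article): generate the INPUT whitelist
# as an iptables-restore file. Beyond the article's version, loopback and
# established/related return traffic are accepted explicitly, since a
# default-DROP INPUT policy otherwise blocks them.
# Assumed values (hypothetical): admin host and the service port lists.
ADMIN_HOST="10.0.0.1"
TCP_PORTS="22,80,8000,8001,1883,1884,9001,9100,9802"
UDP_PORTS="1883,1884"

# Count ports in a multiport list; a range a:b counts as two. The multiport
# match accepts at most 15 ports per rule, so longer lists must be split.
port_count() {
    n=0
    for p in $(echo "$1" | tr ',' ' '); do
        case $p in
            *:*) n=$((n + 2)) ;;
            *)   n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Print the ruleset; fails (returns 1) if a port list exceeds the multiport limit.
gen_whitelist() {
    [ "$(port_count "$TCP_PORTS")" -le 15 ] || return 1
    [ "$(port_count "$UDP_PORTS")" -le 15 ] || return 1
    echo "*filter"
    echo ":INPUT DROP [0:0]"        # default policy DROP: nothing passes unless listed
    echo ":FORWARD ACCEPT [0:0]"    # unchanged; this host is assumed not to route
    echo ":OUTPUT ACCEPT [0:0]"
    # admin host first, so remote access survives whatever follows
    echo "-A INPUT -s $ADMIN_HOST -j ACCEPT"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate INVALID -j DROP"
    echo "-A INPUT -p tcp -m multiport --dports $TCP_PORTS -j ACCEPT"
    echo "-A INPUT -p udp -m multiport --dports $UDP_PORTS -j ACCEPT"
    echo "COMMIT"
}

# Usage as root: gen_whitelist > /etc/iptables.rules
#                iptables-restore --test < /etc/iptables.rules   # parse only
#                iptables-restore < /etc/iptables.rules          # load
```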
Saving Rules
Rules created with iptables are lost after a reboot. Persist them using:
iptables-save: output current rules to a file.
sudo iptables-save > /path/to/iptables.rules
iptables-restore: load rules from a file at boot (add to rc.local, a shell profile, or a systemd service).
sudo iptables-restore < /path/to/iptables.rules
NAT Implementation
NAT (Network Address Translation) rewrites source or destination IP addresses. The netfilter nat table provides three common targets:
DNAT – destination address translation.
SNAT – source address translation.
MASQUERADE – dynamic source NAT, useful for interfaces with changing public IPs.
SNAT Example
# Replace source address for packets leaving the LAN
iptables -t nat -A POSTROUTING -s LocalNET ! -d LocalNET -j SNAT --to-source ExtIP
Example: LAN 10.0.0.0/24 uses public range 172.18.1.6-172.18.1.9 for external traffic.
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j SNAT --to-source 172.18.1.6-172.18.1.9
When the public IP is dynamic, use MASQUERADE:
# Dynamic source NAT
iptables -t nat -A POSTROUTING -s LocalNET ! -d LocalNET -j MASQUERADE
DNAT Example
iptables -t nat -I PREROUTING -d ExtIP -p tcp --dport PORT -j DNAT --to-destination InternalIP[:PORT]
Example: forward traffic arriving at 10.0.0.100:80 to internal server 192.168.1.100:80.
iptables -t nat -I PREROUTING -d 10.0.0.100 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:80
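The DNAT example above, as an added example that is not the article's own code: a PREROUTING DNAT rule only rewrites the destination, so for the packet to actually reach 192.168.1.100 the kernel must also forward it (ip_forward) and the filter table's FORWARD hook, which sees the packet after translation, must let it through. The script prints the complete command sequence for review and only executes it when APPLY=1; the addresses are the article's, and INT_PORT is a variable so the same sequence serves a port-translating DNAT.

```shell
#!/bin/sh
# Added example (not from the original article): everything a DNAT
# port-forward needs besides the nat-table rule itself. Prints the commands;
# executes them only with APPLY=1 (root and iptables required).
# Assumed (from the article's example): 10.0.0.100:80 -> 192.168.1.100:80;
# set INT_PORT=8080 for the port-translating variant.
EXT_IP="10.0.0.100"; EXT_PORT="80"
INT_IP="192.168.1.100"; INT_PORT="80"

port_forward_cmds() {
    # 1. let the kernel route packets not addressed to itself
    #    (persist the setting in /etc/sysctl.conf for reboots)
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 2. PREROUTING hook, nat table: rewrite the destination before routing
    echo "iptables -t nat -A PREROUTING -d $EXT_IP -p tcp --dport $EXT_PORT -j DNAT --to-destination $INT_IP:$INT_PORT"
    # 3. FORWARD hook sees the translated address: admit only new connections
    #    to that service (required when FORWARD policy is DROP, harmless otherwise)
    echo "iptables -t filter -A FORWARD -d $INT_IP -p tcp --dport $INT_PORT -m conntrack --ctstate NEW -j ACCEPT"
    # 4. replies belong to a tracked connection; conntrack reverses the NAT for them
    echo "iptables -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Number of commands that change the live ruleset (handy for a review step).
count_iptables_cmds() {
    port_forward_cmds | grep -c '^iptables '
}

# Run the printed commands one by one, stopping at the first failure.
apply_rules() {
    port_forward_cmds | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || exit 1
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
fi
```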
PNAT (Port NAT / PAT) Example
Redirect external port 80 to an internal service listening on port 8080.
# Method 1 – DNAT to a different port
iptables -t nat -I PREROUTING -d 10.0.0.100 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:8080
# Method 2 – REDIRECT target (same host, different port)
iptables -t nat -A PREROUTING -d 172.16.100.10 -p tcp --dport 80 -j REDIRECT --to-ports 8080
Custom Chains
netfilter provides default chains that match the five hooks. Custom chains can be created and then referenced from default chains.
Creating a Custom Chain
iptables -t filter -N IN_WEB
Add rules to the custom chain, e.g., reject all incoming ICMP echo requests.
iptables -t filter -I IN_WEB -p icmp --icmp-type 8/0 -j REJECT
Reference the custom chain from a default chain.
iptables -t filter -I INPUT -j IN_WEB
Deleting a Custom Chain
First flush the chain, remove references, then delete it.
iptables -F IN_WEB
iptables -t filter -D INPUT -j IN_WEB # remove reference
iptables -X IN_WEB
MaGe Linux Operations