Mastering iptables: A Complete Guide to Linux Firewall Configuration
This comprehensive tutorial explains the fundamentals of iptables, its architecture, chain and table concepts, rule syntax, matching modules, actions, and provides practical command examples for configuring Linux firewalls in virtual machines or Docker containers.
About iptables
Packet filtering on Linux is implemented by the netfilter framework inside the kernel, which exposes hooks at fixed points in the network stack. iptables is the command‑line utility that manages the rules attached to those hooks: tables group rules by purpose, chains hold ordered lists of rules, and each rule pairs match criteria with a target (the action). Rules are evaluated as packets pass the hooks, so the filtering happens in the kernel, not in the iptables program itself.
iptables Working Principle
Packets traverse the five built‑in chains, which correspond to netfilter's hook points: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING. Each chain is an ordered list of rules; the first rule that matches decides the packet's fate, and if none matches the chain's default policy applies.
Incoming packets hit PREROUTING first, before the kernel has made its routing decision; this is therefore where destination NAT (DNAT, REDIRECT) has to happen.
The routing decision then sends packets addressed to the local host to INPUT, while packets generated locally pass OUTPUT and then POSTROUTING.
Packets routed on to another host pass FORWARD and then POSTROUTING, where source NAT (SNAT, MASQUERADE) is applied as the packet leaves. A forwarded packet never traverses INPUT or OUTPUT.
iptables Filtering Process
The rules of a chain are evaluated top to bottom. The first rule whose match conditions are all met decides the packet's fate if its target is terminating (ACCEPT, DROP, REJECT, and so on): no further rules in that chain are checked. Some targets are non‑terminating, LOG in particular, so after logging the packet continues to the next rule. If no rule matches, the chain's default policy applies (only built‑in chains have a policy; a user‑defined chain that runs out of rules returns to the chain that called it). Because of this first‑match semantics, rule order is everything: an ACCEPT appended after a broader DROP can never fire, and any rule placed after a catch‑all DROP is dead.
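The ordering mistakes described above can be caught before a ruleset is loaded. The following script is an added example written for this article, not part of iptables: it reads iptables-save output and applies the first-match rule statically. Rule B is reported as unreachable when an earlier rule A in the same chain has a terminating target and every match option of A also appears in B, because any packet B could match has already been decided by A. A rule with no match options is a catch-all and shadows everything after it. Rules that use negation or the limit/recent/statistic modules are not treated as shadowers, since they do not match every such packet. The sample ruleset is constructed, not a real capture, and deliberately contains two of the mistakes this article's examples invite.

```sh
#!/bin/sh
# Added example (not iptables' own code): a static first-match check over a saved
# ruleset that reports rules which can never fire. See the lead-in for the rule.

# Constructed iptables-save output for illustration, not a real capture. Line 7 is an
# ACCEPT appended after a broader DROP; line 10 sits after the chain's catch-all DROP.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP
-A INPUT -s 173.168.16.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "input-drop: "
-A INPUT -j DROP
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
COMMIT'

# find_unreachable RULESET_TEXT
# Prints "<line>: <rule>" for every unreachable -A rule; prints nothing when all are reachable.
find_unreachable() {
    printf '%s\n' "$1" | awk '
        function terminating(t) { return t == "ACCEPT" || t == "DROP" || t == "REJECT" }
        # true when every whitespace-separated token of a also occurs in b
        function subset(a, b,    i, n, m, ta, tb, seen) {
            n = split(a, ta, " "); m = split(b, tb, " ")
            for (i = 1; i <= m; i++) seen[tb[i]] = 1
            for (i = 1; i <= n; i++) if (!(ta[i] in seen)) return 0
            return 1
        }
        $1 == "-A" {
            chain = $2; opts = ""; target = ""
            # collect match options up to -j; the word after -j is the target
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") { target = $(i + 1); break }
                opts = opts (opts == "" ? "" : " ") $i
            }
            # shadowed by an earlier terminating rule whose options are a subset of ours?
            for (k = 1; k <= nshadow[chain]; k++)
                if (subset(shadow[chain, k], opts)) { print NR ": " $0; next }
            # record this rule as a shadower if it decides every packet it matches
            if (terminating(target) && opts !~ /(^| )!( |$)/ && opts !~ /-m (limit|recent|statistic)/) {
                nshadow[chain]++
                shadow[chain, nshadow[chain]] = opts
            }
        }'
}

find_unreachable "$SAMPLE_RULES"
```

Run it against a live system with `find_unreachable "$(iptables-save)"`. The check is deliberately conservative: it compares option tokens literally, so it will miss a shadow expressed with a different but equivalent spelling (for example `--dport 22` versus `--dports 22`), but anything it does report is genuinely dead.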
Tables, Chains, and Rules
iptables organizes rules into tables by purpose; the four met in everyday use are:
filter : the default table, used whenever -t is omitted; decides whether packets are accepted or dropped. Chains: INPUT, FORWARD, OUTPUT.
nat : network address translation (SNAT, DNAT, MASQUERADE, REDIRECT). Only the first packet of a connection is evaluated here; connection tracking then applies the same mapping to the rest of the flow. Chains: PREROUTING, INPUT, OUTPUT, POSTROUTING.
mangle : alteration of packet headers (TTL, TOS/DSCP) and of kernel packet marks (MARK) for policy routing or QoS. Chains: all five.
raw : evaluated before connection tracking; its NOTRACK target exempts traffic (for example the queries of a busy DNS server) from conntrack. Chains: PREROUTING, OUTPUT.
Each table contains only the built‑in chains listed for it, which correspond to the netfilter hooks, plus any user‑defined chains created with -N and entered with -j. A fifth table, security, exists for SELinux packet labelling and is rarely touched by hand.
iptables Command Syntax
General form:
iptables [-t table] -[A|I|D|R|F|Z|L|P] chain [match...] -j target
-t defaults to the filter table, and chain names are case‑sensitive (INPUT, not input). Common options:
-P <chain> <policy> – set the default policy (ACCEPT or DROP) of a built‑in chain.
-L [chain] – list rules; combine with -n (no DNS lookups), -v (counters and interfaces) and --line-numbers.
-S [chain] – print the rules as the iptables commands that would recreate them.
-A <chain> – append a rule at the end of the chain.
-I <chain> [num] – insert a rule at position num (default 1, the top of the chain).
-D <chain> <num|rule-spec> – delete a rule by number or by repeating its exact specification.
-R <chain> <num> – replace the rule at position num.
-F [chain] – flush (delete) all rules of a chain, or of the whole table when no chain is given. The policy is untouched, so flushing INPUT while its policy is DROP cuts off every connection.
-Z [chain] – zero the packet and byte counters.
-N <chain> / -X <chain> – create or delete a user‑defined chain.
Changes take effect immediately and live only in kernel memory; use iptables-save and iptables-restore to keep them across a reboot.
Matching Criteria
Rules consist of match conditions such as protocol, source/destination address, ports, interfaces and connection state; a packet must satisfy every condition of a rule for the rule to match. Negation is expressed by placing ! before the option (! -s 10.0.0.0/8). Examples:
-p tcp – match TCP (likewise udp, icmp, or all).
-s 192.168.1.0/24 – source network; -d matches the destination.
-i eth0 / -o eth0 – input interface (valid in INPUT, FORWARD, PREROUTING) / output interface (valid in OUTPUT, FORWARD, POSTROUTING).
--dport 22 – destination port 22 (--sport for the source). Port matches require -p tcp or -p udp before them; --dport 6000:6010 matches a range.
-m state --state ESTABLISHED,RELATED – match connection‑tracking state. The state module is the legacy interface; current kernels and documentation use the equivalent -m conntrack --ctstate ESTABLISHED,RELATED (states: NEW, ESTABLISHED, RELATED, INVALID).
-m multiport --dports 80,443 – several ports in one rule.
-m limit --limit 12/minute --limit-burst 10 – token‑bucket rate match; it matches only while packets arrive within the configured rate.
Actions (Targets)
Typical targets (-j), all of which end evaluation in the current chain unless noted otherwise:
ACCEPT – let the packet through.
DROP – discard silently; the sender sees a timeout.
REJECT – discard and send an error reply, by default ICMP port‑unreachable; --reject-with tcp-reset sends a TCP RST instead. Valid only in INPUT, FORWARD and OUTPUT (and user chains called from them).
LOG – write packet details to the kernel log (dmesg or the journal), with an optional --log-prefix. Non‑terminating: evaluation continues with the next rule, so a LOG rule is normally placed directly before the DROP or REJECT it documents, ideally with -m limit so an attacker cannot flood the log.
RETURN – leave a user‑defined chain and continue after the rule that called it; in a built‑in chain, apply the policy.
SNAT / DNAT / MASQUERADE – rewrite source or destination addresses (nat table only; SNAT and MASQUERADE in POSTROUTING, DNAT in PREROUTING and OUTPUT). SNAT needs a fixed --to-source; MASQUERADE uses whatever address the outgoing interface currently has, which suits dynamic addresses.
REDIRECT – DNAT to the local machine's own address, changing only the port (--to-ports); used for transparent proxies and port aliases.
The name of a user‑defined chain is also a valid target and jumps into that chain.
Practical Examples
View the rules of the filter table with packet counters, numeric addresses and rule numbers (add -t nat to inspect the NAT table):
iptables -nvL --line-numbers
Block all SSH access (the rule is appended at the end of INPUT):
iptables -A INPUT -p tcp --dport 22 -j DROP
Allow one subnet to SSH. Because rules are evaluated top to bottom, this rule must come before the DROP above, so it is inserted at position 1 with -I rather than appended with -A; appended after the DROP, it would never be reached:
iptables -I INPUT -s 173.168.16.0/24 -p tcp --dport 22 -j ACCEPT
Accept packets belonging to connections that were already allowed, plus related traffic such as ICMP errors. Put this near the top of INPUT so every rule after it only has to deal with new connections:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow the Samba NetBIOS name and datagram services (UDP 137 and 138):
iptables -A INPUT -p udp --dport 137 -j ACCEPT
iptables -A INPUT -p udp --dport 138 -j ACCEPT
Reject ICMP echo requests (ping); the sender receives an ICMP error instead of waiting for a timeout (use DROP for silence):
iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
Set the default INPUT policy to DROP. Do this only after the ESTABLISHED,RELATED rule and a rule admitting your own administrative access are in place; otherwise the current SSH session and every new one are cut off. The policy applies to packets that match no rule:
iptables -P INPUT DROP
Make SSH reachable on port 220 as well: packets arriving for port 220 are redirected, in the nat table's PREROUTING chain, to local port 22. This happens before the filter rules, so INPUT sees the packet with destination port 22 and the SSH rules above still govern it:
iptables -t nat -A PREROUTING -p tcp --dport 220 -j REDIRECT --to-ports 22
Delete the second rule in the INPUT chain (confirm the number with --line-numbers first; rules are renumbered after every deletion):
iptables -D INPUT 2
Rate‑limit traffic from one host: accept at most 12 packets per minute with an initial burst of 10. The limit match only accepts traffic within the rate; packets over the limit do not match this rule and fall through to later rules or the default policy, so a DROP rule or a DROP policy must follow, and the ESTABLISHED,RELATED rule should precede it so existing connections are not throttled. To limit new connections rather than packets, add -m state --state NEW:
iptables -A INPUT -s 173.168.16.8 -p tcp -m limit --limit 12/minute --limit-burst 10 -j ACCEPT
Share an Internet connection with a LAN: source NAT to the address of the outgoing interface, chosen automatically by MASQUERADE. Forwarding must be enabled with sysctl -w net.ipv4.ip_forward=1, and the FORWARD chain must permit the traffic:
iptables -t nat -A POSTROUTING -o eth0 -s 173.168.16.0/24 -j MASQUERADE
Expose an internal web server: connections to 60.205.177.173:800 are rewritten to 173.168.16.2:80 before routing. The filter table's FORWARD chain must also allow TCP port 80 to 173.168.16.2, or the translated packets are dropped there:
iptables -t nat -A PREROUTING -d 60.205.177.173 -p tcp --dport 800 -j DNAT --to-destination 173.168.16.2:80
All of these commands take effect immediately and are lost on reboot. Dump the running rules with iptables-save and reload them with iptables-restore; distributions wrap this in packages such as iptables-persistent or iptables-services. On current distributions the iptables command is often the iptables-nft front end to nftables; iptables -V shows which variant is in use, and the syntax above is the same for both.
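The individual commands above only work together when they are loaded in the right order. The following script is an added example written for this article, not code from the original page: it combines them into one host-and-gateway policy in iptables-restore format, so the whole ruleset is validated and then applied atomically and the DROP policy can never take effect before the ACCEPT rules that keep an administrative SSH session alive. The addresses, interface and ports are taken from the article's examples; their combination into a single policy, the conntrack and loopback rules, and the FORWARD rules are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): complete ordered ruleset built from
# the commands above, emitted in iptables-restore format and applied atomically.

ADMIN_NET="173.168.16.0/24"   # management subnet allowed to SSH (from the article)
LAN_NET="173.168.16.0/24"     # internal network behind this gateway (from the article)
WAN_IF="eth0"                 # Internet-facing interface (from the article)
WEB_SERVER="173.168.16.2"     # internal web server published by DNAT (from the article)
PUBLIC_IP="60.205.177.173"    # public address used in the article's DNAT example

# render_ruleset: print the full ruleset on stdout. Lines starting with # are comments
# to iptables-restore. Order inside each chain is the point of this example.
render_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Replies to connections we already accepted come first, so they are never throttled or dropped
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# 2. SSH from the management subnet only, at most 12 NEW connections/minute (burst 10);
#    connection attempts above the rate do not match here and reach the final DROP policy
-A INPUT -s ${ADMIN_NET} -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 12/minute --limit-burst 10 -j ACCEPT
# 3. Samba name and datagram services from the LAN only
-A INPUT -s ${LAN_NET} -p udp --dport 137 -j ACCEPT
-A INPUT -s ${LAN_NET} -p udp --dport 138 -j ACCEPT
# 4. Ping gets an ICMP error back (REJECT, as in the article) rather than silence
-A INPUT -p icmp --icmp-type echo-request -j REJECT
# 5. Log what is about to hit the DROP policy; LOG is non-terminating, the policy still applies
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "iptables-input-drop: "
# Forwarding for the LAN behind ${WAN_IF} and for the DNAT'ed web server
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s ${LAN_NET} -o ${WAN_IF} -j ACCEPT
-A FORWARD -d ${WEB_SERVER} -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# SSH is also reachable on 220; REDIRECT runs before filter, so the INPUT rule for port 22 still governs it
-A PREROUTING -p tcp --dport 220 -j REDIRECT --to-ports 22
# Publish the internal web server on ${PUBLIC_IP}:800 (the FORWARD rule above admits the translated flow)
-A PREROUTING -d ${PUBLIC_IP} -p tcp --dport 800 -j DNAT --to-destination ${WEB_SERVER}:80
# Internet sharing for the LAN
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
EOF
}

# apply_ruleset [check]: parse-check the ruleset without touching the kernel, then load it
# atomically. Needs root. With the argument "check" it stops after validation.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    render_ruleset > "$tmp"
    # --test parses and builds the whole ruleset but commits nothing
    if ! iptables-restore --test "$tmp"; then
        echo "ruleset rejected, kernel untouched" >&2
        rm -f "$tmp"
        return 1
    fi
    if [ "${1:-}" != "check" ]; then
        iptables-restore "$tmp"
        # the FORWARD/NAT rules are inert until forwarding is enabled
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
        echo "loaded; rules are not persistent, save with: iptables-save > /etc/iptables/rules.v4" >&2
    fi
    rm -f "$tmp"
}

case "${1:-render}" in
    render) render_ruleset ;;        # default: print the ruleset for review
    check)  apply_ruleset check ;;   # validate only
    apply)  apply_ruleset ;;         # validate, then load atomically (root)
esac
```

Run it with no argument to read the generated ruleset, with `check` to have iptables-restore parse it, and with `apply` to load it. Loading through iptables-restore instead of a sequence of iptables commands matters for the DROP policy: a command-by-command script that sets the policy before the ESTABLISHED,RELATED rule, or that aborts halfway, leaves the host half-configured, whereas a restore either commits the whole table or nothing.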
This article has been distilled and summarized from source material and republished for learning and reference.
Ops Development Stories
Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.