Mastering iptables: A Complete Guide to Linux Firewall Rules and NAT
This comprehensive guide explains the fundamentals of iptables, covering its architecture, chain and table concepts, rule syntax, matching modules, actions, and practical examples for filtering, NAT, and port forwarding, enabling readers to configure Linux firewalls effectively in virtual or container environments.
About iptables
Linux's firewall system operates at the network layer, filtering and restricting TCP/IP packets. iptables is a command‑line utility that uses policy chains to allow or block traffic. It works together with the kernel component netfilter, which holds packet‑filtering tables, while iptables provides a userspace interface to add, edit, and delete rules.
How iptables works
When a packet arrives, it traverses a series of predefined chains. The five built‑in chains are PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING. Each chain contains ordered rules; the first matching rule determines the packet's fate. If no rule matches, the chain's default policy is applied.
A packet entering a network interface first hits PREROUTING, before the routing decision is made.
If the packet is destined for the local host, it proceeds to INPUT, then to the local process.
Locally generated packets travel through OUTPUT and then POSTROUTING.
Forwarded packets pass through FORWARD before reaching POSTROUTING.
iptables tables, chains, and rules
Rules are stored in tables, each serving a specific purpose. The four main tables are:
filter: default table for general packet filtering.
nat: handles network address translation (port and address mapping).
mangle: modifies packet attributes such as TTL or QoS.
raw: determines whether a packet is subject to connection tracking.
Chains are ordered lists of rules within a table. The built‑in chains mentioned earlier exist in the appropriate tables (e.g., POSTROUTING appears in nat and mangle).
iptables command syntax
General format:
iptables [-t table] [-A|-I|-D ...] [match] -j target
Common options include:
-P <chain> <policy> – set default policy for a chain.
-L <chain> – list rules in a chain.
-A <chain> – append a rule to the end of a chain.
-I <chain> [num] – insert a rule at a specific position.
-D <chain> [num|rule-spec] – delete a rule.
-F <chain> – flush all rules in a chain.
-Z <chain> – zero packet and byte counters.
-N <chain> – create a new user‑defined chain.
-E <old-chain> <new-chain> – rename a chain.
Matching modules and actions
Match extensions (used with -m) allow fine‑grained criteria, such as:
-m state --state NEW,ESTABLISHED,RELATED
-m multiport --dports 22,80
-m iprange --src-range 192.168.0.2-192.168.0.20
-m limit --limit 3/minute --limit-burst 10
-m string --algo bm --string "pattern"
-m time --timestart 08:00 --timestop 12:00
-m icmp --icmp-type echo-request
Typical actions include:
ACCEPT – allow the packet.
DROP – silently discard the packet.
REJECT – reject and send an error reply.
LOG – log packet details.
SNAT – source NAT for outbound traffic.
DNAT – destination NAT for inbound traffic.
MASQUERADE – dynamic source NAT.
REDIRECT – port redirection.
MARK – tag packets for later processing.
Practical examples
# List all rules with packet/byte counters and numeric addresses and ports
iptables -nvL
# Drop SSH from everywhere ...
iptables -A INPUT -p tcp --dport 22 -j DROP
# ... then insert an exception at the top of INPUT so the LAN subnet is matched before the DROP rule
iptables -I INPUT -s 173.168.16.0/24 -p tcp --dport 22 -j ACCEPT
# Accept packets belonging to connections the host already knows about
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# NetBIOS name service and datagram service
iptables -A INPUT -p udp --dport 137 -j ACCEPT
iptables -A INPUT -p udp --dport 138 -j ACCEPT
# Refuse inbound echo requests (type 8) and outbound echo replies (type 0)
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 0 -j REJECT
# Set the default policy last: anything not matched above is dropped
iptables -P INPUT DROP
# Forward TCP port 800 on the public address to an internal web server
iptables -t nat -A PREROUTING -p tcp -d 60.205.177.173 --dport 800 -j DNAT --to-destination 173.168.16.2:80
# Masquerade the LAN behind the address of eth0
iptables -t nat -A POSTROUTING -o eth0 -s 173.168.16.0/24 -j MASQUERADE
Using NAT for LAN sharing
Enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
# or permanently in /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
Add an SNAT or MASQUERADE rule on the internet‑connected host:
iptables -t nat -A POSTROUTING -o eth0 -s 173.168.16.0/24 -j SNAT --to-source 60.205.177.173
# or, if the external IP is dynamic:
iptables -t nat -A POSTROUTING -o eth0 -s 173.168.16.0/24 -j MASQUERADE
Port forwarding to internal services
Expose an internal web server to the outside world:
iptables -t nat -A PREROUTING -d 60.205.177.173 -p tcp -i eth0 --dport 800 -j DNAT --to-destination 173.168.16.2:80
If the internal server's replies would otherwise not pass back through this host, add a corresponding SNAT rule so that return traffic is routed correctly.
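The LAN-sharing and port-forwarding steps above are usually applied as one atomic ruleset rather than rule by rule. The following script is an added example, not code from the original article: it emits an iptables-restore file that combines the article's pieces (default DROP on INPUT, SSH only from the LAN, stateful ACCEPT, SNAT for the LAN, DNAT for the web server) and refuses to build rules from empty arguments. The function name gen_ruleset and the argument order are this example's own choices; the addresses default to the article's sample values.

```shell
#!/bin/sh
# Added example, not code from the original article: emit a complete
# iptables-restore ruleset for a NAT gateway so the whole policy is
# loaded atomically instead of one rule at a time.
# Arguments: WAN_IF EXT_IP LAN_NET [FWD_PORT INT_HOST:PORT]
gen_ruleset() {
    wan_if=$1 ext_ip=$2 lan_net=$3
    fwd_port=${4:-800} fwd_to=${5:-173.168.16.2:80}
    # An empty -s/-d/-i value would silently widen a rule to match
    # everything, so refuse to build a ruleset from missing values.
    [ -n "$wan_if" ] && [ -n "$ext_ip" ] && [ -n "$lan_net" ] || return 1
    int_host=${fwd_to%:*} int_port=${fwd_to#*:}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $lan_net -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $lan_net -o $wan_if -j ACCEPT
-A FORWARD -i $wan_if -d $int_host -p tcp --dport $int_port -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $wan_if -d $ext_ip -p tcp --dport $fwd_port -j DNAT --to-destination $fwd_to
-A POSTROUTING -o $wan_if -s $lan_net -j SNAT --to-source $ext_ip
COMMIT
EOF
}

# Stand-alone demo with the article's sample addresses. To apply:
#   gen_ruleset eth0 60.205.177.173 173.168.16.0/24 > gateway.rules
#   iptables-restore < gateway.rules
gen_ruleset eth0 60.205.177.173 173.168.16.0/24
```

Because INPUT and FORWARD carry a DROP policy, the FORWARD rule for the DNAT target is what lets the forwarded connection through; without it the PREROUTING DNAT alone would rewrite the destination and the packet would then be dropped.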
Ops Development Stories
Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.