Mastering iptables: A Complete Guide to Linux Firewall Tables, Chains, and Rules
This article provides a comprehensive overview of iptables, explaining its table and chain architecture, detailing the built‑in tables (filter, nat, mangle, raw), describing common chains and targets, and offering practical command‑line examples for listing, flushing, persisting, and customizing firewall rules on Linux systems.
iptables Structure
iptables is organized from top to bottom into tables, chains, and rules.
1. Tables and Chains
iptables includes four built‑in tables: filter, nat, mangle, and raw.
1. Filter Table
The filter table is the default table and contains three built‑in chains:
INPUT – handles incoming traffic.
OUTPUT – handles outgoing traffic.
FORWARD – handles traffic routed through the host from one interface to another (packets not addressed to the host itself).
2. NAT Table
The NAT table has three built‑in chains:
PREROUTING – processes packets as soon as they arrive, before routing; used for DNAT.
POSTROUTING – processes packets just before they leave the host; used for SNAT.
OUTPUT – processes locally generated packets.
3. Mangle Table
The mangle table is used to alter packet headers, such as QoS bits, and provides five built‑in chains:
PREROUTING
OUTPUT
FORWARD
INPUT
POSTROUTING
4. Raw Table
The raw table is consulted before connection tracking and is mainly used to exempt packets from it (the NOTRACK target); it has two built‑in chains:
PREROUTING
OUTPUT
2. iptables Rules
A rule consists of a condition and a target. If the condition matches, the target action is applied; otherwise, processing continues to the next rule.
Target Values
ACCEPT – allow the packet.
DROP – discard the packet.
QUEUE – hand the packet to userspace.
RETURN – stop processing the current chain and return to the calling chain.
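To make the first‑match rule and the RETURN target concrete, here is an added example that is not part of the original article: a small POSIX sh/awk model of how a chain is walked. The rule table is constructed for the example (CHAIN PROTO DPORT TARGET, with "*" as a wildcard) and uses a user‑defined chain named RH-Firewall-1-INPUT, modelled on the one in the listing further down; it is not a real ruleset.

```shell
#!/bin/sh
# Added example: a model of how iptables walks a chain (first match wins,
# a jump enters a user-defined chain, RETURN or end-of-chain hands control
# back to the caller, and the built-in chain's policy decides if nothing
# matched). Rule table constructed for the example, not a real ruleset.
RULES='INPUT * * RH-Firewall-1-INPUT
RH-Firewall-1-INPUT tcp 22 ACCEPT
RH-Firewall-1-INPUT udp 5353 ACCEPT
RH-Firewall-1-INPUT tcp 3306 RETURN
RH-Firewall-1-INPUT * * REJECT
INPUT tcp 3306 DROP'

# evaluate CHAIN POLICY PROTO DPORT -> prints the verdict for one packet
evaluate() {
    printf '%s\n' "$RULES" | awk -v chain="$1" -v policy="$2" -v proto="$3" -v dport="$4" '
        # load the table: one rule per line, kept in order
        { n++; rchain[n] = $1; rproto[n] = $2; rport[n] = $3; rtarget[n] = $4 }

        function matches(i) {
            return (rproto[i] == "*" || rproto[i] == proto) && (rport[i] == "*" || rport[i] == dport)
        }

        # walk chain c; returns a terminating verdict, or "RETURN" when the
        # chain returns explicitly or is exhausted without a verdict
        function walk(c,   i, v) {
            for (i = 1; i <= n; i++) {
                if (rchain[i] != c || !matches(i)) continue
                if (rtarget[i] == "ACCEPT" || rtarget[i] == "DROP" || rtarget[i] == "REJECT")
                    return rtarget[i]
                if (rtarget[i] == "RETURN")
                    return "RETURN"
                v = walk(rtarget[i])            # jump into a user-defined chain
                if (v != "RETURN") return v     # verdict reached inside it
                # otherwise continue with the next rule of this chain
            }
            return "RETURN"
        }

        END {
            v = walk(chain)
            if (v == "RETURN") v = policy       # fell off the built-in chain
            print v
        }'
}

# Stand-alone run: a few packets against the table above
for pkt in "tcp 22" "tcp 3306" "udp 53"; do
    set -- $pkt
    echo "INPUT $1/$2 -> $(evaluate INPUT ACCEPT "$1" "$2")"
done
```

Note how tcp/3306 is handled: the user chain hits RETURN, so processing resumes in INPUT after the jump rule, where the later DROP rule matches. A packet with no matching rule anywhere (tcp/80 on an empty OUTPUT chain) falls through to the chain policy.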
Viewing Rules
# iptables -t filter --list
# iptables -t mangle --list
# iptables -t nat --list
# iptables -t raw --list
Example output for the filter table shows the INPUT, FORWARD, and OUTPUT chains with their rules.
# iptables --list
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
10 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
The fields displayed are rule number, target, protocol, options, source, and destination.
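The listing format can be audited mechanically. As an added example that is not from the original article, the following POSIX sh functions parse the output of `iptables -L -n --line-numbers` (the `-n` keeps addresses numeric, as in the listing above) and report each chain's policy and rule count, the chains whose default policy is ACCEPT, and ACCEPT rules that open a destination port to any source. The sample listing is constructed for the example, modelled on the article's output, not captured from a real host.

```shell
#!/bin/sh
# Added example: audit helpers for `iptables -L -n --line-numbers` output
# of one table. SAMPLE_LISTING is constructed for the example.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
3    ACCEPT     tcp  --  192.168.40.0/24      0.0.0.0/0            tcp dpt:3306

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0'

# chain_summary: stdin = listing; prints "CHAIN POLICY RULECOUNT" per chain
# (user-defined chains have no policy and print "-")
chain_summary() {
    awk '
        /^Chain / {
            if (chain != "") print chain, policy, rules
            chain = $2; rules = 0
            if ($3 == "(policy") { policy = $4; sub(/\)$/, "", policy) } else policy = "-"
            next
        }
        /^[0-9]+[ \t]/ { rules++ }      # a numbered rule line
        END { if (chain != "") print chain, policy, rules }
    '
}

# open_policy_chains: chains whose default policy is ACCEPT, i.e. anything
# not explicitly rejected gets through
open_policy_chains() {
    chain_summary | awk '$2 == "ACCEPT" { print $1 }'
}

# world_open_ports: ACCEPT rules with source 0.0.0.0/0 and a destination
# port, printed as "CHAIN PORT" (fields: num target prot opt src dst ...)
world_open_ports() {
    awk '
        /^Chain / { chain = $2; next }
        $2 == "ACCEPT" && $5 == "0.0.0.0/0" {
            for (i = 7; i <= NF; i++)
                if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print chain, $i }
        }
    '
}

# Stand-alone run against the constructed listing; on a live host feed the
# functions with: iptables -L -n --line-numbers
printf '%s\n' "$SAMPLE_LISTING" | chain_summary
printf '%s\n' "$SAMPLE_LISTING" | open_policy_chains
printf '%s\n' "$SAMPLE_LISTING" | world_open_ports
```

Rule 3 in the sample, which allows port 3306 only from 192.168.40.0/24, is deliberately not reported by world_open_ports; only the rule accepting port 22 from 0.0.0.0/0 is.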
3. Flushing All iptables Rules
Before configuring iptables, you usually check existing rules with iptables --list or iptables-save. To delete all current rules:
iptables --flush
# or
iptables -F
To clear the NAT table:
iptables -t nat -F
4. Making Rules Persistent
Changes made with iptables take effect immediately but live only in the kernel, so they are lost after a reboot. On systems with the iptables init service (RHEL/CentOS 6 style), save and reload rules as follows:
# Save iptables rules
service iptables save
# Restart iptables service
service iptables stop
service iptables start
View the current rules file:
cat /etc/sysconfig/iptables
5. Adding iptables Rules
Use iptables -A to append a new rule to the end of a chain. Typically the last rule drops all remaining traffic.
Syntax
iptables -A chain firewall-rule
-A chain – specify the chain to append to.
firewall-rule – the rule parameters.
Basic Rule Parameters
Common options include:
-p protocol (tcp, udp, icmp, or all).
-s source address.
-d destination address.
-j target (ACCEPT, DROP, QUEUE, RETURN, or another chain).
-i input interface.
-o output interface.
Extended Parameters
Additional options allow matching ports, TCP flags, ICMP types, etc. Examples:
--sport source port (for TCP/UDP).
--dport destination port.
-m state --state NEW,ESTABLISHED match connection state.
--tcp-flags specify TCP flag combinations.
--icmp-type specify ICMP type.
Example: Allow Only SSH
# Flush all rules
iptables -F
# Accept incoming SSH on eth0
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# Drop everything else
iptables -A INPUT -j DROP
Changing Default Policies
Instead of adding explicit DROP rules, you can change the default policy of a chain:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Warning: Changing the OUTPUT policy to DROP on a remote SSH session will terminate the connection because the server can no longer send packets.
Configuring Application‑Specific Rules
When the default policy is DROP, you must explicitly allow required traffic. For SSH and HTTP, use state matching:
# Allow incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# Allow incoming HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
Full Configuration Example
# Delete existing rules
iptables -F
# Set default policies to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# SSH rules (remote and local)
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# HTTP rules
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
Port Forwarding Example (MySQL)
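The same "default DROP, allow listed services" policy can be written once in the iptables-restore format that /etc/sysconfig/iptables holds (section 4) and checked before it is loaded. The following is an added example, not code from the original article: a POSIX sh generator for that format plus a lint that detects the lockout condition the warning above describes (a DROP policy with no ESTABLISHED rule in the same chain). It generalizes the per‑service rule pairs above: one RELATED,ESTABLISHED rule per direction covers the replies of every allowed service, loopback is allowed explicitly, and each listed port gets one NEW rule. As in the article's configuration, new outbound connections from the host stay blocked. The interface name, port list and UNSAFE_RULESET sample are constructed for the example.

```shell
#!/bin/sh
# Added example: emit a default-DROP filter table in iptables-restore format
# (the format iptables-save writes and /etc/sysconfig/iptables holds) and
# lint it for the lockout condition. Everything here is constructed.

# gen_ruleset IFACE PORT... : DROP policies, loopback and established traffic
# allowed first, then NEW TCP connections to each listed port on IFACE.
gen_ruleset() {
    iface=$1; shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # loopback and replies come first so an admin session survives the load
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -i $iface -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# lint_ruleset: stdin = restore-format rules; prints a message and exits 1
# when a chain has policy DROP but no rule accepting ESTABLISHED traffic
lint_ruleset() {
    awk '
        /^:INPUT DROP/  { in_drop = 1 }
        /^:OUTPUT DROP/ { out_drop = 1 }
        /^-A INPUT /  && /--state [A-Z,]*ESTABLISHED/ { in_est = 1 }
        /^-A OUTPUT / && /--state [A-Z,]*ESTABLISHED/ { out_est = 1 }
        END {
            rc = 0
            if (out_drop && !out_est) { print "OUTPUT policy DROP without an ESTABLISHED rule: remote sessions will be cut"; rc = 1 }
            if (in_drop && !in_est)   { print "INPUT policy DROP without an ESTABLISHED rule: replies to the host are dropped"; rc = 1 }
            exit rc
        }
    '
}

# Constructed counter-example: the mistake the warning describes, OUTPUT
# policy DROP with only inbound rules.
UNSAFE_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT'

# Stand-alone run: print the generated ruleset and lint both samples.
# To load the generated one on a host: gen_ruleset eth0 22 80 | iptables-restore
gen_ruleset eth0 22 80
gen_ruleset eth0 22 80 | lint_ruleset && echo "generated ruleset: ok"
printf '%s\n' "$UNSAFE_RULESET" | lint_ruleset || echo "unsafe sample: rejected"
```

The lint accepts the article's own configuration too, since its OUTPUT rules carry --state ESTABLISHED; it only rejects rulesets where a DROP policy would cut every reply.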
Enable packet forwarding and map external port 63306 to local MySQL port 3306:
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.conf.eth0.route_localnet=1
sysctl -w net.ipv4.conf.default.route_localnet=1
# NAT rules
iptables -t nat -A PREROUTING -p tcp --dport 63306 -j DNAT --to-destination 127.0.0.1:3306
iptables -t nat -A POSTROUTING -p tcp --dport 63306 -j SNAT --to-source 127.0.0.1
Restrict access to a single source IP (e.g., 192.168.40.154) by replacing the rule at its position in each chain (here rule 4; confirm the position with --line-numbers first):
iptables -t nat -R PREROUTING 4 -s 192.168.40.154 -p tcp --dport 63306 -j DNAT --to-destination 127.0.0.1:3306
iptables -t nat -R POSTROUTING 4 -s 192.168.40.154 -p tcp --dport 63306 -j SNAT --to-source 127.0.0.1
View NAT rules with line numbers:
iptables -L -t nat --line-numbers
Delete a NAT rule (here rule 1 of POSTROUTING):
iptables -t nat -D POSTROUTING 1
Common iptables command shortcuts:
-A – append rule.
-D – delete rule.
-R – replace rule.
-I – insert rule at a specific position.
-L – list rules.
-N – create a new user‑defined chain.
© Article reproduced from 高效运维 (all rights reserved).