Mastering iptables: Build Secure Linux Firewall Rules and NAT

This guide explains how iptables processes packets, defines rules, tables, and chains, describes common actions like ACCEPT, REJECT, DROP, MASQUERADE, SNAT, DNAT, and MARK, and provides practical command examples for configuring firewall filtering and network address translation on Linux systems.

Open Source Linux

What is a rule

A rule is a match condition plus an action, defined by an administrator: it matches packets on criteria such as source address, destination address, or protocol, and then performs an action such as ACCEPT, REJECT, or DROP.

ACCEPT: Pass the packet and stop further rule processing.

REJECT: Block the packet and send a notification (ICMP port‑unreachable, ICMP echo‑reply, or TCP reset).

DROP: Silently discard the packet.

MASQUERADE: Rewrite the source IP to the firewall’s NIC IP (useful for dynamic IPs).

SNAT: Rewrite the source IP to a specific static IP or range.

DNAT: Rewrite the destination IP to a specific IP or range.

MARK: Tag the packet for later matching.

RETURN: End processing in the current chain and return to the previous chain.

Example rule to accept HTTP/HTTPS traffic on eth0:

iptables -t filter -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -m multiport --dports 443,80 -j ACCEPT

This command allows TCP packets from the 192.168.1.0/24 subnet to reach local ports 80 and 443.

What is a table

Tables store groups of rules with specific purposes:

raw: decides whether a packet is subject to connection tracking.

mangle: modifies packet header fields.

nat: performs source/destination address and port translation (SNAT, DNAT, MASQUERADE, REDIRECT).

filter: filters inbound and outbound packets.

security: used by SELinux for MAC network rules (least common).

What is a chain

Chains are ordered lists of rules that are traversed at specific points in packet processing:

PREROUTING: before routing decision.

INPUT: for packets destined for the local host.

FORWARD: for packets being routed through the host.

OUTPUT: for locally generated packets.

POSTROUTING: after routing decision, before leaving the host.

Rules in a chain are evaluated top‑to‑bottom; once a rule matches, its action is taken and later rules are ignored. MARK and RETURN are the exceptions: MARK is non‑terminating, so evaluation continues with the next rule, and RETURN hands control back to the chain that called the current one.

Relationship between tables, chains, and rules

Tables determine which set of chains a packet traverses; within each chain, rules are ordered by insertion. When multiple tables define the same chain, the table priority (raw > mangle > nat > filter > security) decides which chain is evaluated first.

Packet flow through rules

Client‑side transmission: the packet enters the OUTPUT chain (raw → mangle → nat → filter → security), routing selects an interface, then the POSTROUTING chain (mangle → nat) runs before the packet leaves the NIC.

Server‑side reception: the packet enters the PREROUTING chain (raw → mangle → nat), routing decides it is for the local host, then the INPUT chain (mangle → nat → filter → security) runs before the packet reaches the application.

Forwarding scenario: the packet enters PREROUTING, is not destined for the local host, passes through the FORWARD chain (mangle → filter → security), then POSTROUTING (mangle → nat) before exiting. Forwarding requires net.ipv4.ip_forward=1, set for the running kernel with sysctl net.ipv4.ip_forward=1 or echo "1" > /proc/sys/net/ipv4/ip_forward, and made permanent by adding net.ipv4.ip_forward = 1 to /etc/sysctl.conf followed by sysctl -p.

NAT (Network Address Translation) overview

NAT allows devices in a private network to access the Internet using a single public IP.

SNAT (Source NAT)

Changes the source IP/port of outgoing packets, typically applied in the nat table’s POSTROUTING chain.

iptables -t nat -A POSTROUTING -d 192.168.1.11 -p tcp --dport 88 -j SNAT --to-source 122.9.3.47:88

This rewrites the source of packets destined for 192.168.1.11:88 to 122.9.3.47:88.

DNAT (Destination NAT)

Changes the destination IP/port of incoming packets, usually in the nat table’s PREROUTING chain.

iptables -t nat -A PREROUTING -d 202.12.10.100 -p tcp --dport 20022 -j DNAT --to-destination 192.168.10.11:22

This forwards traffic sent to 202.12.10.100:20022 to the internal host 192.168.10.11:22.

The Linux kernel records NAT mappings in the conntrack table, so subsequent packets of the same connection (in both directions) use the recorded translation without re‑evaluating the nat rules; nat chains only see the first packet of a connection.
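The rules, chains, forwarding and NAT material above, worked into one small gateway script as an added example (not code from the original article). It assumes eth0 is the WAN interface holding the article's public address 202.12.10.100 and eth1 is the LAN on 192.168.10.0/24 with the internal SSH host 192.168.10.11; with no argument it only prints the iptables commands, and "sh fw.sh apply" loads them as root.

```shell
#!/bin/sh
# Added example, not from the original article: a minimal stateful NAT gateway.
# Constructed assumptions: WAN=eth0 with public IP 202.12.10.100, LAN=eth1 on
# 192.168.10.0/24, internal SSH host 192.168.10.11 (addresses from the article).
# "sh fw.sh apply" loads the rules as root; with no argument it only prints them.
WAN=eth0
LAN=eth1
LAN_NET=192.168.10.0/24
PUBLIC_IP=202.12.10.100
SSH_HOST=192.168.10.11

# ipt: runs iptables when IPT=iptables, otherwise prints the command (dry run).
ipt() { ${IPT:-echo iptables} "$@"; }

build_rules() {
    # Start from empty filter/nat tables with deny-by-default INPUT and FORWARD.
    ipt -t filter -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # INPUT (filter): rules match top to bottom, so the conntrack shortcut for
    # replies goes first, then the article's HTTP/HTTPS rule limited to the LAN side.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -i "$LAN" -p tcp -s "$LAN_NET" -m multiport --dports 80,443 -j ACCEPT
    ipt -A INPUT -i "$LAN" -p tcp -s "$LAN_NET" --dport 22 -j ACCEPT
    # FORWARD (filter): the LAN may open connections to the WAN; only replies return.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # DNAT in PREROUTING only rewrites the destination; the packet still traverses
    # FORWARD, so the published service needs an explicit accept on its post-NAT address.
    ipt -A FORWARD -i "$WAN" -p tcp -d "$SSH_HOST" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # nat table: SNAT the LAN to the static public IP after routing (POSTROUTING) and
    # publish the internal SSH host on port 20022 before routing (PREROUTING).
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j SNAT --to-source "$PUBLIC_IP"
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp -d "$PUBLIC_IP" --dport 20022 \
        -j DNAT --to-destination "$SSH_HOST:22"
}

# enable_forwarding: the FORWARD chain only sees packets once routing is switched on.
enable_forwarding() {
    if [ "${IPT:-}" = iptables ]; then sysctl -w net.ipv4.ip_forward=1; else echo sysctl -w net.ipv4.ip_forward=1; fi
}

if [ "${1:-}" = apply ]; then IPT=iptables; fi
enable_forwarding
build_rules
```

With a dynamic WAN address, replace the SNAT rule's target with -j MASQUERADE, as the article describes.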

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
