Mastering iptables: Tables, Chains, Rules and Practical Commands

This guide explains the architecture of iptables—including tables, chains and rules—covers common targets, shows how to list, flush, persist and modify rules, and provides complete examples for SSH, HTTP, NAT port forwarding and source‑IP restrictions on Linux firewalls.

Liangxu Linux

iptables Architecture

iptables is organized, from top to bottom, into tables, chains and rules.

Tables and Chains

Four built‑in tables exist:

filter – default table with INPUT, OUTPUT and FORWARD chains

nat – contains PREROUTING, POSTROUTING and OUTPUT chains for address translation

mangle – five built‑in chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING) for packet QoS manipulation

raw – two built‑in chains (PREROUTING, OUTPUT), used mainly to exempt selected packets from connection tracking

Rules and Targets

A rule consists of a match condition and a target that determines what to do with matching packets. Common targets are:

ACCEPT – allow the packet

DROP – discard the packet

QUEUE – hand the packet to userspace

RETURN – stop processing the current chain and return to the calling chain

Viewing Existing Rules

# iptables -t filter --list
# iptables -t mangle --list
# iptables -t nat --list
# iptables -t raw --list

Example output for the filter table shows the chain name, policy, rule number, target, protocol, source and destination.

Flushing All Rules

iptables --flush
iptables -F

To clear the NAT table only:

iptables -t nat -F

Making Rules Persistent

# Save iptables rules
service iptables save
# Restart the service
service iptables stop
service iptables start

After saving, you can view the saved file with:

cat /etc/sysconfig/iptables

Appending New Rules

Use -A (append) to add a rule to the end of a chain. The last rule is often a catch‑all DROP. Example – allow SSH on port 22:

# Flush existing rules
iptables -F
# Accept inbound SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# Drop everything else
iptables -A INPUT -j DROP

Changing Default Chain Policies

Default policies can be inspected with -L. Changing them to DROP blocks traffic unless explicitly allowed.

# Set default policies to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Warning: If you change the OUTPUT policy to DROP while connected via SSH, the session will be terminated because the server can no longer send packets.

Application‑Specific Rules (SSH & HTTP)

When the default policy is DROP, you must allow both inbound and outbound traffic for each service using the -m state module.

# SSH inbound
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# SSH outbound response
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# HTTP inbound
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# HTTP outbound response
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
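As an added example (not code from the original article), the POSIX shell function below generalizes the per-service rules above: it emits a complete filter table in iptables-restore format for a default-DROP host, with one stateful rule per listed TCP port and a single ESTABLISHED,RELATED rule in place of the per-port outbound rules. The interface and ports are the caller's arguments; eth0, 22 and 80 in the usage comment simply mirror the article.

```shell
#!/bin/sh
# Added example, not code from the original article.
# gen_filter_ruleset IFACE PORT... prints a filter table in iptables-restore
# format: default DROP policies, loopback and already-tracked traffic allowed,
# and a NEW-state allow for each listed TCP port on IFACE. Loading it with
# iptables-restore replaces the filter table atomically, so the DROP policies
# never take effect before the ESTABLISHED rule that keeps the SSH session alive.
gen_filter_ruleset() {
    iface=$1; shift
    [ -n "$iface" ] && [ $# -ge 1 ] || { echo "usage: gen_filter_ruleset IFACE PORT..." >&2; return 1; }
    # validate every port before printing anything, so a bad argument yields no partial table
    for port in "$@"; do
        case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    done
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # loopback first, then anything conntrack already knows (this one OUTPUT line
    # replaces the article's per-service "--sport N --state ESTABLISHED" rules)
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # one NEW-state allow per service; anything else falls through to the DROP policy
    for port in "$@"; do
        printf '%s\n' "-A INPUT -i $iface -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Usage (needs root to load): write the table, syntax-check it, then load it.
#   gen_filter_ruleset eth0 22 80 > /tmp/filter.rules
#   iptables-restore --test /tmp/filter.rules && iptables-restore /tmp/filter.rules
```

Connections the server itself initiates (DNS, package updates) are still dropped by the OUTPUT policy, exactly as in the article's design; they need their own OUTPUT rules.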

NAT Example: Port‑Forward MySQL

Expose a local MySQL server (3306) on external port 63306.

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Allow packets arriving on eth0 to be routed to 127.0.0.1 (needed because the DNAT target is a loopback address)
sysctl -w net.ipv4.conf.eth0.route_localnet=1
sysctl -w net.ipv4.conf.default.route_localnet=1
# DNAT incoming connections
iptables -t nat -A PREROUTING -p tcp --dport 63306 -j DNAT --to-destination 127.0.0.1:3306
# SNAT outgoing packets (nat POSTROUTING sees the post-DNAT destination, so match 127.0.0.1:3306, not port 63306)
iptables -t nat -A POSTROUTING -p tcp -d 127.0.0.1 --dport 3306 -j SNAT --to-source 127.0.0.1

To restrict the forwarding to a single source IP (e.g., 192.168.40.154), replace the two rules in place with -R; the number is the rule's position in its chain:

# Positions (4 here) are the ones shown by: iptables -t nat -L --line-numbers
iptables -t nat -R PREROUTING 4 -s 192.168.40.154 -p tcp --dport 63306 -j DNAT --to-destination 127.0.0.1:3306
iptables -t nat -R POSTROUTING 4 -s 192.168.40.154 -p tcp -d 127.0.0.1 --dport 3306 -j SNAT --to-source 127.0.0.1
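As an added example that is not part of the original article, this shell function builds the restricted port-forward from the rules above for any number of allowed client addresses, in iptables-restore format, and validates each address first; it also prints the filter-table INPUT lines that the default DROP policy from the earlier sections requires, because after DNAT the packet reaches INPUT addressed to 127.0.0.1:3306 and none of the --dport 22/80 rules cover it. Ports and addresses are the caller's arguments; 63306, 3306 and 192.168.40.154 come from the article, 10.0.0.0/24 in the usage comment is a constructed value.

```shell
#!/bin/sh
# Added example, not code from the original article.

# ipv4_ok ADDR: true if ADDR is a dotted-quad IPv4 address or an a.b.c.d/NN prefix.
ipv4_ok() {
    addr=${1%%/*}; pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32          # no "/NN" given: a single host
    case $pfx in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    case $addr in ''|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# gen_mysql_forward EXT_PORT INT_PORT SRC...: nat table that DNATs EXT_PORT to
# 127.0.0.1:INT_PORT only for the listed sources. Unlisted clients match no rule,
# so nothing is forwarded for them (route_localnet from the article still applies).
gen_mysql_forward() {
    ext=$1; int=$2; shift 2
    [ $# -ge 1 ] || { echo "need at least one allowed source" >&2; return 1; }
    for src in "$@"; do
        ipv4_ok "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    printf '%s\n' '*nat'
    for src in "$@"; do
        printf '%s\n' "-A PREROUTING -s $src -p tcp --dport $ext -j DNAT --to-destination 127.0.0.1:$int"
    done
    printf '%s\n' 'COMMIT'
}

# mysql_input_allow INT_PORT SRC...: filter INPUT lines to merge into the filter
# ruleset. After DNAT the packet is addressed to 127.0.0.1:INT_PORT but still
# arrives on eth0, so a default-DROP INPUT chain needs this explicit allow.
mysql_input_allow() {
    int=$1; shift
    for src in "$@"; do
        printf '%s\n' "-A INPUT -s $src -d 127.0.0.1 -p tcp --dport $int -m state --state NEW -j ACCEPT"
    done
}

# Usage (root): gen_mysql_forward 63306 3306 192.168.40.154 10.0.0.0/24 > /tmp/nat.rules
#               iptables-restore --test /tmp/nat.rules && iptables-restore /tmp/nat.rules
```

Loading a file that contains only a *nat section replaces the nat table and leaves the filter table untouched, which is why the INPUT lines are emitted separately for merging.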

Rule Management Commands

-A – Append a rule

-D – Delete a rule (by number or specification)

-R – Replace a rule at a given position

-I – Insert a rule at a specific position

-L – List rules in a chain

-N – Create a new user‑defined chain

These commands allow fine‑grained control over the firewall configuration.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: firewall, Linux, NAT, network security, iptables, packet filtering
Written by

Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
