Mastering iptables: Understand Tables, Chains, and Rules for Linux Firewalls
This tutorial introduces iptables, the Linux firewall tool, explaining its hierarchical structure of tables, chains, and rules, detailing each built‑in table (filter, nat, mangle, raw), common targets, and command examples for listing and managing firewall configurations.
The iptables firewall is used for packet filtering and NAT rules and is included with all Linux distributions. Learning how to set up and configure iptables helps you manage a Linux firewall effectively.
The iptables tool may look complex at first, but once you understand its structure, reading and writing firewall rules becomes straightforward.
This article is the first part of an ongoing iptables tutorial series and explains the basic concepts of tables, chains, and rules.
At a high level, iptables consists of tables, each containing chains, and each chain containing rules that define how packets are handled.
The structure can be expressed as: iptables → Tables → Chains → Rules.
I. IPTABLES Tables and Chains
iptables provides four built‑in tables.
1. Filter Table
The filter table is the default table. It contains three built‑in chains:
INPUT – handles incoming packets destined for the local server.
OUTPUT – handles packets generated locally and leaving the server.
FORWARD – handles packets routed through the server.
2. NAT Table
The NAT table contains three built‑in chains:
PREROUTING – alters packets before routing (used for DNAT).
POSTROUTING – alters packets after routing (used for SNAT).
OUTPUT – NAT for locally generated packets.
3. Mangle Table
The mangle table is used for specialized packet modifications and includes the following built‑in chains:
PREROUTING
OUTPUT
FORWARD
INPUT
POSTROUTING
4. Raw Table
The raw table is used for configuring exceptions to connection tracking and includes two built‑in chains:
PREROUTING
OUTPUT
II. IPTABLES Rules
Key points to remember about iptables rules:
A rule consists of a match and a target.
If the match succeeds, processing jumps to the specified target; otherwise, the next rule is evaluated.
Target Values
Common special target values include:
ACCEPT – the packet is allowed.
DROP – the packet is discarded.
QUEUE – the packet is passed to userspace.
RETURN – stop processing the current chain and return to the calling chain.
Use the following command to view the default filter table. The output shows the INPUT, FORWARD, and OUTPUT chains with their default policies.
# iptables -t filter --list
To view the other tables:
# iptables -t mangle --list
# iptables -t nat --list
# iptables -t raw --list
Note: omitting the -t option displays the filter table, so # iptables -t filter --list and # iptables --list are equivalent.
Example of rules defined in the filter table (listed with -n so addresses are printed numerically and --line-numbers so the num column appears):
# iptables -n --list --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1 all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1 all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain RH-Firewall-1 (2 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
10 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
The iptables --list output includes the following fields:
num – rule number within the chain.
target – the action taken when the rule matches.
prot – protocol (tcp, udp, icmp, etc.).
opt – special options for the rule.
source – source IP address of the packet.
destination – destination IP address of the packet.
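As an added example that is not part of the original article, the following POSIX shell script (awk does the parsing) reads a listing in the format shown above and reports the two things a firewall reviewer checks first: built‑in chains whose default policy is ACCEPT, and rules that ACCEPT everything with no visible match. The sample listing is constructed from the chains above, and the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample (abridged from the listing above) in the format printed by
# "iptables -n --list --line-numbers": numeric addresses, numbered rules.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1 all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1 all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain RH-Firewall-1 (2 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
10 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited'

# chain_policy CHAIN: print the default policy of a built-in chain read from a
# listing on stdin (user-defined chains have no policy, so nothing is printed).
chain_policy() {
  awk -v c="$1" '$1 == "Chain" && $2 == c && match($0, /\(policy [A-Z]+\)/) {
    print substr($0, RSTART + 8, RLENGTH - 9)
  }'
}

# audit_listing: read a listing on stdin and print one finding per line.
#   POLICY  - built-in chain whose default policy is ACCEPT (a packet that
#             matches no rule falls off the end of the chain and is allowed).
#   OPENALL - rule that ACCEPTs prot "all" from anywhere to anywhere with no
#             further match text. Without -v the in/out interface columns are
#             hidden, so re-check such a rule with "iptables -vnL" first.
audit_listing() {
  awk '
    /^Chain / {
      chain = $2
      if (match($0, /\(policy [A-Z]+\)/) && substr($0, RSTART + 8, RLENGTH - 9) == "ACCEPT")
        print "POLICY " chain " default policy is ACCEPT"
      next
    }
    $1 == "num" || NF == 0 { next }   # column header and blank separator lines
    # fields: num target prot opt source destination [match options ...]
    $2 == "ACCEPT" && $3 == "all" && $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" && NF == 6 {
      print "OPENALL " chain " rule " $1 " accepts all traffic; verify interfaces with -v"
    }
  '
}

printf '%s\n' "$SAMPLE_LISTING" | audit_listing
```

On a live system, replace the sample with `iptables -n --list --line-numbers | audit_listing`; a POLICY finding on INPUT means the host relies entirely on its rules (here the RH-Firewall-1 chain's final REJECT) rather than on a DROP default.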
MaGe Linux Operations