Understanding iptables: A Comprehensive Introduction to Linux Packet Filtering

This article introduces Linux’s built-in iptables (netfilter) firewall, explains its four tables and chains, and provides detailed command-line examples for starting, stopping, configuring, listing, and managing rules, including common options and extended matching techniques.

ZhiKe AI

iptables firewall

Introduction

Iptables (netfilter) is a free packet‑filtering firewall integrated as a kernel module in Linux 2.4 and 2.6, providing fine‑grained control over inbound, outbound, and forwarded traffic.

Structure

iptables defines four tables: filter, nat, mangle, and raw. The filter table is the default and handles traffic to and from the local host.

filter table built‑in chains:

INPUT – filters packets whose destination is the local host.

FORWARD – filters packets that pass through the host without being destined for it.

OUTPUT – filters packets whose source is the local host.

Service commands (root)

Start the service

service iptables start

Stop the service

service iptables stop

Check status

service iptables status

Show run‑level start settings

chkconfig iptables --list
iptables        0:off 1:off 2:off 3:off 4:off 5:off 6:off

Enable start‑up at boot

sudo chkconfig iptables on

Disable start‑up at boot

sudo chkconfig iptables off

iptables commands

Show help

iptables --help
iptables -h
man iptables

List current rules (numeric output)

iptables -L -n

List rules with line numbers

iptables -L -n --line-numbers

List rules in the nat table

iptables -L -n -t nat

Flush all rules

iptables -F

Restart iptables (rules persist only if saved first)

service iptables restart

Save the current configuration

service iptables save

Block SSH (port 22) on INPUT

iptables -A INPUT -p tcp --dport 22 -j DROP

Delete the SSH block rule

iptables -D INPUT -p tcp --dport 22 -j DROP

Common option meanings:

-A, --append: add a rule to the end of a chain

-D, --delete: remove a rule from a chain, either by its rule number or by repeating the exact rule specification

-I, --insert: insert a rule at a specific position (default position 1)

-p, --proto: specify protocol (e.g., tcp, udp, icmp, all)

-j, --jump: target action – typically ACCEPT, DROP, or REJECT

-i: network interface name (e.g., eth0)

-s: source IP address

Keywords such as INPUT and DROP must be uppercase.

Allow SSH from 192.168.33.61, then block the rest of the 192.168.33.0/24 network on interface eth0. The ACCEPT rule must come before the DROP, because iptables stops at the first matching rule; with -A the rules are appended in the order given, so an ACCEPT appended after the network-wide DROP would never be reached. The source must carry the /24 mask, otherwise only the single address 192.168.33.0 is matched.

iptables -A INPUT -p tcp --dport 22 -i eth0 -s 192.168.33.61 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -s 192.168.33.0/24 -j DROP

Allow only traffic from 192.168.10.10; drop everything else

iptables -A INPUT ! -s 192.168.10.10 -j DROP

Block ICMP echo requests from 192.168.50.100

iptables -I INPUT -p icmp --icmp-type 8 -s 192.168.50.100 -j DROP

Extended matching

Implicit extensions are built‑in syntax such as -p tcp, --sport PORT, and --dport PORT.

Explicit extensions require the -m option to load a match module. Example: -p tcp --dport 22 is equivalent to -p tcp -m tcp --dport 22. The state extension tracks connection state via conntrack with values:

NEW – new connection request

ESTABLISHED – already established connection

INVALID – packet that conntrack cannot associate with any known connection (for example, a malformed packet)

RELATED – related to an existing connection

Match a range of ports (22–80) and drop

iptables -I INPUT -p tcp --dport 22:80 -j DROP

Match multiple ports (22, 80, 3306) and accept

iptables -I INPUT -p tcp -m multiport --dports 22,80,3306 -j ACCEPT
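The state and multiport extensions are most useful together with correct rule ordering. Here is an added example (not from the original article) of a small POSIX shell script that builds a default-deny INPUT chain; the interface eth0, the admin host 192.168.33.61, the admin network 192.168.33.0/24 and the service ports 80,443 are assumed values, and setting IPT=echo previews the rules without root.

```shell
#!/bin/sh
# Added example (not from the original article): build a default-deny,
# stateful INPUT policy from the pieces discussed above. Rule order is
# deliberate: iptables stops at the first terminating match, so the
# ESTABLISHED/RELATED and management-access rules must precede the catch-all.
# Assumed (constructed) values: interface eth0, admin host 192.168.33.61,
# admin network 192.168.33.0/24, public services on TCP 80 and 443.
# Set IPT=echo to print the rules instead of applying them (no root needed).
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
ADMIN_NET="${ADMIN_NET:-192.168.33.0/24}"
ADMIN_HOST="${ADMIN_HOST:-192.168.33.61}"
SERVICE_PORTS="${SERVICE_PORTS:-80,443}"

apply_input_policy() {
    # Reset the chain with policy ACCEPT first: if a later command fails, an
    # open SSH session is not cut off by a half-built chain under policy DROP.
    "$IPT" -P INPUT ACCEPT
    "$IPT" -F INPUT
    # Local services talk over loopback; accept it unconditionally.
    "$IPT" -A INPUT -i lo -j ACCEPT
    # Replies and related traffic for connections conntrack already knows.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot associate with any connection.
    "$IPT" -A INPUT -m state --state INVALID -j DROP
    # Management: new SSH connections only from the admin host.
    "$IPT" -A INPUT -i "$WAN_IF" -p tcp --dport 22 -s "$ADMIN_HOST" \
        -m state --state NEW -j ACCEPT
    # Public services on several ports in one rule (multiport extension).
    "$IPT" -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports "$SERVICE_PORTS" \
        -m state --state NEW -j ACCEPT
    # Echo requests (ICMP type 8) only from the admin network.
    "$IPT" -A INPUT -i "$WAN_IF" -p icmp --icmp-type 8 -s "$ADMIN_NET" -j ACCEPT
    # Everything not matched above is dropped; setting the policy last means
    # the allow rules are in place before the default becomes deny.
    "$IPT" -P INPUT DROP
}

# Return the rule list that would be applied, for review before a real run.
preview_input_policy() {
    ( IPT=echo; apply_input_policy )
}
```

Run preview_input_policy first and compare its output with iptables -L -n --line-numbers after applying, to confirm the order reached the kernel as intended.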

Drop outbound TCP traffic whose source port is 80

iptables -I OUTPUT -p tcp --sport 80 -j DROP
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
