Information Security 17 min read

Understanding iptables: Structure, Tables, Chains, Rules, and Practical Configuration

This article provides a comprehensive guide to iptables, explaining its hierarchical structure of tables, chains, and rules, detailing the built‑in tables (filter, nat, mangle, raw) and their chains, describing rule syntax and target actions, and offering practical command examples for listing, flushing, saving, setting default policies, and configuring SSH, HTTP, NAT, and IP‑based restrictions.

Laravel Tech Community

iptables Structure

iptables is organized from top to bottom as Tables, Chains, and Rules.

Tables and Chains

iptables provides four built‑in tables: filter, nat, mangle, and raw. Each table contains its own built‑in chains.

1. Filter Table

INPUT – processes incoming packets.

OUTPUT – processes outgoing packets.

FORWARD – forwards packets to other network interfaces.

2. NAT Table

PREROUTING – handles packets arriving at the host before routing (used for DNAT).

POSTROUTING – handles packets leaving the host after routing (used for SNAT).

OUTPUT – handles locally generated packets.

3. Mangle Table

The mangle table is used to alter packet fields such as the QoS bits in the TCP header. It has five built‑in chains: PREROUTING, OUTPUT, FORWARD, INPUT, POSTROUTING.

4. Raw Table

The raw table processes packets before connection tracking. It has two built‑in chains: PREROUTING and OUTPUT.

Rules and Targets

A rule consists of a match condition and a target. If the condition matches, the specified target (e.g., ACCEPT, DROP, QUEUE, RETURN) is applied.

Common Target Values

ACCEPT – allow the packet.

DROP – discard the packet.

QUEUE – hand the packet to userspace.

RETURN – stop processing the current chain and return to the calling chain.

Typical Commands

# --list is the long form of -L; when -t is omitted the filter table is listed
iptables -t filter --list
iptables -t mangle --list
iptables -t nat --list
iptables -t raw --list

The output includes fields such as num (the rule number, shown when --line-numbers is given), target, prot, source, and destination.

Flushing All Rules

# -F without -t flushes only the filter table; default policies set with -P are left as they are
iptables --flush
# or
iptables -F

Clearing NAT Table Rules

iptables -t nat -F

Making Rules Persistent

# Save the current rules (SysV-style iptables service script)
service iptables save
# Restart the iptables service so the saved rules are reloaded
service iptables stop
service iptables start

Appending New Rules

Use -A (Append) to add a rule to the end of a chain. The last rule is often a DROP to block everything else.

Syntax Example

iptables -A chain firewall-rule

Key parameters include -p (protocol), -s (source address), -d (destination address), -j (target), -i (input interface), and -o (output interface).

Extended Parameters

--sport / --dport – source or destination port (TCP/UDP).

-m state --state – match packet state (NEW, ESTABLISHED, etc.).

--tcp-flags – match specific TCP flags.

--icmp-type – match ICMP types.

Practical Example: Allow Only SSH

# 1. Flush all rules
iptables -F
# 2. Accept SSH inbound traffic
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# 3. Drop everything else
iptables -A INPUT -j DROP

Changing Default Policies

Instead of adding explicit DROP rules, you can change the default policy of a chain.

# Set default policy to DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Be careful when changing the OUTPUT policy on a remote SSH session, as it can terminate the connection.

Application‑Specific Rules

SSH

# Allow inbound SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow outbound SSH responses
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

HTTP

# Allow inbound HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow outbound HTTP responses
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

Complete Configuration Example

# Delete existing rules
iptables -F
# Set default policies to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# SSH rules (incoming and outgoing)
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# HTTP rules
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
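The configuration above is applied rule by rule, so there is an interval between the DROP policies taking effect and the SSH accept rule existing, and it has no loopback or generic ESTABLISHED rules. As an added example (not code from the original article), the following script emits the same policy in iptables-restore format, which iptables-restore loads as a single atomic table replacement and can syntax-check first with --test. The interface and port list are parameters; "eth0 22 80" mirrors the article's values, the user chain is the article's "allowed", and the loopback, INVALID and ESTABLISHED,RELATED rules, the function name and the use of -m conntrack --ctstate (the current name of the match behind -m state) are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original article): emit the article's filter-table
# policy as an iptables-restore ruleset so it can be checked and loaded atomically.
# Interface and port list are parameters; "eth0 22 80" mirrors the article's values.

# gen_ruleset IFACE PORT...: print a complete *filter table in iptables-restore format
gen_ruleset() {
    iface="$1"; shift
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:allowed - [0:0]
# Loopback carries local resolver and database traffic; a DROP policy without these breaks it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Discard packets that connection tracking cannot attribute to any connection
-A INPUT -m conntrack --ctstate INVALID -j DROP
# One rule per direction covers every reply packet, so service rules only need to match NEW
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New inbound connections on $iface are decided in the user-defined chain "allowed"
-A INPUT -i $iface -m conntrack --ctstate NEW -j allowed
EOF
    # One ACCEPT per permitted TCP port (the article's SSH and HTTP rules, generalised)
    for port in "$@"; do
        printf '%s\n' "-A allowed -p tcp --dport $port -j ACCEPT"
    done
    # RETURN hands an unmatched packet back to INPUT, where the DROP policy applies
    printf '%s\n' "-A allowed -j RETURN" "COMMIT"
}

# With APPLY=1, parse the ruleset first (--test) and only then commit it. The
# commit replaces the whole table in one step, so there is no interval between
# "policy DROP" and "accept SSH" in which an existing SSH session loses packets.
if [ "${APPLY:-0}" = 1 ]; then
    gen_ruleset eth0 22 80 | iptables-restore --test && gen_ruleset eth0 22 80 | iptables-restore
else
    gen_ruleset eth0 22 80
fi
```

Without APPLY=1 the script only prints the ruleset, which is convenient for review or for checking into version control. Outbound traffic stays as closed as in the article's configuration: only replies are allowed out, so a host that must initiate connections itself (DNS lookups, package updates) needs explicit OUTPUT rules for those services.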

NAT Port Forwarding Example

Map local MySQL port 3306 to external port 63306.

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.conf.eth0.route_localnet=1
sysctl -w net.ipv4.conf.default.route_localnet=1
# DNAT rule: rewrite the destination of packets arriving on port 63306
iptables -t nat -A PREROUTING -p tcp --dport 63306 -j DNAT --to-destination 127.0.0.1:3306
# SNAT rule (as published). Note: a packet DNATed to 127.0.0.1 is delivered locally and does not
# traverse POSTROUTING, and connection tracking reverses the translation on replies, so this rule matches nothing.
iptables -t nat -A POSTROUTING -p tcp --dport 63306 -j SNAT --to-source 127.0.0.1

To restrict the forwarding to a single source IP (e.g., 192.168.40.154), replace the rules with:

# -R replaces the rule at the given position; 4 is the number shown by
# "iptables -t nat -L --line-numbers" in the author's listing, so adjust it to yours
iptables -t nat -R PREROUTING 4 -s 192.168.40.154 -p tcp --dport 63306 -j DNAT --to-destination 127.0.0.1:3306
iptables -t nat -R POSTROUTING 4 -s 192.168.40.154 -p tcp --dport 63306 -j SNAT --to-source 127.0.0.1
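As an added example (not part of the original article), the port-forwarding recipe above restricted to one client and applied idempotently: ensure_rule uses iptables -C to test for an identical rule before appending, so re-running the script never stacks duplicate rules, and DRY_RUN=1 prints the commands instead of executing them. The DNAT rule, the route_localnet sysctl, the client address 192.168.40.154 and the ports 63306/3306 are the article's. The filter INPUT rule is added because, with the article's INPUT DROP policy, the rewritten packet (destination 127.0.0.1:3306) would otherwise be dropped; the SNAT rule is omitted because connection tracking reverses the translation on the reply path. The function names and the -m conntrack match are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): idempotent, dry-runnable port
# forwarding to a service bound on 127.0.0.1, restricted to one client address.

IPT="${IPT:-iptables}"

# run CMD...: execute CMD, or print it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN-}" ]; then
        printf '%s\n' "$*"
        return 0
    fi
    "$@"
}

# rule_exists TABLE CHAIN RULE...: true if an identical rule is already present
# (iptables -C). In dry-run mode always report "absent" so the add step is shown.
rule_exists() {
    table="$1"; chain="$2"; shift 2
    [ -z "${DRY_RUN-}" ] || return 1
    "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null
}

# ensure_rule TABLE CHAIN RULE...: append RULE unless it is already there.
# A plain -A in a deployment script stacks a duplicate on every run.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    rule_exists "$table" "$chain" "$@" || run "$IPT" -t "$table" -A "$chain" "$@"
}

# enable_localnet IFACE: packets addressed to 127.0.0.0/8 that arrive on IFACE are
# discarded as invalid (martian) destinations unless route_localnet is set for it
enable_localnet() {
    run sysctl -w "net.ipv4.conf.$1.route_localnet=1"
}

# forward_port CLIENT EXT_PORT INT_PORT: CLIENT -> host:EXT_PORT becomes 127.0.0.1:INT_PORT
forward_port() {
    client="$1"; ext="$2"; int="$3"
    # nat/PREROUTING rewrites the destination before the routing decision, and only
    # for the one permitted client; every other source still sees a closed port
    ensure_rule nat PREROUTING -s "$client" -p tcp --dport "$ext" \
        -j DNAT --to-destination "127.0.0.1:$int"
    # filter/INPUT evaluates the packet after DNAT, so the accept rule must match
    # the rewritten destination; replies are reverse-translated by conntrack
    ensure_rule filter INPUT -s "$client" -d 127.0.0.1 -p tcp --dport "$int" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
}

# Values are the article's; set APPLY=1 to run for real, DRY_RUN=1 to preview
if [ "${APPLY:-0}" = 1 ]; then
    enable_localnet eth0
    forward_port 192.168.40.154 63306 3306
fi
```

Running it as "DRY_RUN=1 APPLY=1 sh forward.sh" prints the sysctl and the two iptables commands that would be executed; running it twice with APPLY=1 alone adds the rules once and then leaves the tables unchanged, which is the property the article's -R-by-rule-number approach lacks when the listing shifts.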

Managing NAT Rules

# List NAT rules with line numbers
iptables -L -t nat --line-numbers
# Delete rule number 1 of the NAT POSTROUTING chain
iptables -t nat -D POSTROUTING 1
# Add a new rule (appended at the end of the chain)
iptables -A INPUT ...
# Insert a rule at position 1 (--dport requires -p tcp or -p udp)
iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
# Define a new user chain
iptables -N allowed
Tags: firewall, Linux, NAT, network security, iptables, packet filtering
Written by

Laravel Tech Community

Specializing in Laravel development, we continuously publish fresh content and grow alongside the elegant, stable Laravel framework.
