Understanding iptables: Tables, Chains, and NAT Operations
This article provides a comprehensive overview of iptables, detailing its host‑type filter table, limitations, the four main tables (filter, nat, mangle, raw), their respective chains, common command examples, and explains NAT concepts such as SNAT, DNAT, and MASQUERADE for Linux network security.
1. iptables as a host-type firewall: the filter table controls traffic to and from the server itself, protecting the host by restricting external access.
iptables limitations:
1) The firewall can filter packets coming from the Internet, but not traffic that stays inside the internal network, so attacks launched from inside bypass it.
2) Unpatched vulnerabilities on the server itself allow attackers to get around the firewall's filtering.
3) The firewall cannot block every attack, especially malicious content carried inside application data that it forwards.
4) Under normal conditions every packet passes through the firewall, which can make it a network bottleneck; under attack it may become overloaded and impede legitimate traffic.
iptables four tables:
(1) filter table – input, forward, output chains: filters packets in both directions from a single table.
input: filters packets destined for the local machine.
forward: filters packets passing through the machine.
output: filters packets originating from the local machine.
Summary: accepting or dropping packets according to rules is what implements the host-type firewall.
(2) nat table – prerouting, postrouting, output: used for address translation.
prerouting: modifies the destination address before the routing decision.
postrouting: modifies the source address after the routing decision.
output: mainly handles locally generated (internal) traffic.
Summary: the table for changing IP addresses and ports.
(3) mangle table – used mainly for marking packets and modifying their headers.
(4) raw table – used to control connection tracking, for example to exempt packets from it.
iptables five built‑in chains:
PREROUTING – before the routing decision.
POSTROUTING – after the routing decision.
INPUT – packets addressed to the local host.
OUTPUT – packets generated by the local host.
FORWARD – packets routed through the host.
Example commands:
iptables -I INPUT -p icmp -j DROP   # drop all incoming ICMP (e.g. ping), inserted at the head of INPUT
iptables -I INPUT -s 192.168.26.182 -j DROP   # drop everything from this source host
iptables -I INPUT -s 192.168.26.182 -i eth0 -p tcp --tcp-flags SYN,RST,ACK SYN -j DROP   # drop new TCP connection attempts (SYN set, RST and ACK clear) from this host arriving on eth0
TCP flag explanation: SYN – synchronization packet for three‑way handshake; ACK – acknowledgment; RST – reset.
Accepting a range of source IPs (iprange match module):
iptables -A INPUT -p tcp -m iprange --src-range 192.168.26.100-192.168.26.182 -j ACCEPT   # accept TCP from any source in the range
2. NAT – Network Address Translation
Internal network → router → external network (e.g., 192.168.1.10 ↔ 172.16.0.1).
The nat table is used on gateway routers for SNAT and DNAT, allowing communication between private and public networks.
(1) SNAT – source address translation:
iptables -F; iptables -X; iptables -Z; iptables -L -n   # flush rules, delete user chains, zero counters, then list (filter table; add -t nat to do the same for the nat table)
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j SNAT --to-source 192.168.200.10   # rewrite the source of LAN packets leaving ens33 to the fixed public address
(2) MASQUERADE – address masquerading for dynamic IPs (e.g., ADSL connections):
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE   # like SNAT, but uses whatever address ens33 currently holds
(3) DNAT – destination address translation:
iptables -t nat -A PREROUTING -i ens33 -d 192.168.200.10 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.10   # forward inbound port 80 on the public address to the internal web server
(4) PNAT – DNAT that also rewrites the destination port, a more secure variant of DNAT because the public port differs from the internal service port:
iptables -t nat -A PREROUTING -i ens33 -d 192.168.200.10 -p tcp --dport 2345 -j DNAT --to-destination 192.168.100.10:22   # public port 2345 maps to SSH (22) on the internal host
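To make the chain order concrete, here is an added example (not from the original article) that simulates how the SNAT, DNAT and PNAT rules above rewrite a packet as it crosses the nat table's PREROUTING chain, the routing decision, and the POSTROUTING chain. The router layout is assumed: ens33 carries the public address 192.168.200.10, a second interface ens37 serves the 192.168.100.0/24 LAN, and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str
    out_if: str = ""  # filled in by the routing decision

# Constructed router layout (assumed, not from the article): ens33 faces the public side with
# 192.168.200.10, ens37 serves the 192.168.100.0/24 LAN; routes are tried in order, first match wins.
IF_ADDR = {"ens33": "192.168.200.10", "ens37": "192.168.100.1"}
ROUTES = [("192.168.200.10/32", "local"), ("192.168.100.0/24", "ens37"), ("0.0.0.0/0", "ens33")]

def route(dst):
    """Routing decision: local delivery, the LAN interface, or the default route via ens33."""
    return next(dev for net, dev in ROUTES if ipaddress.ip_address(dst) in ipaddress.ip_network(net))

def snat(src_net, out_if, to_source=None):
    """POSTROUTING -s src_net -o out_if -j SNAT --to-source X; with to_source=None it behaves
    like MASQUERADE and uses whatever address out_if holds when the packet is matched."""
    net = ipaddress.ip_network(src_net)
    def rule(p):
        if p.out_if == out_if and ipaddress.ip_address(p.src) in net:
            return replace(p, src=to_source or IF_ADDR[out_if])
    return rule

def dnat(in_if, dst, dport, to_destination):
    """PREROUTING -i in_if -d dst -p tcp --dport dport -j DNAT --to-destination addr[:port]"""
    addr, _, port = to_destination.partition(":")
    def rule(p):
        if p.in_if == in_if and p.dst == dst and p.dport == dport:
            return replace(p, dst=addr, dport=int(port) if port else p.dport)
    return rule

def run_chain(chain, p):
    """SNAT/DNAT are terminating targets: the first matching rule rewrites the packet, else it passes."""
    return next((out for out in (rule(p) for rule in chain) if out is not None), p)

def traverse(p, prerouting, postrouting):
    p = run_chain(prerouting, p)         # nat PREROUTING: before the routing decision
    p = replace(p, out_if=route(p.dst))  # routing therefore sees the DNATed destination
    return run_chain(postrouting, p)     # nat POSTROUTING: after it, on the chosen interface

# The article's rules (1), (3) and (4), expressed with the helpers above.
PREROUTING = [dnat("ens33", "192.168.200.10", 80, "192.168.100.10"),
              dnat("ens33", "192.168.200.10", 2345, "192.168.100.10:22")]
POSTROUTING = [snat("192.168.100.0/24", "ens33", "192.168.200.10")]
```

Running `traverse` on a LAN packet shows the source rewritten only once routing has picked ens33, while an inbound packet to public port 2345 is redirected to 192.168.100.10:22 before routing, so it is forwarded to the LAN instead of reaching the router itself.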