Unlocking Linux Packet Filtering: How Netfilter and iptables Work Together
This article explains the fundamentals of Linux's Netfilter subsystem, how iptables builds on it with tables and chains, and provides practical command examples for creating, modifying, and inspecting firewall rules to control packet flow.
What is Netfilter
Netfilter is the Linux kernel subsystem that filters or modifies packets as they traverse the network stack. It registers hook functions at five hook points (PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, and POST_ROUTING), allowing modules such as iptables to intervene at specific stages.
PRE_ROUTING: before the routing decision, after the packet enters the IP layer.
LOCAL_IN: after routing, for packets destined for the local host, before they reach the upper-layer protocols.
FORWARD: after routing, for packets that will be forwarded to another host.
LOCAL_OUT: before routing, for packets generated locally.
POST_ROUTING: after routing, just before the packet leaves the host.
iptables Overview
iptables is a user-space utility that configures Netfilter tables. Four built-in tables exist, each attached to specific hook points:
filter (default): provides INPUT, OUTPUT, and FORWARD chains for basic packet filtering.
nat: provides PREROUTING, POSTROUTING, and OUTPUT chains for network address translation.
mangle: provides five chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING) for altering packet headers, QoS, TTL, etc.
raw: provides PREROUTING and OUTPUT chains for connection-tracking exemptions.
Command Syntax
The general form is:
iptables -t <table> -A <chain> [match-options] -j <target>
Common options include:
-t <table>: select the table.
-A <chain>: append a rule.
-D <chain>: delete a rule.
-I <chain>: insert a rule at the top.
-R <chain>: replace a rule.
-L: list rules.
-F: flush (clear) a chain.
-Z: zero counters.
-N: create a user-defined chain.
-P: set default policy.
-p: protocol (e.g., tcp, udp).
-s: source IP.
-d: destination IP.
-i / -o: input/output interface.
--dport / --sport: destination/source ports.
-j <target>: action to take when a rule matches.
Match Conditions
Basic matches cover source and destination IP addresses. Extended matches add protocol, source/destination ports, interfaces, and more.
Actions (Targets)
ACCEPT: allow the packet.
DROP: silently discard the packet.
REJECT: discard and optionally send an error reply.
SNAT / MASQUERADE: source NAT (useful for outbound traffic).
DNAT / REDIRECT: destination NAT or port redirection.
LOG: write a log entry to /var/log/messages and continue processing.
Example Rules
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT   # allow loopback traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT           # allow HTTP traffic
iptables -A FORWARD -j REJECT                           # block all forwarded packets
iptables -I INPUT -s 124.45.0.0/16 -j DROP              # block an entire IP range
iptables -L -n -v                                       # list current rules with counters
Conclusion
The article introduced Netfilter’s role in the Linux networking stack, showed how iptables maps tables and chains to Netfilter hook points, and gave a concise guide to building basic firewall rules. For advanced features such as connection tracking, rate limiting, or custom extensions, readers should consult the official iptables and Netfilter documentation.
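Putting the command syntax, targets and example rules above together, the following added script (not from the original article) builds a complete filter-table policy: it resets the table, creates a user-defined chain that logs and then drops, inserts the block for 124.45.0.0/16 ahead of the allow rules, and sets default policies last. The allowed ports, the chain name LOGDROP and the log prefix are constructed for this example; by default the script only prints the commands and runs them only when APPLY=1 (which requires root).

```shell
#!/bin/sh
# Added example: builds an ordered filter-table rule set from the article's pieces.
# Prints each command; executes it only when APPLY=1 (needs root and Netfilter).
ALLOW_TCP_PORTS="22 80"          # constructed sample: SSH and HTTP
BLOCK_RANGE="124.45.0.0/16"      # the range blocked in the article's examples

# run: echo the iptables command, and execute it only in APPLY mode
run() {
    printf '%s\n' "iptables $*"
    [ "${APPLY:-0}" = "1" ] && iptables "$@"
    return 0
}

build_filter_rules() {
    # Start clean: flush rules, delete user-defined chains, zero counters
    run -t filter -F
    run -t filter -X
    run -t filter -Z
    # User-defined chain (constructed name LOGDROP): LOG is non-terminating,
    # so a matching packet continues to the DROP rule right after it
    run -N LOGDROP
    run -A LOGDROP -j LOG --log-prefix "IPT-DROP:"
    run -A LOGDROP -j DROP
    # First match wins: insert the block at the top, before any ACCEPT
    run -I INPUT -s "$BLOCK_RANGE" -j LOGDROP
    run -A INPUT -i lo -j ACCEPT
    for port in $ALLOW_TCP_PORTS; do
        run -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    # Catch-all: anything unmatched in INPUT is logged, then dropped
    run -A INPUT -j LOGDROP
    # This host is not a router: refuse forwarded packets with an error reply
    run -A FORWARD -j REJECT
    # Default policies apply only when no rule matched; set them last
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
}

build_filter_rules
```

Review the printed commands first, then rerun with APPLY=1 to install them; `iptables -L -n -v` afterwards shows the LOGDROP chain and its counters.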
Liangxu Linux
Liangxu, a self-taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge: fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.