iptables Firewall
iptables is the traditional Linux firewall using the netfilter framework.
Architecture
```
               ┌─────────────┐
               │ PREROUTING  │
               └──────┬──────┘
                      │
               ┌──────▼──────┐
       ┌───────│   ROUTING   │───────┐
       │       └─────────────┘       │
       │                             │
┌──────▼──────┐               ┌──────▼──────┐
│    INPUT    │               │   FORWARD   │
└──────┬──────┘               └──────┬──────┘
       │                             │
┌──────▼──────┐               ┌──────▼──────┐
│    Local    │               │ POSTROUTING │
│   Process   │               └─────────────┘
└──────┬──────┘
       │
┌──────▼──────┐
│   OUTPUT    │
└──────┬──────┘
       │
┌──────▼──────┐
│ POSTROUTING │
└─────────────┘
```
Tables and Chains
Tables
- filter - Default table for packet filtering
- nat - Network address translation
- mangle - Packet modification
- raw - Bypass connection tracking
Default Chains
- INPUT - Packets addressed to the local host
- OUTPUT - Packets generated by the local host
- FORWARD - Routed through system
- PREROUTING - Before routing decision
- POSTROUTING - After routing decision
Basic Commands
```bash
# List all rules
sudo iptables -L -n -v
# List with line numbers
sudo iptables -L -n --line-numbers
# List specific table
sudo iptables -t nat -L -n -v
# Flush all rules (filter table only; add -t nat / -t mangle to flush the others)
sudo iptables -F
# Delete specific rule (by its line number in the chain)
sudo iptables -D INPUT 3
```
Rule Syntax
```bash
iptables -A CHAIN -p PROTOCOL -s SOURCE -d DEST --dport PORT -j TARGET
# --dport/--sport are only valid together with -p tcp or -p udp
```
Common Targets
- ACCEPT - Allow the packet; chain traversal stops here
- DROP - Silently discard the packet
- REJECT - Discard the packet and send an error back to the sender (ICMP unreachable by default, or a TCP reset with --reject-with tcp-reset)
- LOG - Write the packet headers to the kernel log; non-terminating, so the packet continues to the next rule (or the chain policy)
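A LOG rule produces one kernel log line per packet, carrying the --log-prefix and netfilter's KEY=VALUE fields (IN, OUT, SRC, DST, PROTO, SPT, DPT, ...). The following shell functions, an added example that is not part of the original page, summarise such lines so the "Log before drop" practice actually yields something readable: drop_summary counts packets per source, protocol and destination port, and noisy_sources flags sources above a threshold. SAMPLE_LOG is constructed for this example with documentation-only addresses; on a live host you would feed it `journalctl -k` or /var/log/kern.log instead.

```bash
#!/bin/sh
# Added example: summarise packets recorded by an iptables LOG rule.
# The LOG target writes one kernel log line per packet, prefixed with --log-prefix;
# the KEY=VALUE fields (SRC, DST, PROTO, DPT, ...) are what netfilter emits.
# SAMPLE_LOG is constructed for this example and uses documentation-only addresses.
SAMPLE_LOG='Jan 10 12:00:01 gw kernel: IPTables-Drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:02 gw kernel: IPTables-Drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:03 gw kernel: IPTables-Drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=40000 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:04 gw kernel: IPTables-Drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:05 gw kernel: IPTables-Drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=51237 DPT=161 LEN=58
Jan 10 12:00:06 gw kernel: unrelated message that must be ignored'

# drop_summary: read log lines on stdin, print "count SRC PROTO DPT", most frequent first.
drop_summary() {
    awk '
    /IPTables-Drop: / {
        src = ""; proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue          # flags such as DF or SYN carry no value
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            if (key == "SRC") src = val
            else if (key == "PROTO") proto = val
            else if (key == "DPT") dpt = val
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# noisy_sources THRESHOLD: print "SRC total" for sources with at least THRESHOLD dropped packets.
noisy_sources() {
    awk -v t="$1" '
    /IPTables-Drop: / {
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) total[substr($i, 5)]++
    }
    END { for (s in total) if (total[s] >= t) print s, total[s] }
    ' | sort -k2,2nr -k1
}

# Typical use on a live host: journalctl -k | drop_summary
printf '%s\n' "$SAMPLE_LOG" | drop_summary
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
```

Lines without the configured prefix are ignored, so the functions can be pointed at the whole kernel log; the prefix string is the only coupling to the rule, which is why a distinctive --log-prefix is worth choosing.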
Common Rules
Allow Established Connections
```bash
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```
Allow SSH
```bash
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
```
Allow HTTP/HTTPS
```bash
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
```
Allow from Specific IP
```bash
sudo iptables -A INPUT -s 192.168.1.100 -j ACCEPT
```
Block IP Address
```bash
sudo iptables -A INPUT -s 10.0.0.50 -j DROP
```
Rate Limiting
```bash
# Pair with -m conntrack --ctstate NEW (as in the complete example) so only new connections are counted
sudo iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j ACCEPT
```
Default Drop Policy
```bash
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
```
Complete Example
```bash
#!/bin/bash
# Flush existing rules
iptables -F
iptables -X
# Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow established connections (first, so most packets match here and stop)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH (rate limited; -m limit counts all new SSH connections together, not per source)
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
# Allow HTTP/HTTPS
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Log dropped packets (LOG is non-terminating: anything reaching here is logged, then hits the INPUT DROP policy)
iptables -A INPUT -j LOG --log-prefix "IPTables-Drop: "
```
Save and Restore
```bash
# Save rules
sudo iptables-save > /etc/iptables.rules
# Restore rules
sudo iptables-restore < /etc/iptables.rules
# Persistent (Debian/Ubuntu)
sudo apt install iptables-persistent
sudo netfilter-persistent save
```
Best Practices
- Allow established first - For performance
- Default deny - Explicit allow rules
- Rate limit - SSH and login services
- Log before drop - For troubleshooting
- Test before applying - Avoid lockout
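"Test before applying" is usually done by arming a rollback before loading a new ruleset, so a rule that cuts off your own SSH session undoes itself. The shell functions below are an added example, not part of the original page; they build on iptables-save and iptables-restore from the Save and Restore section. The variable names IPT_SAVE and IPT_RESTORE, the confirm-file mechanism and the function names are assumptions introduced here; the variables exist so the logic can be exercised without root by pointing them at stub commands.

```bash
#!/bin/sh
# Added example: load a new ruleset with an armed rollback, so a mistake that cuts
# off your SSH session undoes itself instead of locking you out.
# IPT_SAVE / IPT_RESTORE are assumed variable names introduced here so the logic can
# be exercised without root by pointing them at stub commands.
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"

# apply_with_rollback RULES_FILE BACKUP_FILE CONFIRM_FILE [SECONDS]
# Prints the watchdog PID; pass it to confirm_rules once you have verified access.
apply_with_rollback() {
    rules_file=$1; backup_file=$2; confirm_file=$3; seconds=${4:-60}

    # 1. Snapshot the running rules: this is what the watchdog puts back.
    "$IPT_SAVE" > "$backup_file" || return 1
    rm -f "$confirm_file"

    # 2. Arm the watchdog BEFORE loading: if the new rules kill our session, the
    #    confirm file never appears and the snapshot is restored after $seconds.
    #    Its stdout/stderr are detached so callers can capture the PID with $(...).
    (
        sleep "$seconds"
        [ -e "$confirm_file" ] || "$IPT_RESTORE" < "$backup_file"
    ) > /dev/null 2>&1 &
    watchdog=$!

    # 3. Load the candidate ruleset; a load error rolls back immediately.
    if ! "$IPT_RESTORE" < "$rules_file"; then
        kill "$watchdog" 2> /dev/null || true
        "$IPT_RESTORE" < "$backup_file"
        return 1
    fi
    echo "$watchdog"
}

# confirm_rules CONFIRM_FILE WATCHDOG_PID: run from a FRESH session (proving you can
# still log in under the new rules) to keep them and disarm the watchdog.
confirm_rules() {
    : > "$1"
    kill "$2" 2> /dev/null || true
    return 0
}
```

Typical use: `pid=$(apply_with_rollback /etc/iptables.rules.new /root/iptables.backup /root/iptables.confirm 120)`, then open a second SSH session and run `confirm_rules /root/iptables.confirm "$pid"` there (these paths are placeholders). The watchdog is started before the load on purpose: if it were started afterwards and the load itself dropped the session, nothing would be armed.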
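The practices above can also be checked mechanically against an iptables-save dump, which is the format the Save and Restore section writes and the one a reviewer most often receives. The audit function below is an added example, not code from the original page: it reads a dump on stdin, prints one PASS/FAIL line per check and returns the number of failures. Both sample dumps are constructed for the example (the good one mirrors the Complete Example as iptables-save would print it); the SSH check only recognises the single-port --dport 22 form used on this page, and the audit_rules name is an assumption.

```bash
#!/bin/sh
# Added example: audit an iptables-save dump against this page's best practices.
# Usage on a live host: sudo iptables-save | audit_rules

# Constructed sample dump (documentation-only values, not a real host's rules).
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j LOG --log-prefix "IPTables-Drop: "
COMMIT'

# A second constructed dump that violates the practices (default accept,
# unlimited SSH accepted before the conntrack rule, no LOG rule).
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# audit_rules: read a dump on stdin, print PASS/FAIL per check, return the failure count.
audit_rules() {
    awk '
    # chain policy lines look like ":INPUT DROP [0:0]"
    /^:INPUT /   { input_policy = $2 }
    /^:FORWARD / { forward_policy = $2 }
    /^-A INPUT /  { rule[++n] = $0 }        # keep INPUT rules in chain order
    END {
        fails = 0
        fails += report("default deny on INPUT and FORWARD",
                        input_policy == "DROP" && forward_policy == "DROP")

        # the conntrack rule should precede every other ACCEPT except loopback
        est = 0; early_accept = 0
        for (i = 1; i <= n; i++)
            if (rule[i] ~ /ESTABLISHED/ && rule[i] ~ /-j ACCEPT/) { est = i; break }
        for (i = 1; i < est; i++)
            if (rule[i] ~ /-j ACCEPT/ && rule[i] !~ /-i lo /) early_accept = 1
        fails += report("ESTABLISHED,RELATED accepted before other INPUT rules",
                        est > 0 && !early_accept)

        # every rule accepting port 22 must carry the limit match
        ssh_ok = 1
        for (i = 1; i <= n; i++)
            if (rule[i] ~ /--dport 22( |$)/ && rule[i] ~ /-j ACCEPT/ && rule[i] !~ /-m limit/) ssh_ok = 0
        fails += report("SSH accept rules are rate limited", ssh_ok)

        # LOG is non-terminating, so it must be the last rule before the DROP policy
        fails += report("last INPUT rule logs what the DROP policy discards",
                        n > 0 && rule[n] ~ /-j LOG/)
        exit fails
    }
    function report(name, ok) {
        printf "%s %s\n", (ok ? "PASS" : "FAIL"), name
        return ok ? 0 : 1
    }
    '
}

printf '%s\n' "$GOOD_RULES" | audit_rules
printf '%s\n' "$BAD_RULES" | audit_rules
```

The ordering check is the one most often missed by eye: a permissive ACCEPT placed above the conntrack rule is not wrong for performance alone, it is also where an overly broad rule tends to hide, because everything that matches it never reaches the more specific rules below.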