HxHippy

iptables Fundamentals

Master iptables for Linux firewall management with chains, tables, and rules.

Last updated: 2025-01-15

iptables Firewall

iptables is the traditional user-space tool for the Linux kernel's netfilter packet-filtering framework. The rules live in the kernel; the iptables command only adds, lists and removes them. On current distributions the iptables binary is often the iptables-nft compatibility front end to nftables, but the syntax below is unchanged. iptables handles IPv4 only: IPv6 has a separate ruleset managed with ip6tables.

Architecture

                    ┌─────────────┐
                    │ PREROUTING  │
                    └──────┬──────┘
                           │
                    ┌──────▼──────┐
            ┌───────│   ROUTING   │───────┐
            │       └─────────────┘       │
            │                             │
     ┌──────▼──────┐              ┌───────▼──────┐
     │    INPUT    │              │   FORWARD    │
     └──────┬──────┘              └───────┬──────┘
            │                             │
     ┌──────▼──────┐              ┌───────▼──────┐
     │    Local    │              │ POSTROUTING  │
     │   Process   │              └──────────────┘
     └──────┬──────┘
            │
     ┌──────▼──────┐
     │   OUTPUT    │
     └──────┬──────┘
            │
     ┌──────▼──────┐
     │   ROUTING   │
     └──────┬──────┘
            │
     ┌──────▼──────┐
     │ POSTROUTING │
     └─────────────┘

Packets addressed to this host traverse PREROUTING, the routing decision and INPUT. Packets for other hosts take PREROUTING, FORWARD and POSTROUTING. Packets generated locally take OUTPUT, a routing decision of their own and POSTROUTING. Each of these hooks is shared by several tables: raw is consulted first (before connection tracking), then mangle, then nat for destination translation in PREROUTING and OUTPUT, then filter; source translation in POSTROUTING happens after the filter decision has been made.

Tables and Chains

Tables

  • filter - Default table for packet filtering (INPUT, FORWARD, OUTPUT); used when -t is omitted
  • nat - Network address translation (PREROUTING for DNAT, POSTROUTING for SNAT/MASQUERADE, plus OUTPUT and INPUT). Only the first packet of a connection is evaluated; conntrack applies the result to the rest
  • mangle - Packet modification such as TOS/DSCP, TTL and packet marks (all five chains)
  • raw - Consulted before connection tracking (PREROUTING, OUTPUT); mainly used with -j NOTRACK or -j CT --notrack to exempt traffic from conntrack

Default Chains

  • INPUT - Packets addressed to this host, on their way to a local process
  • OUTPUT - Packets generated by local processes
  • FORWARD - Packets routed through this host (only seen when net.ipv4.ip_forward=1)
  • PREROUTING - Packets as they arrive on an interface, before the routing decision (where DNAT happens)
  • POSTROUTING - Packets about to leave an interface, after the routing decision (where SNAT/MASQUERADE happens)

Basic Commands

# List the filter table with packet/byte counters, without DNS lookups
sudo iptables -L -n -v

# List with line numbers (needed to delete, insert or replace by position)
sudo iptables -L -n --line-numbers

# List rules as the commands that would recreate them
sudo iptables -S

# List a specific table (-L without -t shows only filter)
sudo iptables -t nat -L -n -v

# Flush all rules in the filter table (other tables need -t).
# Policies are not reset, so flushing while INPUT is DROP blocks everything.
sudo iptables -F

# Delete rule number 3 in INPUT (or repeat the exact rule with -D instead of -A)
sudo iptables -D INPUT 3

Rule Syntax

iptables [-t TABLE] -A CHAIN [-i IFACE] [-p PROTOCOL] [-s SOURCE] [-d DEST] [--dport PORT] [-m MATCH ...] -j TARGET

-A appends to the end of the chain; -I CHAIN [N] inserts at position N (default 1, the top). Rules are evaluated top to bottom and the first terminating match decides, so position matters. --dport and --sport are options of the tcp and udp matches and are only valid after -p tcp or -p udp; without -p they are rejected.

Common Targets

  • ACCEPT - Allow the packet; evaluation of the chain stops
  • DROP - Silently discard; the sender sees a timeout
  • REJECT - Discard and send an error back: ICMP port-unreachable by default, or a TCP RST with --reject-with tcp-reset. Kinder to legitimate clients, but confirms to a scanner that the host exists
  • LOG - Write the packet headers to the kernel log (dmesg, journalctl -k). LOG is non-terminating: the packet continues to the next rule, so a LOG rule needs a DROP/REJECT or the chain policy after it

Common Rules

Allow Established Connections

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Allow SSH

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Allow HTTP/HTTPS

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Allow from Specific IP

sudo iptables -A INPUT -s 192.168.1.100 -j ACCEPT

Block IP Address

# Insert at the top (-I) so the block is evaluated before any ACCEPT rule;
# appended with -A it would sit below the allow rules and never match
sudo iptables -I INPUT -s 10.0.0.50 -j DROP

Rate Limiting

# Count only new connections; without --ctstate NEW the limit would also
# throttle packets of SSH sessions that are already established
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT

The limit match keeps a single counter for the rule, so one noisy client uses up the allowance for everyone; per-source limiting needs -m hashlimit (--hashlimit-mode srcip) or -m recent. Packets over the limit are not dropped by this rule: they fall through to the rules below it, so the default DROP policy (or an explicit DROP) is what actually blocks them.

Default Drop Policy

# Set these only after the allow rules (at least loopback, ESTABLISHED,RELATED
# and SSH) are in place; setting INPUT DROP first over a remote session locks you out
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
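
Switching INPUT to DROP over SSH is the classic way to lock yourself out: if the allow rules contain a mistake, the session dies and nothing undoes the change. The script below is an added example, not from the original page, of a dead man's switch around iptables-restore: it snapshots the live ruleset with iptables-save, arms a timer that restores the snapshot, loads the new rules, and cancels the timer only when you confirm from a session that still works. The IPT_SAVE_CMD and IPT_RESTORE_CMD variables and the function names are this example's own, introduced so the procedure can be dry-run against stub commands; the new ruleset is assumed to be a file in iptables-save format.

```bash
#!/bin/sh
# Apply a new ruleset with an automatic rollback ("dead man's switch").
# If the new rules lock you out, you cannot run confirm_rules, so the
# previous ruleset is restored after ROLLBACK_TIMEOUT seconds. Run as root.
# Assumptions (this example's own, not from the page): the new rules are a
# file in iptables-save format; the *_CMD variables exist so the procedure
# can be exercised against stub commands without touching a live firewall.
IPT_SAVE_CMD=${IPT_SAVE_CMD:-iptables-save}
IPT_RESTORE_CMD=${IPT_RESTORE_CMD:-iptables-restore}
ROLLBACK_TIMEOUT=${ROLLBACK_TIMEOUT:-60}

# Parse the ruleset without committing it (iptables-restore --test)
check_rules() {
    "$IPT_RESTORE_CMD" --test < "$1"
}

# Snapshot the current rules, arm the rollback timer, load the new rules.
# Sets ROLLBACK_PID and ROLLBACK_BACKUP for confirm_rules.
apply_with_rollback() {
    rules_file=$1
    check_rules "$rules_file" || {
        echo "refusing to load: syntax check failed" >&2
        return 1
    }

    ROLLBACK_BACKUP=$(mktemp) || return 1
    "$IPT_SAVE_CMD" > "$ROLLBACK_BACKUP" || return 1

    # Background timer: restores the snapshot unless it is killed first.
    # It deletes the snapshot afterwards so confirm_rules can tell that
    # the rollback has already happened.
    (
        sleep "$ROLLBACK_TIMEOUT"
        "$IPT_RESTORE_CMD" < "$ROLLBACK_BACKUP"
        rm -f "$ROLLBACK_BACKUP"
        echo "rollback: previous ruleset restored" >&2
    ) &
    ROLLBACK_PID=$!

    "$IPT_RESTORE_CMD" < "$rules_file" || return 1
    echo "new rules loaded; run confirm_rules within ${ROLLBACK_TIMEOUT}s to keep them"
}

# Cancel the timer and keep the new rules. Returns non-zero if the
# timer already fired, i.e. the old rules are back in place.
confirm_rules() {
    kill "$ROLLBACK_PID" 2>/dev/null || true
    if [ -f "$ROLLBACK_BACKUP" ]; then
        rm -f "$ROLLBACK_BACKUP"
        echo "rules confirmed; rollback cancelled"
        return 0
    fi
    echo "too late: the rollback already restored the previous rules" >&2
    return 1
}

# Typical use from an SSH session after sourcing this file:
#   apply_with_rollback /etc/iptables.rules.new
#   (open a second SSH connection to prove the new rules let you in)
#   confirm_rules
```

The timeout should be long enough to open a fresh connection and check it, but short enough that an unreachable box comes back on its own; 60 seconds is a reasonable default. The rollback runs from a background subshell of your session, so do not exit that shell before confirming.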

Complete Example

#!/bin/bash
# Host firewall for a web server administered over SSH. Run as root.
# IPv4 only: mirror these rules with ip6tables, or IPv6 stays unfiltered.

# Open the policies first so the flush below cannot cut off the
# SSH session this script is being run from
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Flush rules and delete user-defined chains (filter table only)
iptables -F
iptables -X

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Drop packets conntrack cannot classify (malformed, out of window)
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Allow replies to connections this host already accepted or initiated
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow new SSH connections, rate limited (3 per minute, burst of 3);
# established SSH traffic was already accepted above
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT

# Allow new HTTP/HTTPS connections
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

# Allow ping, rate limited
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

# Log what is about to be dropped. LOG does not stop evaluation, so the
# packet falls through to the INPUT policy; the limit keeps a flood of
# junk from filling the log
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPTables-Drop: " --log-level warning

# Allow rules are in place: switch to default deny
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
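
The LOG rule above writes one kernel-log line per dropped packet, with SRC=, DST=, PROTO= and DPT= fields. The following shell script is an added example, not part of the original page, that turns those lines into a short report: a count per protocol, source and destination port, and a crude port-scan indicator that flags sources hitting more than a threshold of distinct ports. The log lines embedded in it are constructed samples using RFC 5737 documentation addresses; on a real host you would pipe in journalctl -k or /var/log/kern.log.

```bash
#!/bin/sh
# Summarise kernel log lines produced by a LOG rule with the prefix
# "IPTables-Drop: ". Added example, not from the original page.
# SAMPLE_LOG is constructed: three telnet probes from one host, four
# different ports from a second host, one SNMP probe, one ping, and one
# unrelated kernel message that the filter must ignore.
SAMPLE_LOG='Jan 15 10:23:45 web1 kernel: [ 1234.567890] IPTables-Drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 15 10:23:46 web1 kernel: [ 1235.567890] IPTables-Drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 15 10:23:48 web1 kernel: [ 1237.567890] IPTables-Drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 15 10:23:50 web1 kernel: [ 1239.567890] IPTables-Drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=60001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 15 10:23:50 web1 kernel: [ 1239.667890] IPTables-Drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=TCP SPT=60001 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 15 10:23:50 web1 kernel: [ 1239.767890] IPTables-Drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=TCP SPT=60001 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 15 10:23:50 web1 kernel: [ 1239.867890] IPTables-Drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=4 PROTO=TCP SPT=60001 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 15 10:23:55 web1 kernel: [ 1244.567890] IPTables-Drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=192.0.2.44 DST=192.0.2.10 LEN=68 TOS=0x00 PREC=0x00 TTL=62 ID=100 DF PROTO=UDP SPT=40000 DPT=161 LEN=48
Jan 15 10:23:57 web1 kernel: [ 1246.567890] IPTables-Drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=192.0.2.99 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=200 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Jan 15 10:24:01 web1 kernel: [ 1250.567890] eth0: link becomes ready'

# Report "count proto src dport", most frequent first. Fields are parsed as
# KEY=VALUE tokens, so the exact position of each field does not matter.
summarize_drops() {
    grep -F 'IPTables-Drop:' |
    awk '{
        src = ""; dpt = "-"; proto = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
        }
        if (src != "") count[proto " " src " " dpt]++
    }
    END { for (k in count) print count[k], k }' |
    sort -k1,1nr -k2
}

# Sources that probed more than $1 (default 3) distinct destination ports:
# a crude port-scan indicator. ICMP lines carry no DPT and are ignored.
flag_scanners() {
    thr=${1:-3}
    grep -F 'IPTables-Drop:' |
    awk -v thr="$thr" '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END { for (s in ports) if (ports[s] > thr) print s, ports[s] }' |
    sort
}

# Demo on the constructed sample; on a real host use: journalctl -k | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | flag_scanners 3
```

The report is only as complete as the LOG rule that feeds it: because the example ruleset rate limits logging, a flood shows up as a few lines rather than its true volume, which is the right trade-off for a host but means the counts are a lower bound.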

Save and Restore

# Save rules (the output is the iptables-save format that iptables-restore reads)
sudo iptables-save > /etc/iptables.rules

# Check a rules file without applying it, then restore it (replaces the whole ruleset atomically)
sudo iptables-restore --test < /etc/iptables.rules
sudo iptables-restore < /etc/iptables.rules

# IPv6 has its own ruleset and its own tools
sudo ip6tables-save > /etc/ip6tables.rules

# Persistent across reboots (Debian/Ubuntu): stores /etc/iptables/rules.v4 and rules.v6
sudo apt install iptables-persistent
sudo netfilter-persistent save

# Persistent across reboots (RHEL/Fedora family): stores /etc/sysconfig/iptables
sudo dnf install iptables-services
sudo systemctl enable --now iptables
sudo service iptables save
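
A saved rules file is easy to restore without reading it, so it pays to audit the file itself before it goes live. The script below is an added example, not from the original page: it parses the iptables-save format, reports the filter table's INPUT policy (taking care not to confuse it with the INPUT chain of the nat table, which is usually ACCEPT) and lists every INPUT ACCEPT rule with a destination port that carries no source (-s) or interface (-i) restriction, that is, the ports open to the whole Internet. The dump embedded in it is constructed for the example.

```bash
#!/bin/sh
# Offline audit of an iptables-save dump. Added example, not from the
# original page. SAMPLE_DUMP is constructed: a web server ruleset plus a
# nat table whose INPUT chain is ACCEPT, as iptables-save writes it.
SAMPLE_DUMP='# Generated by iptables-save v1.8.7 on Wed Jan 15 10:00:00 2025
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 192.168.1.100/32 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -j LOG --log-prefix "IPTables-Drop: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# Policy of the INPUT chain in the filter table. The "*table" lines scope
# the chain declarations, so the nat table's ":INPUT ACCEPT" is skipped.
input_policy() {
    awk '/^\*/ { table = substr($1, 2) }
         table == "filter" && $1 == ":INPUT" { print $2 }'
}

# filter/INPUT ACCEPT rules that name a destination port but have no -s or
# -i restriction, printed one per line as proto/port (multiport expanded).
world_open_ports() {
    awk '/^\*/ { table = substr($1, 2); next }
         table != "filter" || $1 != "-A" || $2 != "INPUT" { next }
         {
             accept = 0; restricted = 0; proto = "?"; ports = ""
             for (i = 3; i <= NF; i++) {
                 if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
                 else if ($i == "-s" || $i == "-i") restricted = 1
                 else if ($i == "-p") proto = $(i + 1)
                 else if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
             }
             if (accept && !restricted && ports != "") {
                 n = split(ports, p, ",")
                 for (k = 1; k <= n; k++) print proto "/" p[k]
             }
         }'
}

# Demo on the constructed dump; on a real host: iptables-save | world_open_ports
printf '%s\n' "$SAMPLE_DUMP" | input_policy
printf '%s\n' "$SAMPLE_DUMP" | world_open_ports
```

On the sample the audit reports policy DROP and tcp/22, tcp/80, tcp/443 and udp/161 as reachable from anywhere; 5432 is not listed because it is restricted to one source. SNMP on udp/161 open to the world is exactly the kind of line this check exists to catch before the file is restored.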

Best Practices

  1. Allow established first - The ESTABLISHED,RELATED rule matches the bulk of traffic in one lookup, so place it near the top, right after loopback
  2. Default deny - Policy DROP on INPUT and FORWARD with explicit ACCEPT rules for what is needed; anything not listed is blocked
  3. Rate limit - New connections to SSH and other login services, preferably per source with hashlimit or recent
  4. Log before drop - A rate-limited LOG rule as the last rule shows what the policy is dropping; keep it limited so an attacker cannot fill the disk
  5. Test before applying - Validate with iptables-restore --test, keep a second session open, and arm an automatic rollback so a bad ruleset cannot lock you out
  6. Cover IPv6 - iptables rules do not apply to IPv6; mirror them with ip6tables, and allow the ICMPv6 types IPv6 needs to function