Introduction
The Linux kernel includes a powerful packet filtering framework called netfilter, commonly controlled through the iptables command. This firewall system has protected Linux servers since the early 2000s and remains relevant today despite newer alternatives like nftables. Understanding iptables provides a foundation for network security that transfers to any Linux firewall implementation.
iptables organizes network filtering into tables containing chains of rules. Each rule specifies conditions that packets must match and actions to take when they do. The system processes packets sequentially through these chains, allowing precise control over network traffic at the packet level. Whether you need to block malicious IP addresses, allow specific services, or implement complex network policies, iptables provides the mechanisms to accomplish your goals.
This guide walks you through iptables fundamentals to advanced configuration. You will learn how the rule system works, create practical firewall policies for common server types, configure logging for traffic analysis, and implement production-ready configurations. By the end, you will confidently manage Linux firewall rules that protect your infrastructure from network threats.
Understanding iptables Architecture
Before writing rules, learn the architecture. This knowledge helps you organize policies effectively and troubleshoot issues.
iptables divides functionality into tables, each serving a specific purpose. The filter table handles packet filtering decisions—the core firewall function. The nat table manages Network Address Translation for port forwarding and MASQUERADE. The mangle table modifies packet headers, while the raw table bypasses connection tracking for special cases. Most server configurations primarily use the filter and nat tables.
Each table contains predefined chains corresponding to different packet processing points. The INPUT chain processes incoming packets destined for the local system. The OUTPUT chain handles packets originating from the local system. The FORWARD chain processes packets routed through the system to other destinations. Additional chains like PREROUTING and POSTROUTING serve NAT operations.
Packets flow through chains in a predictable sequence. Incoming packets first hit PREROUTING for NAT adjustments, then routing decisions direct them to INPUT or FORWARD. Outgoing packets go through OUTPUT then POSTROUTING. Understanding this flow helps you place rules where they execute efficiently and match packets at the appropriate point.
Basic iptables Operations
Starting with fundamental commands builds the foundation for complex configurations.
Viewing Current Rules
# View all iptables rules
sudo iptables -L -v -n
# View rules with line numbers
sudo iptables -L -n --line-numbers
# View specific table
sudo iptables -t filter -L -v -n
sudo iptables -t nat -L -v -n
# View raw rules without DNS resolution
sudo iptables -L OUTPUT -nThe output shows each chain with its rules, matching criteria, and packet counters. These counters indicate how many packets matched each rule, helping identify active and inactive rules during troubleshooting.
Understanding Rule Structure
Each rule in the output contains several components. The target (ACCEPT, DROP, REJECT) specifies the action for matching packets. The source and destination indicate network addresses. The proto column shows the protocol (tcp, udp, icmp). The opt column displays optional flags, and the destination port appears for rules matching specific services.
Default Policy Configuration
Setting default chain policies establishes baseline behavior:
# Set default policies
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
# Verify policies
sudo iptables -L -n --line-numbers | head -10The INPUT DROP policy drops all incoming packets unless a rule explicitly allows them. FORWARD DROP prevents the server from routing traffic between networks. OUTPUT ACCEPT permits all outgoing traffic by default, which you can restrict if needed.
Creating Practical Firewall Rules
Building useful firewall configurations requires combining multiple rule types.
Allowing SSH Access
SSH access is essential for server management. Place SSH rules early in your configuration:
# Allow SSH on default port 22
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow SSH with connection tracking
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow SSH from specific IP only
sudo iptables -A INPUT -p tcp -s 192.168.1.100 --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROPAllowing Web Traffic
Web servers require allowing HTTP and HTTPS traffic:
# Allow HTTP
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow HTTPS
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPTAllowing Related Traffic
Permit responses to connections the server initiated:
# Allow established and related connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow loopback traffic
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPTBlocking Specific IP Addresses
Block individual IPs or ranges that exhibit malicious behavior:
# Block single IP
sudo iptables -A INPUT -s 203.0.113.50 -j DROP
# Block IP range
sudo iptables -A INPUT -s 203.0.113.0/24 -j DROP
# Block specific port from IP
sudo iptables -A INPUT -p tcp -s 198.51.100.0/24 --dport 25 -j DROP
# Block outgoing to IP
sudo iptables -A OUTPUT -d 192.0.2.1 -j DROPRate Limiting Connections
Protect services from connection floods using rate limits:
# Allow 10 connections per minute from single IP
sudo iptables -A INPUT -p tcp --dport 22 -m limit --limit 10/minute --limit-burst 5 -j ACCEPT
# Drop excessive SSH attempts
sudo iptables -A INPUT -p tcp --dport 22 -m recent --set --name SSH
sudo iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROPManaging iptables Rules
Effective rule management keeps configurations organized and maintainable.
Rule Ordering
iptables processes rules sequentially. Specific rules must precede general rules:
# Insert rule at specific position
sudo iptables -I INPUT 3 -p tcp --dport 443 -j ACCEPT
# Delete rule by number
sudo iptables -L INPUT --line-numbers
sudo iptables -D INPUT 5
# Delete rule by specification
sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT
# Flush all rules
sudo iptables -F
# Flush specific chain
sudo iptables -F INPUTSaving and Restoring Rules
Persistence requires saving rules to files:
# Save current rules (Debian/Ubuntu)
sudo apt install iptables-persistent
sudo netfilter-persistent save
# Save rules (RHEL/CentOS)
sudo service iptables save
# Manual save
sudo iptables-save > /etc/iptables/rules.v4
# Restore rules
sudo iptables-restore < /etc/iptables/rules.v4
# Restore on boot (systemd)
sudo systemctl enable iptables-restoreCreating iptables Scripts
For complex configurations, use shell scripts:
#!/bin/bash
# /usr/local/bin/setup-firewall.sh
# Flush existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -m conntrack -F
iptables -m conntrack -X
# Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Allow HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Allow ping (rate limited)
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 4 -j ACCEPT
# Log and drop everything else
iptables -A INPUT -j LOG --log-prefix "IPT_DROP: "
iptables -A INPUT -j DROP
echo "Firewall rules applied successfully"NAT and Port Forwarding
iptables handles Network Address Translation for various networking scenarios.
Masquerading for Internet Access
Enable servers to share internet connections:
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Make permanent
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
# Masquerade outgoing traffic
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADEPort Forwarding
Redirect incoming connections to internal services:
# Forward port 80 to internal server
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.100:80
# Forward range of ports
sudo iptables -t nat -A PREROUTING -p tcp --dport 8000:8010 -j DNAT --to-destination 10.0.0.100:8000-8010
# Redirect local port
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8080Logging and Monitoring
Enable logging to analyze traffic patterns and detect issues.
Basic Traffic Logging
# Log incoming connections
sudo iptables -A INPUT -j LOG --log-prefix "INPUT: " --log-level 4
# Log dropped packets
sudo iptables -A INPUT -j DROP
sudo iptables -A FORWARD -j DROP
# Log with rate limiting
sudo iptables -A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "IPT_DROP: " --log-level 4Viewing Logs
# View iptables logs (Debian/Ubuntu)
sudo journalctl -k | grep IPT
# View logs with rsyslog
sudo tail -f /var/log/iptables.log
# Create dedicated log file
sudo vi /etc/rsyslog.d/iptables.conf
# Add to file:
:msg,contains,"IPT_DROP" /var/log/iptables.log
& stop
sudo systemctl restart rsyslogProduction Best Practices
Production firewalls require careful planning and ongoing maintenance.
Rule Organization
Structure rules logically for maintainability:
# 1. Flush existing rules
# 2. Set default policies
# 3. Allow loopback
# 4. Allow established connections
# 5. Allow specific services (most specific first)
# 6. Drop unwanted trafficSecurity Considerations
# Disable source routing
sudo iptables -A INPUT -m pkttype --type routed -j DROP
# Disable broadcast
sudo iptables -A INPUT -d 255.255.255.255 -j DROP
sudo iptables -A INPUT -d 224.0.0.0/4 -j DROP
# Block null packets (reconnaissance)
sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Block XMAS packets (reconnaissance)
sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROPTesting Before Deployment
# Test new rules in terminal session
# Don't close terminal until verified
sudo iptables -A INPUT -p tcp --dport 9999 -j ACCEPT
# Verify you can still connect
ssh -p 22 user@server
# If locked out, use out-of-band access or console
# Remove test rule
sudo iptables -D INPUT -p tcp --dport 9999 -j ACCEPTTroubleshooting Connectivity
When firewall rules cause connectivity issues, systematic debugging helps identify problems.
Diagnostic Commands
# Check if iptables is blocking
sudo iptables -L -v -n | grep -i drop
# Check connection tracking
sudo conntrack -L
# View specific port status
sudo iptables -L INPUT -v -n | grep :22
# Monitor packets matching rule
sudo iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH: "
sudo tail -f /var/log/messages | grep SSH
# Temporarily flush rules to test
sudo iptables -F
# If connection works, rules were the issue
# Reapply rules carefullyCommon Issues
Port not accessible usually results from rules positioned after a DROP rule, incorrect protocol specification, or missing connection tracking rules. Network connectivity problems may stem from interface specification errors or routing issues unrelated to iptables.
Conclusion
iptables provides granular control over Linux network traffic through a logical rule system. Start with basic INPUT/FORWARD/OUTPUT chain management, add specific service rules, and implement logging for visibility. Save configurations persistently and test thoroughly before deployment.
For production environments, consider transitioning to nftables, which offers improved performance and more flexible syntax. However, iptables knowledge remains valuable as it underpins many system configurations and the nftables compatibility layer.
Related Guides:
