iptables – Take Control of Network Traffic
In the world of networking, having control over the traffic flowing in and out of your system is crucial for security and performance. iptables is a powerful tool in the Linux ecosystem that allows you to manage and filter network traffic at the packet level. It provides a flexible and efficient way to define rules for incoming and outgoing traffic, protecting your system from unauthorized access and malicious attacks.
Note: As of 2026, the Netfilter Project has placed iptables in legacy maintenance mode, directing new deployments to nftables. On modern distributions (Ubuntu 20.10+, Debian 10+, RHEL 8+, Fedora 32+), running iptables commands typically routes through the nftables backend via the iptables-nft compatibility layer. While iptables syntax remains widely used and functional, nftables is the recommended long-term firewall framework for new Linux systems.
This blog will delve into the details of iptables, including its basic concepts, common practices, best practices, and example usage.
Table of Contents
- Understanding iptables Basics
- iptables Tables and Chains
- Common Practices
- Best Practices
- Example Usage
- Conclusion
- References
Understanding iptables Basics
iptables is a user-space utility program that allows system administrators to configure the Linux kernel firewall. It works by examining each incoming or outgoing packet and deciding whether to accept, drop, or reject it based on a set of rules. These rules are organized into chains, which are part of different tables.
How iptables Works
When a packet arrives at the network interface, iptables checks it against the rules of the relevant chain, in the order the rules were added. The first matching rule with a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate; a non-terminating target such as LOG acts on the packet and evaluation continues with the next rule. If no rule matches, the chain's default policy is applied.
Packet Filtering
Packet filtering is the core function of iptables. It can filter packets based on various criteria, such as source and destination IP addresses, port numbers, protocol types (e.g., TCP, UDP, ICMP), and packet states (e.g., NEW, ESTABLISHED, RELATED).
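To make the first-match semantics concrete, here is a small Python model of a single filter-table chain. It is an added example written for this post, not iptables' own code or output: it parses the subset of iptables command syntax used on this page (-s, -p, --dport, -i, --ctstate, -j, --log-prefix), evaluates constructed sample packets against the loopback/SSH/conntrack ruleset that the post builds under "Setting Default Policies" (with a LOG rule appended last), and shows that the same DROP and ACCEPT rules give different verdicts depending on their order. The Packet, Rule and Chain classes, the probe packets and their addresses are all assumptions of the model, not anything iptables exposes.

```python
from __future__ import annotations

import ipaddress
import shlex
from dataclasses import dataclass, field

# Toy model of one filter-table chain (added example, not iptables' own code).
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    """The few packet fields this model matches on; a real packet has many more."""
    src: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: int | None = None
    in_iface: str = "eth0"
    ctstate: str = "NEW"       # conntrack state: NEW, ESTABLISHED, RELATED, INVALID


@dataclass
class Rule:
    target: str
    src: ipaddress.IPv4Network | None = None
    proto: str | None = None
    dport: int | None = None
    in_iface: str | None = None
    ctstates: set[str] | None = None
    log_prefix: str = ""

    def matches(self, pkt: Packet) -> bool:
        """Every criterion present on the rule must match; absent criteria match anything."""
        return (
            (self.src is None or ipaddress.ip_address(pkt.src) in self.src)
            and (self.proto is None or pkt.proto == self.proto)
            and (self.dport is None or pkt.dport == self.dport)
            and (self.in_iface is None or pkt.in_iface == self.in_iface)
            and (self.ctstates is None or pkt.ctstate in self.ctstates)
        )


def parse_rule(cmdline: str) -> Rule:
    """Parse the subset of 'iptables -A INPUT ...' options used in the post."""
    argv = shlex.split(cmdline)
    rule = Rule(target="")
    setters = {
        "-s": lambda v: setattr(rule, "src", ipaddress.ip_network(v, strict=False)),
        "-p": lambda v: setattr(rule, "proto", v),
        "--dport": lambda v: setattr(rule, "dport", int(v)),
        "-i": lambda v: setattr(rule, "in_iface", v),
        "--ctstate": lambda v: setattr(rule, "ctstates", set(v.split(","))),
        "-j": lambda v: setattr(rule, "target", v),
        "--log-prefix": lambda v: setattr(rule, "log_prefix", v),
    }
    for opt, val in zip(argv, argv[1:]):
        if opt in setters:           # "-A INPUT" and "-m conntrack" carry no criteria
            setters[opt](val)
    if not rule.target:
        raise ValueError(f"rule without -j target: {cmdline}")
    return rule


@dataclass
class Chain:
    policy: str = "ACCEPT"     # the kernel's built-in default until you run -P
    rules: list[Rule] = field(default_factory=list)
    log: list[str] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        """First matching terminating rule wins; LOG records and continues; else the policy."""
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":
                self.log.append(f"{rule.log_prefix}SRC={pkt.src} PROTO={pkt.proto} DPT={pkt.dport}")
                continue
            if rule.target in TERMINATING:
                return rule.target
            raise ValueError(f"target not modelled: {rule.target}")
        return self.policy


def build_chain(commands: list[str]) -> Chain:
    """Apply '-A INPUT ...' and '-P INPUT <policy>' commands, in order, to one chain."""
    chain = Chain()
    for cmd in commands:
        argv = shlex.split(cmd)
        if "-P" in argv:
            chain.policy = argv[argv.index("-P") + 2]
        else:
            chain.rules.append(parse_rule(cmd))
    return chain


# The post's "Setting Default Policies" ruleset, with a LOG rule appended last.
BASIC_FIREWALL = [
    "iptables -A INPUT -i lo -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 22 -j ACCEPT",
    "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    'iptables -A INPUT -j LOG --log-prefix "Dropped Packet: "',
    "iptables -P INPUT DROP",
]


def run_basic_firewall() -> tuple[dict[str, str], list[str]]:
    """Verdicts for constructed sample packets, plus what the LOG rule recorded."""
    chain = build_chain(BASIC_FIREWALL)
    probes = {
        "ssh_new": Packet("203.0.113.9", "tcp", 22),
        "http_new": Packet("203.0.113.9", "tcp", 80),
        "reply_to_us": Packet("198.51.100.7", "tcp", 40000, ctstate="ESTABLISHED"),
        "local": Packet("127.0.0.1", "tcp", 5432, in_iface="lo"),
    }
    return {name: chain.evaluate(pkt) for name, pkt in probes.items()}, chain.log


def order_matters() -> tuple[str, str]:
    """Same two rules, both orders: the first match decides SSH from the blocked range."""
    block = "iptables -A INPUT -s 192.168.1.0/24 -j DROP"
    allow = "iptables -A INPUT -p tcp --dport 22 -j ACCEPT"
    pkt = Packet("192.168.1.100", "tcp", 22)
    return build_chain([block, allow]).evaluate(pkt), build_chain([allow, block]).evaluate(pkt)
```

Running `run_basic_firewall()` shows the HTTP probe being logged and then dropped by the policy while the SSH, loopback and established-reply probes are accepted; `order_matters()` returns DROP for block-then-allow and ACCEPT for allow-then-block, which is why a rule that blocks a range must be inserted before, not appended after, the rule that allows the service.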
iptables Tables and Chains
iptables has five main tables: filter, nat, mangle, raw, and security. Each table has its own set of chains, and each chain contains a list of rules.
Filter Table
The filter table is the most commonly used table for packet filtering. It has three default chains:
- INPUT: This chain is used to filter incoming packets destined for the local system.
- OUTPUT: This chain is used to filter outgoing packets originating from the local system.
- FORWARD: This chain is used to filter packets that are being forwarded through the system.
Nat Table
The nat table is used for network address translation (NAT). It has four default chains:
- PREROUTING: This chain is used to modify packets before they are routed.
- INPUT: This chain is used to modify packets destined for the local system.
- POSTROUTING: This chain is used to modify packets after they have been routed.
- OUTPUT: This chain is used to modify outgoing packets originating from the local system.
Mangle Table
The mangle table is used for specialized packet alteration, such as changing the TOS/DSCP or TTL fields of the IP header and setting packet marks (the MARK target) that later rules or policy routing can act on. It has five default chains:
- PREROUTING: This chain is used to modify packets before they are routed.
- INPUT: This chain is used to modify incoming packets destined for the local system.
- FORWARD: This chain is used to modify packets that are being forwarded through the system.
- OUTPUT: This chain is used to modify outgoing packets originating from the local system.
- POSTROUTING: This chain is used to modify packets after they have been routed.
Raw Table
The raw table is used to bypass connection tracking for certain packets. It has two default chains:
- PREROUTING: This chain is used to bypass connection tracking for incoming packets.
- OUTPUT: This chain is used to bypass connection tracking for outgoing packets.
Security Table
The security table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by SELinux's SECMARK and CONNSECMARK targets. It is called after the filter table, allowing Discretionary Access Control (DAC) rules to take effect before MAC rules. It has three default chains:
- INPUT: This chain is used for packets coming into the local system.
- OUTPUT: This chain is used for locally-generated packets before routing.
- FORWARD: This chain is used for packets being routed through the system.
Common Practices
Blocking Unwanted Traffic
One of the most common uses of iptables is to block unwanted traffic. For example, you can block all incoming traffic from a specific IP address or range of IP addresses.
```bash
# Block all incoming traffic from a specific IP address
iptables -A INPUT -s 192.168.1.100 -j DROP
# Block all incoming traffic from a range of IP addresses
iptables -A INPUT -s 192.168.1.0/24 -j DROP
```
Allowing Specific Services
You can also use iptables to allow specific services to communicate with your system. For example, you can allow incoming SSH connections on port 22.
```bash
# Allow incoming SSH connections on port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
```
Setting Default Policies
It is good practice to set default policies for the INPUT, OUTPUT, and FORWARD chains. Every chain's policy is ACCEPT by default, so any packet that matches no rule is let through, which can be a security risk. Allow essential traffic first (the loopback interface, your SSH session, and established connections), then set the default policy to DROP so that all remaining traffic is blocked. The order matters when you administer the machine over SSH: a DROP policy set before the SSH rule is in place cuts off your own session.
```bash
# Allow traffic on loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow incoming SSH connections on port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow established and related connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Set the default policy for the INPUT chain to DROP
iptables -P INPUT DROP
# Set the default policy for the OUTPUT chain to ACCEPT
iptables -P OUTPUT ACCEPT
# Set the default policy for the FORWARD chain to DROP
iptables -P FORWARD DROP
```
Best Practices
Regularly Review and Update Rules
As your network environment changes, you may need to add, modify, or remove rules. It is important to regularly review and update your iptables rules to ensure that they are still relevant and effective.
Account for IPv6
Modern Linux distributions enable IPv6 by default. iptables rules apply to IPv4 only, so if you configure only IPv4 rules, services may still be reachable over IPv6. Use ip6tables (or nftables) to secure IPv6 traffic as well. Note that IPv6 relies on ICMPv6 for neighbour discovery and path MTU discovery, so an ip6tables ruleset with a DROP policy must accept ipv6-icmp or the host loses IPv6 connectivity:
```bash
# Check if IPv6 is active
ip a | grep inet6
# Apply similar rules to ip6tables
ip6tables -A INPUT -i lo -j ACCEPT
# ICMPv6 carries neighbour discovery; dropping it breaks IPv6 connectivity
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -P INPUT DROP
```
Use Logging
Logging can be a valuable tool for troubleshooting and security analysis. The LOG target writes matching packets to the kernel log (readable with dmesg or journalctl -k) and is non-terminating: evaluation continues with the next rule. Appended as the last rule of the INPUT chain, it therefore records exactly the packets that fall through to the chain's DROP policy. Rate-limit it with the limit match so that a flood of unwanted packets cannot fill your logs.
```bash
# Log packets that reach the end of the INPUT chain (and are then dropped by the
# DROP policy). Append this after the ACCEPT rules; -m limit caps the log rate.
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Dropped Packet: "
```
Backup Your Rules
It is good practice to back up your iptables rules regularly. You can save your rules to a file using the iptables-save command.
```bash
# Save iptables rules to a file
iptables-save > /etc/iptables.rules
```
Persist Rules Across Reboots
iptables rules are not persistent by default and will be lost after a reboot. On Debian-based systems (Ubuntu, Debian), install the iptables-persistent package to automatically restore rules on boot:
```bash
# Install iptables-persistent (Debian/Ubuntu)
sudo apt install iptables-persistent
# Save current rules after making changes
sudo netfilter-persistent save
# Verify rules are loaded correctly
sudo iptables -L -n -v
```
Rules are typically stored in /etc/iptables/rules.v4 and /etc/iptables/rules.v6. After saving, reboot your server and verify that the rules are still active.
Restore Rules on Boot
On modern Linux systems, use iptables-persistent and netfilter-persistent (described above) to restore rules on boot rather than the legacy /etc/rc.local method.
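One way to turn the "review regularly", "account for IPv6" and "back up your rules" advice into a repeatable check is to audit the saved dumps instead of reading them by eye. The following Python script is an added example, not code from this post or from the iptables project: it parses the iptables-save format that iptables-persistent stores in rules.v4 and rules.v6, and reports filter chains left at the ACCEPT policy, ports accepted over IPv4 but not IPv6 (or the reverse), and an IPv6 INPUT chain whose policy is DROP but which never accepts ipv6-icmp. RULES_V4 and RULES_V6 are constructed sample dumps, not taken from any real host; the option-to-value parsing handles the simple rule forms used here and would need extending for negated matches or multiport rules.

```python
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# Constructed sample dumps in iptables-save format (not taken from any real host).
RULES_V4 = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
"""

RULES_V6 = """\
# Generated by ip6tables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""


@dataclass
class SavedRules:
    policies: dict[tuple[str, str], str] = field(default_factory=dict)   # (table, chain) -> policy
    rules: dict[tuple[str, str], list[dict[str, str]]] = field(default_factory=dict)


def parse_save(text: str) -> SavedRules:
    """Parse iptables-save output: '*table', ':CHAIN POLICY [pkts:bytes]', '-A CHAIN ...', COMMIT."""
    saved, table = SavedRules(), ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            saved.policies[(table, chain)] = policy
            saved.rules.setdefault((table, chain), [])
        elif line.startswith("-A "):
            argv = shlex.split(line)
            opts = dict(zip(argv[2:], argv[3:]))   # option -> following token
            saved.rules.setdefault((table, argv[1]), []).append(opts)
        else:
            raise ValueError(f"unrecognised iptables-save line: {raw}")
    return saved


def accepted_ports(saved: SavedRules, chain: str = "INPUT") -> set[tuple[str, str]]:
    """(protocol, dport) pairs that rules in filter/<chain> ACCEPT."""
    return {
        (r["-p"], r["--dport"])
        for r in saved.rules.get(("filter", chain), [])
        if r.get("-j") == "ACCEPT" and "-p" in r and "--dport" in r
    }


def accepts_proto(saved: SavedRules, proto: str, chain: str = "INPUT") -> bool:
    """True if some rule accepts the whole protocol (no port restriction)."""
    return any(r.get("-j") == "ACCEPT" and r.get("-p") == proto and "--dport" not in r
               for r in saved.rules.get(("filter", chain), []))


def audit(v4_text: str, v6_text: str) -> list[str]:
    """Findings a reviewer would otherwise have to spot by eye across the two dumps."""
    v4, v6 = parse_save(v4_text), parse_save(v6_text)
    findings: list[str] = []
    for chain in ("INPUT", "FORWARD"):
        for family, saved in (("IPv4", v4), ("IPv6", v6)):
            # a chain never declared in the dump keeps the kernel's built-in ACCEPT policy
            if saved.policies.get(("filter", chain), "ACCEPT") == "ACCEPT":
                findings.append(f"{family} filter {chain} policy is ACCEPT")
    for proto, port in sorted(accepted_ports(v4) - accepted_ports(v6)):
        findings.append(f"{proto}/{port} accepted in IPv4 INPUT but not in IPv6")
    for proto, port in sorted(accepted_ports(v6) - accepted_ports(v4)):
        findings.append(f"{proto}/{port} accepted in IPv6 INPUT but not in IPv4")
    if v6.policies.get(("filter", "INPUT")) == "DROP" and not accepts_proto(v6, "ipv6-icmp"):
        findings.append("IPv6 INPUT policy is DROP but no rule accepts ipv6-icmp (neighbour discovery)")
    return findings
```

On a real host you would call `audit()` with the contents of /etc/iptables/rules.v4 and /etc/iptables/rules.v6 (or the live output of iptables-save and ip6tables-save) and treat a non-empty result as something to fix before the next reboot restores it. On the constructed samples it reports the IPv6 FORWARD chain left at ACCEPT, port 443 open over IPv4 only, and the missing ICMPv6 rule.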
Example Usage
Creating a Basic Firewall
The following example shows how to create a basic firewall that allows incoming SSH connections and all outgoing traffic.
```bash
# Allow traffic on loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow incoming SSH connections on port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow established and related connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Set the default policy for the INPUT chain to DROP
iptables -P INPUT DROP
# Set the default policy for the OUTPUT chain to ACCEPT
iptables -P OUTPUT ACCEPT
```
Port Forwarding
The following example shows how to use iptables for port forwarding. Suppose you want to forward incoming traffic on port 80 to a server with the IP address 192.168.1.100 on port 8080. Three things have to line up: the kernel must be allowed to forward packets at all, the DNAT rule in the nat table's PREROUTING chain rewrites the destination before routing, and the filter table's FORWARD chain must let the rewritten packets through. MASQUERADE in POSTROUTING rewrites the source address to this host's own, so the backend's replies come back through the forwarding host.
```bash
# Enable IP forwarding (temporary - lost on reboot)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Make IP forwarding persistent across reboots
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
# Set the default policy for the FORWARD chain to ACCEPT
# (permissive: on a production host keep FORWARD at DROP and add a rule
# that allows only the forwarded flow, e.g. -d 192.168.1.100 -p tcp --dport 8080)
iptables -P FORWARD ACCEPT
# Forward incoming traffic on port 80 to 192.168.1.100:8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:8080
# Rewrite the source of forwarded packets so replies return via this host;
# on a multi-homed host restrict this with -o <outgoing interface>
iptables -t nat -A POSTROUTING -j MASQUERADE
```
Conclusion
iptables is a powerful and flexible tool for managing and filtering network traffic in Linux. By understanding its basic concepts, tables, and chains, and following common and best practices, you can create a secure and efficient network environment. Remember to regularly review and update your rules, use logging for troubleshooting, and backup your rules to ensure that your system is protected.
While iptables remains functional and widely deployed, the Netfilter Project has directed new deployments to nftables, which is now the default firewall backend on modern distributions. If you are setting up a new system, consider learning nftables as your long-term firewall solution. For existing systems, iptables continues to work reliably through the iptables-nft compatibility layer.