Table of Contents
- Introduction to Firewalls
- What is IPTables?
- History and Evolution: ipfwadm → ipchains → iptables
- Architecture of IPTables
- Tables and Chains Explained
- IPTables Targets (ACCEPT, DROP, etc.)
- Common Rules with Examples
- NAT, MASQUERADE, and Port Forwarding
- Advanced Options from Man Pages
- Saving and Persisting IPTables Rules
- Troubleshooting and Logging
- Conclusion
1. Introduction to Firewalls
Firewalls are security systems that monitor and control network traffic based on predetermined rules. They act as a barrier between trusted internal networks and untrusted external ones (like the internet).
There are two major types:
- Hardware Firewalls (e.g., Cisco ASA)
- Software Firewalls (e.g., IPTables on Linux)
2. What is IPTables?
IPTables is a user-space utility program that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall, implemented as netfilter.
- Default on most Linux distros
- Works with IPv4 (use ip6tables for IPv6)
- Can accept, drop, reject, modify or forward packets based on defined rules
Think of IPTables as a checklist that each packet must pass through.
3. History and Evolution
Tool | Kernel Version | Status |
---|---|---|
ipfwadm | 2.0.x | Obsolete |
ipchains | 2.2.x | Obsolete |
iptables | 2.4.x and above | Active |
- iptables replaced older tools with stateful inspection, modular design, and better NAT support.
4. Architecture of IPTables
IPTables processes each packet by passing it through predefined chains; the chains are grouped into tables according to the job they do.
Tables:
- filter: Default table for packet filtering
- nat: Used for Network Address Translation
- mangle: Alter packet headers
- raw: Exemption from connection tracking
- security: SELinux-based policies
Chains in each table:
- INPUT: For incoming packets
- OUTPUT: For outgoing packets
- FORWARD: For packets routed through the host
- Others like PREROUTING and POSTROUTING (in the nat and mangle tables)
5. Tables and Chains Explained
🔹 filter (default)
Used for basic packet filtering.
Chains:
- INPUT: Packets for the local system
- OUTPUT: Generated by the system
- FORWARD: Passed through to another interface
🔹 nat
Handles NAT operations.
Chains:
- PREROUTING: Change destination before routing
- POSTROUTING: Change source after routing
- OUTPUT: For locally-generated connections
🔹 mangle
Modify packet headers (e.g., TTL, TOS)
🔹 raw
Bypass connection tracking
6. IPTables Targets
Target | Description |
---|---|
ACCEPT | Allow packet |
DROP | Silently discard packet |
REJECT | Discard and send ICMP error |
LOG | Log the packet |
DNAT | Change destination IP/port |
SNAT | Change source IP/port |
MASQUERADE | Similar to SNAT, but for dynamic IPs |
7. Common Rules with Examples
# Allow SSH from a specific IP
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.10 -j ACCEPT
# Block all incoming HTTP traffic
iptables -A INPUT -p tcp --dport 80 -j DROP
# Allow all loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Drop all incoming traffic by default
iptables -P INPUT DROP
# Accept established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
8. NAT, MASQUERADE, and Port Forwarding
Masquerading (for dynamic IPs):
# Enable IP forwarding (this setting is lost at reboot; set net.ipv4.ip_forward=1 via sysctl to make it permanent)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Set up masquerading for traffic leaving through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Port Forwarding:
# Forward incoming TCP port 80 to port 8080 on the internal host 192.168.1.100
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:8080
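The rules from sections 7 and 8 combined into one iptables-restore ruleset, as an added example that is not part of the original article: loading the whole policy at once avoids the window in which a default DROP policy is active before the ACCEPT rules exist, and it shows that a DNAT rule needs a matching FORWARD accept. The addresses 192.168.1.10 and 192.168.1.100:8080 come from the article; WAN_IF and LAN_IF are assumed interface names.

```shell
#!/bin/sh
# Added example, not from the original article: the article's filter and nat
# rules emitted as one iptables-restore ruleset so the whole policy loads
# atomically. 192.168.1.10 (admin host) and 192.168.1.100:8080 (web backend)
# come from the article; WAN_IF and LAN_IF are assumed interface names.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}

gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-tracked traffic first, so nothing below can break them
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -s 192.168.1.10 -m conntrack --ctstate NEW -j ACCEPT
# DNAT alone is not enough: the rewritten packet still traverses FORWARD
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d 192.168.1.100 --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
# Rate-limited LOG just before the policy DROP, so a flood cannot fill syslog
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:8080
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Checks that need no root: each table is closed by COMMIT, and the DNAT
# target has a matching FORWARD accept (the mistake the comment above warns of).
check_ruleset() {
  rules=$(gen_ruleset)
  tables=$(printf '%s\n' "$rules" | grep -c '^\*')
  commits=$(printf '%s\n' "$rules" | grep -c '^COMMIT$')
  [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ] || return 1
  printf '%s\n' "$rules" | grep -q '^-A FORWARD .*-d 192.168.1.100 --dport 8080' || return 1
}

# As root, persist and load: gen_ruleset > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
```

The generated file is in the same format iptables-save produces, so it can be dropped into /etc/iptables/rules.v4 (section 10) and loaded with iptables-restore.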
9. Advanced Options from Man Pages
Important switches from man iptables:
- -A → Append rule to chain
- -I → Insert rule at top
- -D → Delete a rule
- -L → List rules
- -F → Flush all rules
- -v → Verbose output
- -n → Numeric output (no DNS lookup)
- -p → Protocol (e.g., tcp, udp, icmp)
- --dport / --sport → Destination/source port
- -s / -d → Source/destination IP
- -j → Jump to target
- -m state / -m conntrack → Match connection states
Example:
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
This matches only new SSH connections.
10. Saving and Persisting IPTables Rules
Temporary rules vanish on reboot.
To persist them:
On Debian/Ubuntu, install the persistence package first; it creates /etc/iptables and reloads the saved rules at boot:
sudo apt install iptables-persistent
Then save the running rules. The redirect must run as root too, so wrap the whole command:
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
On RHEL/CentOS (the service requires the iptables-services package on RHEL/CentOS 7 and later):
service iptables save
Or:
iptables-save > /etc/sysconfig/iptables
11. Troubleshooting and Logging
Enable logging before dropping (LOG is a non-terminating target, so the packet is recorded and then continues to the DROP rule that follows):
iptables -A INPUT -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A INPUT -j DROP
The LOG target writes to the kernel log, so the lines appear in /var/log/syslog or /var/log/messages depending on the distro, or via journalctl -k on systemd hosts.
View all rules:
iptables -L -v -n --line-numbers
Delete rule:
iptables -D INPUT 3 # Deletes 3rd rule in INPUT
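Once the LOG rule above is in place, the kernel log fills with one line per dropped packet. The following is an added example, not code from the original article, that extracts the source, protocol and destination port from lines carrying the article's "IPTables-Dropped: " prefix and flags sources that probed many distinct ports. The sample log lines are constructed using RFC 5737 documentation addresses; the sweep threshold is an assumed default.

```shell
#!/bin/sh
# Added example, not from the original article: summarise kernel LOG lines that
# carry the article's "IPTables-Dropped: " prefix. SAMPLE_LOG is constructed
# test data in the syslog layout the LOG target produces (one noise line included).
SAMPLE_LOG='Jun 12 10:15:31 gw kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 12 10:15:31 gw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 12 10:15:32 gw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 12 10:15:40 gw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=20
Jun 12 10:15:41 gw sshd[1234]: Accepted publickey for admin from 192.168.1.10 port 50000 ssh2'

# Print "SRC PROTO DPT" for each dropped packet read on stdin; other lines are
# skipped. TCP and UDP lines end with different fields, so each value is found
# by its KEY= prefix rather than by field position.
dropped_tuples() {
  awk '/IPTables-Dropped: / {
    src = ""; proto = ""; dpt = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^SRC=/)   src   = substr($i, 5)
      if ($i ~ /^PROTO=/) proto = substr($i, 7)
      if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
    }
    if (src != "") print src, proto, dpt
  }'
}

# Sources that hit more than $1 distinct destination ports (default 2, an
# assumed threshold): a cheap first indicator of a port sweep worth reviewing.
port_sweepers() {
  dropped_tuples | awk -v max="${1:-2}" '
    !seen[$1 SUBSEP $3]++ { ports[$1]++ }
    END { for (s in ports) if (ports[s] > max) print s, ports[s] }'
}

# Usage on a live host: journalctl -k | port_sweepers 5
# With the constructed sample: printf "%s\n" "$SAMPLE_LOG" | dropped_tuples
```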
12. Conclusion
IPTables is a powerful and flexible firewall system for Linux. Understanding its tables, chains, and rules structure gives you granular control over how traffic flows into, out of, and through your system.
Whether you’re configuring a personal server or an enterprise-grade gateway, IPTables gives you the tools to:
- Secure ports
- Block malicious actors
- Enable safe NAT traversal
- Customize packet filtering
By mastering IPTables, you’re directly working at the kernel level of network security — a critical skill for every Linux and network administrator.