Introduction
For many years, iptables has been the primary firewall management tool on Linux systems. It allows administrators to control network traffic entering, leaving, and passing through a Linux machine. While newer systems increasingly use nftables, iptables remains widely used, and understanding it provides valuable insight into Linux networking and security.
This article explores how iptables works internally, its architecture, packet flow, common commands, and best practices.
What Is iptables?
iptables is a user-space utility that interacts with the Linux kernel’s Netfilter framework.
Netfilter is built into the Linux kernel and provides hooks that allow packets to be inspected, modified, accepted, rejected, or dropped.
The relationship looks like this:
Applications
|
v
iptables
|
v
Netfilter
|
v
Linux Kernel
|
v
Network Interface
iptables itself does not filter packets. Instead, it configures rules within Netfilter, which performs the actual filtering inside the kernel.
Why Firewalls Matter
A firewall controls which traffic is allowed to enter or leave a system.
Examples:
- Allow SSH connections
- Block unauthorized access
- Restrict web traffic
- Prevent network scanning
- Control outbound connections
Without a firewall, every service listening on a machine may be accessible to anyone who can reach the system.
Understanding Packet Flow
To understand iptables, you must understand how packets travel through the Linux networking stack.
A packet can be:
- Incoming
- Outgoing
- Forwarded
Example:
Internet
|
v
[ Network Card ]
|
v
Linux Kernel
|
+---- Local Application
|
+---- Router Forwarding
Netfilter examines packets at various points during this journey.
Tables and Chains
iptables organizes rules into:
- Tables
- Chains
- Rules
Think of it like:
Table
└── Chain
    └── Rule
The Five Built-In Chains
INPUT
Handles packets destined for the local machine.
Example:
Internet
|
v
INPUT
|
v
Local Process
Example traffic:
- SSH connections
- Web requests
- Ping requests
OUTPUT
Handles packets generated by the local machine.
Example:
Local Process
|
v
OUTPUT
|
v
Internet
Example traffic:
- Web browsing
- DNS requests
- Package updates
FORWARD
Handles packets passing through the machine.
Example:
Host A
|
v
FORWARD
|
v
Host B
Used on:
- Routers
- Firewalls
- VPN gateways
PREROUTING
Processes packets before routing decisions occur.
Used for:
- Destination NAT
- Packet modification
POSTROUTING
Processes packets after routing decisions.
Used for:
- Source NAT
- Masquerading
The Main Tables
Filter Table
The default table, used whenever -t is not given.
Used for:
- Allowing traffic
- Blocking traffic
- Access control
Contains:
- INPUT
- OUTPUT
- FORWARD
Example:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
NAT Table
Used for Network Address Translation.
Contains:
- PREROUTING
- POSTROUTING
- OUTPUT
Example:
iptables -t nat -A POSTROUTING \
-o eth0 -j MASQUERADE
Mangle Table
Used for specialized packet alterations.
Examples:
- Change TTL
- Modify QoS fields
- Mark packets
Raw Table
Processed before connection tracking takes place.
Commonly used for:
- Excluding traffic from tracking
- Performance optimization
Security Table
Used with Linux security frameworks such as SELinux.
Less commonly used in everyday administration.
Rule Structure
A rule consists of:
Condition --> Action
Example:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Meaning:
- Append rule
- INPUT chain
- TCP packets
- Destination port 80
- Accept packet
Targets
A target determines what happens when a packet matches.
ACCEPT
Allow packet.
-j ACCEPT
DROP
Silently discard packet.
-j DROP
The sender receives no response.
REJECT
Actively reject packet.
-j REJECT
The sender receives an error response (an ICMP port-unreachable message by default).
LOG
Log packet information.
-j LOG
LOG is a non-terminating target: after the packet is logged it continues to the next rule, so LOG is usually followed by a DROP rule that actually discards it.
Example:
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Viewing Rules
Display rules:
iptables -L
Display detailed rules:
iptables -L -v -n
Options:
- -v = verbose
- -n = numeric addresses
- -L = list rules
Rule Order Matters
iptables evaluates rules from top to bottom.
Example:
Rule 1: Allow SSH
Rule 2: Drop everything
SSH works.
Reverse them:
Rule 1: Drop everything
Rule 2: Allow SSH
SSH never reaches Rule 2.
The first matching rule wins. If no rule matches, the chain's default policy (set with -P) decides what happens to the packet.
Stateful Packet Inspection
One of iptables’ most powerful features is connection tracking.
The kernel tracks connection states:
- NEW
- ESTABLISHED
- RELATED
- INVALID
Example:
iptables -A INPUT \
-m conntrack \
--ctstate ESTABLISHED,RELATED \
-j ACCEPT
This allows replies to outbound connections.
Without it, and with a DROP default policy on INPUT, browsing the web would fail because the return packets of outbound connections would be blocked.
Common Firewall Example
Allow:
- SSH
- HTTP
- HTTPS
Block everything else.
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT \
-m conntrack \
--ctstate ESTABLISHED,RELATED \
-j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT \
-p tcp --dport 22 \
-j ACCEPT
iptables -A INPUT \
-p tcp --dport 80 \
-j ACCEPT
iptables -A INPUT \
-p tcp --dport 443 \
-j ACCEPT
This is a common server configuration. Apply it as a single script rather than command by command over SSH: if the sequence is interrupted after the DROP policy is set but before the ESTABLISHED,RELATED and SSH rules are added, a remote session is cut off.
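The same policy expressed as an iptables-restore ruleset, as an added example that is not code from the original article. Loading a whole ruleset with iptables-restore replaces the table atomically, so there is no window between the DROP policy and the ESTABLISHED,RELATED rule; the SSH_PORT and WEB_PORTS variables and the log prefix are assumptions, not values from the article.

```shell
#!/bin/sh
# Added example, not code from the original article: emit the article's
# "Common Firewall Example" as an iptables-restore ruleset. Loading the
# whole set with iptables-restore is atomic, so there is no window between
# "-P INPUT DROP" and the ESTABLISHED,RELATED rule in which an existing
# SSH session is cut off. SSH_PORT, WEB_PORTS and the log prefix are
# assumptions, not values from the article.

SSH_PORT="${SSH_PORT:-22}"
WEB_PORTS="${WEB_PORTS:-80 443}"

# Print the complete filter-table ruleset to stdout.
build_ruleset() {
    printf '%s\n' '*filter'
    # Default policies: nothing unsolicited in or through, anything out.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Stateful rules first: they match most packets, so they belong at the top.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Management access before any other service rule, so a mistake further
    # down cannot lock the administrator out.
    printf '%s\n' "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT"
    for p in $WEB_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # LOG does not stop rule processing; rate-limit it, then drop explicitly
    # so the log line and the drop stay together at the end of the chain.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    printf '%s\n' '-A INPUT -j DROP'
    printf '%s\n' 'COMMIT'
}

# Number of -A rules the ruleset contains (sanity check before loading).
rule_count() {
    build_ruleset | grep -c '^-A '
}

# Usage: build_ruleset | sudo iptables-restore
```

iptables-restore --test parses the ruleset without committing it, which is a cheap check to run before the real load.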
Network Address Translation (NAT)
NAT allows multiple devices to share a public IP.
Example home network:
192.168.1.10
192.168.1.11
192.168.1.12
|
v
Router
|
v
Public Internet
iptables can perform NAT using:
iptables -t nat \
-A POSTROUTING \
-o eth0 \
-j MASQUERADE
The router rewrites source addresses before packets leave.
Port Forwarding
Forward incoming traffic to another machine.
Example:
Public IP:80
|
v
192.168.1.100:80
Rule:
iptables -t nat \
-A PREROUTING \
-p tcp \
--dport 80 \
-j DNAT \
--to-destination 192.168.1.100
For the forwarded traffic to reach 192.168.1.100, IP forwarding must be enabled (net.ipv4.ip_forward) and the FORWARD chain must also accept it.
Logging Suspicious Traffic
Example:
iptables -A INPUT \
-p tcp \
--dport 23 \
-j LOG
Log entries appear in /var/log/syslog or /var/log/messages, depending on the distribution. Because the LOG target writes to the kernel log, the same entries are also visible with dmesg or journalctl -k.
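A small script to summarise what the port-23 logging rule records, as an added example that is not part of the original article; SAMPLE_LOG is a constructed syslog excerpt in the field layout the Netfilter LOG target emits, and the functions count TCP sources per destination port so repeated probes from one address stand out.

```shell
#!/bin/sh
# Added example, not code from the original article: summarise the kernel
# LOG entries produced by the article's port-23 logging rule. SAMPLE_LOG is
# a constructed syslog excerpt in the field layout the Netfilter LOG target
# writes; on a real host the same lines come from /var/log/syslog,
# /var/log/messages or "journalctl -k".

SAMPLE_LOG='Mar  3 10:01:02 fw kernel: [1001.100000] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=41000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:03 fw kernel: [1002.200000] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=41001 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:05 fw kernel: [1004.300000] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=3 DF PROTO=TCP SPT=50000 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:01:06 fw kernel: [1005.400000] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=192.0.2.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4 DF PROTO=TCP SPT=33000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:07 fw kernel: [1006.500000] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=192.0.2.9 DST=198.51.100.10 LEN=48 TOS=0x00 PREC=0x00 TTL=48 ID=5 PROTO=UDP SPT=5353 DPT=23 LEN=28
Mar  3 10:01:09 fw kernel: [1008.600000] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=6 DF PROTO=TCP SPT=41002 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0'

# Read LOG lines on stdin; print "count source" for TCP packets whose
# destination port is $1, busiest source first.
sources_for_port() {
    awk -v want="$1" '
        /kernel:/ {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue      # flags such as DF or SYN carry no value
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
            }
            if (proto == "TCP" && dpt == want && src != "") count[src]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' | sort -rn
}

# Busiest source probing telnet in the sample, as "count source".
top_telnet_source() {
    printf '%s\n' "$SAMPLE_LOG" | sources_for_port 23 | head -n 1
}

# Number of distinct sources that probed telnet in the sample.
telnet_source_count() {
    printf '%s\n' "$SAMPLE_LOG" | sources_for_port 23 | awk 'END { print NR }'
}
```

On a live system replace the sample with the real log, for example: grep 'DPT=23' /var/log/syslog | sources_for_port 23.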
Saving Rules
Rules disappear after reboot unless saved.
Debian/Ubuntu:
sudo apt install iptables-persistent
Save:
sudo netfilter-persistent save
Restore:
sudo netfilter-persistent reload
Performance Considerations
iptables evaluates rules sequentially.
Large rule sets can impact performance.
Best practices:
- Put common matches first
- Remove unnecessary rules
- Use connection tracking wisely
- Use ipsets for large IP lists
Common Mistakes
Locking Yourself Out
Before applying remote firewall rules:
iptables -A INPUT \
-p tcp \
--dport 22 \
-j ACCEPT
Always allow SSH first.
Forgetting Loopback
Local services rely on:
iptables -A INPUT -i lo -j ACCEPT
Without it, many applications fail.
Forgetting Established Connections
Without:
-m conntrack \
--ctstate ESTABLISHED,RELATED
Return traffic may be blocked.
iptables vs nftables
Modern Linux distributions increasingly favor nftables.
Advantages of nftables:
- Simpler syntax
- Better performance
- Unified framework
- Easier management
However, understanding iptables remains important because:
- Millions of servers still use it
- Many tutorials reference it
- Cloud images often ship with legacy configurations
- It teaches Netfilter fundamentals
Conclusion
iptables is one of the most important networking tools in Linux history. Built on the Netfilter framework, it provides powerful packet filtering, network address translation, connection tracking, logging, and traffic control capabilities.
Although nftables is gradually replacing it, iptables remains an essential technology for Linux administrators, security engineers, and anyone seeking a deeper understanding of how Linux processes network traffic. Learning iptables not only teaches firewall management but also reveals how the Linux kernel handles packets from the moment they arrive at a network interface until they reach an application or leave the system.