iptables
Configure Linux firewall rules
TLDR
View chains, rules, packet/byte counters and line numbers for the filter table
Set the default policy of a built-in chain
Append a rule to a chain that matches a source IP address
Append a rule to a chain that matches a source IP address, a protocol and a destination port
Add a NAT rule to translate all traffic from the 192.168.0.0/24 subnet to the host's public IP
Delete a rule from a chain, by specification or by line number
SYNOPSIS
iptables [-t table] command [chain] [match-options] [-j target]
Common commands:
iptables -A chain rule-specification -j target (Append a rule)
iptables -L [chain] (List rules)
iptables -F [chain] (Flush rules)
iptables -P chain target (Set default policy)
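The following script is an added example, not part of the iptables manual, that puts the synopsis and the TLDR commands above together: a stateful host firewall built in the filter table, a MASQUERADE rule in the nat table, a listing with line numbers and a delete by number. The admin network 203.0.113.0/24, the LAN 192.168.0.0/24 and the uplink eth0 are assumed placeholders; the script issues every call through `$IPT` so it can be dry-run with `IPT=echo` before it touches a live box.

```shell
#!/bin/sh
# Added example (not from the iptables man page): a minimal stateful host
# firewall in the filter table plus a masquerading rule in the nat table.
# Assumptions: 203.0.113.0/24 is the admin network allowed to open SSH,
# 192.168.0.0/24 is the LAN behind this host and eth0 is its uplink.
# Every call goes through $IPT so the script can be dry-run with IPT=echo.
IPT="${IPT:-iptables}"

# Filter table, INPUT chain, for a host that exposes only SSH and HTTPS.
# $1 = CIDR allowed to open new SSH connections.
apply_host_firewall() {
    admin_net="$1"

    # Switch the policy to ACCEPT before flushing: -F does not touch the
    # policy, and flushing INPUT while it is DROP cuts the current session.
    "$IPT" -t filter -P INPUT ACCEPT
    "$IPT" -t filter -F INPUT

    # Loopback, then replies to connections this host initiated or accepted.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot classify (bad TCP flags, stray replies).
    "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Ping, new SSH only from the admin network, HTTPS from anywhere.
    # "-p tcp" implicitly loads the tcp match, which provides --dport.
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    "$IPT" -A INPUT -p tcp -s "$admin_net" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

    # Anything that reaches the end of the chain is dropped by the policy.
    "$IPT" -t filter -P INPUT DROP
}

# nat table: rewrite the source of LAN traffic leaving via the uplink to
# the uplink's own address. Routing also needs net.ipv4.ip_forward=1,
# which this function deliberately does not set.
# $1 = LAN CIDR, $2 = uplink interface.
apply_masquerade() {
    lan_net="$1"
    wan_if="$2"
    "$IPT" -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -j MASQUERADE
    "$IPT" -A FORWARD -s "$lan_net" -o "$wan_if" -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -P FORWARD DROP
}

# -L shows only one table (filter by default); -v adds counters and
# interfaces, -n skips DNS lookups, --line-numbers gives the index -D needs.
show_rules() {
    "$IPT" -t filter -vnL --line-numbers
    "$IPT" -t nat -vnL --line-numbers
}

# Delete INPUT rule number $1, as printed by the --line-numbers listing.
delete_input_rule() {
    "$IPT" -D INPUT "$1"
}

case "${1:-}" in
    apply)
        apply_host_firewall 203.0.113.0/24
        apply_masquerade 192.168.0.0/24 eth0
        show_rules
        ;;
    *)
        echo "usage: $0 apply   (prefix with IPT=echo for a dry run)" >&2
        ;;
esac
```

Run it as `IPT=echo sh firewall.sh apply` to review the exact commands, then as root without the prefix. Each call here is a separate, non-atomic change; for a ruleset that must never be half-applied, feed the same rules to iptables-restore instead.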
PARAMETERS
-t table
Specifies the table to operate on (e.g., 'filter', 'nat', 'mangle', 'raw'). Default is 'filter'.
-A, --append chain
Appends one or more rules to the end of the specified chain.
-I, --insert chain [rulenum]
Inserts one or more rules at the specified position in the chain (default is 1, the beginning).
-D, --delete chain rule-specification / rulenum
Deletes one or more rules from the specified chain, either by specification or by rule number.
-L, --list [chain]
Lists all rules in the specified chain, or all chains if none is specified. Only the table selected with -t is shown (filter by default), so nat rules need -t nat. Combine with -v for packet/byte counters and interfaces, -n to suppress DNS lookups, and --line-numbers to number the rules for -D.
-F, --flush [chain]
Flushes (deletes all rules from) the specified chain, or all chains in the table if none is specified. Flushing leaves the chain's default policy untouched: flushing INPUT while its policy is DROP blocks all inbound traffic, including the session you are working from.
-P, --policy chain target
Sets the default policy for a built-in chain, applied to packets that reach the end of the chain without hitting a terminating rule. Only ACCEPT and DROP are accepted as policies.
-j, --jump target
Specifies the action to take if the packet matches the rule (e.g., ACCEPT, DROP, REJECT, LOG, or a user-defined chain). A rule without -j still matches and increments its counters but takes no action.
-p, --protocol [protocol]
Matches the specified protocol (e.g., 'tcp', 'udp', 'icmp', 'all'). Naming tcp, udp or icmp also loads the match extension of the same name, which is what provides --sport/--dport or --icmp-type.
-s, --source address[/mask]
Matches the packet's source address, given as a single host or as a network in CIDR (e.g., 10.0.0.0/8) or dotted-mask form. Prefix with ! to negate the match.
-d, --destination address[/mask]
Matches the packet's destination address, in the same forms as -s.
-i, --in-interface name
Matches if the packet was received on the specified interface (e.g., 'eth0', 'lo'). Valid only in the INPUT, FORWARD and PREROUTING chains.
-o, --out-interface name
Matches if the packet will leave through the specified interface. Valid only in the FORWARD, OUTPUT and POSTROUTING chains.
-m, --match module
Loads an extension match module (e.g., 'conntrack', 'tcp', 'udp', 'limit', 'multiport'); the module's own options must follow it on the command line. 'conntrack' (--ctstate) supersedes the older 'state' (--state) match for stateful rules.
DESCRIPTION
iptables is a user-space utility program that allows a system administrator to configure the IPv4 packet filter ruleset of the Linux kernel firewall, known as Netfilter; IPv6 is handled by the separate ip6tables with the same syntax. It operates by defining rules that dictate how network packets are handled, such as accepting, dropping, or rejecting them based on various criteria. These rules are organized into logical structures called chains, which are themselves grouped into tables. Common tables include 'filter' (for general packet filtering), 'nat' (for Network Address Translation), and 'mangle' (for altering packet headers). iptables is a powerful and essential tool for securing Linux systems, controlling network access, and implementing networking functions such as port forwarding and masquerading. It supports both stateless and stateful packet filtering, the latter through the kernel's connection tracking.
CAVEATS
TABLES AND CHAINS EXPLAINED
iptables organizes rules into tables, each serving a specific purpose. The most common are:
filter: The default table, used for general packet filtering (ACCEPT, DROP, REJECT).
nat: Used for Network Address Translation (e.g., masquerading, port forwarding).
mangle: Used for altering packet headers (e.g., TTL, TOS).
raw: For very early processing of packets, before connection tracking.
Within each table, rules are grouped into chains. Built-in chains correspond to specific points in the packet flow: INPUT (packets destined for the local host), OUTPUT (packets originating from the local host), FORWARD (packets routed through the local host), and, in the nat, mangle and raw tables, PREROUTING (just after a packet arrives, before routing) and POSTROUTING (just before it leaves). Rules in a chain are evaluated in order; the first rule whose match succeeds and whose target is terminating decides the packet's fate, and a packet that reaches the end of a built-in chain gets the chain's default policy. Users can also create their own chains for better organization; a packet that reaches the end of a user-defined chain returns to the rule after the one that jumped to it.
COMMON TARGETS
When a packet matches a rule, a target determines the action to take. Common targets include:
ACCEPT: Allow the packet to pass.
DROP: Silently discard the packet (no response sent).
REJECT: Discard the packet and send an error message back to the sender (ICMP port unreachable by default; --reject-with tcp-reset sends a TCP RST, which is what a client expects from a closed TCP port). Valid only in the INPUT, FORWARD and OUTPUT chains and in user chains called from them.
LOG: Log information about the packet to the kernel log. LOG is non-terminating: processing continues with the next rule, so pair it with a following DROP or REJECT, and rate-limit it with -m limit so an attacker cannot flood the log.
RETURN: Stop traversing the current chain and resume at the rule following the jump in the calling chain. A RETURN in a built-in chain applies the chain's default policy.
Custom Chains: Jump to a user-defined chain for further processing.
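The script below is an added example (not from the iptables manual) covering the TABLES AND CHAINS and COMMON TARGETS sections above: two user-defined chains wired into INPUT, showing that LOG falls through to the next rule, that RETURN hands a packet back to the calling chain, how REJECT with a TCP reset differs from a silent DROP, and how to remove a user chain again. The trusted network 203.0.113.0/24 is an assumed placeholder; calls go through `$IPT` so the script can be dry-run with `IPT=echo`.

```shell
#!/bin/sh
# Added example (not from the iptables man page): user-defined chains that
# show how LOG, RETURN, REJECT and DROP behave in practice.
# Assumption: 203.0.113.0/24 is the trusted admin network.
# Calls go through $IPT so the script can be dry-run with IPT=echo.
IPT="${IPT:-iptables}"

# LOG_DROP: log at a bounded rate, then drop. LOG is non-terminating, so
# without the final DROP the packet would continue to the next rule of the
# calling chain as if nothing had happened.
make_log_drop_chain() {
    "$IPT" -N LOG_DROP
    "$IPT" -A LOG_DROP -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "IPT-DROP: " --log-level warning
    "$IPT" -A LOG_DROP -j DROP
}

# SSH_IN: screen new SSH connections. RETURN hands trusted sources back to
# the rule after the jump in INPUT; everyone else gets a TCP RST so the
# client fails immediately instead of hanging on a timeout, which is the
# visible difference between REJECT and DROP. --reject-with tcp-reset
# requires -p tcp on the same rule.
# $1 = trusted CIDR
make_ssh_chain() {
    admin_net="$1"
    "$IPT" -N SSH_IN
    "$IPT" -A SSH_IN -s "$admin_net" -j RETURN
    "$IPT" -A SSH_IN -p tcp -j REJECT --reject-with tcp-reset
}

# Hook the chains into INPUT. Rules are evaluated top to bottom and the
# first terminating target wins, so the order matters: the SSH_IN jump must
# precede the SSH ACCEPT (a trusted source RETURNs into that ACCEPT), and
# the catch-all LOG_DROP must be the last rule.
wire_input() {
    "$IPT" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_IN
    "$IPT" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A INPUT -j LOG_DROP
}

# Removing a user chain: unhook every jump to it, flush it (-F), then delete
# it (-X). -X fails while any rule still references the chain.
remove_chains() {
    "$IPT" -D INPUT -j LOG_DROP
    "$IPT" -D INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_IN
    "$IPT" -F SSH_IN
    "$IPT" -X SSH_IN
    "$IPT" -F LOG_DROP
    "$IPT" -X LOG_DROP
}

case "${1:-}" in
    apply)  make_log_drop_chain; make_ssh_chain 203.0.113.0/24; wire_input ;;
    remove) remove_chains ;;
    *)      echo "usage: $0 apply|remove   (prefix with IPT=echo for a dry run)" >&2 ;;
esac
```

After `apply`, a new SSH connection from 203.0.113.0/24 passes through SSH_IN, returns, and is accepted by the second INPUT rule; one from anywhere else is answered with a RST; every other unmatched packet is logged with the IPT-DROP prefix (at most five lines a minute after the burst) and dropped. `iptables -vnL --line-numbers` shows the per-rule counters, which is the quickest way to confirm that traffic is taking the path you expect.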
HISTORY
iptables is part of the Netfilter project, which fundamentally rewrote Linux's packet filtering capabilities. It was introduced in Linux kernel 2.4 (released in 2001), replacing its predecessors: ipfwadm (Linux 2.0, 1996) and ipchains (Linux 2.2, 1999).
The main improvements of iptables over ipchains included:
Full stateful firewall capabilities (connection tracking).
More flexible and extensible architecture through modules for various match criteria and targets.
Introduction of separate tables for different functionalities (filter, nat and mangle at first; the raw table was added later, in the 2.6 series).
For nearly two decades, iptables remained the standard Linux firewall utility. However, with the increasing complexity of network configurations and the need for a unified approach across IP versions, nftables began to emerge as its successor, starting development around 2008 and becoming more prominent from kernel 3.13 (2014) onwards. Despite the rise of nftables, iptables remains widely deployed and actively maintained; on many current distributions the iptables command is provided by iptables-nft, which accepts the same syntax but stores the rules in the nftables kernel backend, so they also appear in the output of nft list ruleset.
SEE ALSO
iptables-save(8), iptables-restore(8), ip6tables(8), nft(8), ufw(8), firewalld(1)