iptables Basics
Configure Linux firewall rules with iptables: chains, tables, rules, and common configurations.
What Is iptables?
iptables is the traditional user-space tool for the Linux kernel's netfilter packet filter. Packets are matched against rules organised into chains, and chains live in tables: filter (the default, used for accept/drop decisions), nat (address translation), mangle (packet alteration) and raw (connection-tracking exemptions). Every command on this page omits -t and therefore operates on the filter table.
Chains
The filter table has three built-in chains, and a packet traverses exactly one of them depending on where it is headed:
- INPUT: packets addressed to the local machine
- OUTPUT: packets generated by the local machine
- FORWARD: packets routed through the machine (only relevant when net.ipv4.ip_forward is enabled)
Within a chain, rules are evaluated top to bottom; the first matching rule with a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate, and if nothing matches the chain's policy applies.
Rule Syntax
Each rule is a set of match criteria followed by a target (-j). The -A flag appends the rule to the end of the named chain; -I inserts it at the top (or at a given position). The difference matters because the first match wins.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#           |        |           |     |
#           |        |           |     +-- Target (ACCEPT, DROP, REJECT)
#           |        |           +-------- Destination port (--dport 22)
#           |        +-------------------- Protocol (tcp, udp, icmp)
#           +----------------------------- Chain (INPUT)
Port matches such as --dport are only valid after a protocol has been selected with -p tcp or -p udp; iptables rejects the rule otherwise.
Essential Rules
Allow Established Connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Keep this near the top of INPUT. It lets in replies to connections the host itself opened (DNS answers, package downloads, the reverse half of your SSH session) and related traffic such as ICMP errors, and because it matches the bulk of packets, placing it early stops later rules from being evaluated needlessly.
Allow Loopback
iptables -A INPUT -i lo -j ACCEPT
Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Where the topology allows it, restrict this to your management addresses with -s <network/prefix>; an SSH port open to the whole Internet is scanned and brute-forced continuously.
Allow HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Allow ICMP (Ping)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
Default Deny
The -P flag sets a chain's policy: what happens to a packet that matches none of its rules. Dropping unmatched inbound and forwarded traffic while allowing outbound is the usual starting point (tightening OUTPUT is possible, but then DNS, updates and monitoring all need explicit rules):
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
On a remote machine, add the loopback, ESTABLISHED and SSH rules before switching INPUT to DROP; otherwise your own session is cut off the moment the policy changes, and if the rest of the script aborts there is no way back in. DROP discards silently, while REJECT answers with an ICMP error (or a TCP RST with --reject-with tcp-reset). REJECT is friendlier to legitimate clients and easier to debug; DROP gives scanners less information.
A Complete Basic Firewall
#!/bin/bash
# Stop at the first failed command rather than continuing with a half-built ruleset.
set -e
# Open the policies before flushing so a failure below cannot lock out a remote session;
# the DROP policies are applied at the very end, once the accept rules exist.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Flush existing rules and delete user-defined chains (filter table only, since no -t is given)
iptables -F
iptables -X
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections and related traffic (replies to what this host sent)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH (consider restricting source IP with -s)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Log what is about to be dropped (optional); throttled so a flood cannot fill the disk
iptables -A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "DROPPED: "
# Default policies last: anything not accepted above is now dropped
iptables -P INPUT DROP
iptables -P FORWARD DROP
# IPv6 is untouched by all of this; repeat the rules with ip6tables or the host stays open on v6
Rate Limiting
Protect SSH against brute-force attacks with the recent match, which keeps a per-source list of recently seen addresses. These two rules have to sit above the plain SSH ACCEPT rule (insert them with -I, or order them before it in a script); if the ACCEPT comes first it matches every new connection and the limit never fires:
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
    -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
    -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
The first rule has no -j target: it only records the source address and a timestamp in the list named SSH, and evaluation continues. The second rule counts that source's entries from the last 60 seconds and drops the packet once there are four, so one address gets at most 3 new SSH connections in any 60-second window. Because the --set rule records every new attempt, including the ones that are then dropped, a source that keeps hammering stays blocked until it has been quiet for a full minute. Note that the limit is on TCP connections, not failed logins: an attacker still gets several password guesses per connection (sshd's MaxAuthTries is 6 by default), and a legitimate user who opens four sessions in a minute is blocked too. Treat it as noise reduction alongside key-only authentication, not as the primary control. The live list can be inspected in /proc/net/xt_recent/SSH.
Persistence
iptables rules live only in the running kernel and vanish on reboot. On Debian/Ubuntu, install iptables-persistent first: it creates /etc/iptables/ and pulls in netfilter-persistent, which reloads rules.v4 and rules.v6 at boot, and the installer offers to save the rules currently loaded. Then save. The redirection in the save command runs as the invoking user, so sudo iptables-save > file fails with permission denied on a root-owned directory; run the whole command as root instead:
# Install persistence package (Debian/Ubuntu); creates /etc/iptables/
sudo apt install iptables-persistent
# Save rules; the redirection must run as root as well
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
Do the same with ip6tables-save into /etc/iptables/rules.v6, or run sudo netfilter-persistent save, which writes both files. On RHEL-family systems the equivalent is the iptables-services package and service iptables save, which writes /etc/sysconfig/iptables. Re-save whenever rules change, or the next boot quietly reverts them.
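The script in "A Complete Basic Firewall" runs one iptables command at a time, so a typo part-way through leaves a half-built ruleset, the rate-limit rules from "Rate Limiting" have to be slotted in by hand before the SSH ACCEPT, and persistence is a separate save step. The following added example (written for this page, not code from the original) does the same job the way iptables-restore expects: the whole filter table, policies included, is emitted as one file and loaded atomically, with the recent-module limit placed ahead of the SSH ACCEPT, and an automatic revert if nobody confirms within a grace period (the idea behind iptables-apply). The management network 203.0.113.0/24 (a documentation range used as a placeholder), the 30-second grace period and the save path /etc/iptables/rules.v4 are assumptions; applying needs root, and the file covers IPv4 only.

```sh
#!/bin/sh
# Added example, not from the original page: the tutorial's firewall as an
# iptables-restore ruleset, applied atomically with an automatic revert.
# Assumptions: management network 203.0.113.0/24 (documentation range used as
# a placeholder), a 30 s grace period, save path /etc/iptables/rules.v4.
# Needs root when applying; IPv4 only (ip6tables-restore needs its own file).
set -eu

# Print the complete filter table. iptables-restore loads the whole table in
# one transaction, so the DROP policy and the ACCEPT rules take effect together
# and there is no window in which the policy is DROP and the chain is empty.
generate_rules() {
    ssh_src="${1:-0.0.0.0/0}"   # addresses allowed to open SSH sessions
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-tracked traffic first: most packets stop here.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH: the recent-module limit must come BEFORE the ACCEPT or it never fires.
# Every new attempt is recorded; the 4th within 60 s from one source is dropped.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
-A INPUT -p tcp -s ${ssh_src} --dport 22 -j ACCEPT
# Web
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Ping, capped so a flood cannot burn CPU on replies
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT
# Log what is about to hit the DROP policy, throttled so the log cannot be flooded
-A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "IPT-DROP: " --log-level 4
COMMIT
EOF
}

# Load a ruleset file atomically and revert to the previous rules unless the
# operator presses Enter within the grace period.
apply_with_rollback() {
    rules_file="$1"
    grace="${2:-30}"
    backup="$(mktemp)"
    iptables-save > "$backup"
    iptables-restore --test < "$rules_file"      # parse only, change nothing
    iptables-restore < "$rules_file"             # all rules or none
    # Background timer: if the SSH session is cut off, this still runs and restores.
    ( sleep "$grace" && iptables-restore < "$backup" ) &
    timer=$!
    printf 'Rules applied. Press Enter within %ss to keep them.\n' "$grace"
    read -r _
    if kill "$timer" 2>/dev/null; then
        # Timer was still pending, so the new rules are in force: persist them.
        echo "Kept; saving to /etc/iptables/rules.v4"
        mkdir -p /etc/iptables
        iptables-save > /etc/iptables/rules.v4
    else
        echo "No confirmation in time; the previous rules were restored"
    fi
    rm -f "$backup"
}

# Usage: with no arguments print the ruleset for review;
# 'apply [ssh-source-cidr]' (as root) loads it with rollback protection.
case "${1:-}" in
    apply)
        tmp="$(mktemp)"
        generate_rules "${2:-203.0.113.0/24}" > "$tmp"
        apply_with_rollback "$tmp" 30
        rm -f "$tmp"
        ;;
    *)
        generate_rules "${2:-203.0.113.0/24}"
        ;;
esac
```

Review the printed ruleset first, then pipe it through iptables-restore --test to catch syntax errors without touching the kernel; iptables-restore without -n flushes only the tables named in the file, so the nat and mangle tables are left alone. Because the policies are part of the same transaction as the rules, the ordering concern from the script version disappears, and the background timer covers the case where the new rules cut off the very session that applied them.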
Modern Alternative: nftables
nftables is the successor to iptables, in the kernel since 3.13 and in user space as the single nft tool covering IPv4 and IPv6. It offers atomic ruleset replacement, sets and maps that make large rulesets cheaper to evaluate, and a more consistent syntax; iptables-translate converts existing iptables commands to nft syntax. On most current distributions the iptables command is itself iptables-nft, a compatibility front end that translates into nftables rules, and iptables -V shows which backend is in use: (nf_tables) or (legacy). Avoid mixing the legacy and nft backends, or native nft rules with iptables-managed ones, on the same host: rules loaded through one are invisible to the other's listing, and the effective policy becomes hard to audit. iptables remains widely used and understood, which is why the syntax on this page is still worth knowing.