Linux iptables Firewall Configuration Guide

Introduction

iptables is the classic command-line utility Linux administrators use to configure the kernel's netfilter IPv4 packet filtering rules and Network Address Translation (NAT). It has been superseded by nftables (front ends such as firewalld now sit on top of nftables, and many current distributions ship an iptables binary that translates its rules into nftables), but the syntax is still everywhere in scripts, documentation and container tooling, so it remains essential knowledge for system administrators.

iptables only handles IPv4 traffic. IPv6 is filtered by the separate ip6tables tool with its own, independent rule set: on a host with IPv6 enabled, a service listening on an IPv6 address is reachable over IPv6 regardless of what the IPv4 rules say unless ip6tables rules are configured as well.

This guide covers iptables v1.4.21 and demonstrates how to configure the Filter table for packet filtering and the NAT table for address translation. The other tables (mangle, raw and security) are outside its scope.

Basic Service Commands

The "iptables" service is not the firewall itself: the rules live in the kernel, and the service only loads them from a file at boot and flushes them at stop. On RHEL/CentOS/Fedora it comes from the iptables-services package and reads /etc/sysconfig/iptables; Debian and Ubuntu use the iptables-persistent package (netfilter-persistent) with /etc/iptables/rules.v4 instead. The service commands below are the RHEL-family ones.

Starting the Service

# Legacy init system
service iptables start

# Modern systemd-based distributions
systemctl start iptables

Stopping the Service

Stopping the service flushes every rule and resets the built-in chain policies to ACCEPT, so the host is left completely open, not unreachable, until the service is started again. Do this deliberately, never as a troubleshooting reflex on an Internet-facing machine.

# Legacy init system
service iptables stop

# Modern systemd-based distributions
systemctl stop iptables

Restarting the Service

# Legacy init system
service iptables restart

# Modern systemd-based distributions
systemctl restart iptables

Reloading Configuration

systemctl reload iptables

Both reload and restart re-read the saved rules file (/etc/sysconfig/iptables on the RHEL family), not the rules currently in the kernel. Rules added with iptables since the last save are discarded by either, which is why "I added a rule and restarted the service and it disappeared" is such a common complaint.

Accessing Help

iptables -h

-h lists only the core options. The options of match and target modules (everything that follows -m or -j, such as conntrack, multiport, LOG or REDIRECT) are documented in the iptables-extensions(8) manual page.

Rule Management

Saving Rules

Rules added with iptables take effect immediately but exist only in the kernel: they are gone after a reboot, and after a service restart, which reloads the saved file. After modifying rules, persist them:

# RHEL family: write the live rules to /etc/sysconfig/iptables
service iptables save

# iptables-save by itself only prints the live rules to stdout (useful for
# inspection); it persists nothing unless the output is redirected to a file
iptables-save > /etc/sysconfig/iptables

# Save with packet and byte counters
iptables-save -c > /etc/sysconfig/iptables

# Print a specific table only (filter in this example)
iptables-save -t filter

Listing Current Rules

View all existing rules:

iptables --list

The Filter table contains three built-in chains: INPUT (packets addressed to this host), OUTPUT (packets generated by this host), and FORWARD (packets routed through this host, which never traverse INPUT or OUTPUT). Each built-in chain has a policy, the verdict applied to packets that no rule in the chain matched.

Viewing Specific Chains

# View INPUT chain in filter table (equivalent to: iptables -L INPUT)
iptables -t filter -L INPUT

# View OUTPUT chain in filter table
iptables -t filter -L OUTPUT

# View all NAT table chains with numeric IP addresses
iptables -t nat -L -n

Syntax Reference:
iptables [-t table] -L [chain] [-n] [-v] [--line-numbers]

  • -t table: Specify the table (filter, nat, mangle, raw or security). Defaults to filter if omitted, so NAT rules are invisible without -t nat.
  • -L: List the rules of one chain, or of every chain in the table if no chain is given.
  • -n: Display addresses and ports numerically. This also skips the reverse-DNS lookups that make -L hang on a host without working name resolution.
  • -v: Show verbose output including per-rule packet and byte counters and the interfaces a rule is bound to.
  • --line-numbers: Prefix each rule with its position in the chain, the number that -D, -I and -R take.

Clearing Rules

# Flush all rules in one table: the one given with -t, filter by default
iptables -F

# Delete user-defined chains (only chains that are empty and unreferenced, so flush first)
iptables -X

# Zero packet and byte counters for all chains
iptables -Z

# Delete the rule at position 1 in the INPUT chain; positions start at 1 and
# shift down after every deletion, so re-list with --line-numbers between deletions
iptables -D INPUT 1

Flushing does not touch the chain policies. On a host whose INPUT policy is DROP, iptables -F removes the rule admitting your SSH session and leaves the policy in place, so the flush locks you out; with policy ACCEPT it leaves the host fully open. Set the policies deliberately with -P before flushing during maintenance, and prefer loading a complete replacement ruleset with iptables-restore over flush-and-rebuild sequences, which leave a window with no rules at all.

Verifying Firewall Status

iptables -L

# More useful in practice: numeric addresses (no DNS lookups), per-rule packet
# and byte counters, interfaces, and rule positions
iptables -nvL --line-numbers

The counters are the quickest way to tell whether a rule is doing anything. A rule that still shows zero packets after traffic you expected it to handle is usually shadowed by an earlier rule that matched first.

Common Configuration Examples

Opening Network Ports

Allow HTTP traffic on port 80:

# Inbound connections to the web server
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# The server's replies; only needed when the OUTPUT chain policy is DROP
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT

# Persist the changes
service iptables save

Allow SSH traffic on port 22:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

# Persist the changes
service iptables save

Two things to check before relying on rules like these. First, -A appends to the end of the chain and the first matching rule wins: if the chain already ends in a catch-all DROP or REJECT rule, an appended ACCEPT is never reached and the port stays closed even though the rule is listed (iptables -nvL shows zero packets on it). Insert it with -I above the catch-all instead, and when working over SSH add the SSH rule before any rule or policy that would block it. Second, the OUTPUT rules above admit any packet with source port 80 or 22, including outbound connections that a compromised process deliberately binds to that port. The usual replacement for this pair is a single rule accepting packets in state ESTABLISHED,RELATED (the conntrack match), which covers the replies of every permitted service and leaves all other outbound packets to the OUTPUT policy.

Blocking IP Addresses

Block traffic from a specific IP address:

iptables -I INPUT -s 192.168.1.199 -j DROP

Block an entire subnet:

iptables -I INPUT -s 192.168.1.0/24 -j DROP

-I without a position inserts at rule 1, the top of the chain, which is what a block rule needs: an earlier ACCEPT (the HTTP rule above, for instance) would otherwise match first and the DROP would never be consulted. Blocking by source address is only as good as the address; an attacker with more than one simply uses another.

Interface-Based Rules

Restrict a rule to one interface with -i (input) or -o (output). This example rejects host 172.20.10.3 on eth0 only; the same host arriving on another interface is not matched:

iptables -A INPUT -s 172.20.10.3 -i eth0 -j REJECT

REJECT answers with an ICMP port-unreachable error by default (--reject-with selects another type, for example tcp-reset for TCP), which tells the sender the host is up and filtering; DROP gives no answer at all, so scans take longer but legitimate clients also wait for their timeouts. Because this rule is appended with -A, any earlier ACCEPT that matches the same packets takes precedence over it.

Replacing Existing Rules

Replace a rule in place by its position in the chain (rule 2 in this example; iptables -L INPUT --line-numbers shows the positions):

iptables -R INPUT 2 -s 192.168.1.188 -j REJECT

-R replaces the whole rule: the new rule consists only of what is on this command line, so any match you want to keep (protocol, port, interface) has to be given again.

Allowing Specific IP Access

Grant one IP address access to a service port (3389 in this example) while everything else is left to the rules and policy below:

iptables -I INPUT -s 192.168.1.199 -p tcp --dport 3389 -j ACCEPT

Inserted at the top, this rule takes effect even if a later rule drops the whole subnet the host belongs to; this is the normal way to carve an exception out of a broader block.

Complete Syntax Reference

iptables [-t table] {-A|-I|-R|-D} chain [rulenum] [-i interface] [-o interface] [-p protocol] [-s source] [-d destination] [--sport port[:port]] [--dport port[:port]] -j {ACCEPT|DROP|REJECT|...}
  • -A, --append: Append a rule to the end of a chain (INPUT, OUTPUT, FORWARD or a user-defined chain)
  • -I, --insert: Insert a rule at the given position (position 1, the top of the chain, if none is given)
  • -R, --replace: Replace the rule at the given position
  • -D, --delete: Delete a rule, by position or by repeating its full specification
  • -P, --policy: Set the policy a built-in chain applies to packets no rule matched
  • -i, --in-interface: Input interface (e.g. -i eth0); meaningful only in INPUT, FORWARD and PREROUTING
  • -o, --out-interface: Output interface; meaningful only in OUTPUT, FORWARD and POSTROUTING
  • -p, --protocol: One protocol (tcp, udp, icmp or all); a comma-separated list is not accepted
  • --sport, --source-port: Source port or range (first:last); requires -p tcp or -p udp
  • --dport, --destination-port: Destination port or range; requires -p tcp or -p udp
  • -s, --source: Source IP address or CIDR prefix
  • -d, --destination: Destination IP address or CIDR prefix
  • -j ACCEPT: Accept the packet
  • -j REJECT: Discard the packet and send an error response to the sender
  • -j DROP: Silently discard the packet
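The examples above add rules one at a time, which leaves the chain order, and therefore the effective policy, to whoever typed them. The following is an added example (not from the original guide) that assembles the same kind of host policy as one complete ruleset in iptables-save format and loads it atomically with iptables-restore after a syntax check, so the host is never in a half-configured state. The admin network 203.0.113.0/24, the SSH port and the web ports are placeholder assumptions to edit before use; loading requires root.

```shell
#!/bin/sh
# Added example: generate a baseline filter-table ruleset and load it
# atomically. Not part of the original guide. Edit these assumptions first.
ADMIN_NET="203.0.113.0/24"   # assumed: the only network SSH logins come from
SSH_PORT="22"
HTTP_PORTS="80,443"          # assumed: public web ports

# Emit the ruleset in iptables-save format. Order inside a chain matters:
# the first matching rule wins, and the policy (DROP) applies only to
# packets that no rule matched. Lines starting with # are ignored by
# iptables-restore.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is needed by most local services
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related traffic (ICMP errors)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify (bad TCP flags, out of window) go early
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the admin network; anything else falls through to the policy
-A INPUT -p tcp -s ${ADMIN_NET} --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
# public web ports in one rule (multiport) instead of one rule per port
-A INPUT -p tcp -m multiport --dports ${HTTP_PORTS} -m conntrack --ctstate NEW -j ACCEPT
# rate-limited ping keeps the host diagnosable without making it a reflector
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# log (rate-limited) what the policy is about to drop, so lockouts are debuggable
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Parse the ruleset without loading it (iptables-restore --test), then load
# it; iptables-restore replaces the whole filter table in one step.
apply_ruleset() {
    build_ruleset | iptables-restore --test || return 1
    build_ruleset | iptables-restore
}

# Number of ACCEPT rules in the generated ruleset; a cheap sanity check that
# the template expanded as intended before anything is loaded.
count_accepts() {
    build_ruleset | grep -c -- '-j ACCEPT'
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    *)       build_ruleset ;;   # default: print the ruleset for review
esac
```

Run without arguments to review the generated ruleset; run with --apply as root to load it. Because the whole table is replaced in one operation, a mistake is corrected by fixing the template and loading again rather than by hunting for the rule number that went wrong.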

NAT Configuration

Port Mapping

Redirect incoming traffic on local port 8080 to port 8081 on the same host. The REDIRECT target exists for exactly this case: it rewrites the destination port, and because the packet is still delivered locally no matching SNAT rule is needed:

# Packets arriving from the network: rewrite destination port 8080 -> 8081
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 8081
# Locally generated packets never traverse PREROUTING; repeat the rule in the nat OUTPUT chain for them
iptables -t nat -A OUTPUT -o lo -p tcp --dport 8080 -j REDIRECT --to-ports 8081

Two consequences for the filter table. The nat PREROUTING chain runs before filter INPUT, so the INPUT rule admitting this traffic must accept port 8081, the rewritten port, not 8080. And NAT decisions are made only for the first packet of a connection; conntrack applies the same mapping to the rest, so flushing the nat table does not affect connections already established. To send the traffic to a different host instead, use DNAT with --to-destination host:port in PREROUTING, enable routing (net.ipv4.ip_forward=1) and add a FORWARD rule for it. A DNAT to 127.0.0.1, which is sometimes suggested for local redirection, is refused by the kernel as a martian destination unless route_localnet is enabled on the interface, which is why REDIRECT is the right tool here.

Removing NAT Rules

# Remove first rule from POSTROUTING chain
iptables -t nat -D POSTROUTING 1

Rule Backup and Restore

Export the live rules to a file for backup or migration. The output is the same text iptables-restore reads, so a backup is also a loadable ruleset:

# Export rules to a custom location
iptables-save > /home/demo/iptables_backup.txt

# Write them to the file the RHEL-family iptables service loads at boot
# (this is what "service iptables save" does)
iptables-save > /etc/sysconfig/iptables

Restore rules on another system or after reinstallation:

# Transfer the backup file via scp (or other method)
# scp /home/demo/iptables_backup.txt user@remote_host:/home/demo2/

# Load the ruleset; iptables-restore replaces each table present in the file
# in one atomic step (add -n to keep the existing rules instead of flushing them)
iptables-restore < /home/demo2/iptables_backup.txt

# Persist it; otherwise the next service restart reloads the old
# /etc/sysconfig/iptables and silently undoes the restore
service iptables save

Do not follow iptables-restore with a service restart: the restart reloads /etc/sysconfig/iptables, not what is currently in the kernel, and discards the rules you just loaded unless they were saved first. When restoring over SSH, confirm the file contains a rule admitting your own session before loading it; a ruleset with INPUT policy DROP and no SSH rule locks you out the moment it is applied.
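Backups are only useful if they can be audited before loading and rolled back after. The following is an added example (not from the original guide) that saves the live ruleset to a timestamped file, audits an iptables-save dump for the mistakes that most often leave a host open or lock the administrator out, and loads a new ruleset behind a rollback timer, the usual safeguard when changing rules over SSH. The backup directory, the pid file path and the 60-second window are illustrative assumptions; the two sample dumps are constructed for the example, not captured from a real host, and the audit runs on them without touching the kernel.

```shell
#!/bin/sh
# Added example: audit and safely load iptables-save dumps. Not part of the
# original guide. Saving and loading require root; the audit does not.
BACKUP_DIR="/var/backups/iptables"          # assumed location
PIDFILE="/run/iptables-rollback.pid"        # assumed location

# Save the live rules (with counters) to a timestamped file; print its path.
backup_rules() {
    mkdir -p "$BACKUP_DIR"
    f="$BACKUP_DIR/rules.$(date +%Y%m%d-%H%M%S)"
    iptables-save -c > "$f" && echo "$f"
}

# Audit an iptables-save dump. Prints one finding per line and returns the
# number of findings, so an exit status of 0 means every check passed.
# Rule lines may carry a leading "[pkts:bytes]" counter from iptables-save -c.
audit_dump() {
    dump="$1"; n=0
    grep -q '^\*filter' "$dump" || { echo "no filter table"; n=$((n+1)); }
    grep -q '^COMMIT' "$dump" || { echo "missing COMMIT: restore would load nothing"; n=$((n+1)); }
    grep -q '^:INPUT DROP' "$dump" || { echo "INPUT policy is not DROP"; n=$((n+1)); }
    grep -q -- '-i lo -j ACCEPT' "$dump" || { echo "loopback not allowed"; n=$((n+1)); }
    grep -Eq -- '--ctstate [A-Z,]*ESTABLISHED|--state [A-Z,]*ESTABLISHED' "$dump" \
        || { echo "no ESTABLISHED rule: replies to outbound connections will be dropped"; n=$((n+1)); }
    grep -Eq -- '--dport 22( |$)' "$dump" \
        || { echo "no SSH rule: loading this remotely locks you out"; n=$((n+1)); }
    grep -Eq -- '^(\[[0-9]+:[0-9]+\] )?-A INPUT -j ACCEPT( |$)' "$dump" \
        && { echo "unconditional INPUT ACCEPT makes the rest of the chain irrelevant"; n=$((n+1)); }
    return $n
}

# Load NEWFILE after a syntax check, then arm a background timer that puts the
# backup back after WINDOW seconds unless confirm_rules is run first. If the
# new rules cut off the SSH session, the timer restores access on its own.
apply_with_rollback() {
    newfile="$1"; window="${2:-60}"
    iptables-restore --test < "$newfile" || { echo "syntax check failed"; return 1; }
    old=$(backup_rules) || return 1
    iptables-restore < "$newfile" || return 1
    ( sleep "$window"; iptables-restore -c < "$old"; echo "rolled back to $old" ) &
    echo $! > "$PIDFILE"
    echo "loaded $newfile; run confirm_rules within ${window}s to keep it"
}

# Cancel the pending rollback (kills the timer subshell before it restores).
confirm_rules() {
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}

# Constructed sample dumps (not from a real host) to exercise the audit.
SAMPLE_GOOD=$(mktemp); SAMPLE_BAD=$(mktemp)
trap 'rm -f "$SAMPLE_GOOD" "$SAMPLE_BAD"' EXIT
cat > "$SAMPLE_GOOD" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
cat > "$SAMPLE_BAD" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
-A INPUT -s 192.168.1.199 -j DROP
COMMIT
EOF

audit_dump "$SAMPLE_GOOD" && echo "sample good: no findings"
audit_dump "$SAMPLE_BAD" || echo "sample bad: $? findings"
```

The second sample shows the failure mode the audit is for: a DROP for one address appended after an unconditional ACCEPT never fires, and with INPUT policy ACCEPT the file protects nothing while looking like a firewall. To use the rollback in practice, run apply_with_rollback as root in one SSH session and, once a fresh session can still connect, run confirm_rules; if the new session cannot connect, do nothing and wait for the timer.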

Tags: iptables linux-firewall netfilter packet-filtering NAT

Posted on Sat, 20 Jun 2026 17:28:35 +0000 by Moesian