
Introduction to iptables: Concepts, Commands, and Practical Use Cases

This article introduces iptables, explains its core concepts such as chains, rules, and tables, demonstrates common command‑line operations for displaying, adding, deleting and modifying rules, and presents a real‑world firewall configuration example for securing jump‑servers on CentOS.

DevOps Operations Practice

iptables is a powerful Linux firewall utility that operates at the network layer, allowing administrators to filter, forward, and redirect packets based on criteria such as source/destination IP, ports, and protocols.

Core concepts

1. Chain – a container for a set of rules. Linux defines five built‑in chains: INPUT, FORWARD, OUTPUT, PREROUTING, and POSTROUTING, each serving a specific traffic direction.

Chain         Function
INPUT         Matches packets destined for the local host.
FORWARD       Matches packets being routed through the host.
OUTPUT        Matches packets originating from the host.
PREROUTING    Matches incoming packets before routing decisions (used for DNAT).
POSTROUTING   Matches packets after routing decisions (used for SNAT).

2. Rule – defines an action (e.g., ACCEPT, DROP, REJECT) based on match conditions such as IP address, port, or protocol. Each rule belongs to a specific table and chain; if no table is specified with -t, the default is the filter table.

3. Table – a collection of chains. iptables provides four predefined tables: filter (default, for packet filtering), nat (network address translation), mangle (special packet alterations), and raw (for connection tracking exemptions).

Basic command‑line usage

1. Show rules

iptables -L

Add -n to print addresses and ports numerically instead of resolving names, and -v to show packet counters and interface names.

2. Add a rule

iptables -A <chain> [match conditions] -j <target>

Example – allow SSH (TCP port 22) on the INPUT chain:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

3. Delete a rule

iptables -D <chain> [match conditions] -j <target>    (or: iptables -D <chain> <rule-number>)

Example – remove the previously added SSH rule:

iptables -D INPUT -p tcp --dport 22 -j ACCEPT

4. Modify a rule (replace rule number)

iptables -R <chain> <rule-number> [match conditions] -j <target>

Example – change rule 1 in INPUT to allow HTTP (port 80):

iptables -R INPUT 1 -p tcp --dport 80 -j ACCEPT

These commands illustrate the most common operations; iptables also supports many advanced options not covered here.

Practical application case

A company uses several jump‑servers for privileged access. After previous compromises, the security team decides to harden the servers using iptables because it is lightweight and cost‑free.

Requirements: only allow a specific management IP to connect to the jump‑servers while still permitting outbound traffic and essential services (ICMP, DNS, NTP).

Implementation steps on CentOS 7 (using the filter table and the INPUT chain):

# Stop and disable firewalld (CentOS 7 ships it by default; it conflicts with iptables-services)
systemctl stop firewalld
systemctl disable firewalld
# Install and enable iptables-services so the saved rule set is loaded at boot
yum install iptables-services
systemctl enable iptables
systemctl start iptables
# Reset the INPUT policy to ACCEPT before flushing, so that re-running these
# steps on a chain whose policy is already DROP does not cut off the current session
iptables -P INPUT ACCEPT
iptables -F INPUT
# Allow loopback traffic; local services (resolvers, monitoring agents) need it
iptables -A INPUT -i lo -j ACCEPT
# Allow the management IP (replace with the actual address)
iptables -A INPUT -s 192.168.4.168 -j ACCEPT
# Allow replies to connections the host initiated; without -p this covers the
# TCP, UDP and ICMP replies tracked by conntrack, including DNS and NTP answers
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow ICMP
iptables -A INPUT -p icmp -j ACCEPT
# Allow DNS and NTP responses by source port. A remote host can choose its
# source port, so these matches are weaker than the ESTABLISHED rule above,
# which already admits these replies
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
# Set default INPUT policy to DROP (must be last)
iptables -P INPUT DROP
# Verify the rule set (numeric output, packet counters, rule numbers)
iptables -nvL INPUT --line-numbers
# Save configuration to /etc/sysconfig/iptables so it survives reboot
service iptables save

Note: The default DROP policy should be applied after all explicit ACCEPT rules; otherwise, the server may become unreachable.
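As an added check that is not part of the original article, the following script audits the INPUT chain of a jump-server, as printed by iptables -S INPUT, against the requirements above (default DROP, loopback and established traffic allowed, a narrowly scoped management source, no unrestricted or source-port-only accepts). The sample rule listing is constructed, and the /24 threshold for a "broad" source is an assumed policy value.

```python
"""Audit `iptables -S INPUT` output against the jump-server policy described above."""
import shlex
from ipaddress import ip_network

# Constructed sample of `iptables -S INPUT` output for a hardened jump-server.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.4.168/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
"""
MATCH_KEYS = ("-s", "-i", "-p", "--state", "--ctstate", "--sport", "--dport")

def parse_rules(text):
    """Return (policy, rules); each rule maps an option to the list of its values."""
    policy, rules = None, []
    for tokens in map(shlex.split, text.splitlines()):
        if len(tokens) >= 3 and tokens[0] == "-P":
            policy = tokens[2]                              # "-P INPUT DROP"
        elif tokens and tokens[0] == "-A":
            opts, i = {}, 2                                 # skip "-A INPUT"
            while i < len(tokens):
                has_arg = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
                opts.setdefault(tokens[i], []).append(tokens[i + 1] if has_arg else True)
                i += 2 if has_arg else 1
            rules.append(opts)
    return policy, rules

def audit_input_chain(text, max_prefix=24):
    """Return a list of findings; an empty list means the chain matches the policy."""
    policy, rules = parse_rules(text)
    accepts = [r for r in rules if r.get("-j") == ["ACCEPT"]]
    states = [r.get("--state", r.get("--ctstate", [""]))[0] for r in accepts]
    findings = [] if policy == "DROP" else ["policy is %s, expected DROP" % policy]
    if not any(r.get("-i") == ["lo"] for r in accepts):
        findings.append("no loopback ACCEPT; local services break under DROP")
    if not any("ESTABLISHED" in s for s in states):
        findings.append("no RELATED,ESTABLISHED ACCEPT; replies to outbound traffic are dropped")
    for r, state in zip(accepts, states):
        if not any(k in r for k in MATCH_KEYS):
            findings.append("unrestricted ACCEPT rule")
        for src in r.get("-s", []):
            if ip_network(src, strict=False).prefixlen < max_prefix:
                findings.append("source %s is broader than /%d" % (src, max_prefix))
        if "--sport" in r and not state:   # the peer chooses its own source port
            findings.append("ACCEPT by source port %s is spoofable; prefer ESTABLISHED" % r["--sport"][0])
    return findings
```

Run it against a live listing with `audit_input_chain(subprocess.check_output(["iptables", "-S", "INPUT"], text=True))`; on the sample above it reports only the two source-port rules, which the ESTABLISHED rule already covers.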

This example demonstrates how iptables can provide a simple yet effective firewall solution for protecting critical infrastructure.
