Understanding iptables: Chains, Tables, Rules, and Common Commands

This article provides a comprehensive guide to iptables, covering its underlying netfilter architecture, the five built‑in chains and tables, rule syntax, common match and target options, and practical command examples for adding, deleting, querying, and managing firewall rules on Linux systems.

Byte Quality Assurance Team

Introduction

iptables is a Linux kernel‑based packet‑filtering tool built on the netfilter framework. It operates between the network and transport layers, allowing users to filter, modify, or drop packets as they traverse the system.

Five Chains in Network Packet Filtering

The Linux packet‑filtering process defines five built‑in chains: PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING. Depending on the traffic flow, a packet may pass through one or more of these chains:

Incoming packets to the local host: network device → PREROUTING → INPUT → local process

Forwarded packets: network device → PREROUTING → routing → FORWARD → POSTROUTING → network device

Outgoing packets from the local host: local process → OUTPUT → POSTROUTING → network device

iptables rules are attached to these chains; when a packet traverses a chain, the rules on that chain are evaluated in order, and the first matching rule with a terminating target (such as ACCEPT or DROP) decides what happens to the packet.

iptables Five Tables

Rules are grouped into tables according to their purpose. The five standard tables are:

filter : default table for packet filtering (ACCEPT, DROP, REJECT).

nat : network address translation, modifies source or destination addresses.

mangle : packet mangling, used to alter IP header fields.

raw : disables connection tracking for selected packets.

security : applies SELinux security policies.

A chain can belong to more than one table; for example, the filter table is applied to the INPUT, FORWARD, and OUTPUT chains.

iptables Rule Configuration

A typical rule consists of a match part and a target (action) part. Example:

iptables -I INPUT -s 192.168.1.111,192.168.1.118 -j DROP

Matches can specify protocol, source/destination address, ports, network interface, packet state, etc. Targets include:

ACCEPT – allow the packet.

DROP – silently discard the packet.

REJECT – discard and send an error reply.

SNAT / MASQUERADE – source address translation.

DNAT – destination address translation.

REDIRECT – port redirection on the local host.

LOG – log the packet through the kernel log (typically /var/log/messages) and continue evaluating the following rules; LOG is non-terminating, so it is usually placed directly before the DROP or REJECT rule it documents.
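The tables, chains and rule syntax described above are easiest to see together in iptables-restore format, where each table declares its own chains with their default policy and then the rules attached to them. The script below is an added example, not code from the article: it generates such a ruleset for a small gateway and parses it back to show which chains each table owns. The interface name, LAN network and admin address are assumed values.

```shell
#!/bin/sh
# Added example, not code from the article: one ruleset in iptables-restore
# format. Each "*table" block declares the chains that table owns (with their
# default policy) and the rules attached to them; "COMMIT" ends the table.
# Interface, network and admin address are assumed values for illustration.
WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
ADMIN_HOST=${ADMIN_HOST:-192.168.1.146}

gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to connections this host opened, and loopback
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# SSH only from the admin host
-A INPUT -p tcp -s $ADMIN_HOST --dport 22 -j ACCEPT
# ping, rate limited; the excess falls through to the DROP policy
-A INPUT -p icmp -m limit --limit 10/minute --limit-burst 3 -j ACCEPT
# LOG is non-terminating: the packet is logged, then the policy drops it
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "iptables-drop: "
# forwarding only from the LAN out to the WAN, plus return traffic
-A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# source NAT for LAN hosts leaving on the WAN interface
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# chains_in_table RULESET TABLE -> space-separated chain names declared in TABLE
chains_in_table() {
  printf '%s\n' "$1" | awk -v t="*$2" '
    $1 == t        { inside = 1; next }
    $1 == "COMMIT" { inside = 0 }
    inside && /^:/ { name = substr($1, 2); out = out (out == "" ? "" : " ") name }
    END            { print out }'
}

# rule_count_in RULESET TABLE CHAIN -> number of -A rules on CHAIN in TABLE
rule_count_in() {
  printf '%s\n' "$1" | awk -v t="*$2" -v c="$3" '
    $1 == t        { inside = 1; next }
    $1 == "COMMIT" { inside = 0 }
    inside && $1 == "-A" && $2 == c { n++ }
    END            { print n + 0 }'
}

RULESET=$(gen_ruleset)
echo "filter chains: $(chains_in_table "$RULESET" filter)"   # INPUT FORWARD OUTPUT
echo "nat chains:    $(chains_in_table "$RULESET" nat)"      # PREROUTING INPUT OUTPUT POSTROUTING
echo "rules on filter/INPUT: $(rule_count_in "$RULESET" filter INPUT)"   # 5
```

Save the output of gen_ruleset to a file and check it with `iptables-restore --test < file` before applying it with `iptables-restore < file`, which replaces each table as a whole rather than rule by rule. Note that the nat table has no FORWARD chain and the filter table has no PREROUTING or POSTROUTING chain, which is why the MASQUERADE rule lives in nat/POSTROUTING and the forwarding policy in filter/FORWARD.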

Adding, Deleting, Modifying, and Querying Rules

Query

iptables -t filter -L
iptables -t nat -L

Add

iptables -I INPUT -s 192.168.1.146 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -I INPUT 5 -s 192.168.1.146 -j REJECT
iptables -P FORWARD ACCEPT

Delete

iptables -t filter -D INPUT 1
iptables -F

Modify

iptables -t filter -R INPUT 3 -s 192.168.1.146 -j ACCEPT

It is generally recommended to delete and re‑add a rule rather than use -R: -R addresses the rule by its position in the chain, and positions shift whenever rules are inserted or deleted.
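The add and delete commands above are not idempotent: running `-I` or `-A` twice leaves two copies of the rule, and a single `-D` removes only one of them. The helpers below are an added example, not code from the article, and rely on `iptables -C`, which reports whether an identical rule already exists. To keep the script runnable without root, the backend is selected through the assumed IPTABLES variable; the default is an in-memory mock of the `-C`, `-A` and `-D` options, and `IPTABLES=iptables` runs the same helpers against the kernel.

```shell
#!/bin/sh
# Added example, not code from the article: idempotent add/remove helpers.
# "iptables -C" (check) reports whether an identical rule exists, so a script
# that runs repeatedly never stacks duplicate rules, and removal deletes every
# copy instead of just the first. IPTABLES selects the backend: set
# IPTABLES=iptables to act on the kernel (needs root); the default is the
# in-memory mock below so the helpers can be exercised anywhere.
IPTABLES=${IPTABLES:-mock_iptables}

# Stand-in for iptables that understands "-t TABLE {-C|-A|-D} CHAIN RULE...".
# State is MOCK_RULES, one "table chain rule-spec" per line.
MOCK_RULES=""
mock_iptables() {
  m_table=$2; m_op=$3; m_chain=$4; shift 4
  m_spec="$m_table $m_chain $*"
  case $m_op in
    -C) printf '%s\n' "$MOCK_RULES" | grep -qxF -- "$m_spec" ;;
    -A) MOCK_RULES="${MOCK_RULES}${m_spec}
" ;;
    -D) # delete the first matching copy, like the real -D
        MOCK_RULES=$(printf '%s' "$MOCK_RULES" |
          awk -v s="$m_spec" '!done && $0 == s { done = 1; next } { print }')
        [ -z "$MOCK_RULES" ] || MOCK_RULES="${MOCK_RULES}
" ;;
    *)  echo "mock_iptables: unsupported option $m_op" >&2; return 2 ;;
  esac
}

# ensure_rule TABLE CHAIN RULE...: append the rule only if it is not there yet
ensure_rule() {
  table=$1; chain=$2; shift 2
  if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
    return 0
  fi
  "$IPTABLES" -t "$table" -A "$chain" "$@"
}

# remove_rule TABLE CHAIN RULE...: delete every copy of the rule
remove_rule() {
  table=$1; chain=$2; shift 2
  while "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; do
    "$IPTABLES" -t "$table" -D "$chain" "$@"
  done
}

# rule_count -> number of rules the mock currently holds
rule_count() {
  printf '%s' "$MOCK_RULES" | grep -c .
}

# Demo: the repeated ensure_rule is a no-op; the two hand-added duplicates
# are both removed by remove_rule.
ensure_rule filter INPUT -s 192.168.1.146 -j ACCEPT
ensure_rule filter INPUT -s 192.168.1.146 -j ACCEPT
"$IPTABLES" -t filter -A INPUT -p icmp -j DROP
"$IPTABLES" -t filter -A INPUT -p icmp -j DROP
echo "rules after setup:  $(rule_count)"   # 3
remove_rule filter INPUT -p icmp -j DROP
echo "rules after remove: $(rule_count)"   # 1
```

`iptables -C` compares the rule exactly as iptables normalises it, so the check only matches when the same table, chain, matches and target are given in the same form as the rule that was added; a rule added by hand with a different spelling of the same match is treated as a different rule.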

Matching Directives in iptables

IP address

iptables -I INPUT -s 192.168.1.111,192.168.1.118 -j DROP
iptables -I INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -I INPUT ! -s 192.168.1.0/24 -j ACCEPT

IP range

iptables -t filter -I INPUT -m iprange --src-range 192.168.1.127-192.168.1.146 -j DROP

Port

iptables -t filter -I INPUT -p tcp --dport 22:25 -j REJECT
iptables -t filter -I INPUT -p tcp -m multiport --dports 22,80 -j REJECT

String

iptables -t filter -I INPUT -p tcp --sport 80 -m string --algo bm --string "OOXX" -j REJECT

Protocol

iptables -I INPUT -p tcp -s 192.168.1.146 -j ACCEPT

Network interface

iptables -I INPUT -p icmp -i eth4 -j DROP

Time

iptables -t filter -I OUTPUT -p tcp --dport 80 -m time --timestart 09:00:00 --timestop 19:00:00 -j REJECT

Common iptables Use Cases

Block a specific port

iptables -I INPUT -d 192.168.1.146 -p tcp --sport 22 -j REJECT

Block traffic from an IP

iptables -I INPUT -s 123.45.6.7 -j REJECT

Random packet loss

iptables -I INPUT -d 221.194.131.46 -m statistic --mode random --probability 0.5 -j DROP

Rate limiting

iptables -t filter -I INPUT -p icmp -m limit --limit-burst 3 --limit 10/minute -j ACCEPT
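The rate-limiting rule above only accepts the packets that fit the limit; the excess simply falls through to the next rule, so unless a DROP or REJECT for the same traffic follows it (or the chain policy is DROP), the limit has no effect. The script below is an added example, not code from the article: ratelimit_rules emits the ACCEPT rule together with its backstop, and lint_limit_rules scans an `iptables -S` style dump for limited ACCEPT rules that no later DROP or REJECT in the same chain covers. The rule dump it checks is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the article. A "-m limit ... -j ACCEPT" rule
# admits only the allowed share of packets; the rest continue down the chain,
# so the limit is meaningless unless a DROP/REJECT (or a DROP policy) follows.

# ratelimit_rules CHAIN PROTO RATE BURST -> the accept rule plus its backstop
ratelimit_rules() {
  chain=$1; proto=$2; rate=$3; burst=$4
  printf '%s %s -p %s -m limit --limit %s --limit-burst %s -j ACCEPT\n' \
    -A "$chain" "$proto" "$rate" "$burst"
  printf '%s %s -p %s -j DROP\n' -A "$chain" "$proto"
}

# Constructed "iptables -S" output: the icmp limit is backed by a DROP, the
# FORWARD udp limit by a catch-all REJECT, but the tcp/22 limit by nothing.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p icmp -m limit --limit 10/minute --limit-burst 3 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m limit --limit 3/minute -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p udp -m limit --limit 50/second -j ACCEPT
-A FORWARD -j REJECT'

# lint_limit_rules: reads an "iptables -S" dump on stdin and prints every
# limited ACCEPT that no later DROP/REJECT in the same chain covers, either
# for the same protocol or as a catch-all without -p. Exit status 1 if any.
# (A DROP chain policy would also close the gap; this lint only looks at
# explicit rules.)
lint_limit_rules() {
  awk '
    $1 == "-A" {
      chain = $2; proto = ""; limited = 0; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "-m" && $(i + 1) == "limit") limited = 1
        if ($i == "-j") target = $(i + 1)
      }
      key = chain " " proto
      if (limited && target == "ACCEPT") {
        if (!(key in pending)) order[++n] = key
        pending[key] = $0
      } else if (target == "DROP" || target == "REJECT") {
        if (proto == "") { for (k in pending) if (index(k, chain " ") == 1) delete pending[k] }
        else delete pending[key]
      }
    }
    END {
      for (i = 1; i <= n; i++)
        if (order[i] in pending) {
          print "unbacked limit rule: " pending[order[i]]
          delete pending[order[i]]; bad = 1
        }
      exit (bad ? 1 : 0)
    }'
}

printf '%s\n' "$SAMPLE_RULES" | lint_limit_rules   # flags the --dport 22 rule
ratelimit_rules INPUT icmp 10/minute 3             # the rule pair to insert
```

The same reasoning applies to the LOG target from the earlier section: a LOG rule with `-m limit` only throttles how many log lines are written, and the packet still needs a terminating rule after it.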

These examples illustrate how iptables can be used to implement firewall policies, traffic shaping, and security controls on Linux systems.
