โ‰ก Menu

Linux Firewall Tutorial: IPTables Tables, Chains, Rules Fundamentals

iptables firewall is used to manage packet filtering and NAT rules. IPTables comes with all Linux distributions. Understanding how to setup and configure iptables will help you manage your Linux firewall effectively.

iptables tool is used to manage the Linux firewall rules. At a first look, iptables might look complex (or even confusing). But, once you understand the basics of how iptables work and how it is structured, reading and writing iptables firewall rules will be easy.

This article is part of an ongoing iptables tutorial series. This is the 1st article in that series.

This article explains how iptables is structured, and explains the fundamentals about iptables tables, chains and rules.

On a high-level iptables might contain multiple tables. Tables might contain multiple chains. Chains can be built-in or user-defined. Chains might contain multiple rules. Rules are defined for the packets.

So, the structure is: iptables -> Tables -> Chains -> Rules. This is defined in the following diagram.


Fig: IPTables Table, Chain, and Rule Structure

Just to re-iterate, tables are bunch of chains, and chains are bunch of firewall rules.

I. IPTABLES TABLES and CHAINS

IPTables has the following 4 built-in tables.

1. Filter Table

Filter is default table for iptables. So, if you don’t define you own table, you’ll be using filter table. Iptables’s filter table has the following built-in chains.

  • INPUT chain – Incoming to firewall. For packets coming to the local server.
  • OUTPUT chain – Outgoing from firewall. For packets generated locally and going out of the local server.
  • FORWARD chain – Packet for another NIC on the local server. For packets routed through the local server.

2. NAT table

Iptable’s NAT table has the following built-in chains.

  • PREROUTING chain – Alters packets before routing. i.e Packet translation happens immediately after the packet comes to the system (and before routing). This helps to translate the destination ip address of the packets to something that matches the routing on the local server. This is used for DNAT (destination NAT).
  • POSTROUTING chain – Alters packets after routing. i.e Packet translation happens when the packets are leaving the system. This helps to translate the source ip address of the packets to something that might match the routing on the desintation server. This is used for SNAT (source NAT).
  • OUTPUT chain – NAT for locally generated packets on the firewall.

3. Mangle table

Iptables’s Mangle table is for specialized packet alteration. This alters QOS bits in the TCP header. Mangle table has the following built-in chains.

  • PREROUTING chain
  • OUTPUT chain
  • FORWARD chain
  • INPUT chain
  • POSTROUTING chain

4. Raw table

Iptable’s Raw table is for configuration excemptions. Raw table has the following built-in chains.

  • PREROUTING chain
  • OUTPUT chain

The following diagram shows the three important tables in iptables.

Fig: IPTables built-in tables

II. IPTABLES RULES

Following are the key points to remember for the iptables rules.

  • Rules contain a criteria and a target.
  • If the criteria is matched, it goes to the rules specified in the target (or) executes the special values mentioned in the target.
  • If the criteria is not matached, it moves on to the next rule.

Target Values

Following are the possible special values that you can specify in the target.

  • ACCEPT – Firewall will accept the packet.
  • DROP – Firewall will drop the packet.
  • QUEUE – Firewall will pass the packet to the userspace.
  • RETURN – Firewall will stop executing the next set of rules in the current chain for this packet. The control will be returned to the calling chain.

If you do iptables –list (or) service iptables status, you’ll see all the available firewall rules on your system. The following iptable example shows that there are no firewall rules defined on this system. As you see, it displays the default input table, with the default input chain, forward chain, and output chain.

# iptables -t filter --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Do the following to view the mangle table.

# iptables -t mangle --list

Do the following to view the nat table.

# iptables -t nat --list

Do the following to view the raw table.

# iptables -t raw --list

Note: If you don’t specify the -t option, it will display the default filter table. So, both of the following commands are the same.

# iptables -t filter --list
(or)
# iptables --list

The following iptable example shows that there are some rules defined in the input, forward, and output chain of the filter table.

# iptables --list
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

The rules in the iptables –list command output contains the following fields:

  • num – Rule number within the particular chain
  • target – Special target variable that we discussed above
  • prot – Protocols. tcp, udp, icmp, etc.,
  • opt – Special options for that specific rule.
  • source – Source ip-address of the packet
  • destination – Destination ip-address for the packet
Add your comment

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! โ€“ 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

Comments on this entry are closed.

  • Pushpraj January 24, 2011, 12:56 am

    very good….keep writing……

    Thanks
    Pushpraj

  • pupu January 24, 2011, 3:22 am

    Just note that DNAT and SNAT also stands for Dynamic and Static NAT, so don’t be confused when you read another text. Anyway, nice article, thanks!

  • Rendy January 24, 2011, 3:22 am

    Thank You Ramesh…very clear!

  • vaisakh January 24, 2011, 3:59 am

    Excellent .. I was searching for a good article about the fundamentals of IPtable.. Thanks. Also waiting for next part

  • Ben January 24, 2011, 9:42 am

    Nice article, look forward to rest of the series. Any idea when others will be out?

  • p campbell January 24, 2011, 10:07 am

    Some of your articles are excellent for beginners but this is not a tutorial it is misnamed.

  • Waly DIOUF January 24, 2011, 11:06 am

    This website is sooooo what I just need at work. Good work Ramesh, you’re a genuis.
    Thanks a lot

  • shakerlxxv January 24, 2011, 12:49 pm

    Great topic. Looking forward to the rest of the series.

  • R January 24, 2011, 1:36 pm

    Ramesh,
    You might want to include tutorial on fwbuilder, its a nice gui interface and used to manage firewall on 100’s of hosts.
    -R

  • shaheem January 25, 2011, 1:21 am

    great stuff. also waiting for the follow up!

  • artie January 25, 2011, 2:12 pm

    great read and informative. look forward to the follow up.

  • shezars January 28, 2011, 2:28 am

    very helpfullllllll,,,
    wait, for your next part.

  • Will Knight January 31, 2011, 10:07 am

    Good tutorial, I find iptables complex to understand but you have made it so easy, Thanks.

  • abc February 4, 2011, 1:51 am

    Very Nice tutorial. Thanks

  • saran February 10, 2011, 10:00 am

    great starter to the series
    plz continue with the tutorial

  • abdul jamal February 18, 2011, 9:37 am

    Nice job.I read it and got the concept where is confused.. i have some question and answers ,,u will help me out to be correct.

    Q1: Rule the matches ssh traffic(tcp,22) arriving through interface eth0.
    ans. iptables -A INPUT -i eth0 -p tcp –dport 22
    OR
    iptables -A INPUT -i eth0 -p tcp –sport 22
    Q2: Rule that matches traffic to a DNS server (udp,53) from any address in the range 10.0.0.0-10.0.0.255
    Ans: iptable -A INPUT -m iprange –src-range 10.0.0.0-10.0.0.255 -d 10.19.6.142 (dns server) -p udp –dport 53

    Q3:Rule that matches traffic from any address in the range 10.0.0.1 to 10.0.0.6,inclusive.
    Ans. iptable -A INPUT -m iprange –src-range 10.0.0.1-10.0.0.6

    Q4: Three rules that accept traffic from address 10.0.0.1 through 10.0.0.6, but drops traffic from 10.0.0.0 and 10.0.0.7 , without using any extension matches.
    Ans: iptable -A INPUT -s 10.0.0.0 -j DROP
    iptable -A INPUT -s 10.0.0.7 -j DROP
    iptable -A INPUT -m iprange –src-range 10.0.0.1-10.0.0.6 -j ACCEPT

    thanks for the correct and replying

  • Ishara Fernando July 8, 2011, 12:38 am

    Now only I understand the firewall concepts and the Iptable rules…
    Each and every technique of explaining the theories are brilliant Mr.Ramesh… Keep it up.. We all Are with YOU…

  • OKELLO August 16, 2011, 2:39 am

    l think am beginning to understand the iptables, thanks man

  • freemao October 31, 2011, 5:47 am

    how to define the rules’ prior then?

  • Rob November 15, 2011, 3:09 pm

    Ramesh,

    Very good article. Thanks. Has anyone considered the pros/cons to utilizing and maintaining their own open source firewall vs. paying for the service (ie. Verizon, AT&T, other)? How much time is associated to maintaining/supporting an open source solution? I’m trying to justify the idea of going away from a service based concept (appliance, maintenance/support are provided) vs. pulling in my own skilled resources to build/maintain an open source solution as discussed above.

    Thanks,

    Rob

  • Stan January 3, 2012, 4:36 am

    you said: “Iptablesโ€™s Mangle table is for specialized packet alteration. This alters QOS bits in the TCP header. ”

    Alters QOS bits in TCP header? I thought mangle altering TOS bits in IP header! TCP operate on higher level than IP, and mangle works with IP packets.

  • ramadan March 24, 2012, 7:45 am

    it’s very nice thanks for your posting .keep writing about iptables

  • sarah April 9, 2012, 2:44 pm

    it was really good,thank u so much,plz keep writing…

  • Rahul April 17, 2012, 10:32 pm

    Thanks, nice and clear

  • Rakesh Sindhu June 7, 2012, 3:40 am

    Really good and very clear ….

  • Amol June 19, 2012, 1:21 am

    Nice post.Very helpful for beginners.

  • mucivane July 23, 2012, 7:44 am

    looking for a rule that allows traffic comming from an external user through the internet to access FTP (192.168.0.252), SSH& web (192.168.0.253) servers and some workstation on the same network. The router of that network is 192.168.254

  • LJ July 31, 2012, 12:51 am

    Extraordinary introduction, Ramesh

    You’ve the knowledge and astonishing skills to communicate it, an unusual combination

    Congratulations!
    LJ

  • Aman August 9, 2012, 12:30 am

    Super..

  • Bilo September 5, 2012, 12:03 am

    Thanks for the article. Now I really understand how this stuff work. Awesome

  • Conrad November 5, 2012, 12:20 am

    Thank you very much for your excellent tutorial. Looking forward to the next one.
    Regards to you !

  • qh April 23, 2013, 12:43 am

    thanks for your so popular article.

  • madfrog April 23, 2013, 3:00 am

    Thanks a lot. It really has been benificial in clearing out some concepts. By coincidence i came over to the 2nd article first and landed up over here otherwise would have been difficult.
    Is there any directory structure where one can have overview of the topics. That would be helpful as well. (The reason being that your explanations are really from grass root level)
    Regards

  • fastthinker April 26, 2013, 12:21 am

    great article

  • kanyapond May 5, 2013, 9:54 pm

    Thank you for your article, It’s very good. ๐Ÿ™‚

  • Houcheng Lin May 6, 2013, 7:42 pm

    Great and thank you ๐Ÿ˜€

  • sisayt June 26, 2013, 2:36 am

    Thank you very much brother

  • kaliswaran August 18, 2013, 10:57 am

    Reall!!! nice and useful article for system admin’s

  • yang September 16, 2013, 6:58 pm

    Great ant thank you

  • laks October 4, 2013, 4:08 am

    good iptables structured and all administrator can easily understand this.

  • jeffin October 14, 2013, 4:09 am

    Very NIce Article… ๐Ÿ™‚

  • Ganesh November 27, 2013, 3:42 am

    please add link for next page of current topic

  • Jame R December 7, 2013, 1:01 am

    Absolute BEAUTIFUL article. Very clear. For shame ALL the other posts out there including MAN pages.

    A tear to my eye the series never continued….

  • Sandeep December 18, 2013, 1:08 am

    Hi Ramesh Natarajan,
    Thank you very much for your post. Earlier the concept of ‘iptables’ was like a nightmare and too complicated and overwhelming to understand. Thank you very much for making the concept so simple. The clear and precise explanation should be appreciated.

  • Anonymous December 19, 2013, 3:17 pm

    Extremely well explained, as concepts were organized properly and follow a logical progression. Most other articles I read never actually explained the definition of a “chain”!….. This article did a marvelous job.

  • Maryann February 5, 2014, 3:44 am

    Thanks Ramesh for simplyfying an abstract topic and explain it in such simple terms. Surely you have a knack to break down complex stuff into simple sentences. Thanks
    Maryann

  • Riddhi February 10, 2014, 8:56 pm

    How to direct incoming traffic from a trusted network to a chain?

    -A FORWARD -i eth1 -o trusted-outside -j ACCEPT

  • Anu February 12, 2014, 7:24 am

    Many thanks Ramesh…

  • guoger April 3, 2014, 7:56 am

    Very clean and elegant words! Wheres the next blog?

  • Pawan April 14, 2014, 4:01 pm

    Nice article. and please update mangle rules.

  • Zak May 2, 2014, 9:51 am

    This article is great and mentions that it is part of a series. Did any other parts get published?

  • ansona June 21, 2014, 12:33 am

    excellent article for beginners like us !! taking this as the reference for preparing in lab exam.. thank you so much this great work.

    from,
    MTech Cyber Security (SNGCE)

  • Chandu September 14, 2014, 1:48 am

    thanks bro.
    !!!!!!Great article!!!!!

  • Joaquin September 22, 2014, 3:27 pm

    Great explanation! Thanks!

  • Manas October 5, 2014, 6:44 am

    Hi Ramesh,
    Nice doc.
    “Once the rule is not not matching then the packet is passed to the next rule.” – does it mean that it is passed to the next rule in the Sl. no ? Does these rules have any precedence kind of concept or the Sl.No of that rule signifies its precedence?

  • Manas October 5, 2014, 1:34 pm

    Continuation to my earlier question, once i configure three rules under INPUT chain of Filter Table, I do not see any sequence. If no sequence is maintained, then how the rule precedence works?

    [root@mobst480m-lnx1 ~]# iptables –list
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    DROP all — mobst480p-lnx1.englab.juniper.net anywhere
    DROP all — cfdvipers-lnx2.englab.juniper.net anywhere
    DROP all — mobst480o-lnx1.englab.juniper.net anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

  • Mark October 7, 2014, 10:55 am

    thanks ramesh. very helpful article ๐Ÿ™‚

  • quas January 1, 2015, 5:29 am

    One thing though: it’s “one criterion”, not one “criteria”. Criteria is the plural (like “phenomena”)

  • Palvelin January 30, 2015, 2:56 am

    Nice info on iptables. One thing worth mentioning is that iptables need be saved for them to stay intact after reboot.

  • anon March 22, 2015, 1:25 am

    why do we have same chains in diffrent tables of “iptables firewall”?

  • Locane April 4, 2015, 10:43 pm

    “So, if you donโ€™t define you own table, youโ€™ll be using filter…”

    “You” should be “your”.

    Just FYI.

  • Jawad May 21, 2015, 7:57 am

    Really Good. I learned a lot.

  • Pavlin Georgiev May 25, 2015, 6:26 am

    You are the best Linux geek who is able to explain simply such a complicated topic as Linux.

  • Todd June 5, 2015, 10:41 pm

    Nice article for beginners. But IMHO the final section with “iptables –list” output could use additional explanation.

  • Julie August 16, 2015, 8:48 am

    What’s a Chain?

  • flippedbit0010 August 26, 2015, 8:41 pm

    Coming from a network engineering background dealing with Cisco, Juniper, and Checkpoint firewalls, this is a perfect jumping off point for Linux host based FW. Sigh, why didn’t I find this before I spent money on a book that is now literally a paper weight.

  • shailesh January 5, 2016, 12:58 pm

    I am using this box as Router and as per your suggestion in trial message I had configured the FORWARD chain of three user mac address, configuration mentioned below.
    two User getting the IP Address from DHCP Server but not able to browser, so please can you help me how they can browse…..

    DHCPACK on 192.168.23.171 to 90:72:40:58:a9:95 (is-iPhone)
    DHCPACK on 192.168.23.178 to FC:75:16:67:3F:BE (android-f50ef57524010a1e)
    DHCPACK on 192.168.23.100 to 00:25:64:A4:3F:01 (android-7306f0c1f5e73255)

    # Generated by iptables-save v1.4.7
    *filter
    :INPUT ACCEPT [37:6239]
    :FORWARD DROP [789:129680]
    :OUTPUT ACCEPT [89:13144]
    -A INPUT -i eth1 -m mac –mac-source 34:E67:00:B1:E6 -j ACCEPT
    -A INPUT -s IP ADDRESS -p tcp -m tcp –dport 8888 -j ACCEPT
    -A INPUT -s IP ADDRESS -p tcp -m tcp –dport 8888 -j ACCEPT
    -A INPUT -s IP ADDRESS -p tcp -m tcp –dport 9888 -j ACCEPT
    -A INPUT -s IP ADDRESS -p tcp -m tcp –dport 9888 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 22 -j DROP
    -A INPUT -p icmp -m icmp –icmp-type 8 -j DROP
    -A INPUT -p tcp -m state –state NEW -m tcp –dport 80 -j ACCEPT
    -A INPUT -p tcp -m state –state NEW -m tcp –dport 443 -j ACCEPT
    -A FORWARD -i eth1 -j ACCEPT
    -A FORWARD -m mac –mac-source FC:75:16:67:3F:BE -j ACCEPT
    -A FORWARD -m mac –mac-source 00:25:64:A4:3F:01 -j ACCEPT
    -A FORWARD -m mac –mac-source 90:72:40:58:A9:95 -j ACCEPT
    -A OUTPUT -p icmp -m icmp –icmp-type 0 -j DROP
    COMMIT
    # Completed on Tue Jan 5 18:47:41 2016
    # Generated by iptables-save v1.4.7 on Tue Jan 5 18:47:41 2016
    *nat
    :PREROUTING ACCEPT [406:28986]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [1:108]
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Tue Jan 5 18:47:41 2016
    # Generated by iptables-save v1.4.7 on Tue Jan 5 18:47:41 2016
    *mangle
    :PREROUTING ACCEPT [1596:188447]
    :INPUT ACCEPT [130:13127]
    :FORWARD ACCEPT [1466:175320]
    :OUTPUT ACCEPT [90:13236]
    :POSTROUTING ACCEPT [767:58876]
    COMMIT
    # Completed

  • Taher February 4, 2016, 4:11 am

    Really great ๐Ÿ™‚
    Thanks, Ramesh.

  • Anonymous February 24, 2016, 1:11 pm

    thank you very much
    A very useful article

  • mANI April 11, 2016, 12:41 am

    I am novice to this linux firewall.
    I have now learn to configure the iptables & ip6tables

  • Zeba May 25, 2016, 4:22 am

    Very well explained!

  • leo June 22, 2016, 11:59 pm

    good!

  • Garima Jain June 28, 2016, 10:44 pm

    I have to redirect only the specific traffic to another port and drop the rest of it. How do I achieve this? The packet will be accepted first or pre-routing is done first?

  • mohammad amzad December 7, 2016, 3:32 am

    nice article for the freshers to understand abt iptables….
    thank you….

  • Leo April 7, 2017, 12:29 am

    can anyone explain me line by line what these mean?:

    this was created by an expert to allow ssh connection via an alternative internet line using a router which is behind that line on a separate LAN but having the LAN IP of the target line 10.0.0.37 (router’s WAN IP is 192.168.x.x -because it is inside a LAN of the other network)

    /sbin/sysctl net.ipv4.conf.eth0.rp_filter=2
    /sbin/sysctl net.ipv4.conf.br0.rp_filter=2
    /usr/sbin/iptables -t mangle -A OUTPUT -p tcp --sport 8022 -j MARK --set-mark 1
    iptables -t mangle -N ssh
    /usr/bin/echo "200 ssh" >> /etc/iproute2/rt_tables
    /usr/sbin/ip rule add fwmark 1 table ssh
    /usr/sbin/ip route add default dev br0 via 10.0.0.37 table ssh
    
  • Embrace March 26, 2019, 9:50 am

    This is very helpful, Thank you.