Dargslan
iptables Explained: A Practical Guide to Linux Firewall Management


Linux has always been known for its flexibility, performance, and strong security model. One of the most important parts of securing any Linux system is properly controlling network traffic, and for years, iptables has been one of the most widely used tools for that job.


Even though newer technologies like nftables are becoming more common, iptables is still heavily used in servers, VPS environments, labs, embedded systems, and legacy production deployments. If you work with Linux, understanding iptables is still an essential skill.


In this guide, we’ll look at what iptables is, how it works, and how to use it in real-world scenarios.

What Is iptables?


iptables is a userspace utility used to configure the Linux kernel’s packet filtering system through the netfilter framework.


In simple terms, it allows you to define which network traffic should be:

  • allowed
  • blocked
  • rejected
  • forwarded
  • translated through NAT


It gives administrators direct control over how packets move in and out of a Linux system.

Why iptables Still Matters


A firewall is one of the first lines of defense for any server. Without proper filtering, services may be exposed unnecessarily, administrative ports may remain open to the public internet, and systems become easier targets.


With iptables, you can:

  • allow only the services you actually need
  • restrict access by IP address
  • protect SSH and management interfaces
  • filter inbound and outbound traffic
  • build NAT and routing configurations
  • log suspicious traffic for troubleshooting or monitoring

How iptables Works


iptables is built around three main concepts:

  • tables
  • chains
  • rules

Tables


Tables are groups of chains used for different networking purposes.

The most common tables are:

  • filter – standard packet filtering
  • nat – network address translation
  • mangle – packet modification
  • raw – connection tracking control
  • security – mandatory access control rules (used together with SELinux) on systems that support it


In most day-to-day firewall configurations, the filter table is the most important one.

Chains


Chains are collections of rules inside a table. In the filter table, the three main chains are:

  • INPUT – traffic coming into the local machine
  • OUTPUT – traffic leaving the local machine
  • FORWARD – traffic passing through the machine to another destination

Rules


Rules define what should happen when traffic matches certain conditions.


Example:

  • if a packet is TCP traffic on port 22, allow it
  • if it belongs to an already established connection, allow it
  • if it matches nothing else, drop it


Common targets include:

  • ACCEPT
  • DROP
  • REJECT
  • LOG

Basic iptables Syntax


A typical iptables command looks like this (when -t is omitted, the filter table is assumed):

iptables [-t table] [action] chain [match conditions] -j target

For example:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

This means:

  • -A = append a rule
  • to the INPUT chain
  • for TCP traffic
  • on destination port 22
  • and ACCEPT it

Common Rule Operations

Some frequently used options include:

  • -A – append a rule at the end of a chain
  • -I – insert a rule (at the top of the chain unless a position is given)
  • -D – delete a rule
  • -L – list rules
  • -F – flush rules
  • -P – set default policy
  • -N – create a new chain

For example (-n shows addresses and ports numerically, -v adds packet and byte counters and interfaces):

iptables -L
iptables -L -n -v
iptables -F
iptables -P INPUT DROP

Understanding Default Policies


Each chain has a default policy. This determines what happens when no rule matches a packet.


The most common policies are:

  • ACCEPT
  • DROP


A secure configuration often uses a default deny approach:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT


This means inbound and forwarded traffic is blocked unless explicitly allowed.

Essential Real-World Rules

Allow Loopback Traffic


Local system processes depend on the loopback interface.

iptables -A INPUT -i lo -j ACCEPT

Allow Established and Related Connections


This is one of the most important rules in almost every firewall setup:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


It allows return traffic for connections that are already in progress.

Allow SSH


To allow remote administration:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT


To make it more secure, restrict SSH to a trusted source IP:

iptables -A INPUT -p tcp -s 203.0.113.10 --dport 22 -j ACCEPT

Allow HTTP and HTTPS


For web servers:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Example: Basic Secure Server Firewall


Here is a simple example of a minimal server firewall. The policies are reset to ACCEPT before flushing and switched to DROP only after the allow rules exist, so an active SSH session is not cut off between commands:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

iptables -P INPUT DROP
iptables -P FORWARD DROP


This allows:

  • local loopback traffic
  • established connections
  • SSH
  • HTTP
  • HTTPS


Everything else is denied.

DROP vs REJECT


These two actions are often confused.

DROP


DROP silently discards the packet.

iptables -A INPUT -p tcp --dport 23 -j DROP


The sender gets no reply.

REJECT


REJECT actively refuses the connection and sends a response back.

iptables -A INPUT -p tcp --dport 23 -j REJECT


In security-focused environments, DROP is often preferred. In controlled environments, REJECT can make troubleshooting easier.

Listing and Deleting Rules

To list current rules:

iptables -L
iptables -L -n -v

To show line numbers:

iptables -L --line-numbers

To delete a specific rule by number:

iptables -D INPUT 3

Or by matching the full rule:

iptables -D INPUT -p tcp --dport 22 -j ACCEPT

Saving Rules


One common beginner mistake is assuming iptables rules persist after reboot. In many systems, they do not unless explicitly saved. Two tools handle this: iptables-save writes the current ruleset to standard output, and iptables-restore reads such a file back in, replacing the active rules in one step:

iptables-save
iptables-restore

Example:

iptables-save > /etc/iptables/rules.v4


On some distributions, tools such as iptables-persistent are used to automatically restore rules at boot.

NAT and Masquerading


iptables can also perform Network Address Translation.


A common use case is masquerading outbound traffic from internal clients, so that packets leaving through the external interface carry the gateway's own address. The rule goes in the nat table's POSTROUTING chain, which is consulted after the routing decision, just before the packet leaves:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


This is commonly used on routers, VPN gateways, and lab systems. Note that NAT alone does not pass traffic through the box: with a FORWARD policy of DROP, as in the default-deny setup above, you also need FORWARD rules that accept the internal clients' traffic and the established return traffic.


If forwarding is required (it is, for a gateway like this), enable it in the kernel:

echo 1 > /proc/sys/net/ipv4/ip_forward

This setting is lost at reboot unless it is also made persistent through the sysctl configuration.
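The server firewall, the save/restore step and the NAT gateway described above, combined into one ruleset as an added example (not code from the post): it renders the rules in the format iptables-save produces and loads them with iptables-restore in one atomic step, which also closes the lockout window of applying a DROP policy rule by rule. The interface names, the internal network and the admin address are hypothetical values.

```shell
#!/bin/sh
# Added example (not from the original post): the guide's server rules plus a
# NAT gateway, rendered in iptables-save format so iptables-restore loads the
# whole ruleset in one atomic step, with no window where INPUT is already DROP
# but the ESTABLISHED rule is not yet present. Assumed (hypothetical) values:
WAN=eth0                    # interface towards the internet
LAN=eth1                    # interface towards the internal clients
LAN_NET=192.168.10.0/24     # internal network that is masqueraded
ADMIN=203.0.113.10          # only host allowed to reach SSH

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $ADMIN --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Number of rules the generated ruleset appends to a chain; a cheap sanity
# check before loading. Usage: count_rules INPUT
count_rules() {
    gen_ruleset | grep -c "^-A $1 "
}

# Save to the path used in the guide and load atomically, then enable
# forwarding. Needs root and iptables; not run as part of this example.
apply_ruleset() {
    gen_ruleset > /etc/iptables/rules.v4 &&
    iptables-restore < /etc/iptables/rules.v4 &&
    sysctl -w net.ipv4.ip_forward=1
}
```

Packets not matched by an ACCEPT rule are logged at a limited rate and then fall through to the chain's DROP policy, so no explicit final DROP rule is needed.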

Logging Traffic


Logging can be useful before dropping packets. LOG is a non-terminating target: it writes the packet details to the kernel log and then lets the packet continue to the next rule, which is why a DROP follows it:

iptables -A INPUT -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A INPUT -j DROP


Be careful with logging too much traffic, since it can flood system logs and create unnecessary load. The limit match exists precisely to cap how many entries such a rule can produce per time unit.
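What to do with those log entries afterwards, as an added example that is not part of the original post: a small awk summary that groups kernel log lines carrying the prefix above by source address and destination port, so the noisiest sources stand out. The sample lines are constructed with documentation addresses, not real captures.

```shell
# Constructed sample kernel log lines in the shape the LOG target produces with
# the prefix used above (hypothetical addresses, not real captures). The last
# line is an unrelated kernel message that must be ignored.
SAMPLE_LOG='Jan 10 12:00:01 gw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=64240 SYN URGP=0
Jan 10 12:00:02 gw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=64240 SYN URGP=0
Jan 10 12:00:03 gw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=52 ID=3 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=64240 SYN URGP=0
Jan 10 12:00:04 gw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=52 ID=4 DF PROTO=TCP SPT=40004 DPT=3389 WINDOW=64240 SYN URGP=0
Jan 10 12:00:05 gw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 LEN=60 TTL=48 ID=5 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=65535 SYN URGP=0
Jan 10 12:00:06 gw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 LEN=84 TTL=48 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Jan 10 12:00:07 gw kernel: eth0: link up'

# Read log lines on stdin and print "count source destination-port", most
# frequent first. Lines without the prefix are skipped; packets with no port
# (ICMP) are reported with "-" so the key stays well formed.
top_dropped() {
    awk -v prefix="IPTables-Dropped:" '
        index($0, prefix) == 0 { next }
        {
            src = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Total number of dropped packets recorded in the input.
total_dropped() {
    grep -c "IPTables-Dropped:"
}
```

On a real host the input would come from the kernel log (for example journalctl -k or /var/log/kern.log) instead of the constructed sample.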

Best Practices

  • Use a default-deny approach whenever possible
  • Always allow established and related connections
  • Be careful not to lock yourself out of SSH
  • Remember that rule order matters
  • Keep rules as simple and readable as possible
  • Document your firewall logic
  • Test persistence before rebooting a production server

Common Beginner Mistakes


Most iptables problems come from a few recurring issues:

  • forgetting loopback rules
  • forgetting established connection rules
  • applying DROP too early
  • not saving rules
  • mixing up INPUT and FORWARD
  • locking yourself out during remote configuration

iptables vs nftables


Modern Linux distributions are increasingly moving toward nftables, which offers a more consistent and modern rule framework.


Still, iptables remains important because:

  • many legacy systems still use it
  • many scripts and automation tools still depend on it
  • it helps build a strong foundation in Linux networking and firewall logic


In other words, even if nftables is the future, iptables is still worth learning.

Final Thoughts


iptables remains one of the classic tools of Linux administration and network security. It gives you detailed control over packet filtering, service exposure, traffic flow, and access control.


Whether you're protecting a web server, restricting SSH access, setting up lab routing, or learning Linux firewall fundamentals, iptables is still a valuable tool to understand.


And even if your environment is gradually moving to nftables, the logic you learn from iptables will continue to be useful for years.



Want to explore the topic further? Download the complete NFTables Cheat Sheet here:

https://dargslan.com/cheat-sheet/nftables-complete-guide-2026
