Comprehensive Guide to Linux Firewall Tool iptables: Configuration and Usage

This article provides an in-depth exploration of the Linux firewall tool iptables, covering its core functionalities, rule configuration methods, and practical implementation scenarios for traffic control, port management, and security policy enforcement.


In Linux system security maintenance, the firewall is an important tool for protecting servers from unauthorized access. iptables, as a Linux kernel firewall tool, provides powerful and flexible network traffic control mechanisms. This article will delve into the core concepts, configuration methods, and common implementation scenarios of iptables, helping system administrators build a more secure server environment.

What is iptables?

iptables is the Linux firewall tool that configures the kernel's netfilter framework, which filters, modifies, and forwards network packets. As a complete firewall framework, iptables provides fine-grained control over network traffic, allowing complex access policies to be built from multiple conditions (source IP address, destination port, protocol type, connection state, and so on).

Core Components of iptables

The structure of iptables is based on the concepts of “tables” and “chains”:

  1. Tables: organize rules by function

    • filter: the default table, used for packet filtering
    • nat: used for network address translation
    • mangle: used for special packet modifications
    • raw: used to configure exemptions from connection tracking
    • security: used for mandatory access control network rules
  2. Chains: each table contains multiple chains, which define at what point a packet is matched against the rules

    • INPUT: processes packets addressed to the local host
    • OUTPUT: processes packets generated by the local host
    • FORWARD: processes packets routed through the host
    • PREROUTING: processes packets before the routing decision
    • POSTROUTING: processes packets after the routing decision

Basic Operations of iptables

Viewing Current Rules

# View all rules in the filter table
sudo iptables -L -v

# View all rules in the nat table
sudo iptables -t nat -L -v

Adding Rules

# Allow SSH connections (port 22)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow packets belonging to established or related connections
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the local loopback interface
sudo iptables -A INPUT -i lo -j ACCEPT

Deleting Rules

# Delete the first rule in the INPUT chain
# (iptables -L INPUT --line-numbers shows the rule numbers)
sudo iptables -D INPUT 1

# Delete a rule by repeating its exact specification
sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT

Setting Default Policies

# Set the default INPUT policy to DROP (silently discard packets no rule matched)
sudo iptables -P INPUT DROP

# Set the default OUTPUT policy to ACCEPT
sudo iptables -P OUTPUT ACCEPT

Common Implementation Scenarios and Configuration Examples

Basic Server Protection Configuration

A basic server protection configuration example that allows common services and defaults to rejecting other connections:

# Clear existing rules in the filter table (other tables are untouched).
# Run this from a console session: between the DROP policy below and the
# ACCEPT rules that follow it, remote traffic is blocked.
sudo iptables -F
sudo iptables -X

# Set default policies
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

# Allow local loopback
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow established connections
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH (port 22)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP/HTTPS (ports 80/443)
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow ICMP (ping)
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
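The same policy, as an added example that is not part of the original article, generated as an iptables-restore ruleset so it can be checked and applied atomically instead of one -A command at a time; it assumes SSH on port 22, the recent and limit match modules, and an iptables-restore that supports --test.

```shell
# Emit the basic server-protection policy above as an iptables-restore
# ruleset on stdout. Arguments: extra TCP ports to open; SSH (port 22) is
# always opened, behind a per-source rate limit. Applying a whole table with
# iptables-restore is atomic, unlike a sequence of -A commands.
gen_ruleset() {
    ssh_port=22
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    # --set records the source of each new SSH connection; --update then drops
    # a source that has opened 4 or more within 60 seconds. Both rules must
    # precede the ACCEPT for the SSH port, so they are emitted first.
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -m state --state NEW -m recent --set --name SSH"
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP"
    for p in "$ssh_port" "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "gen_ruleset: invalid port '$p'" >&2; return 1 ;;
        esac
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # Log what falls through to the DROP policy; -m limit keeps a flood from
    # filling the log. As the last rule in INPUT it sees only rejected traffic.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7'
    echo COMMIT
}

# Validate the generated ruleset, back up the live one, then apply it.
# Needs root. iptables-restore --test parses without changing anything.
apply_ruleset() {
    gen_ruleset "$@" > /tmp/ruleset.v4 || return 1
    iptables-restore --test /tmp/ruleset.v4 || return 1
    iptables-save > /root/iptables.backup && iptables-restore /tmp/ruleset.v4
}
```

Run `apply_ruleset 80 443` as root to install the policy; `iptables-restore < /root/iptables.backup` puts the previous rules back.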

Port Forwarding Configuration

Redirect requests arriving on port 80 to port 8080 on the same host:

# REDIRECT rewrites the destination port; PREROUTING only sees traffic arriving
# from other hosts, so locally generated requests are not affected
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

Limiting Connection Rate

Simple configuration that limits the rate of new SSH connections per source address, slowing down brute-force and simple DoS attempts:

# --set records each new connection per source; --update then drops a source
# with 4 or more within 60 seconds. Both rules must precede the rule that accepts port 22.
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

Blocking Specific IP Addresses

# Block every address in the 192.168.1.0/24 subnet
# (give a single address instead of a subnet to block one host)
sudo iptables -A INPUT -s 192.168.1.0/24 -j DROP

Rule Persistence

iptables rules live only in kernel memory and are lost when the system restarts, so they must be saved and restored at boot:

Debian/Ubuntu System

# Install iptables-persistent (the installer offers to save the current rules)
sudo apt-get install iptables-persistent

# Save the current rules to /etc/iptables/rules.v4 for restore at boot
sudo netfilter-persistent save

CentOS/RHEL System

# Save the current rules. The redirection must run as root too, so do not
# write "sudo iptables-save > file" (the shell opens the file as the normal user)
sudo sh -c 'iptables-save > /etc/sysconfig/iptables'

Common Issues and Troubleshooting

  1. Rule Ordering: iptables evaluates the rules in a chain in order and stops at the first match, so rule order is critical.
  2. Locking Risk: add DROP rules with caution; a wrong rule can cut off your own remote access to the server. Test new rules from a console or other physical access when possible.
  3. Performance Considerations: very long rule lists slow down packet processing, so remove unnecessary rules regularly.
  4. Logging and Monitoring: use the LOG target to record rejected connections for troubleshooting. Appended last in INPUT, the rule sees only packets that no earlier rule accepted, i.e. those the DROP policy is about to discard:
    sudo iptables -A INPUT -j LOG --log-prefix "iptables denied: " --log-level 7
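An added example, not from the original article, that checks a saved ruleset for the ordering and lockout problems in items 1 and 2 before it is applied; it assumes iptables-save output format and treats an INPUT rule with no match, or only a protocol match, as a catch-all.

```shell
# Audit an iptables-save style ruleset (read on stdin) for the ordering and
# lockout mistakes described above. Reports INPUT rules that can never match
# because a catch-all DROP/REJECT precedes them, and an INPUT policy of DROP
# that never accepts the administrative port. Returns 1 if anything was
# found, 0 otherwise.
audit_ruleset() {
    admin_port="${1:-22}"
    awk -v port="$admin_port" '
    BEGIN { bad = 0 }
    /^:INPUT /   { policy = $2 }
    /^-A INPUT / {
        n++
        # everything after a catch-all rule (no match, or only -p) is unreachable
        if (catchall) {
            print "unreachable: INPUT rule " n " comes after catch-all at rule " catchall ": " $0
            bad = 1
        } else if ($0 ~ ("--dport " port " ") && $0 ~ /-j ACCEPT/) {
            admin_ok = 1
        }
        if ($0 ~ /^-A INPUT (-p [a-z]+ )?-j (DROP|REJECT)/) catchall = n
    }
    END {
        if (policy == "DROP" && !admin_ok) {
            print "lockout risk: INPUT policy is DROP and port " port " is never accepted"
            bad = 1
        }
        exit bad
    }'
}
```

Typical use: `iptables-save | audit_ruleset 22`, or `audit_ruleset 22 < /etc/iptables/rules.v4` before restoring a saved file.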

Advanced Features

Network Address Translation (NAT)

Configure simple NAT to share an Internet connection, with eth0 facing the Internet and eth1 facing the LAN:

# Enable IP forwarding ("echo 1 > /proc/sys/...": the redirection runs as the
# normal user and fails under sudo; set net.ipv4.ip_forward=1 in /etc/sysctl.conf to persist)
sudo sysctl -w net.ipv4.ip_forward=1

# Allow forwarding from the LAN to the Internet, and the replies back in
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# The NAT step: rewrite the source address of packets leaving eth0 to eth0's address
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Traffic Control and QoS

Use iptables’s mangle table to mark traffic, combined with tc (Traffic Control) for QoS:

# Mark SSH packets with 1; a tc filter matching handle 1 fw can then place them in a priority class
sudo iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 1

Conclusion

iptables is a powerful Linux firewall tool, and mastering it is crucial for server security. By configuring iptables rules properly, you can effectively control network traffic, protect servers from unauthorized access, and implement advanced features such as network address translation.

For more complex scenarios, consider using higher-level tools like ufw (Uncomplicated Firewall) or firewalld, which still use iptables but provide a more user-friendly interface.

Regardless of the tool used, understanding the core concepts and working principles of iptables is essential for building a secure Linux network environment.
