iptables explained conceptually
Topic: Networking basics
Summary
iptables is the legacy Linux packet-filter front end (the kernel side is netfilter): tables (filter, nat; mangle and raw also exist but are not covered here), chains (INPUT, OUTPUT, FORWARD in filter; PREROUTING and POSTROUTING in nat) and rules (match criteria plus a target such as ACCEPT, DROP or REJECT). Learn the model so you can read existing rules and understand how UFW and similar tools map onto it. Prefer nftables or UFW for new configuration; use this page when debugging or migrating from iptables.
Intent: How-to
Quick answer
- Tables contain chains; chains contain rules. filter table: INPUT (to this host), OUTPUT (from this host), FORWARD (through this host). Each rule has match criteria (e.g. -p tcp --dport 22) and a target (ACCEPT, DROP, REJECT).
- Rules are evaluated in order; the first matching rule with a terminating target (ACCEPT, DROP, REJECT) decides the packet. Non-terminating targets such as LOG fire and evaluation continues. The chain policy (default target of a built-in chain) applies when no rule matched; e.g. INPUT policy DROP denies all inbound traffic unless a rule accepts it. Stateful filtering: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT lets replies to connections the host opened through without a per-service rule.
- For a host firewall you mostly care about the filter table's INPUT and OUTPUT chains; the FORWARD chain and the nat table matter on routers and NAT gateways. Prefer UFW or nftables for new setups; use iptables -L -n -v (or iptables -S, which prints rules in the same syntax you would type) to read existing rules.
Prerequisites
Steps
- Understand tables and chains: filter table: INPUT (inbound to this host), OUTPUT (outbound from this host), FORWARD (through this host, for routing). nat table: PREROUTING (DNAT, before the routing decision), POSTROUTING (SNAT/MASQUERADE, after it) and OUTPUT (locally generated packets). Rules live in chains; a packet traverses one or more chains depending on its direction and the table.
- Understand a rule: optional matches (-p tcp, -s IP, -d IP, --dport PORT, -i IF) and a target (-j ACCEPT, DROP, REJECT). Example: -A INPUT -p tcp --dport 22 -j ACCEPT. Rules are appended to the end of a chain (-A) or inserted (-I, at the top unless a position is given); order matters because the first terminating match decides the packet.
- Understand stateful matching: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT in INPUT accepts replies to connections this host initiated (and related traffic such as ICMP errors or FTP data channels). Put it near the top of the chain, ahead of any broad DROP or REJECT rule and with a DROP policy behind it, so outbound connections get their replies. The outbound packets themselves are governed by OUTPUT, which needs its own rules or policy.
- Read and avoid lockout: iptables -L -n -v lists the filter table with packet counters; iptables -L INPUT -n -v --line-numbers shows one chain with rule positions; iptables -S prints rules in the syntax you would type. Before setting a DROP policy, make sure allow rules for SSH and every required port are present and earlier in the chain than any broad drop, keep your current session open, and test from a second session. A scheduled revert (a background job that restores the saved ruleset after a minute unless you cancel it) turns a mistake into a short outage instead of a trip to the console.
Summary
iptables organizes rules in tables and chains (e.g. filter INPUT/OUTPUT/FORWARD). Rules match on protocol, port, address, and optionally connection state, and target ACCEPT, DROP, or REJECT. Use this to read existing rules or when working with systems that still use iptables; prefer UFW or nftables for new configuration.
Prerequisites
Steps
Step 1: Understand tables and chains
- filter: INPUT (traffic to the host), OUTPUT (from the host), FORWARD (through the host).
- nat: PREROUTING, POSTROUTING, OUTPUT for address translation.
For a host firewall, filter INPUT and OUTPUT are the main ones.
Step 2: Understand a rule
A rule has match criteria (e.g. -p tcp --dport 22) and a target (-j ACCEPT or -j DROP). Rules are evaluated in order; the first rule that matches and has a terminating target (ACCEPT, DROP, REJECT) determines the fate of the packet. Non-terminating targets such as LOG record the packet and let evaluation continue, which is why a LOG rule is normally placed just before the final drop.
Step 3: Understand stateful matching
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT allows return traffic for existing connections (and related traffic such as ICMP errors). Place it near the top of INPUT, before any broad DROP rule, so connections the host initiates get their replies even with an INPUT policy of DROP.
Step 4: Read and avoid lockout
sudo iptables -L -n -v
sudo iptables -L INPUT -n -v --line-numbers
sudo iptables -S INPUT
Before setting a default DROP policy, ensure allow rules for SSH and required services are present and come before any broad drop; the -v counters should show the SSH rule's packet count rising when you connect. Keep the current session open and test from a second one; if you schedule an automatic revert, cancel it only after the new session works.
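The four steps above, put together as an added example that is not from the original page: a minimal stateful host firewall written as an iptables-restore ruleset, plus a guarded apply that reverts automatically unless confirmed from a second session. The SSH port (default 22), the 120-second window and the sentinel path /run/fw-rollback-pending are this example's assumptions, not anything the page specifies.

```shell
#!/bin/sh
# Added example (not from the original page): a minimal stateful host
# firewall for the model described above, and a guarded way to apply it.
# Assumptions: SSH on the port given (default 22), a 120 s confirmation
# window, and /run/fw-rollback-pending as the sentinel file.

# build_ruleset [PORT]: print an iptables-restore ruleset for the filter table.
# Order inside INPUT is the whole point: loopback and conntrack first, then
# the admin port for NEW connections, then a rate-limited LOG (which does not
# terminate evaluation), and finally the chain policy DROP catches the rest.
build_ruleset() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# apply_with_rollback [PORT] [SECONDS]: save the live rules, load the new
# ruleset, and restore the saved one after SECONDS unless the sentinel has
# been removed from a second, freshly opened SSH session. Needs root.
apply_with_rollback() {
    port="${1:-22}"
    secs="${2:-120}"
    saved=$(mktemp) || return 1
    iptables-save > "$saved" || return 1
    build_ruleset "$port" | iptables-restore || return 1
    : > /run/fw-rollback-pending
    (
        sleep "$secs"
        if [ -e /run/fw-rollback-pending ]; then
            iptables-restore < "$saved"
            rm -f /run/fw-rollback-pending
            logger -t fw "ruleset reverted: not confirmed within ${secs}s"
        fi
        rm -f "$saved"
    ) &
    echo "Rules loaded. Open a NEW session now and run: rm /run/fw-rollback-pending"
}

# Usage (as root):  . ./fw.sh && apply_with_rollback 22 120
# Preview only:     . ./fw.sh && build_ruleset 22
```

The LOG rule sits last on purpose: it is non-terminating, so anything that reaches it is logged and then falls through to the INPUT policy, which is DROP. If your first connection attempt fails, the rollback job restores the previous rules without you touching the console.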
Verification
- You can read iptables -L output and identify INPUT/OUTPUT and allow/drop; you know that rule order and default policy matter.
Troubleshooting
Locked out — Use the console or out-of-band access. Do not reach for iptables -F on its own: flushing removes the rules but keeps the chain policy, so with INPUT policy DROP you lose the remaining ACCEPT rules as well. Either insert an allow rule for SSH at the top of INPUT, or set the INPUT policy back to ACCEPT before flushing, then fix the rule set. Always allow admin access before enabling strict defaults.
Rule not matching — Check protocol, port, source/destination and interface; confirm the rule is in the right chain (INPUT for traffic to the host, FORWARD for routed traffic) and before any broader drop. The packet counters in iptables -L -n -v show which rule actually caught the traffic; if an earlier ESTABLISHED,RELATED rule is counting the hits, conntrack already knows the flow and your new rule will only see fresh connections.
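For the Verification and "Rule not matching" cases above, an added check that is not from the original page: it reads iptables -S INPUT output and reports whether the ACCEPT rule for a port is preceded by a terminating DROP or REJECT rule that could shadow it. The two rule listings are constructed samples; the function name and its messages are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit rule order in INPUT.
# Feed it "iptables -S INPUT" (or iptables-save) output on stdin; the rule
# positions it prints match "iptables -L INPUT --line-numbers".

# audit_input_order PORT: exit 0 with "ok: ..." when the ACCEPT for PORT is
# not preceded by a terminating DROP/REJECT rule; otherwise print why and
# exit 1. The INVALID-state drop and non-terminating LOG rules are ignored.
audit_input_order() {
    awk -v port="$1" '
        /^-A INPUT / { n++ }
        /^-A INPUT / && /-j (DROP|REJECT)/ && !/--ctstate INVALID/ && !first_drop { first_drop = n }
        /^-A INPUT / && $0 ~ ("--dport " port "( |$)") && /-j ACCEPT/ && !accept { accept = n }
        /^-A INPUT / && /ESTABLISHED,RELATED/ && /-j ACCEPT/ { ct = n }
        END {
            if (!accept) {
                print "no ACCEPT rule for port " port " in INPUT"; exit 1
            }
            if (first_drop && first_drop < accept) {
                print "ACCEPT for port " port " is rule " accept " but DROP/REJECT at rule " first_drop " runs first; check whether it covers this traffic"; exit 1
            }
            if (!ct) {
                print "warning: no ESTABLISHED,RELATED rule; replies rely on explicit rules"
            }
            print "ok: port " port " accepted at rule " accept
        }'
}

# Constructed sample: the SSH accept sits behind a subnet-wide DROP, so hosts
# in 10.0.0.0/8 never reach port 22 even though an ACCEPT rule exists.
SAMPLE_SHADOWED='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Constructed sample: the order a host firewall should have.
SAMPLE_OK='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
-A INPUT -j DROP'

# Usage on a live host:  sudo iptables -S INPUT | audit_input_order 22
# Against the samples:   printf '%s\n' "$SAMPLE_SHADOWED" | audit_input_order 22
```

The check counts only -A INPUT lines, so its rule numbers line up with iptables -L INPUT --line-numbers, and it deliberately skips LOG (non-terminating) and the INVALID-state drop, neither of which can shadow a legitimate new connection.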