To configure IPTables on a Linux server, define default policies, allow essential traffic (SSH, HTTP/HTTPS), permit established connections, then drop everything else. Save and persist rules with iptables-save or iptables-persistent (Debian/Ubuntu) or iptables-services (RHEL/Alma/Rocky). Test from a second session to avoid lockouts and log drops for troubleshooting.
Configuring IPTables on a Linux server is a core skill for secure hosting in 2026. This guide walks you through it step by step, covering how IPTables works, safe setup, common rules, NAT/port forwarding, persistence across reboots, and troubleshooting. Whether you’re running a VPS, dedicated server, or cloud instance, you’ll learn a production-ready firewall workflow.
What Is IPTables and How Does It Work?
IPTables is the Linux userspace firewall tool that interfaces with Netfilter in the kernel. It evaluates packets through tables (filter, nat, mangle) and chains (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING) using rules that match criteria and take actions (ACCEPT, DROP, REJECT). In 2026, many distros use nftables underneath, but iptables-nft compatibility remains widely available.
Quick Overview: Best-Practice Rule Flow
- Set default policies to DROP.
- Allow loopback and established/related traffic.
- Allow SSH (with rate limits) and required service ports (e.g., 80/443).
- Optionally allow ICMP (ping) with limits.
- Log drops at a sane rate for visibility.
- Persist rules and test thoroughly.
Prerequisites and Safety Checklist
- Root or sudo access on your Linux server.
- Two sessions open (e.g., SSH + console) to prevent lockout.
- IP of your management machine (to whitelist if needed).
- Package availability:
- Debian/Ubuntu: iptables, iptables-persistent or netfilter-persistent
- RHEL/Alma/Rocky: iptables, iptables-services (optional), firewalld (if you prefer a higher-level tool)
- Know whether you’re using iptables-legacy or iptables-nft:
- Debian/Ubuntu: update-alternatives --config iptables
- RHEL 8/9: iptables is a wrapper to nftables by default; commands still work unless you remove compatibility.
Step-by-Step IPTables Configuration (2026)
1) Inspect Current Rules and Back Them Up
sudo iptables -L -n -v
sudo iptables-save > ~/iptables.backup.$(date +%F-%H%M).v4
# For IPv6 if in use:
sudo ip6tables -L -n -v
sudo ip6tables-save > ~/ip6tables.backup.$(date +%F-%H%M).v6
Always keep a backup. If things break, you can restore quickly using iptables-restore.
2) Flush Old Rules (Optional, With Caution)
# Open the default policies first. If a chain's policy is already DROP, flushing removes the
# ESTABLISHED,RELATED rule that keeps your SSH session alive and locks you out instantly.
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
# Now clear rules and user-defined chains
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
Keep the defaults open while you add allow rules. You’ll set INPUT and FORWARD to DROP in step 7, after the SSH and service rules are in place.
3) Allow Loopback and Established/Related Traffic
# Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
# Allow established/related
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
This preserves existing connections and prevents breakage during the change window.
4) Allow SSH with Basic Protection
# Optional: restrict SSH to your IP
# sudo iptables -A INPUT -p tcp -s YOUR.IP.ADDR.HERE --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Or allow SSH from anywhere with a rate limit (note: -m limit is one global counter, not per source)
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 10/min --limit-burst 20 -j ACCEPT
A rate limit slows brute-force attempts, but because -m limit counts all new SSH connections together, one noisy attacker can exhaust the budget and block your own logins as well. Restricting the source (the commented rule above) or using a per-source match such as -m hashlimit --hashlimit-mode srcip avoids that. Pair with key-based auth and fail2ban for stronger protection.
5) Allow Web and App Ports
# HTTP/HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Add more services as needed. Traffic from localhost is already covered by the loopback rule,
# so a database rule should name the application subnet that must reach it (example subnet):
# sudo iptables -A INPUT -p tcp -s 10.0.0.0/24 --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
Expose only what you need. For databases, bind to localhost where possible and allow only known application subnets through the firewall.
6) Optional: Allow ICMP (Ping) Safely
# Allow limited ping to aid monitoring
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
Ping helps with diagnostics. If your policy forbids it, skip this step.
7) Log and Drop the Rest
# Log (rate-limited) then drop. Append this last: anything that reaches it has already missed every ACCEPT rule above.
sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT DROP: " --log-level 7
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
# Typically OUTPUT stays ACCEPT for servers initiating outbound traffic
sudo iptables -P OUTPUT ACCEPT
Add the LOG rule before switching the policies to DROP. LOG is a non-terminating target: it only records the packet, which then falls through to the chain policy, so the DROP policy is what actually discards it. Kernel log lines go to /var/log/kern.log or /var/log/syslog on Debian/Ubuntu, /var/log/messages on the RHEL family, or journalctl -k on any systemd host.
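Steps 2 to 7 build the firewall one -A at a time, which leaves a window in which the ruleset is half-built. As an added example (not code from the original guide), the script below renders the same policy as a single iptables-restore ruleset, so the DROP policies and the allow rules are committed atomically, replaces the global -m limit on SSH with a per-source hashlimit, and arms a timed rollback before loading. The management network 203.0.113.0/24, SSH on port 22, services on 80 and 443, the APPLY_RULES variable and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original article: render the filter table as an
# iptables-restore ruleset and apply it atomically with a dead-man rollback.
# Hypothetical values: management net 203.0.113.0/24, SSH on 22, web on 80/443.

# render_ruleset ADMIN_CIDR SSH_PORT "PORT PORT ..." : prints the ruleset on stdout
render_ruleset() {
    local admin_cidr="$1" ssh_port="$2" service_ports="$3" p
    printf '%s\n' '*filter'
    # Policies and rules land in one COMMIT: INPUT is never DROP without the SSH rule present.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Management network: SSH without throttling, so an attack elsewhere cannot lock admins out.
    printf '%s\n' "-A INPUT -p tcp -s $admin_cidr --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
    # Everyone else: per-source limit. -m limit is one shared counter; hashlimit keys on the client IP.
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-upto 10/minute --hashlimit-burst 20 -j ACCEPT"
    for p in $service_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT'
    # Last rule: whatever reaches it missed every ACCEPT above and will hit the DROP policy.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT DROP: " --log-level 7'
    printf '%s\n' 'COMMIT'
}

# apply_ruleset FILE : parse-check, back up the live rules, load, and arm a rollback timer.
apply_ruleset() {
    local file="$1" backup
    backup="$(mktemp)" || return 1
    iptables-save > "$backup" || return 1
    # --test parses and builds the whole ruleset without committing it, so a typo fails here.
    iptables-restore --test "$file" || { echo "ruleset rejected, nothing changed" >&2; return 1; }
    iptables-restore "$file" || return 1
    # Dead-man switch: if the new rules cut your SSH session, the backup returns in 120 s.
    ( sleep 120 && iptables-restore "$backup" ) &
    echo "applied $file; once SSH from a second session still works, run: kill $!"
}

# Only touch the live firewall when explicitly asked (and running as root); otherwise preview.
if [ "${APPLY_RULES:-0}" = 1 ]; then
    render_ruleset 203.0.113.0/24 22 "80 443" > /tmp/rules.v4
    apply_ruleset /tmp/rules.v4
else
    render_ruleset 203.0.113.0/24 22 "80 443"
fi
```

Run it without arguments to preview the ruleset, or as root with APPLY_RULES=1 to load it. Confirm SSH from your second session, kill the rollback timer it printed, and only then persist with netfilter-persistent save (or copy the rendered file to /etc/iptables/rules.v4).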
Common IPTables Rules and Examples
Whitelist a Trusted IP or Subnet
# Allow all from a trusted office IP
sudo iptables -A INPUT -s 203.0.113.10 -j ACCEPT
# Allow a subnet (CIDR)
sudo iptables -A INPUT -s 203.0.113.0/24 -j ACCEPT
Block a Malicious IP
# Insert at the top of INPUT. -A would append the rule behind the ACCEPT rules, which would keep matching first.
sudo iptables -I INPUT 1 -s 198.51.100.22 -j DROP
Rate-Limit New Connections to a Port
# Example: throttle the rate of new TCP connections to HTTP. Use it in place of the plain port-80 ACCEPT
# from step 5, not after it. This is one global counter shared by all clients; for a per-client limit
# use -m hashlimit --hashlimit-mode srcip instead.
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 50/second --limit-burst 200 -j ACCEPT
Drop Invalid Packets
# Insert near the top of INPUT (position 2, right after the loopback rule) so malformed or out-of-state packets never reach an ACCEPT
sudo iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP
NAT and Port Forwarding (DNAT/SNAT)
If your server acts as a gateway or reverse proxy, you may need NAT rules. Enable IP forwarding first:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
# Persist by editing /etc/sysctl.conf and setting:
# net.ipv4.ip_forward = 1
sudo sysctl -p
Port Forward 80 to Backend 10.0.0.10:8080
# DNAT inbound requests hitting eth0
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
-j DNAT --to-destination 10.0.0.10:8080
# Allow the forwarded connection in both directions. With FORWARD policy DROP, the backend's
# replies (source 10.0.0.10:8080) need their own ESTABLISHED,RELATED rule or they never leave.
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -p tcp -d 10.0.0.10 --dport 8080 \
-m conntrack --ctstate NEW -j ACCEPT
# MASQUERADE what leaves eth0 so hosts behind this gateway can reach the internet (dynamic public IP)
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
The DNAT only round-trips if the backend routes its replies back through this host, i.e. this server is its default gateway. If it is not, also SNAT or MASQUERADE the forwarded traffic on the internal interface towards 10.0.0.10 so the backend answers to this gateway, at the cost of losing the client's real address in backend logs. On servers with a static public IP, prefer SNAT with --to-source YOUR.PUBLIC.IP over MASQUERADE for performance and clarity.
Persisting IPTables Rules Across Reboots
Debian/Ubuntu
sudo apt update
sudo apt install -y iptables-persistent
sudo netfilter-persistent save
# Alternatively:
# sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
# sudo sh -c 'ip6tables-save > /etc/iptables/rules.v6'
RHEL/AlmaLinux/Rocky (8/9)
These use nftables under the hood, with firewalld as the default front end. Two managers fighting over the same kernel ruleset is the usual cause of rules "disappearing", so if you want plain iptables persistence, stop and mask firewalld first (sudo systemctl disable --now firewalld; sudo systemctl mask firewalld), then install iptables-services. Save the running rules before enabling the service: the package ships its own default /etc/sysconfig/iptables, and starting the service loads whatever that file contains.
sudo dnf install -y iptables-services
sudo sh -c 'iptables-save > /etc/sysconfig/iptables'
sudo systemctl enable --now iptables
# After later changes: save again, then reload
sudo systemctl restart iptables
Alternatively, keep firewalld or write native nftables for long-term compatibility, especially on newer releases.
Testing and Troubleshooting
- List rules in command form: iptables -S
- Check counters: iptables -L -n -v
- Verify listening services: ss -tulpn
- Scan from another host (carefully): nmap -Pn -p 22,80,443 your.server.ip
- Watch logs: journalctl -f or tail -f /var/log/syslog
- Restore backup if needed:
sudo iptables-restore < ~/iptables.backup.DATE.v4
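Watching the drop log with tail -f shows individual packets; what you usually want is who is being dropped most and on which ports. The following is an added example (not from the original article) that summarises "IPT DROP:" kernel log lines by source and by protocol/port, and turns repeat offenders into block commands that use -I rather than -A so they land ahead of the ACCEPT rules. The log lines are constructed samples in the format the LOG target emits with the prefix from step 7; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original article: summarise "IPT DROP:" kernel log
# lines and propose block rules. On a live host: journalctl -k | drops_by_source | head

# Constructed sample lines in kernel LOG format (not a real capture). The last line is
# unrelated sshd noise to show that only firewall lines are counted.
SAMPLE_LOG='Mar  3 10:15:01 web1 kernel: IPT DROP: IN=eth0 OUT= SRC=198.51.100.22 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:02 web1 kernel: IPT DROP: IN=eth0 OUT= SRC=198.51.100.22 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:03 web1 kernel: IPT DROP: IN=eth0 OUT= SRC=198.51.100.22 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=51236 DPT=5900 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:04 web1 kernel: IPT DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=4 PROTO=UDP SPT=5353 DPT=5353 LEN=64
Mar  3 10:15:05 web1 sshd[1234]: Accepted publickey for deploy from 203.0.113.10 port 50000 ssh2'

# drops_by_source : stdin log lines -> "<count> <src>", busiest first
drops_by_source() {
    awk '/IPT DROP: / { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++ }
         END { for (s in n) print n[s], s }' | sort -rn
}

# drops_by_target : stdin log lines -> "<count> <src> <proto>/<dport>", busiest first
drops_by_target() {
    awk '/IPT DROP: / {
             src = ""; proto = "?"; dpt = "?"
             for (i = 1; i <= NF; i++) {
                 if ($i ~ /^SRC=/) src = substr($i, 5)
                 else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                 else if ($i ~ /^DPT=/) dpt = substr($i, 5)
             }
             if (src != "") n[src " " proto "/" dpt]++
         }
         END { for (k in n) print n[k], k }' | sort -rn
}

# propose_blocks THRESHOLD : one iptables command per source with at least THRESHOLD drops.
# -I INPUT 1 puts the block ahead of every ACCEPT; -A would append it behind them, where a
# source that is also allowed by a port rule would never reach it.
propose_blocks() {
    drops_by_source | awk -v t="$1" '$1 >= t { printf "iptables -I INPUT 1 -s %s -j DROP\n", $2 }'
}

# Demo on the constructed sample: print the per-target summary and the proposed blocks.
printf '%s\n' "$SAMPLE_LOG" | drops_by_target
printf '%s\n' "$SAMPLE_LOG" | propose_blocks 3
```

Review the proposed commands before running them: a scanner that walked three closed ports is a fair candidate, but the same pattern can come from a monitoring host whose probes you simply forgot to allow.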
IPTables vs UFW vs firewalld vs nftables (2026)
- IPTables: granular, classic tooling; steep learning curve; still supported via iptables-nft on modern kernels.
- UFW: user-friendly frontend (Ubuntu); great for simple host firewalls.
- firewalld: dynamic daemon with zones; default on RHEL/Fedora; easier multi-interface policies.
- nftables: modern replacement; unified IPv4/IPv6; simpler syntax and better performance.
For new deployments on bleeding-edge distros, nftables or firewalld is future-proof. If your playbooks and teams are standardized on IPTables, the compatibility layer remains reliable in 2026.
Best Practices for Production Servers
- Always add allow rules for SSH and management before setting DROP policies.
- Use change windows and keep a console session open (or out-of-band access via your hosting panel).
- Apply least privilege: expose only required ports and subnets.
- Combine with fail2ban and strong authentication (SSH keys, MFA on control panels).
- Document your rule set; use comments with -m comment --comment "purpose".
- Version-control your rules and automate with Ansible or shell scripts.
- Review logs for unusual drops; tune rate limits to your traffic profile.
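Once the rules live in version control, a pre-apply check can catch the mistakes this guide warns about before they reach a server. The following is an added example (not from the original article) that lints a saved ruleset in iptables-save format for four of them: an INPUT DROP policy with no SSH allow, no ESTABLISHED,RELATED rule, a DNAT with no FORWARD return path, and a per-source block appended behind an ACCEPT that shadows it. The two sample rulesets are constructed for the demo; the function name, message texts and default SSH port are this example's own.

```sh
#!/bin/sh
# Added example, not from the original article: lint a saved ruleset
# (iptables-save format, e.g. /etc/iptables/rules.v4) before applying it.

# lint_ruleset FILE [SSH_PORT] : prints one finding per line; returns 0 when clean, 1 otherwise
lint_ruleset() {
    local file="$1" ssh_port="${2:-22}" findings
    findings="$(awk -v ssh="$ssh_port" '
        /^\*/ { table = substr($0, 2) }                 # *filter, *nat, *mangle
        table == "filter" && /^:INPUT DROP/   { input_drop = 1 }
        table == "filter" && /^:FORWARD DROP/ { fwd_drop = 1 }
        table == "filter" && /^-A INPUT / {
            if (/-j ACCEPT/ && $0 ~ ("--dport " ssh " ")) ssh_ok = 1
            if (/-j ACCEPT/ && /ESTABLISHED,RELATED/) input_est = 1
            if (/-j ACCEPT/ && /--ctstate NEW/ && !first_new) first_new = NR
            # a plain source block that sits after an ACCEPT for new connections is shadowed
            if (/^-A INPUT -s [^ ]+ -j DROP$/ && first_new && NR > first_new) shadowed[++ns] = $0
        }
        table == "filter" && /^-A FORWARD / && /-j ACCEPT/ && /ESTABLISHED,RELATED/ { fwd_est = 1 }
        table == "nat" && /-j DNAT/ { dnat = 1 }
        END {
            if (input_drop && !ssh_ok)        print "LOCKOUT: INPUT policy is DROP but no rule accepts tcp dport " ssh
            if (input_drop && !input_est)     print "BREAKAGE: INPUT policy is DROP with no ESTABLISHED,RELATED ACCEPT"
            if (dnat && fwd_drop && !fwd_est) print "NAT: DNAT present but FORWARD DROP has no ESTABLISHED,RELATED ACCEPT for replies"
            for (i = 1; i <= ns; i++)         print "ORDER: block rule is shadowed by an earlier ACCEPT: " shadowed[i]
        }' "$file")"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed samples (not real dumps). BAD_RULES has all four problems; GOOD_RULES has none.
# iptables-save writes "-m tcp" and "/32" itself, so the samples use that form.
BAD_RULES="$(mktemp)"
cat > "$BAD_RULES" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.10:8080
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 198.51.100.22/32 -j DROP
-A FORWARD -d 10.0.0.10/32 -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF

GOOD_RULES="$(mktemp)"
cat > "$GOOD_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 198.51.100.22/32 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT DROP: " --log-level 7
COMMIT
EOF

# Lint a file given on the command line, e.g. as a CI step or a git pre-commit hook.
if [ -n "${1:-}" ]; then
    lint_ruleset "$1" "${2:-22}"
fi
```

Wire it in as a gate before iptables-restore: lint_ruleset /etc/iptables/rules.v4 22 || exit 1. The checks are deliberately literal; a rule that opens SSH through -m multiport --dports or a custom chain would not be recognised and would be reported as a lockout, which is the safe direction to fail.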
When to Consider Managed Firewall Help
If you’d rather not babysit firewall syntax, YouStable’s managed VPS and dedicated servers can ship with hardened firewall profiles, DDoS protection, and 24×7 support. We help you choose the right approach—IPTables, firewalld, or nftables—and keep it compliant with your stack and SLAs.
Full Example: Minimal, Secure Web Server Rules (IPv4)
# Set the policies before flushing; flushing a DROP-policy INPUT chain first would cut your own session.
# FORWARD can be DROP from the start because this host does not route.
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t mangle -F
# Allow loopback and established/related
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH with rate-limit
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 10/min --limit-burst 20 -j ACCEPT
# Web traffic
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Optional: limited ping
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# Drop invalid and log drops
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT DROP: " --log-level 7
# Lock it down
iptables -P INPUT DROP
# Save (Debian/Ubuntu)
# netfilter-persistent save
# Or
# iptables-save > /etc/iptables/rules.v4
FAQs: How to Configure IPTables on Linux Server
Is IPTables still used in 2026, or should I switch to nftables?
Yes, IPTables is still used—often via the iptables-nft compatibility layer. For new builds, nftables or firewalld offers cleaner syntax and long-term support. If your tooling relies on IPTables, you can keep using it reliably in 2026.
How do I make IPTables rules persistent after reboot?
On Debian/Ubuntu, install iptables-persistent and run netfilter-persistent save. On RHEL/Alma/Rocky, install iptables-services, save rules to /etc/sysconfig/iptables, and enable the iptables service. Verify on reboot with iptables -L -n -v.
What’s the safest way to avoid locking myself out?
Keep two sessions open, add SSH allow rules first, apply changes incrementally, and only then set default DROP policies. If available, maintain console or out-of-band access to revert quickly using your hosting control panel.
Should I use UFW or firewalld instead of IPTables?
For simplicity, UFW (Ubuntu) and firewalld (RHEL) are easier and integrate well with nftables. IPTables is great for granular control or legacy playbooks. Choose the tool that matches your team’s skills and OS defaults.
How can I rate-limit or block DDoS with IPTables?
Use -m limit for new connection rate limits, drop invalid packets, and log suspicious traffic. For volumetric DDoS, host-level IPTables isn’t enough; use upstream protection, CDN/WAF, and hosting providers like YouStable that offer DDoS mitigation.
With these steps and examples, you now know how to configure IPTables on a Linux server safely and effectively. If you need hardened configurations, staging/testing help, or 24×7 monitoring, YouStable’s managed hosting can handle the firewall while you focus on your apps.