To create IPTables on a Linux server, install the iptables package, allow loopback and established connections, add rules for SSH and the services you need, then set the default policies (typically DROP on INPUT/FORWARD) and save the rules so they persist across reboots. Always test from a second SSH session and back up the running rules with iptables-save before changes.
If you’re wondering how to create IPTables on Linux Server, this guide walks you through a reliable, production-safe configuration from zero to persistent rules. As a hosting engineer, I’ll show you exactly how iptables works, how to build a secure baseline, and how to save, test, and troubleshoot on Ubuntu/Debian and CentOS/RHEL systems.
What is IPTables and Why it Matters?
IPTables is a user-space firewall utility that controls packet filtering and NAT on Linux via the kernel’s Netfilter framework. It lets you allow, block, and redirect traffic using rules organized into tables and chains. On modern distributions, iptables often runs in “nft” compatibility mode, but the CLI and concepts remain the same.

How IPTables Works: Tables, Chains, and Rules
IPTables processes packets through chains. Each chain contains ordered rules. When a packet matches a rule, its target action runs (ACCEPT, DROP, REJECT, LOG, DNAT, SNAT, MASQUERADE). If no rule matches, the chain’s default policy applies.
- Common tables: filter (default), nat, mangle, raw
- Common chains: INPUT (to this server), OUTPUT (from this server), FORWARD (through this server)
- Default policy: What happens if no rules match (usually ACCEPT or DROP)
Before You Start: Prerequisites and Safety
- Have console or out-of-band access (VNC/IPMI/KVM) in case you lock yourself out.
- Open a second SSH session to test new rules before closing your current one.
- Know your distribution: Ubuntu/Debian vs. CentOS/RHEL. Some newer systems use nftables under the hood, but iptables commands still work.
Install and Verify IPTables
On most Linux servers, iptables is preinstalled. If not, install and verify:
# Ubuntu/Debian
sudo apt update
sudo apt install -y iptables iptables-persistent
# CentOS 7/RHEL 7
sudo yum install -y iptables iptables-services
# Verify
sudo iptables -V
sudo iptables -L -n -v
If you see “iptables (legacy)” or “iptables v1.x (nf_tables)”, you can still proceed. The CLI is compatible with both backends.
Create a Secure Baseline Firewall (Step-by-Step)
We’ll build a safe, minimal baseline for a typical Linux server. Order matters—add allow rules before setting restrictive policies.
1) Allow Loopback and Established Connections
# Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT
# Allow established/related traffic (stateful rule)
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2) Allow SSH Before Restricting Anything
# Allow SSH (default port 22). Adjust if you use a custom port.
# Optional brute-force throttle. The two "recent" rules must come BEFORE the ACCEPT:
# if the ACCEPT is first, every new connection is accepted there and the throttle never matches.
# Each NEW connection from a source is recorded; the fifth from the same source within 60 seconds is dropped.
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
3) Allow ICMP (Ping) and Service Ports You Need
# ICMP echo-request (ping). Useful for diagnostics; disable if policy requires.
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Web server traffic
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
4) Drop Invalid Packets
Conntrack flags packets that belong to no tracked connection and are not valid connection openers (stray ACKs, malformed segments) as INVALID. This rule has to run before the per-port ACCEPT rules that do not check --ctstate, otherwise the port 80/443 rules above accept such packets. Inserting at position 2 places it directly after the loopback rule:
sudo iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP
5) Set Default Policies to Drop
After allows are in place, make INPUT/FORWARD restrictive. OUTPUT is typically ACCEPT for standard servers.
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
List rules to confirm order and counters:
sudo iptables -L -n -v --line-numbers
sudo iptables -S
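Typed one command at a time, steps 1 to 5 still leave a moment where a mistake (a mistyped port, a policy set too early) locks you out. The following is an added example, not code from the original guide: it expresses the same baseline as a single iptables-restore ruleset, which the kernel swaps in as one transaction, and applies it with an automatic rollback timer that restores the previous rules unless you confirm from a second session. The SSH port, the 90-second window and the /run/fw-apply scratch directory are assumptions; adjust them per host.

```shell
#!/bin/sh
# Added example, not part of the original guide: build the baseline from the
# steps above as one iptables-restore ruleset and apply it atomically with an
# automatic rollback. Settings below are hypothetical defaults; adjust per host.
SSH_PORT="${SSH_PORT:-22}"
ROLLBACK_SECS="${ROLLBACK_SECS:-90}"
STATE_DIR="${STATE_DIR:-/run/fw-apply}"   # assumed scratch location

# Emit the filter table in iptables-save syntax. The policy lines are part of
# the table header and iptables-restore replaces the whole table in one kernel
# transaction, so DROP never takes effect before the allow rules exist.
# Only the filter table is listed, so nat/mangle (e.g. Docker's rules) are untouched.
baseline_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m comment --comment "Allow SSH" -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: "
COMMIT
EOF
}

# Parse the ruleset without committing it (iptables-restore --test).
check_ruleset() {
  baseline_ruleset | iptables-restore --test
}

# Save the live rules, apply the new set atomically, and start a timer that
# restores the saved rules unless confirm_firewall runs first. Run as root.
apply_with_rollback() {
  mkdir -p "$STATE_DIR" || return 1
  backup="$STATE_DIR/backup-$(date +%Y%m%d-%H%M%S).rules"
  iptables-save > "$backup" || return 1
  rm -f "$STATE_DIR/confirmed"
  check_ruleset || { echo "ruleset failed to parse; nothing applied" >&2; return 1; }
  (
    sleep "$ROLLBACK_SECS"
    [ -e "$STATE_DIR/confirmed" ] || iptables-restore < "$backup"
  ) &
  echo $! > "$STATE_DIR/timer.pid"
  baseline_ruleset | iptables-restore || return 1
  echo "applied; test from a second session and run confirm_firewall within ${ROLLBACK_SECS}s (backup: $backup)"
}

# Cancel the rollback once a second session has verified access.
confirm_firewall() {
  : > "$STATE_DIR/confirmed"
  kill "$(cat "$STATE_DIR/timer.pid" 2>/dev/null)" 2>/dev/null
  echo "confirmed; persist with: netfilter-persistent save  (or: service iptables save)"
}

# Usage (as root, with a second SSH session already open):
#   . ./firewall.sh && apply_with_rollback
#   ...verify SSH/HTTP from the other session, then: confirm_firewall
```

If the confirmation never comes (for example because the new rules cut off the session you were using), the timer restores the backup and you are back in after at most ROLLBACK_SECS. After confirming, save the ruleset with the distribution's persistence tool so it survives a reboot.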
Open Additional Services (Real-World Examples)
- Allow FTP (control channel only; passive-mode data connections additionally need the nf_conntrack_ftp connection-tracking helper so they are matched as RELATED. Prefer SFTP over SSH instead):
sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT
- Allow MySQL from a trusted host only:
sudo iptables -A INPUT -p tcp --dport 3306 -s 203.0.113.10 -j ACCEPT
- Allow SMTP (use 587 for submission or 465 for implicit TLS):
sudo iptables -A INPUT -p tcp --dport 25 -j ACCEPT
- Block a malicious IP. Insert it at the top of the chain: appended with -A it would land after the port 80/443 ACCEPT rules and never block those services:
sudo iptables -I INPUT 1 -s 198.51.100.5 -j DROP
NAT and Port Forwarding with IPTables
For gateway or Docker/Kubernetes nodes, you may need SNAT or DNAT rules. Enable kernel forwarding first:
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-ipforward.conf
sudo sysctl -p /etc/sysctl.d/99-ipforward.conf
SNAT/MASQUERADE (Outbound Internet from LAN)
# Assuming eth0 is WAN, eth1 is LAN
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
DNAT/Port Forward (Publish Internal Service)
# Forward WAN:8080 to 10.0.0.10:80
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.10:80
sudo iptables -A FORWARD -p tcp -d 10.0.0.10 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
Make IPTables Rules Persistent Across Reboots
Debian/Ubuntu
# Install helper
sudo apt install -y iptables-persistent netfilter-persistent
# Save current rules (writes /etc/iptables/rules.v4 and, for ip6tables, rules.v6)
sudo netfilter-persistent save
# or
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
sudo sh -c 'ip6tables-save > /etc/iptables/rules.v6'
# Restore manually if needed
sudo iptables-restore < /etc/iptables/rules.v4
Everything in this guide is IPv4-only. ip6tables has its own chains and policies, so on a host with a global IPv6 address every listening service stays reachable over IPv6 until you apply an equivalent ip6tables policy (loopback, ESTABLISHED,RELATED, ICMPv6 for neighbour discovery and path MTU, your service ports, then INPUT DROP) and save it the same way.
CentOS/RHEL 7
# CentOS/RHEL 7 ship firewalld, which manages the same kernel tables as iptables.service; stop it first so the two do not overwrite each other
sudo systemctl stop firewalld
sudo systemctl disable firewalld
# Install and enable service
sudo yum install -y iptables-services
sudo systemctl enable iptables
sudo systemctl start iptables
# Save current rules to /etc/sysconfig/iptables (ip6tables uses /etc/sysconfig/ip6tables)
sudo service iptables save
# or
sudo sh -c 'iptables-save > /etc/sysconfig/iptables'
On RHEL/CentOS 8+ and many modern distros, firewalld/nftables is default. You can still use iptables (nft backend) or consider migrating to nftables for long-term consistency.
Testing, Logging, and Troubleshooting
- Keep two SSH sessions open; apply rules in one and test from the other.
- Ping and curl from an external network to verify what is really exposed; iptables -L shows intent, a probe from outside shows reachability:
curl -I http://your.ip
nc -zv your.ip 22 80 443
- Log drops (append the LOG rule after every ACCEPT, and rate-limit it so a flood cannot fill the disk or the journal):
# Log and drop unmatched input (optional)
sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 7
sudo iptables -A INPUT -j DROP
- View kernel logs:
sudo journalctl -k -f
# or
sudo tail -f /var/log/kern.log
- Review counters (the pkts/bytes columns show which rule a flow actually matched):
sudo iptables -L -n -v
- Flush if you made a mistake. iptables -F removes the rules but keeps the chain policies, so with INPUT at DROP a bare flush cuts off your own session; open the policies first:
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -F
# Or list numbered rules and delete just the wrong one instead of flushing everything
sudo iptables -L INPUT -n --line-numbers
sudo iptables -D INPUT <number>
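The LOG rule above writes one kernel line per dropped packet with SRC=, PROTO= and DPT= fields. Reading those by eye does not scale, so here is an added example, not code from the original guide: two small awk functions that summarise such lines by source and destination port, run here over constructed sample log lines (the hostnames and addresses are made up, using documentation address ranges).

```shell
#!/bin/sh
# Added example, not from the original guide: summarise kernel LOG lines
# produced by the "IPTables-Dropped: " rule so you can see who is being
# dropped and on which ports. Reads journalctl -k or kern.log output on stdin.

# Constructed sample of kernel log lines (hostname and addresses are invented).
SAMPLE_KERN_LOG=$(cat <<'EOF'
Jan 10 12:00:01 web1 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.5 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 web1 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.5 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:03 web1 sshd[2231]: Accepted publickey for admin from 203.0.113.7 port 51000 ssh2
Jan 10 12:00:04 web1 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.5 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:05 web1 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.77 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=4321 DF PROTO=TCP SPT=55010 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:06 web1 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.8 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
EOF
)

# Count drops per (SRC, PROTO, DPT), most frequent first.
# Non-firewall lines are ignored; ICMP has no DPT and is shown as "-".
summarize_drops() {
  awk '
    /IPTables-Dropped:/ {
      src = ""; proto = "?"; dpt = "-"
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue            # tokens like DF or SYN carry no value
        key = substr($i, 1, n - 1); val = substr($i, n + 1)
        if (key == "SRC") src = val
        else if (key == "PROTO") proto = val
        else if (key == "DPT") dpt = val
      }
      if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

# Top N source addresses by dropped packets (default 5), regardless of port.
top_sources() {
  awk '
    /IPTables-Dropped:/ {
      for (i = 1; i <= NF; i++)
        if (substr($i, 1, 4) == "SRC=") hits[substr($i, 5)]++
    }
    END { for (s in hits) print hits[s], s }
  ' | sort -k1,1nr -k2 | head -n "${1:-5}"
}

# Usage on a live host:   journalctl -k --since "1 hour ago" | summarize_drops
# On the sample:           printf '%s\n' "$SAMPLE_KERN_LOG" | top_sources 3
```

A source that tops this list on ports you never opened (23, 3389 in the sample) is scanning, not misconfigured, and is a candidate for the "Block a malicious IP" rule earlier in this guide; a high count on a port you do serve usually means a rule-order problem rather than an attacker.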
UFW and Firewalld vs. IPTables
- UFW (Ubuntu): A simplified wrapper for iptables. Great for quick setups, fewer advanced options.
- Firewalld (RHEL/CentOS/Fedora): Zone-based management using nftables; integrates with system services.
- IPTables: Fine-grained, scriptable control; ideal when you need explicit rule ordering and NAT handling.
For most beginners, UFW or firewalld is easier. If you need surgical control or are tuning Docker/NAT, iptables remains a powerful choice.
Best Practices for a Hardened Linux Firewall
- Principle of least privilege: Open only what you must; restrict by source IP where possible.
- Stateful rules first: Allow ESTABLISHED,RELATED early to reduce CPU and false positives.
- Order matters: Place specific allows before broad drops. Comment rules so whoever reads the chain later knows why each exists:
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "Allow SSH" -j ACCEPT
- Version control: Store rule files in Git and deploy with Ansible or shell scripts.
- Monitor and alert: Ship logs to a SIEM or log management tool; watch for spikes in dropped traffic.
- Docker awareness: Docker inserts its own chains (DOCKER, DOCKER-USER) into the FORWARD chain and the nat table, and published container ports are reached through FORWARD, not INPUT, so your INPUT rules do not restrict them. Put container restrictions in the DOCKER-USER chain, avoid blanket flushes on hosts running containers, and restart the Docker daemon to recreate its rules if you do flush.
- Backup always:
iptables-save > /root/iptables-backup-$(date +%F).rules
Example: Full Minimal Web Server Rule Set
Run this as a script (or paste it into one shell invocation), not line by line: the policies are set only after the allow rules exist, and the flush is preceded by ACCEPT policies so a half-applied run cannot cut off your session.
# Reset safely: open the policies first, then flush
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -F
sudo iptables -t nat -F
# Loopback
sudo iptables -A INPUT -i lo -j ACCEPT
# Invalid packets (before any ACCEPT that does not check --ctstate)
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Established/Related
sudo iptables -A INPUT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH with rate-limit (recent rules before the ACCEPT; the fifth new connection from one source within 60 s is dropped)
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# HTTP/HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# ICMP ping
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Optional: log remaining
sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: "
# Final drop (policy below is also DROP; kept for explicitness)
sudo iptables -A INPUT -j DROP
# Default policies, set last
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
# Save rules
# Debian/Ubuntu
# sudo netfilter-persistent save
# CentOS/RHEL
# sudo service iptables save
Why This Matters for Hosting and Cloud Servers
In real hosting environments, a properly designed iptables policy reduces attack surface, throttles brute force attempts, and keeps noisy traffic from consuming resources. At YouStable, our managed servers ship with hardened firewall templates, continuous monitoring, and change control—ideal if you prefer expert-managed security without DIY risk.
Frequently Asked Questions
Is IPTables deprecated in favor of nftables?
nftables is the modern framework, and many distros route iptables commands through an nft backend (iptables-nft). IPTables is still widely supported. New deployments can use either; long-term, nftables offers cleaner syntax and features, but iptables remains viable and common.
How do I list and back up my current iptables rules?
List rules with counters using sudo iptables -L -n -v --line-numbers or raw syntax via sudo iptables -S. Back up everything to a file using sudo iptables-save > ~/iptables-$(date +%F).rules. Restore with sudo iptables-restore < file.rules.
How can I allow a port in iptables quickly?
Use a simple append rule, for example: sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT. Because -A appends to the end of the chain, the new rule lands after an explicit final DROP or LOG rule if you have one (as in the full example above) and never matches; in that case insert it above the drop with sudo iptables -I INPUT <number> -p tcp --dport 8080 -j ACCEPT, finding the number with sudo iptables -L INPUT -n --line-numbers. Ensure you have ESTABLISHED,RELATED and loopback rules first, and set your default policies to DROP for a secure stance.
What’s the difference between iptables, UFW, and firewalld?
IPTables is the low-level, rule-by-rule interface. UFW (Ubuntu) and firewalld (RHEL/CentOS/Fedora) are higher-level managers that generate rules for you. UFW is simple; firewalld provides zone-based management; iptables offers the most explicit control.
How do I avoid locking myself out over SSH?
Always allow SSH first, keep a second SSH session open, and consider using a screen/tmux session. Apply rules incrementally, verify access after each change, and back up current rules with iptables-save so you can quickly restore if needed.