![\"What](\"https:\/\/www.youstable.com\/blog\/wp-content\/uploads\/2025\/12\/image-22.png\")
<\/figure>\n\n\n\nWhile modern distributions are moving toward nftables (and wrappers like firewalld\/UFW), iptables is still widely deployed, especially on legacy systems and minimal servers. Understanding iptables remains essential for sysadmins, DevOps engineers, and anyone managing Linux firewalls.<\/p>\n\n\n\n
\n\n\n\n
How iptables Works: Tables, Chains, and Rule Flow<\/h2>\n\n\n\n
iptables uses \u201ctables\u201d that contain \u201cchains\u201d of ordered rules. Each packet traverses certain chains depending on direction and purpose. The first matching rule wins, and the chain\u2019s default policy is applied if no rule matches.<\/p>\n\n\n\n
Core tables<\/h3>\n\n\n\n\n- filter (default):<\/strong> Handles packet filtering. Chains: INPUT (to local host), FORWARD (through the host), OUTPUT (from local host).<\/li>\n\n\n\n
- nat<\/strong>: Handles address translation (DNAT\/SNAT\/MASQUERADE). Chains: PREROUTING (before routing), POSTROUTING (after routing), OUTPUT (locally generated).<\/li>\n\n\n\n
- mangle<\/strong>: Advanced packet alteration (QoS\/TTL\/marks).<\/li>\n\n\n\n
- raw<\/strong>: Exempt packets from connection tracking (conntrack).<\/li>\n<\/ul>\n\n\n\n
Default policies and rule order<\/h3>\n\n\n\n\n- Policy<\/strong>: The action taken when no rule matches (e.g., ACCEPT or DROP). Best practice: set restrictive defaults and explicitly allow required traffic.<\/li>\n\n\n\n
- Order matters<\/strong>: Rules are evaluated top down. Place specific allows\/blocks before broad rules.<\/li>\n\n\n\n
- Stateful firewalling<\/strong>: Use
-m conntrack --ctstate<\/code> to allow ESTABLISHED,RELATED responses.<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nAccess and Manage iptables Safely<\/h2>\n\n\n\n
Always ensure you keep SSH access<\/strong><\/a> during firewall changes, especially on remote servers. Open another console (or use a screen\/tmux session), and test connectivity after each change. Consider a \u201cfailsafe\u201d by scheduling an automatic rollback if you get locked out.<\/p>\n\n\n\nCheck installed iptables variant<\/h3>\n\n\n\n
Newer distros ship iptables as a wrapper over nftables (iptables-nft). Legacy systems use iptables legacy. Both accept similar CLI syntax but manage different backends.<\/p>\n\n\n\n
sudo iptables --version\nsudo update-alternatives --config iptables # Debian\/Ubuntu: switch legacy\/nft if available<\/code><\/pre>\n\n\n\n
\n\n\n\nEssential iptables Commands (Beginner Friendly)<\/strong><\/h2>\n\n\n\nView current rules and policies<\/h3>\n\n\n\n# List current filter table rules (-v for counters, -n for numeric, --line-numbers for indices)\nsudo iptables -S\nsudo iptables -L -v -n --line-numbers\n\n# Show NAT table\nsudo iptables -t nat -L -v -n<\/code><\/pre>\n\n\n\nSet secure default policies<\/h3>\n\n\n\n
Lock down inbound and forward traffic by default, then allow what you need. Keep outbound open unless you must restrict egress.<\/p>\n\n\n\n
# Default DROP for inbound and forward, ACCEPT outbound\nsudo iptables -P INPUT DROP\nsudo iptables -P FORWARD DROP\nsudo iptables -P OUTPUT ACCEPT\n\n# Allow loopback and established connections\nsudo iptables -A INPUT -i lo -j ACCEPT\nsudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT<\/code><\/pre>\n\n\n\nAllow SSH, HTTP, and HTTPS<\/h3>\n\n\n\n
SSH is your lifeline. Always confirm your SSH port before applying a restrictive policy.<\/p>\n\n\n\n
# Allow SSH on port 22 (change if using a custom port)\nsudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT\n\n# Allow web traffic\nsudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT\nsudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT<\/code><\/pre>\n\n\n\nAllow only a specific IP or subnet<\/h3>\n\n\n\n# Allow SSH only from a trusted address or CIDR\nsudo iptables -A INPUT -p tcp --dport 22 -s 203.0.113.10 -j ACCEPT\nsudo iptables -A INPUT -p tcp --dport 22 -s 203.0.113.0\/24 -j ACCEPT<\/code><\/pre>\n\n\n\nDrop unwanted ports and ICMP floods<\/h3>\n\n\n\n# Explicitly drop common attack surfaces\nsudo iptables -A INPUT -p tcp --dport 23 -j DROP # Telnet\nsudo iptables -A INPUT -p tcp --dport 25 -j DROP # SMTP (if not a mail server)\n\n# Rate-limit ICMP echo (ping) to mitigate floods\nsudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5\/second --limit-burst 15 -j ACCEPT\nsudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP<\/code><\/pre>\n\n\n\nDelete or flush rules carefully<\/h3>\n\n\n\n# Delete a rule by chain and line number (get line numbers via -L --line-numbers)\nsudo iptables -D INPUT 3\n\n# Flush rules in a chain or table (dangerous on remote servers)\nsudo iptables -F # Flush filter table\nsudo iptables -t nat -F<\/code><\/pre>\n\n\n\n
\n\n\n\nNAT and Port Forwarding (iptables for Routing)<\/h2>\n\n\n\n
Use the nat table for address\/port translation and basic router\/gateway use cases. Enable IP forwarding at the kernel level first.<\/p>\n\n\n\n
# Enable IPv4 forwarding (temporary)\nsudo sysctl -w net.ipv4.ip_forward=1\n# Permanent: set net.ipv4.ip_forward=1 in \/etc\/sysctl.conf and reload: sudo sysctl -p\n\n# NAT outbound traffic from LAN (eth1) to WAN (eth0)\nsudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\nsudo iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\nsudo iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n\n# Port forward WAN:8080 to internal 10.0.0.10:80\nsudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.10:80\nsudo iptables -A FORWARD -p tcp -d 10.0.0.10 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT<\/code><\/pre>\n\n\n\nLogging and Monitoring iptables<\/h2>\n\n\n\n
Log drops to trace attacks and misconfigurations. Ensure your system logger (rsyslog\/journald) captures kernel log messages.<\/p>\n\n\n\n
# Log then drop\nsudo iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 10 --name SSHBRUTE -j LOG --log-prefix \"IPT-SSH-BRUTE \"\nsudo iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 10 --name SSHBRUTE -j DROP\n\n# View logs (examples)\nsudo journalctl -k | grep IPT-\nsudo dmesg | grep IPT-<\/code><\/pre>\n\n\n\n
\n\n\n\nPersisting iptables Rules Across Reboots<\/h2>\n\n\n\n
iptables rules are in memory. Save them so they load on boot.<\/p>\n\n\n\n
Debian\/Ubuntu<\/h3>\n\n\n\n# Install helper\nsudo apt-get update && sudo apt-get install -y iptables-persistent\n\n# Save current rules\nsudo netfilter-persistent save\n# or\nsudo sh -c 'iptables-save > \/etc\/iptables\/rules.v4'<\/code><\/pre>\n\n\n\nRHEL\/CentOS\/AlmaLinux\/Rocky<\/h3>\n\n\n\n# Use iptables-services (disables firewalld)\nsudo yum install<\/a> -y iptables-services\nsudo systemctl enable iptables\nsudo service iptables save # Saves to \/etc\/sysconfig\/iptables<\/code><\/pre>\n\n\n\nAlternatively, migrate to firewalld (nftables backend) for easier persistent policies if you prefer a higher level interface.<\/p>\n\n\n\n
iptables vs nftables vs UFW\/firewalld<\/h2>\n\n\n\n\n- iptables<\/strong>: Mature, ubiquitous, powerful. Steeper learning curve. Syntax heavy. Excellent for low level control and legacy systems.<\/li>\n\n\n\n
- nftables<\/strong>: Modern replacement for Netfilter with a simpler, unified syntax and better performance\/atomic rule updates. Recommended for new deployments.<\/li>\n\n\n\n
- UFW<\/strong> (Ubuntu) and firewalld<\/strong> (RHEL\/Fedora): User friendly front ends that manage nftables\/iptables under the hood, ideal for quick setups and consistent persistence.<\/li>\n<\/ul>\n\n\n\n
If you manage multiple servers or need role based, reproducible firewall policies, front ends or config management (Ansible, Terraform) may be better than hand crafted iptables commands.<\/p>\n\n\n\n
Real World Use Cases in Hosting and Cloud<\/h2>\n\n\n\n\n- Harden a web server<\/strong>: Default DROP, allow 22\/80\/443, rate limit SSH, log drops, block suspicious IPs.<\/li>\n\n\n\n
- Reverse proxy tier<\/strong>: Allow 80\/443 from CDN or load balancer<\/a> ranges only; restrict backend ports to private subnets.<\/li>\n\n\n\n
- NAT gateway<\/strong>: MASQUERADE LAN traffic to public WAN; forward specific ports to internal services.<\/li>\n\n\n\n
- Multi<\/strong> tenant VPS<\/strong>: Egress filtering to prevent abuse; per-tenant IP allowlists and bandwidth shaping via mangle\/marks.<\/li>\n<\/ul>\n\n\n\n
On YouStable VPS or Dedicated Servers<\/a><\/strong>, our experts can preconfigure secure firewall baselines, monitor logs, and help you migrate from iptables to nftables without downtime. This reduces misconfiguration risk and aligns with best practice hardening for production workloads.<\/p>\n\n\n\n
\n\n\n\nCommon Mistakes and How to Avoid Them<\/h2>\n\n\n\n\n- Locking yourself out<\/strong>: Always allow SSH first and test from a second session before applying restrictive policies.<\/li>\n\n\n\n
- Forgetting ESTABLISHED,RELATED<\/strong>: Without this rule, return traffic might be dropped, breaking DNS, HTTP, and more.<\/li>\n\n\n\n
- No persistence<\/strong>: Reboots wipe rules. Save them using iptables persistent or iptables services.<\/li>\n\n\n\n
- Rule order issues<\/strong>: Broad drops above specific allows will block legitimate traffic.<\/li>\n\n\n\n
- Ignoring IPv6<\/strong>: Use
ip6tables<\/code> (or nftables) to handle IPv6; otherwise, v6 stays unfiltered.<\/li>\n\n\n\n- Mixing backends<\/strong>: Don\u2019t mix iptables legacy with iptables-nft\/nftables accidentally. Keep your firewall tooling consistent.<\/li>\n<\/ul>\n\n\n\n
A Minimal Secure Baseline: Step-by-Step<\/h2>\n\n\n\n
Use this as a starting point for a typical Linux server. Adapt ports as needed.<\/p>\n\n\n\n
# 1) Default policies\nsudo iptables -P INPUT DROP\nsudo iptables -P FORWARD DROP\nsudo iptables -P OUTPUT ACCEPT\n\n# 2) Hygiene rules\nsudo iptables -A INPUT -i lo -j ACCEPT\nsudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n\n# 3) Service allows\nsudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT\nsudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT\nsudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT\n\n# 4) Optional: logs for debugging\nsudo iptables -A INPUT -j LOG --log-prefix \"IPT-DROP \" --log-level 6\n# 5) Drop everything else (policy already does)\n# 6) Save rules (Debian\/Ubuntu)\nsudo sh -c 'iptables-save > \/etc\/iptables\/rules.v4'<\/code><\/pre>\n\n\n\nSecurity Best Practices<\/h2>\n\n\n\n\n- Principle of least privilege<\/strong>: Open only what you must, where you must.<\/li>\n\n\n\n
- Document rules<\/strong>: Add comments with
-m comment --comment<\/code> so future you knows why a rule exists.<\/li>\n\n\n\n- Rate limit exposed services<\/strong>: Especially SSH and API endpoints.<\/li>\n\n\n\n
- Segment networks<\/strong>: Use interfaces, VLANs, and subnets to reduce blast radius.<\/li>\n\n\n\n
- Monitor and alert<\/strong>: Parse logs for anomalies. Consider fail2ban<\/a> with iptables for automated blocking.<\/li>\n\n\n\n
- Plan upgrades<\/strong>: Evaluate migrating to nftables for long term maintenance.<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nFAQs<\/h2>\n\n\n\n\n\nWhat is iptables used for in Linux?<\/h3>\n\n\niptables configures the Linux kernel\u2019s Netfilter firewall to control network traffic. You can allow or block ports, limit connections, log suspicious activity, and perform NAT for routing and port forwarding. It\u2019s a key tool for hardening servers and enforcing security policies.<\/p>\n\n<\/div>\n<\/div>\n
\nHow do I check my current iptables rules?<\/h3>\n\n\nRun sudo iptables -S<\/code> for rule syntax or sudo iptables -L -v -n --line-numbers<\/code> for a tabular view with counters. For NAT rules, use sudo iptables -t nat -L -v -n<\/code>. These commands show active in-memory policies.<\/p>\n\n<\/div>\n<\/div>\n\nIs iptables deprecated? Should I use nftables instead?<\/h3>\n\n\niptables isn\u2019t immediately deprecated, but nftables is the modern replacement and default backend on many distros. For new deployments, nftables or front ends like firewalld\/UFW are recommended. Legacy servers can keep iptables, but plan a gradual migration.<\/p>\n\n<\/div>\n<\/div>\n
\nHow can I persist iptables rules after reboot?<\/h3>\n\n\nOn Debian\/Ubuntu, install iptables-persistent<\/code> and run sudo netfilter-persistent save<\/code>. On RHEL\/CentOS-like systems, install iptables-services<\/code>, enable the service, and run service iptables save<\/code>. Alternatively, switch to firewalld for automatic persistence.<\/p>\n\n<\/div>\n<\/div>\n\nHow do I allow SSH from only one IP?<\/strong><\/h3>\n\n\nAdd a rule such as sudo iptables -A INPUT -p tcp --dport 22 -s 203.0.113.10 -j ACCEPT<\/code> and ensure your default policy or subsequent rules drop other SSH attempts. Always test from a second session before locking it down.<\/p>\n\n<\/div>\n<\/div>\n\nHow do I block a specific port with iptables?<\/h3>\n\n\nUse sudo iptables -A INPUT -p tcp --dport 25 -j DROP<\/code> to silently drop inbound TCP port 25. Replace the port number<\/a> as required. If your default policy is DROP, you may not need an explicit drop rule unless you want logging.<\/p>\n\n<\/div>\n<\/div>\n
Default policies and rule order<\/h3>\n\n\n\n\n- Policy<\/strong>: The action taken when no rule matches (e.g., ACCEPT or DROP). Best practice: set restrictive defaults and explicitly allow required traffic.<\/li>\n\n\n\n
- Order matters<\/strong>: Rules are evaluated top down. Place specific allows\/blocks before broad rules.<\/li>\n\n\n\n
- Stateful firewalling<\/strong>: Use
-m conntrack --ctstate<\/code> to allow ESTABLISHED,RELATED responses.<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nAccess and Manage iptables Safely<\/h2>\n\n\n\n
Always ensure you keep SSH access<\/strong><\/a> during firewall changes, especially on remote servers. Open another console (or use a screen\/tmux session), and test connectivity after each change. Consider a \u201cfailsafe\u201d by scheduling an automatic rollback if you get locked out.<\/p>\n\n\n\nCheck installed iptables variant<\/h3>\n\n\n\n
Newer distros ship iptables as a wrapper over nftables (iptables-nft). Legacy systems use iptables legacy. Both accept similar CLI syntax but manage different backends.<\/p>\n\n\n\n
sudo iptables --version\nsudo update-alternatives --config iptables # Debian\/Ubuntu: switch legacy\/nft if available<\/code><\/pre>\n\n\n\n
\n\n\n\nEssential iptables Commands (Beginner Friendly)<\/strong><\/h2>\n\n\n\nView current rules and policies<\/h3>\n\n\n\n# List current filter table rules (-v for counters, -n for numeric, --line-numbers for indices)\nsudo iptables -S\nsudo iptables -L -v -n --line-numbers\n\n# Show NAT table\nsudo iptables -t nat -L -v -n<\/code><\/pre>\n\n\n\nSet secure default policies<\/h3>\n\n\n\n
Lock down inbound and forward traffic by default, then allow what you need. Keep outbound open unless you must restrict egress.<\/p>\n\n\n\n
# Default DROP for inbound and forward, ACCEPT outbound\nsudo iptables -P INPUT DROP\nsudo iptables -P FORWARD DROP\nsudo iptables -P OUTPUT ACCEPT\n\n# Allow loopback and established connections\nsudo iptables -A INPUT -i lo -j ACCEPT\nsudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT<\/code><\/pre>\n\n\n\nAllow SSH, HTTP, and HTTPS<\/h3>\n\n\n\n
SSH is your lifeline. Always confirm your SSH port before applying a restrictive policy.<\/p>\n\n\n\n
# Allow SSH on port 22 (change if using a custom port)\nsudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT\n\n# Allow web traffic\nsudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT\nsudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT<\/code><\/pre>\n\n\n\nAllow only a specific IP or subnet<\/h3>\n\n\n\n# Allow SSH only from a trusted address or CIDR\nsudo iptables -A INPUT -p tcp --dport 22 -s 203.0.113.10 -j ACCEPT\nsudo iptables -A INPUT -p tcp --dport 22 -s 203.0.113.0\/24 -j ACCEPT<\/code><\/pre>\n\n\n\nDrop unwanted ports and ICMP floods<\/h3>\n\n\n\n# Explicitly drop common attack surfaces\nsudo iptables -A INPUT -p tcp --dport 23 -j DROP # Telnet\nsudo iptables -A INPUT -p tcp --dport 25 -j DROP # SMTP (if not a mail server)\n\n# Rate-limit ICMP echo (ping) to mitigate floods\nsudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5\/second --limit-burst 15 -j ACCEPT\nsudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP<\/code><\/pre>\n\n\n\nDelete or flush rules carefully<\/h3>\n\n\n\n# Delete a rule by chain and line number (get line numbers via -L --line-numbers)\nsudo iptables -D INPUT 3\n\n# Flush rules in a chain or table (dangerous on remote servers)\nsudo iptables -F # Flush filter table\nsudo iptables -t nat -F<\/code><\/pre>\n\n\n\n
\n\n\n\nNAT and Port Forwarding (iptables for Routing)<\/h2>\n\n\n\n
Use the nat table for address\/port translation and basic router\/gateway use cases. Enable IP forwarding at the kernel level first.<\/p>\n\n\n\n
# Enable IPv4 forwarding (temporary)\nsudo sysctl -w net.ipv4.ip_forward=1\n# Permanent: set net.ipv4.ip_forward=1 in \/etc\/sysctl.conf and reload: sudo sysctl -p\n\n# NAT outbound traffic from LAN (eth1) to WAN (eth0)\nsudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\nsudo iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\nsudo iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n\n# Port forward WAN:8080 to internal 10.0.0.10:80\nsudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.10:80\nsudo iptables -A FORWARD -p tcp -d 10.0.0.10 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT<\/code><\/pre>\n\n\n\nLogging and Monitoring iptables<\/h2>\n\n\n\n
Log drops to trace attacks and misconfigurations. Ensure your system logger (rsyslog\/journald) captures kernel log messages.<\/p>\n\n\n\n
# Log then drop\nsudo iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 10 --name SSHBRUTE -j LOG --log-prefix \"IPT-SSH-BRUTE \"\nsudo iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 10 --name SSHBRUTE -j DROP\n\n# View logs (examples)\nsudo journalctl -k | grep IPT-\nsudo dmesg | grep IPT-<\/code><\/pre>\n\n\n\n
\n\n\n\nPersisting iptables Rules Across Reboots<\/h2>\n\n\n\n
iptables rules are in memory. Save them so they load on boot.<\/p>\n\n\n\n
Debian\/Ubuntu<\/h3>\n\n\n\n# Install helper\nsudo apt-get update && sudo apt-get install -y iptables-persistent\n\n# Save current rules\nsudo netfilter-persistent save\n# or\nsudo sh -c 'iptables-save > \/etc\/iptables\/rules.v4'<\/code><\/pre>\n\n\n\nRHEL\/CentOS\/AlmaLinux\/Rocky<\/h3>\n\n\n\n# Use iptables-services (disables firewalld)\nsudo yum install<\/a> -y iptables-services\nsudo systemctl enable iptables\nsudo service iptables save # Saves to \/etc\/sysconfig\/iptables<\/code><\/pre>\n\n\n\nAlternatively, migrate to firewalld (nftables backend) for easier persistent policies if you prefer a higher level interface.<\/p>\n\n\n\n
iptables vs nftables vs UFW\/firewalld<\/h2>\n\n\n\n\n- iptables<\/strong>: Mature, ubiquitous, powerful. Steeper learning curve. Syntax heavy. Excellent for low level control and legacy systems.<\/li>\n\n\n\n
- nftables<\/strong>: Modern replacement for Netfilter with a simpler, unified syntax and better performance\/atomic rule updates. Recommended for new deployments.<\/li>\n\n\n\n
- UFW<\/strong> (Ubuntu) and firewalld<\/strong> (RHEL\/Fedora): User friendly front ends that manage nftables\/iptables under the hood, ideal for quick setups and consistent persistence.<\/li>\n<\/ul>\n\n\n\n
If you manage multiple servers or need role based, reproducible firewall policies, front ends or config management (Ansible, Terraform) may be better than hand crafted iptables commands.<\/p>\n\n\n\n
Real World Use Cases in Hosting and Cloud<\/h2>\n\n\n\n\n- Harden a web server<\/strong>: Default DROP, allow 22\/80\/443, rate limit SSH, log drops, block suspicious IPs.<\/li>\n\n\n\n
- Reverse proxy tier<\/strong>: Allow 80\/443 from CDN or load balancer<\/a> ranges only; restrict backend ports to private subnets.<\/li>\n\n\n\n
- NAT gateway<\/strong>: MASQUERADE LAN traffic to public WAN; forward specific ports to internal services.<\/li>\n\n\n\n
- Multi<\/strong> tenant VPS<\/strong>: Egress filtering to prevent abuse; per-tenant IP allowlists and bandwidth shaping via mangle\/marks.<\/li>\n<\/ul>\n\n\n\n
On YouStable VPS or Dedicated Servers<\/a><\/strong>, our experts can preconfigure secure firewall baselines, monitor logs, and help you migrate from iptables to nftables without downtime. This reduces misconfiguration risk and aligns with best practice hardening for production workloads.<\/p>\n\n\n\n
\n\n\n\nCommon Mistakes and How to Avoid Them<\/h2>\n\n\n\n\n- Locking yourself out<\/strong>: Always allow SSH first and test from a second session before applying restrictive policies.<\/li>\n\n\n\n
- Forgetting ESTABLISHED,RELATED<\/strong>: Without this rule, return traffic might be dropped, breaking DNS, HTTP, and more.<\/li>\n\n\n\n
- No persistence<\/strong>: Reboots wipe rules. Save them using iptables persistent or iptables services.<\/li>\n\n\n\n
- Rule order issues<\/strong>: Broad drops above specific allows will block legitimate traffic.<\/li>\n\n\n\n
- Ignoring IPv6<\/strong>: Use
ip6tables<\/code> (or nftables) to handle IPv6; otherwise, v6 stays unfiltered.<\/li>\n\n\n\n- Mixing backends<\/strong>: Don\u2019t mix iptables legacy with iptables-nft\/nftables accidentally. Keep your firewall tooling consistent.<\/li>\n<\/ul>\n\n\n\n
A Minimal Secure Baseline: Step-by-Step<\/h2>\n\n\n\n
Use this as a starting point for a typical Linux server. Adapt ports as needed.<\/p>\n\n\n\n
# 1) Default policies\nsudo iptables -P INPUT DROP\nsudo iptables -P FORWARD DROP\nsudo iptables -P OUTPUT ACCEPT\n\n# 2) Hygiene rules\nsudo iptables -A INPUT -i lo -j ACCEPT\nsudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n\n# 3) Service allows\nsudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT\nsudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT\nsudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT\n\n# 4) Optional: logs for debugging\nsudo iptables -A INPUT -j LOG --log-prefix \"IPT-DROP \" --log-level 6\n# 5) Drop everything else (policy already does)\n# 6) Save rules (Debian\/Ubuntu)\nsudo sh -c 'iptables-save > \/etc\/iptables\/rules.v4'<\/code><\/pre>\n\n\n\nSecurity Best Practices<\/h2>\n\n\n\n\n- Principle of least privilege<\/strong>: Open only what you must, where you must.<\/li>\n\n\n\n
- Document rules<\/strong>: Add comments with
-m comment --comment<\/code> so future you knows why a rule exists.<\/li>\n\n\n\n- Rate limit exposed services<\/strong>: Especially SSH and API endpoints.<\/li>\n\n\n\n
- Segment networks<\/strong>: Use interfaces, VLANs, and subnets to reduce blast radius.<\/li>\n\n\n\n
- Monitor and alert<\/strong>: Parse logs for anomalies. Consider fail2ban<\/a> with iptables for automated blocking.<\/li>\n\n\n\n
- Plan upgrades<\/strong>: Evaluate migrating to nftables for long term maintenance.<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nFAQs<\/h2>\n\n\n\n\n\nWhat is iptables used for in Linux?<\/h3>\n\n\niptables configures the Linux kernel\u2019s Netfilter firewall to control network traffic. You can allow or block ports, limit connections, log suspicious activity, and perform NAT for routing and port forwarding. It\u2019s a key tool for hardening servers and enforcing security policies.<\/p>\n\n<\/div>\n<\/div>\n
\nHow do I check my current iptables rules?<\/h3>\n\n\nRun sudo iptables -S<\/code> for rule syntax or sudo iptables -L -v -n --line-numbers<\/code> for a tabular view with counters. For NAT rules, use sudo iptables -t nat -L -v -n<\/code>. These commands show active in-memory policies.<\/p>\n\n<\/div>\n<\/div>\n\nIs iptables deprecated? Should I use nftables instead?<\/h3>\n\n\niptables isn\u2019t immediately deprecated, but nftables is the modern replacement and default backend on many distros. For new deployments, nftables or front ends like firewalld\/UFW are recommended. Legacy servers can keep iptables, but plan a gradual migration.<\/p>\n\n<\/div>\n<\/div>\n
\nHow can I persist iptables rules after reboot?<\/h3>\n\n\nOn Debian\/Ubuntu, install iptables-persistent<\/code> and run sudo netfilter-persistent save<\/code>. On RHEL\/CentOS-like systems, install iptables-services<\/code>, enable the service, and run service iptables save<\/code>. Alternatively, switch to firewalld for automatic persistence.<\/p>\n\n<\/div>\n<\/div>\n\nHow do I allow SSH from only one IP?<\/strong><\/h3>\n\n\nAdd a rule such as sudo iptables -A INPUT -p tcp --dport 22 -s 203.0.113.10 -j ACCEPT<\/code> and ensure your default policy or subsequent rules drop other SSH attempts. Always test from a second session before locking it down.<\/p>\n\n<\/div>\n<\/div>\n\nHow do I block a specific port with iptables?<\/h3>\n\n\nUse sudo iptables -A INPUT -p tcp --dport 25 -j DROP<\/code> to silently drop inbound TCP port 25. Replace the port number<\/a> as required. If your default policy is DROP, you may not need an explicit drop rule unless you want logging.<\/p>\n\n<\/div>\n<\/div>\n
-m conntrack --ctstate<\/code> to allow ESTABLISHED,RELATED responses.<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nAccess and Manage iptables Safely<\/h2>\n\n\n\n
Always ensure you keep SSH access<\/strong><\/a> during firewall changes, especially on remote servers. Open another console (or use a screen\/tmux session), and test connectivity after each change. Consider a \u201cfailsafe\u201d by scheduling an automatic rollback if you get locked out.<\/p>\n\n\n\nCheck installed iptables variant<\/h3>\n\n\n\n
Newer distros ship iptables as a wrapper over nftables (iptables-nft). Legacy systems use iptables legacy. Both accept similar CLI syntax but manage different backends.<\/p>\n\n\n\n
sudo iptables --version\nsudo update-alternatives --config iptables # Debian\/Ubuntu: switch legacy\/nft if available<\/code><\/pre>\n\n\n\n
\n\n\n\nEssential iptables Commands (Beginner Friendly)<\/strong><\/h2>\n\n\n\nView current rules and policies<\/h3>\n\n\n\n# List current filter table rules (-v for counters, -n for numeric, --line-numbers for indices)\nsudo iptables -S\nsudo iptables -L -v -n --line-numbers\n\n# Show NAT table\nsudo iptables -t nat -L -v -n<\/code><\/pre>\n\n\n\nSet secure default policies<\/h3>\n\n\n\n
Lock down inbound and forward traffic by default, then allow what you need. Keep outbound open unless you must restrict egress.<\/p>\n\n\n\n
# Default DROP for inbound and forward, ACCEPT outbound\nsudo iptables -P INPUT DROP\nsudo iptables -P FORWARD DROP\nsudo iptables -P OUTPUT ACCEPT\n\n# Allow loopback and established connections\nsudo iptables -A INPUT -i lo -j ACCEPT\nsudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT<\/code><\/pre>\n\n\n\nAllow SSH, HTTP, and HTTPS<\/h3>\n\n\n\n
SSH is your lifeline. Always confirm your SSH port before applying a restrictive policy.<\/p>\n\n\n\n
# Allow SSH on port 22 (change if using a custom port)\nsudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT\n\n# Allow web traffic\nsudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT\nsudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT<\/code><\/pre>\n\n\n\nAllow only a specific IP or subnet<\/h3>\n\n\n\n# Allow SSH only from a trusted address or CIDR\nsudo iptables -A INPUT -p tcp --dport 22 -s 203.0.113.10 -j ACCEPT\nsudo iptables -A INPUT -p tcp --dport 22 -s 203.0.113.0\/24 -j ACCEPT<\/code><\/pre>\n\n\n\nDrop unwanted ports and ICMP floods<\/h3>\n\n\n\n# Explicitly drop common attack surfaces\nsudo iptables -A INPUT -p tcp --dport 23 -j DROP # Telnet\nsudo iptables -A INPUT -p tcp --dport 25 -j DROP # SMTP (if not a mail server)\n\n# Rate-limit ICMP echo (ping) to mitigate floods\nsudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5\/second --limit-burst 15 -j ACCEPT\nsudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP<\/code><\/pre>\n\n\n\nDelete or flush rules carefully<\/h3>\n\n\n\n# Delete a rule by chain and line number (get line numbers via -L --line-numbers)\nsudo iptables -D INPUT 3\n\n# Flush rules in a chain or table (dangerous on remote servers)\nsudo iptables -F # Flush filter table\nsudo iptables -t nat -F<\/code><\/pre>\n\n\n\n
\n\n\n\nNAT and Port Forwarding (iptables for Routing)<\/h2>\n\n\n\n
Use the nat table for address\/port translation and basic router\/gateway use cases. Enable IP forwarding at the kernel level first.<\/p>\n\n\n\n
# Enable IPv4 forwarding (temporary)\nsudo sysctl -w net.ipv4.ip_forward=1\n# Permanent: set net.ipv4.ip_forward=1 in \/etc\/sysctl.conf and reload: sudo sysctl -p\n\n# NAT outbound traffic from LAN (eth1) to WAN (eth0)\nsudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\nsudo iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\nsudo iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n\n# Port forward WAN:8080 to internal 10.0.0.10:80\nsudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.10:80\nsudo iptables -A FORWARD -p tcp -d 10.0.0.10 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT<\/code><\/pre>\n\n\n\nLogging and Monitoring iptables<\/h2>\n\n\n\n
Log drops to trace attacks and misconfigurations. Ensure your system logger (rsyslog\/journald) captures kernel log messages.<\/p>\n\n\n\n
# Log then drop\nsudo iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 10 --name SSHBRUTE -j LOG --log-prefix \"IPT-SSH-BRUTE \"\nsudo iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 10 --name SSHBRUTE -j DROP\n\n# View logs (examples)\nsudo journalctl -k | grep IPT-\nsudo dmesg | grep IPT-<\/code><\/pre>\n\n\n\n
\n\n\n\nPersisting iptables Rules Across Reboots<\/h2>\n\n\n\n
iptables rules are in memory. Save them so they load on boot.<\/p>\n\n\n\n
Debian\/Ubuntu<\/h3>\n\n\n\n# Install helper\nsudo apt-get update && sudo apt-get install -y iptables-persistent\n\n# Save current rules\nsudo netfilter-persistent save\n# or\nsudo sh -c 'iptables-save > \/etc\/iptables\/rules.v4'<\/code><\/pre>\n\n\n\nRHEL\/CentOS\/AlmaLinux\/Rocky<\/h3>\n\n\n\n# Use iptables-services (disables firewalld)\nsudo yum install<\/a> -y iptables-services\nsudo systemctl enable iptables\nsudo service iptables save # Saves to \/etc\/sysconfig\/iptables<\/code><\/pre>\n\n\n\nAlternatively, migrate to firewalld (nftables backend) for easier persistent policies if you prefer a higher level interface.<\/p>\n\n\n\n
iptables vs nftables vs UFW\/firewalld<\/h2>\n\n\n\n\n- iptables<\/strong>: Mature, ubiquitous, powerful. Steeper learning curve. Syntax heavy. Excellent for low level control and legacy systems.<\/li>\n\n\n\n
- nftables<\/strong>: Modern replacement for Netfilter with a simpler, unified syntax and better performance\/atomic rule updates. Recommended for new deployments.<\/li>\n\n\n\n
- UFW<\/strong> (Ubuntu) and firewalld<\/strong> (RHEL\/Fedora): User friendly front ends that manage nftables\/iptables under the hood, ideal for quick setups and consistent persistence.<\/li>\n<\/ul>\n\n\n\n
If you manage multiple servers or need role based, reproducible firewall policies, front ends or config management (Ansible, Terraform) may be better than hand crafted iptables commands.<\/p>\n\n\n\n
Real World Use Cases in Hosting and Cloud<\/h2>\n\n\n\n\n- Harden a web server<\/strong>: Default DROP, allow 22\/80\/443, rate limit SSH, log drops, block suspicious IPs.<\/li>\n\n\n\n
- Reverse proxy tier<\/strong>: Allow 80\/443 from CDN or load balancer<\/a> ranges only; restrict backend ports to private subnets.<\/li>\n\n\n\n
- NAT gateway<\/strong>: MASQUERADE LAN traffic to public WAN; forward specific ports to internal services.<\/li>\n\n\n\n
- Multi<\/strong> tenant VPS<\/strong>: Egress filtering to prevent abuse; per-tenant IP allowlists and bandwidth shaping via mangle\/marks.<\/li>\n<\/ul>\n\n\n\n
On YouStable VPS or Dedicated Servers<\/a><\/strong>, our experts can preconfigure secure firewall baselines, monitor logs, and help you migrate from iptables to nftables without downtime. This reduces misconfiguration risk and aligns with best practice hardening for production workloads.<\/p>\n\n\n\n
\n\n\n\nCommon Mistakes and How to Avoid Them<\/h2>\n\n\n\n\n- Locking yourself out<\/strong>: Always allow SSH first and test from a second session before applying restrictive policies.<\/li>\n\n\n\n
- Forgetting ESTABLISHED,RELATED<\/strong>: Without this rule, return traffic might be dropped, breaking DNS, HTTP, and more.<\/li>\n\n\n\n
- No persistence<\/strong>: Reboots wipe rules. Save them using iptables persistent or iptables services.<\/li>\n\n\n\n
- Rule order issues<\/strong>: Broad drops above specific allows will block legitimate traffic.<\/li>\n\n\n\n
- Ignoring IPv6<\/strong>: Use
ip6tables<\/code> (or nftables) to handle IPv6; otherwise, v6 stays unfiltered.<\/li>\n\n\n\n- Mixing backends<\/strong>: Don\u2019t mix iptables legacy with iptables-nft\/nftables accidentally. Keep your firewall tooling consistent.<\/li>\n<\/ul>\n\n\n\n
A Minimal Secure Baseline: Step-by-Step<\/h2>\n\n\n\n
Use this as a starting point for a typical Linux server. Adapt ports as needed.<\/p>\n\n\n\n
# 1) Default policies\nsudo iptables -P INPUT DROP\nsudo iptables -P FORWARD DROP\nsudo iptables -P OUTPUT ACCEPT\n\n# 2) Hygiene rules\nsudo iptables -A INPUT -i lo -j ACCEPT\nsudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n\n# 3) Service allows\nsudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT\nsudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT\nsudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT\n\n# 4) Optional: logs for debugging\nsudo iptables -A INPUT -j LOG --log-prefix \"IPT-DROP \" --log-level 6\n# 5) Drop everything else (policy already does)\n# 6) Save rules (Debian\/Ubuntu)\nsudo sh -c 'iptables-save > \/etc\/iptables\/rules.v4'<\/code><\/pre>\n\n\n\nSecurity Best Practices<\/h2>\n\n\n\n\n- Principle of least privilege<\/strong>: Open only what you must, where you must.<\/li>\n\n\n\n
- Document rules<\/strong>: Add comments with
-m comment --comment<\/code> so future you knows why a rule exists.<\/li>\n\n\n\n- Rate limit exposed services<\/strong>: Especially SSH and API endpoints.<\/li>\n\n\n\n
- Segment networks<\/strong>: Use interfaces, VLANs, and subnets to reduce blast radius.<\/li>\n\n\n\n
- Monitor and alert<\/strong>: Parse logs for anomalies. Consider fail2ban<\/a> with iptables for automated blocking.<\/li>\n\n\n\n
- Plan upgrades<\/strong>: Evaluate migrating to nftables for long term maintenance.<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nFAQs<\/h2>\n\n\n\n\n\nWhat is iptables used for in Linux?<\/h3>\n\n\niptables configures the Linux kernel\u2019s Netfilter firewall to control network traffic. You can allow or block ports, limit connections, log suspicious activity, and perform NAT for routing and port forwarding. It\u2019s a key tool for hardening servers and enforcing security policies.<\/p>\n\n<\/div>\n<\/div>\n
\nHow do I check my current iptables rules?<\/h3>\n\n\nRun sudo iptables -S<\/code> for rule syntax or sudo iptables -L -v -n --line-numbers<\/code> for a tabular view with counters. For NAT rules, use sudo iptables -t nat -L -v -n<\/code>. These commands show active in-memory policies.<\/p>\n\n<\/div>\n<\/div>\n\nIs iptables deprecated? Should I use nftables instead?<\/h3>\n\n\niptables isn\u2019t immediately deprecated, but nftables is the modern replacement and default backend on many distros. For new deployments, nftables or front ends like firewalld\/UFW are recommended. Legacy servers can keep iptables, but plan a gradual migration.<\/p>\n\n<\/div>\n<\/div>\n
\nHow can I persist iptables rules after reboot?<\/h3>\n\n\nOn Debian\/Ubuntu, install iptables-persistent<\/code> and run sudo netfilter-persistent save<\/code>. On RHEL\/CentOS-like systems, install iptables-services<\/code>, enable the service, and run service iptables save<\/code>. Alternatively, switch to firewalld for automatic persistence.<\/p>\n\n<\/div>\n<\/div>\n\nHow do I allow SSH from only one IP?<\/strong><\/h3>\n\n\nAdd a rule such as sudo iptables -A INPUT -p tcp --dport 22 -s 203.0.113.10 -j ACCEPT<\/code> and ensure your default policy or subsequent rules drop other SSH attempts. Always test from a second session before locking it down.<\/p>\n\n<\/div>\n<\/div>\n\nHow do I block a specific port with iptables?<\/h3>\n\n\nUse sudo iptables -A INPUT -p tcp --dport 25 -j DROP<\/code> to silently drop inbound TCP port 25. Replace the port number<\/a> as required. If your default policy is DROP, you may not need an explicit drop rule unless you want logging.<\/p>\n\n<\/div>\n<\/div>\n