To configure IPTables on a Linux server, define default policies, allow essential traffic (SSH, HTTP\/HTTPS), permit established connections, then drop everything else. Save and persist rules with iptables-save or iptables-persistent (Debian\/Ubuntu) or iptables-services (RHEL\/Alma\/Rocky). Test from a second session to avoid lockouts and log drops for troubleshooting.<\/p>\n\n\n\n
Configure IPTables on Linux server is a core skill for secure hosting in 2026. This guide walks you step by step\u2014covering how IPTables works, safe setup, common rules, NAT\/port forwarding, persistence across reboots, and troubleshooting. Whether you\u2019re running a VPS, dedicated server, or cloud instance, you\u2019ll learn a production-ready firewall workflow.<\/p>\n\n\n\n
IPTables is the Linux userspace firewall tool that interfaces with Netfilter in the kernel. It evaluates packets through tables (filter, nat, mangle) and chains (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING) using rules that match criteria and take actions (ACCEPT, DROP, REJECT). In 2026, many distros use nftables underneath, but iptables-nft compatibility remains widely available.<\/p>\n\n\n\n
sudo iptables -L -n -v\nsudo iptables-save > ~\/iptables.backup.$(date +%F-%H%M).v4\n# For IPv6 if in use:\nsudo ip6tables -L -n -v\nsudo ip6tables-save > ~\/ip6tables.backup.$(date +%F-%H%M).v6<\/code><\/pre>\n\n\n\nAlways keep a backup. If things break, you can restore quickly using iptables-restore.<\/p>\n\n\n\n
2) Flush Old Rules (Optional, With Caution)<\/strong><\/h3>\n\n\n\n# Clear rules and user-defined chains\nsudo iptables -F\nsudo iptables -X\nsudo iptables -t nat -F\nsudo iptables -t nat -X\nsudo iptables -t mangle -F\nsudo iptables -t mangle -X\n\n# Reset default policies to ACCEPT temporarily while building rules\nsudo iptables -P INPUT ACCEPT\nsudo iptables -P FORWARD ACCEPT\nsudo iptables -P OUTPUT ACCEPT<\/code><\/pre>\n\n\n\nKeep defaults OPEN while you add allow rules. You\u2019ll set them to DROP after whitelisting critical access.<\/p>\n\n\n\n
3) Allow Loopback and Established\/Related Traffic<\/strong><\/h3>\n\n\n\n# Allow loopback\nsudo iptables -A INPUT -i lo -j ACCEPT\nsudo iptables -A OUTPUT -o lo -j ACCEPT\n\n# Allow established\/related\nsudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\nsudo iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT<\/code><\/pre>\n\n\n\nThis preserves existing connections and prevents breakage during the change window.<\/p>\n\n\n\n
4) Allow SSH with Basic Protection<\/strong><\/h3>\n\n\n\n# Optional: restrict SSH to your IP\n# sudo iptables -A INPUT -p tcp -s YOUR.IP.ADDR.HERE --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n\n# Or allow SSH from anywhere with rate-limit\nsudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 10\/min --limit-burst 20 -j ACCEPT<\/code><\/pre>\n\n\n\nUsing a rate limit helps slow brute-force attempts. Pair with key-based auth and fail2ban for stronger protection.<\/p>\n\n\n\n
5) Allow Web and App Ports<\/strong><\/h3>\n\n\n\n# HTTP\/HTTPS\nsudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT\nsudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT\n\n# Add more services as needed, e.g., MySQL (local only), SMTP, etc.\n# sudo iptables -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -m conntrack --ctstate NEW -j ACCEPT<\/code><\/pre>\n\n\n\nExpose only what you need. For databases, allow localhost or known application subnets only.<\/p>\n\n\n\n
6) Optional: Allow ICMP (Ping) Safely<\/strong><\/h3>\n\n\n\n# Allow limited ping to aid monitoring\nsudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5\/second -j ACCEPT<\/code><\/pre>\n\n\n\nPing helps with diagnostics. If your policy forbids it, skip this step.<\/p>\n\n\n\n
7) Log and Drop the Rest<\/strong><\/h3>\n\n\n\n# Log (rate-limited) then drop\nsudo iptables -A INPUT -m limit --limit 5\/min -j LOG --log-prefix \"IPT DROP: \" --log-level 7\nsudo iptables -P INPUT DROP\nsudo iptables -P FORWARD DROP\n# Typically OUTPUT stays ACCEPT for servers initiating outbound traffic\nsudo iptables -P OUTPUT ACCEPT<\/code><\/pre>\n\n\n\nSet logging first, then DROP policies. Check \/var\/log\/syslog or \/var\/log\/messages depending on your distro.<\/p>\n\n\n\n
Common IPTables Rules and Examples<\/strong><\/h2>\n\n\n\nWhitelist a Trusted IP or Subnet<\/strong><\/h3>\n\n\n\n# Allow all from a trusted office IP\nsudo iptables -A INPUT -s 203.0.113.10 -j ACCEPT\n\n# Allow a subnet (CIDR)\nsudo iptables -A INPUT -s 203.0.113.0\/24 -j ACCEPT<\/code><\/pre>\n\n\n\nBlock a Malicious IP<\/strong><\/h3>\n\n\n\nsudo iptables -A INPUT -s 198.51.100.22 -j DROP<\/code><\/pre>\n\n\n\nRate-Limit New Connections to a Port<\/strong><\/h3>\n\n\n\n# Example: throttle HTTP floods of new TCP connections\nsudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 50\/second --limit-burst 200 -j ACCEPT<\/code><\/pre>\n\n\n\nDrop Invalid Packets<\/strong><\/h3>\n\n\n\nsudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP<\/code><\/pre>\n\n\n\nNAT and Port Forwarding (DNAT\/SNAT)<\/strong><\/h2>\n\n\n\nIf your server acts as a gateway or reverse proxy, you may need NAT rules. Enable IP forwarding first:<\/p>\n\n\n\n
echo 1 | sudo tee \/proc\/sys\/net\/ipv4\/ip_forward\n# Persist by editing \/etc\/sysctl.conf and setting:\n# net.ipv4.ip_forward = 1\nsudo sysctl -p<\/code><\/pre>\n\n\n\nPort Forward 80 to Backend 10.0.0.10:8080<\/strong><\/h2>\n\n\n\n# DNAT inbound requests hitting eth0\nsudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \\\n -j DNAT --to-destination 10.0.0.10:8080\n\n# Allow forwarding to backend\nsudo iptables -A FORWARD -p tcp -d 10.0.0.10 --dport 8080 \\\n -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n\n# SNAT\/MASQUERADE so replies return via this gateway (dynamic public IP)\nsudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<\/code><\/pre>\n\n\n\nOn servers with static public IPs, prefer SNAT with –to-source YOUR.PUBLIC.IP for performance and clarity.<\/p>\n\n\n\n
Persisting IPTables Rules Across Reboots<\/strong><\/h2>\n\n\n\nDebian\/Ubuntu<\/strong><\/h3>\n\n\n\nsudo apt update\nsudo apt install -y iptables-persistent\nsudo netfilter-persistent save\n# Alternatively:\n# sudo sh -c 'iptables-save > \/etc\/iptables\/rules.v4'\n# sudo sh -c 'ip6tables-save > \/etc\/iptables\/rules.v6'<\/code><\/pre>\n\n\n\nRHEL\/AlmaLinux\/Rocky (8\/9)<\/strong><\/h3>\n\n\n\nThese use nftables under the hood. If you insist on iptables persistence, install iptables-services (not always recommended if firewalld is managing nftables):<\/p>\n\n\n\n
sudo dnf install -y iptables-services\nsudo systemctl enable --now iptables\nsudo sh -c 'iptables-save > \/etc\/sysconfig\/iptables'\nsudo systemctl restart iptables<\/code><\/pre>\n\n\n\nAlternatively, manage firewall rules with firewalld or native nftables for long-term compatibility, especially on newer releases.<\/p>\n\n\n\n
Testing and Troubleshooting<\/strong><\/h2>\n\n\n\n\n- List rules in command form: iptables -S<\/li>\n\n\n\n
- Check counters: iptables -L -n -v<\/li>\n\n\n\n
- Verify listening services: ss -tulpn<\/li>\n\n\n\n
- Scan from another host (carefully): nmap -Pn -p 22,80,443 your.server.ip<\/li>\n\n\n\n
- Watch logs: journalctl -f or tail -f \/var\/log\/syslog<\/li>\n\n\n\n
- Restore backup if needed:
sudo iptables-restore < ~\/iptables.backup.DATE.v4<\/code><\/pre><\/li>\n<\/ul>\n\n\n\nIPTables vs UFW vs firewalld vs nftables (2026)<\/strong><\/h2>\n\n\n\n\n- IPTables: granular, classic tooling; steep learning curve; still supported via iptables-nft on modern kernels.<\/li>\n\n\n\n
- UFW: user-friendly frontend (Ubuntu); great for simple host firewalls.<\/li>\n\n\n\n
- firewalld: dynamic daemon with zones; default on RHEL\/Fedora; easier multi-interface policies.<\/li>\n\n\n\n
- nftables: modern replacement; unified IPv4\/IPv6; simpler syntax and better performance.<\/li>\n<\/ul>\n\n\n\n
For new deployments on bleeding-edge distros, nftables or firewalld is future-proof. If your playbooks and teams are standardized on IPTables, the compatibility layer remains reliable in 2026.<\/p>\n\n\n\n
Best Practices for Production Servers<\/strong><\/h2>\n\n\n\n\n- Always add allow rules for SSH and management before setting DROP policies.<\/li>\n\n\n\n
- Use change windows and keep a console session open (or out-of-band access via your hosting panel).<\/li>\n\n\n\n
- Apply least privilege: expose only required ports and subnets.<\/li>\n\n\n\n
- Combine with fail2ban and strong authentication (SSH keys, MFA on control panels).<\/li>\n\n\n\n
- Document your rule set; use comments with -m comment –comment “purpose”.<\/li>\n\n\n\n
- Version-control your rules and automate with Ansible or shell scripts.<\/li>\n\n\n\n
- Review logs for unusual drops; tune rate limits to your traffic profile.<\/li>\n<\/ul>\n\n\n\n
When to Consider Managed Firewall Help<\/strong><\/h2>\n\n\n\nIf you\u2019d rather not babysit firewall syntax, YouStable\u2019s managed VPS and dedicated servers<\/a> can ship with hardened firewall profiles, DDoS protection, and 24\u00d77 support. We help you choose the right approach\u2014IPTables, firewalld, or nftables\u2014and keep it compliant with your stack and SLAs.<\/p>\n\n\n\nFull Example: Minimal, Secure Web Server Rules (IPv4)<\/strong><\/h2>\n\n\n\n# Flush and set permissive defaults while building\niptables -F\niptables -X\niptables -t nat -F\niptables -t mangle -F\niptables -P INPUT ACCEPT\niptables -P FORWARD DROP\niptables -P OUTPUT ACCEPT\n\n# Allow loopback and established\/related\niptables -A INPUT -i lo -j ACCEPT\niptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n\n# SSH with rate-limit\niptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 10\/min --limit-burst 20 -j ACCEPT\n\n# Web traffic\niptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT\niptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT\n\n# Optional: limited ping\niptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5\/second -j ACCEPT\n\n# Drop invalid and log drops\niptables -A INPUT -m conntrack --ctstate INVALID -j DROP\niptables -A INPUT -m limit --limit 5\/min -j LOG --log-prefix \"IPT DROP: \" --log-level 7\n\n# Lock it down\niptables -P INPUT DROP\n\n# Save (Debian\/Ubuntu)\n# netfilter-persistent save\n# Or\n# iptables-save > \/etc\/iptables\/rules.v4<\/code><\/pre>\n\n\n\nFAQs: How to Configure IPTables on Linux Server<\/strong><\/h2>\n\n\n\t\t\n\t\t\t\tIs IPTables still used in 2026, or should I switch to nftables?<\/h3>\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\n\nYes, IPTables is still used\u2014often via the iptables-nft compatibility layer. For new builds, nftables or firewalld offers cleaner syntax and long-term support. If your tooling relies on IPTables, you can keep using it reliably in 2026.<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\n\t\t\t\tHow do I make IPTables rules persistent after reboot?<\/h3>\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\n\nOn Debian\/Ubuntu, install iptables-persistent and run netfilter-persistent save. On RHEL\/Alma\/Rocky, install iptables-services, save rules to \/etc\/sysconfig\/iptables, and enable the iptables service. Verify on reboot with iptables -L -n -v.<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\n\t\t\t\tWhat\u2019s the safest way to avoid locking myself out?<\/h3>\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\n\nKeep two sessions open, add SSH allow rules first, apply changes incrementally, and only then set default DROP policies. If available, maintain console or out-of-band access to revert quickly using your hosting control panel.<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\n\t\t\t\tShould I use UFW or firewalld instead of IPTables?<\/h3>\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\n\nFor simplicity, UFW (Ubuntu) and firewalld (RHEL) are easier and integrate well with nftables. IPTables is great for granular control or legacy playbooks. Choose the tool that matches your team\u2019s skills and OS defaults.<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\n\t\t\t\tHow can I rate-limit or block DDoS with IPTables?<\/h3>\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\n\nUse -m limit for new connection rate limits, drop invalid packets, and log suspicious traffic. For volumetric DDoS, host-level IPTables isn\u2019t enough; use upstream protection, CDN\/WAF, and hosting providers<\/a> like YouStable that offer DDoS mitigation.<\/p>\n\n\n\nWith these steps and examples, you now know how to configure IPTables on a Linux server safely and effectively. If you need hardened configurations, staging\/testing help, or 24\u00d77 monitoring, YouStable\u2019s managed hosting can handle the firewall while you focus on your apps.<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\n