What is IPTables and Why it Matters<\/strong>?<\/h2>\n\n\n\n\nIptables is a userspace utility that configures the Linux kernel\u2019s netfilter firewall. It lets you create rule sets to ACCEPT, DROP, or REJECT packets based on criteria like protocol, port, source\/destination IP, and connection state. For most VPS and dedicated servers<\/a>, iptables is a lightweight, powerful way to harden your perimeter quickly.<\/p>\n<\/div>![\"What](\"https:\/\/www.youstable.com\/blog\/wp-content\/uploads\/2025\/12\/What-Is-IPTables-and-Why-It-Matters.png\")
<\/figure><\/div>\n\n\n\nModern distributions increasingly use nftables under the hood. On many systems, the iptables command is a compatibility wrapper. That\u2019s fine\u2014your workflow remains similar. If you prefer higher-level tools, UFW (Ubuntu) or firewalld (RHEL family) sit on top of iptables\/nftables, but iptables gives you maximum control.<\/p>\n\n\n\n
Before You Start: Safety Checklist<\/strong><\/h2>\n\n\n\n\n- Have out-of-band console access (cloud\/VPS console or IPMI) in case you lock out SSH.<\/li>\n\n\n\n
- Ensure sudo or root privileges.<\/li>\n\n\n\n
- Know your SSH port (default 22) and any services you must keep reachable (80\/443, database, etc.).<\/li>\n\n\n\n
- Back up current rules:<\/strong>
iptables-save > \/root\/iptables.backup<\/code>.<\/li>\n\n\n\n- Plan a timed rollback during testing so you can recover automatically.<\/li>\n<\/ul>\n\n\n\n
IPTables Basics: Tables, Chains, Policies<\/strong><\/h2>\n\n\n\nIptables rules live in \u201ctables,\u201d and each table contains \u201cchains\u201d that packets traverse. The essentials:<\/p>\n\n\n\n
\n- Tables:<\/strong> filter<\/strong> (default packet filtering), nat<\/strong> (SNAT\/DNAT\/port forwarding), mangle<\/strong> (packet alteration), raw<\/strong> (connection tracking exemptions).<\/li>\n\n\n\n
- Chains:<\/strong> INPUT<\/strong> (to local server), OUTPUT<\/strong> (from local server), FORWARD<\/strong> (through server), plus PREROUTING\/POSTROUTING<\/strong> in nat\/mangle.<\/li>\n\n\n\n
- Targets: ACCEPT<\/strong>, DROP<\/strong>, REJECT<\/strong>, or jump to user-defined chains.<\/li>\n\n\n\n
- Stateful filtering:<\/strong> conntrack<\/strong> allows rules like \u201cpermit established connections.\u201d<\/li>\n<\/ul>\n\n\n\n
Quick-Start: Build a Secure Baseline<\/strong><\/h2>\n\n\n\nThis baseline allows loopback, established\/related traffic, SSH, HTTP\/HTTPS, optional ping, and drops everything else on INPUT. Adjust ports as needed.<\/p>\n\n\n\n
# 1) Backup current rules\niptables-save > \/root\/iptables.backup\n\n# 2) Set default policies (be careful: add allows before setting DROP if you're remote)\niptables -P INPUT DROP\niptables -P FORWARD DROP\niptables -P OUTPUT ACCEPT\n\n# 3) Allow loopback\niptables -A INPUT -i lo -j ACCEPT\n\n# 4) Allow established\/related\niptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n\n# 5) Allow SSH (change 22 if custom)\niptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n\n# 6) Allow web traffic (HTTP\/HTTPS)\niptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT\n\n# 7) Optional: allow ping (ICMP echo-request)\niptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT\n\n# 8) Drop everything else (already handled by default policy)\n# No explicit rule necessary, but you can log before dropping (see later section)<\/code><\/pre>\n\n\n\nTest SSH in a second terminal before closing your current session. If something goes wrong, restore immediately:<\/p>\n\n\n\n
iptables-restore < \/root\/iptables.backup<\/code><\/pre>\n\n\n\nCommon IPTables Tasks (Practical Examples)<\/strong><\/h2>\n\n\n\nAllow or Deny Specific Ports<\/strong><\/h3>\n\n\n\n# Allow SMTP and submission\niptables -A INPUT -p tcp -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT\n\n# Block Telnet explicitly\niptables -A INPUT -p tcp --dport 23 -j DROP<\/code><\/pre>\n\n\n\nAllow by Source IP\/Subnet<\/strong><\/h3>\n\n\n\n# Only allow PostgreSQL from a private subnet\niptables -A INPUT -p tcp -s 10.0.0.0\/24 --dport 5432 -m conntrack --ctstate NEW -j ACCEPT<\/code><\/pre>\n\n\n\nBlock a Host or Network<\/strong><\/h3>\n\n\n\n# Drop all packets from a hostile IP\niptables -A INPUT -s 203.0.113.77 -j DROP\n\n# Drop a CIDR block\niptables -A INPUT -s 198.51.100.0\/24 -j DROP<\/code><\/pre>\n\n\n\nRate-Limit SSH to Throttle Brute Force<\/strong><\/h3>\n\n\n\nThis simple approach drops new SSH attempts if there are too many in a short window.<\/p>\n\n\n\n
# Allow a burst of 10 new SSH connections per minute, then slow down\niptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set\niptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP<\/code><\/pre>\n\n\n\nPort Forwarding (DNAT) and Source NAT (SNAT)<\/strong><\/h3>\n\n\n\nEnable IP forwarding in sysctl and forward traffic coming to a public port to an internal host\/port.<\/p>\n\n\n\n
# Enable IP forwarding (persist by editing \/etc\/sysctl.conf)\nsysctl -w net.ipv4.ip_forward=1\n\n# Forward public :2222 to internal 10.0.0.10:22\niptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to-destination 10.0.0.10:22\niptables -A FORWARD -p tcp -d 10.0.0.10 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\niptables -t nat -A POSTROUTING -p tcp -d 10.0.0.10 --dport 22 -j MASQUERADE\n\n# Generic outbound SNAT for internal network via eth0\niptables -t nat -A POSTROUTING -s 10.0.0.0\/24 -o eth0 -j MASQUERADE<\/code><\/pre>\n\n\n\nControl ICMP (Ping)<\/strong><\/h3>\n\n\n\n# Allow ping to the server\niptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT\n\n# Or block ping explicitly\n# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP<\/code><\/pre>\n\n\n\nPersisting IPTables Rules Across Reboots<\/strong><\/h2>\n\n\n\nBy default, iptables rules are stored in memory. Save them to load on boot.<\/p>\n\n\n\n
Debian\/Ubuntu<\/strong><\/h3>\n\n\n\napt-get update && apt-get install -y iptables-persistent\nnetfilter-persistent save\n# Files: \/etc\/iptables\/rules.v4 and \/etc\/iptables\/rules.v6<\/code><\/pre>\n\n\n\nRHEL\/CentOS\/Rocky\/AlmaLinux (iptables-services)<\/strong><\/h3>\n\n\n\nyum install<\/a> -y iptables-services\nsystemctl enable iptables\nsystemctl start iptables\nservice iptables save # Saves to \/etc\/sysconfig\/iptables<\/code><\/pre>\n\n\n\nIf your distro defaults to nftables, iptables may be an nft wrapper. That\u2019s okay, but be consistent. On Debian-based systems, you can check and switch with:<\/p>\n\n\n\n
update-alternatives --config iptables<\/code><\/pre>\n\n\n\nVerify, Log, and Troubleshoot<\/strong><\/h2>\n\n\n\nInspect Rules and Counters<\/strong><\/h3>\n\n\n\niptables -L -n -v --line-numbers\niptables -t nat -L -n -v --line-numbers<\/code><\/pre>\n\n\n\nAdd Logging Before Dropping<\/strong><\/h3>\n\n\n\nLog at a limited rate to avoid flooding syslog. Review logs in \/var\/log\/syslog<\/code> or \/var\/log\/messages<\/code> depending on your distro.<\/p>\n\n\n\n# Create a logging rule above the final drop\niptables -A INPUT -m limit --limit 5\/min -j LOG --log-prefix \"iptables denied: \" --log-level 7<\/code><\/pre>\n\n\n\nAvoid Lockouts: Timed Rollback Trick<\/strong><\/h3>\n\n\n\nWhile testing remotely, schedule a rollback so changes revert if you lose access.<\/p>\n\n\n\n
# Revert to backup after 2 minutes unless you cancel the job\n(sleep 120; iptables-restore < \/root\/iptables.backup) &\n\n# If everything works, kill the sleep process or overwrite the backup with new rules<\/code><\/pre>\n\n\n\nBest Practices for a Production Server<\/strong><\/h2>\n\n\n\n\n- Default-deny:<\/strong> DROP INPUT and FORWARD; allow only what you need.<\/li>\n\n\n\n
- Prefer stateful rules:<\/strong> always allow ESTABLISHED,RELATED first.<\/li>\n\n\n\n
- Separate concerns: <\/strong>use user-defined chains for clarity (e.g.,
SSH-IN<\/code>, WEB-IN<\/code>).<\/li>\n\n\n\n- Remember IPv6:<\/strong> mirror rules with
ip6tables<\/code> if you have AAAA records or IPv6 connectivity.<\/li>\n\n\n\n- Use rate-limiting on exposed services and complement with Fail2ban.<\/li>\n\n\n\n
- Document your firewall: <\/strong>keep rules in version control and include comments.<\/li>\n\n\n\n
- Change SSH port only alongside proper rules and security hardening; don\u2019t rely on obscurity.<\/li>\n<\/ul>\n\n\n\n
UFW and Firewalld vs IPTables vs Nftables<\/strong><\/h2>\n\n\n\nUFW (Ubuntu) and firewalld (RHEL) provide simpler syntax and profiles, great for quick setups and teams. Underneath, modern systems often use nftables. Iptables gives you explicit, fine-grained control and is perfect for power users, automation, and troubleshooting. Choose the tool your team can maintain consistently.<\/p>\n\n\n\n
Real-World Scenarios<\/strong><\/h2>\n\n\n\nLAMP\/LEMP Web Server<\/strong><\/h3>\n\n\n\n\n- Allow 22, 80, 443.<\/li>\n\n\n\n
- Restrict database ports (3306 MySQL\/MariaDB, 5432 PostgreSQL) to private subnets or specific IPs.<\/li>\n\n\n\n
- Enable HTTP\/2\/3 at the application\/proxy layer; firewall stays protocol-agnostic for TCP\/UDP.<\/li>\n<\/ul>\n\n\n\n
Mail Server<\/strong><\/h3>\n\n\n\n\n- Allow 25, 465, 587, 110, 995, 143, 993 as needed.<\/li>\n\n\n\n
- Rate-limit SMTP where appropriate to reduce inbound abuse.<\/li>\n\n\n\n
- Harden with Fail2ban and proper DNS (SPF, DKIM, DMARC).<\/li>\n<\/ul>\n\n\n\n
Docker Hosts<\/strong><\/h3>\n\n\n\nDocker manipulates iptables automatically (nat and filter). Avoid manual rules that conflict with Docker\u2019s chains. Place your custom rules before Docker\u2019s catch-all where appropriate, and test container networking thoroughly after changes.<\/p>\n\n\n\n
Flushing and Resetting Rules (Recovery)<\/strong><\/h3>\n\n\n\nIf you need to wipe rules, switch default policies to ACCEPT first to avoid cutting your own access, then flush.<\/p>\n\n\n\n
# Temporarily allow everything\niptables -P INPUT ACCEPT\niptables -P FORWARD ACCEPT\niptables -P OUTPUT ACCEPT\n\n# Flush rules and delete user chains\niptables -F\niptables -t nat -F\niptables -t mangle -F\niptables -X\n\n# Optionally restore from backup\niptables-restore < \/root\/iptables.backup<\/code><\/pre>\n\n\n\nYouStable Tip: Secure Defaults on Day One<\/strong><\/h2>\n\n\n\nIf you host your Linux VPS or dedicated server with YouStable, our support team can help you apply a production-ready iptables baseline, tailor rules to your stack, and set up persistence. That means you start with a least-privilege firewall and focus on scaling your apps safely.<\/p>\n\n\n\n
Key Takeaways<\/strong><\/h2>\n\n\n\n\n- Start with a default-deny stance and explicitly allow required services.<\/li>\n\n\n\n
- Use stateful rules, logging, and careful testing to avoid outages.<\/li>\n\n\n\n
- Persist your configuration and document it for future maintenance.<\/li>\n\n\n\n
- Choose the firewall tool (iptables, nftables, UFW, firewalld) your team can manage confidently.<\/li>\n\n\n\n
- On YouStable servers, you can launch with a hardened baseline and expert help when you need it.<\/li>\n<\/ul>\n\n\n\n
FAQs<\/strong><\/h2>\n\n\n\n\n\nIs iptables still used, or should I switch to nftables?<\/strong><\/h3>\n\n\nYes, iptables is still widely used. Many systems run iptables as a wrapper over nftables. If you\u2019re starting fresh and want a modern syntax, nftables is great. If you maintain legacy scripts or prefer iptables semantics, continue using it\u2014just stay consistent across your fleet.<\/p>\n\n<\/div>\n<\/div>\n
\nHow do I prevent locking myself out over SSH?<\/strong><\/h3>\n\n\nAlways allow SSH before setting DROP policies, keep a second SSH session open for testing, and schedule a timed rollback with a sleep\/restore command. Ideally, have console access via your provider\u2019s panel for emergency recovery.<\/p>\n\n<\/div>\n<\/div>\n
\nWhat\u2019s the difference between DROP and REJECT?<\/strong><\/h3>\n\n\nDROP silently discards packets; REJECT actively informs the sender (e.g., with ICMP unreachable). DROP is stealthier, but REJECT can speed up client failures for legitimate users. Use each where it makes operational sense.<\/p>\n\n<\/div>\n<\/div>\n
\nHow can I make iptables rules persistent on Ubuntu?<\/strong><\/h3>\n\n\nInstall iptables-persistent: apt-get install -y iptables-persistent<\/code>, then run netfilter-persistent save<\/code>. This writes rules to \/etc\/iptables\/rules.v4<\/code> and rules.v6<\/code>, which load on boot.<\/p>\n\n<\/div>\n<\/div>\n\nDo I need separate rules for IPv6?<\/strong><\/h3>\n\n\nYes. IPv4 and IPv6 have separate rule sets. Use ip6tables<\/code> for IPv6 (or nftables for unified management). If your domain has AAAA records or your host has IPv6 enabled, mirror your IPv4 policy with IPv6 equivalents.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"Iptables is the built-in Linux firewall that filters network traffic using tables and chains. To use iptables on a Linux […]<\/p>\n","protected":false},"author":21,"featured_media":15530,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[350],"tags":[],"class_list":["post-13251","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-knowledgebase"],"acf":[],"featured_image_src":"https:\/\/www.youstable.com\/blog\/wp-content\/uploads\/2025\/12\/How-to-Use-IPTables-on-Linux-Server.jpg","author_info":{"display_name":"Sanjeet Chauhan","author_link":"https:\/\/www.youstable.com\/blog\/author\/sanjeet"},"_links":{"self":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/13251","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/comments?post=13251"}],"version-history":[{"count":6,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/13251\/revisions"}],"predecessor-version":[{"id":15531,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/13251\/revisions\/15531"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/media\/15530"}],"wp:attachment":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/media?parent=13251"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/categories?post=13251"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/tags?post=13251"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Iptables is a userspace utility that configures the Linux kernel\u2019s netfilter firewall. It lets you create rule sets to ACCEPT, DROP, or REJECT packets based on criteria like protocol, port, source\/destination IP, and connection state. For most VPS and dedicated servers<\/a>, iptables is a lightweight, powerful way to harden your perimeter quickly.<\/p>\n<\/div> Modern distributions increasingly use nftables under the hood. On many systems, the iptables command is a compatibility wrapper. That\u2019s fine\u2014your workflow remains similar. If you prefer higher-level tools, UFW (Ubuntu) or firewalld (RHEL family) sit on top of iptables\/nftables, but iptables gives you maximum control.<\/p>\n\n\n\n Iptables rules live in \u201ctables,\u201d and each table contains \u201cchains\u201d that packets traverse. The essentials:<\/p>\n\n\n\n This baseline allows loopback, established\/related traffic, SSH, HTTP\/HTTPS, optional ping, and drops everything else on INPUT. Adjust ports as needed.<\/p>\n\n\n\n Test SSH in a second terminal before closing your current session. If something goes wrong, restore immediately:<\/p>\n\n\n\n This simple approach drops new SSH attempts if there are too many in a short window.<\/p>\n\n\n\n Enable IP forwarding in sysctl and forward traffic coming to a public port to an internal host\/port.<\/p>\n\n\n\n By default, iptables rules are stored in memory. Save them to load on boot.<\/p>\n\n\n\n If your distro defaults to nftables, iptables may be an nft wrapper. That\u2019s okay, but be consistent. On Debian-based systems, you can check and switch with:<\/p>\n\n\n\n Log at a limited rate to avoid flooding syslog. Review logs in While testing remotely, schedule a rollback so changes revert if you lose access.<\/p>\n\n\n\n UFW (Ubuntu) and firewalld (RHEL) provide simpler syntax and profiles, great for quick setups and teams. Underneath, modern systems often use nftables. Iptables gives you explicit, fine-grained control and is perfect for power users, automation, and troubleshooting. Choose the tool your team can maintain consistently.<\/p>\n\n\n\n Docker manipulates iptables automatically (nat and filter). Avoid manual rules that conflict with Docker\u2019s chains. Place your custom rules before Docker\u2019s catch-all where appropriate, and test container networking thoroughly after changes.<\/p>\n\n\n\n If you need to wipe rules, switch default policies to ACCEPT first to avoid cutting your own access, then flush.<\/p>\n\n\n\n If you host your Linux VPS or dedicated server with YouStable, our support team can help you apply a production-ready iptables baseline, tailor rules to your stack, and set up persistence. That means you start with a least-privilege firewall and focus on scaling your apps safely.<\/p>\n\n\n\n Yes, iptables is still widely used. Many systems run iptables as a wrapper over nftables. If you\u2019re starting fresh and want a modern syntax, nftables is great. If you maintain legacy scripts or prefer iptables semantics, continue using it\u2014just stay consistent across your fleet.<\/p>\n\n<\/div>\n<\/div>\n Always allow SSH before setting DROP policies, keep a second SSH session open for testing, and schedule a timed rollback with a sleep\/restore command. Ideally, have console access via your provider\u2019s panel for emergency recovery.<\/p>\n\n<\/div>\n<\/div>\n DROP silently discards packets; REJECT actively informs the sender (e.g., with ICMP unreachable). DROP is stealthier, but REJECT can speed up client failures for legitimate users. Use each where it makes operational sense.<\/p>\n\n<\/div>\n<\/div>\n Install iptables-persistent: Yes. IPv4 and IPv6 have separate rule sets. Use Iptables is the built-in Linux firewall that filters network traffic using tables and chains. To use iptables on a Linux […]<\/p>\n","protected":false},"author":21,"featured_media":15530,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[350],"tags":[],"class_list":["post-13251","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-knowledgebase"],"acf":[],"featured_image_src":"https:\/\/www.youstable.com\/blog\/wp-content\/uploads\/2025\/12\/How-to-Use-IPTables-on-Linux-Server.jpg","author_info":{"display_name":"Sanjeet Chauhan","author_link":"https:\/\/www.youstable.com\/blog\/author\/sanjeet"},"_links":{"self":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/13251","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/comments?post=13251"}],"version-history":[{"count":6,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/13251\/revisions"}],"predecessor-version":[{"id":15531,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/13251\/revisions\/15531"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/media\/15530"}],"wp:attachment":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/media?parent=13251"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/categories?post=13251"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/tags?post=13251"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}<\/figure><\/div>\n\n\n\nBefore You Start: Safety Checklist<\/strong><\/h2>\n\n\n\n
\n
iptables-save > \/root\/iptables.backup<\/code>.<\/li>\n\n\n\nIPTables Basics: Tables, Chains, Policies<\/strong><\/h2>\n\n\n\n
\n
Quick-Start: Build a Secure Baseline<\/strong><\/h2>\n\n\n\n
# 1) Backup current rules\niptables-save > \/root\/iptables.backup\n\n# 2) Set default policies (be careful: add allows before setting DROP if you're remote)\niptables -P INPUT DROP\niptables -P FORWARD DROP\niptables -P OUTPUT ACCEPT\n\n# 3) Allow loopback\niptables -A INPUT -i lo -j ACCEPT\n\n# 4) Allow established\/related\niptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n\n# 5) Allow SSH (change 22 if custom)\niptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n\n# 6) Allow web traffic (HTTP\/HTTPS)\niptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT\n\n# 7) Optional: allow ping (ICMP echo-request)\niptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT\n\n# 8) Drop everything else (already handled by default policy)\n# No explicit rule necessary, but you can log before dropping (see later section)<\/code><\/pre>\n\n\n\niptables-restore < \/root\/iptables.backup<\/code><\/pre>\n\n\n\nCommon IPTables Tasks (Practical Examples)<\/strong><\/h2>\n\n\n\n
Allow or Deny Specific Ports<\/strong><\/h3>\n\n\n\n
# Allow SMTP and submission\niptables -A INPUT -p tcp -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT\n\n# Block Telnet explicitly\niptables -A INPUT -p tcp --dport 23 -j DROP<\/code><\/pre>\n\n\n\nAllow by Source IP\/Subnet<\/strong><\/h3>\n\n\n\n
# Only allow PostgreSQL from a private subnet\niptables -A INPUT -p tcp -s 10.0.0.0\/24 --dport 5432 -m conntrack --ctstate NEW -j ACCEPT<\/code><\/pre>\n\n\n\nBlock a Host or Network<\/strong><\/h3>\n\n\n\n
# Drop all packets from a hostile IP\niptables -A INPUT -s 203.0.113.77 -j DROP\n\n# Drop a CIDR block\niptables -A INPUT -s 198.51.100.0\/24 -j DROP<\/code><\/pre>\n\n\n\nRate-Limit SSH to Throttle Brute Force<\/strong><\/h3>\n\n\n\n
# Allow a burst of 10 new SSH connections per minute, then slow down\niptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set\niptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP<\/code><\/pre>\n\n\n\nPort Forwarding (DNAT) and Source NAT (SNAT)<\/strong><\/h3>\n\n\n\n
# Enable IP forwarding (persist by editing \/etc\/sysctl.conf)\nsysctl -w net.ipv4.ip_forward=1\n\n# Forward public :2222 to internal 10.0.0.10:22\niptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to-destination 10.0.0.10:22\niptables -A FORWARD -p tcp -d 10.0.0.10 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\niptables -t nat -A POSTROUTING -p tcp -d 10.0.0.10 --dport 22 -j MASQUERADE\n\n# Generic outbound SNAT for internal network via eth0\niptables -t nat -A POSTROUTING -s 10.0.0.0\/24 -o eth0 -j MASQUERADE<\/code><\/pre>\n\n\n\nControl ICMP (Ping)<\/strong><\/h3>\n\n\n\n
# Allow ping to the server\niptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT\n\n# Or block ping explicitly\n# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP<\/code><\/pre>\n\n\n\nPersisting IPTables Rules Across Reboots<\/strong><\/h2>\n\n\n\n
Debian\/Ubuntu<\/strong><\/h3>\n\n\n\n
apt-get update && apt-get install -y iptables-persistent\nnetfilter-persistent save\n# Files: \/etc\/iptables\/rules.v4 and \/etc\/iptables\/rules.v6<\/code><\/pre>\n\n\n\nRHEL\/CentOS\/Rocky\/AlmaLinux (iptables-services)<\/strong><\/h3>\n\n\n\n
yum install<\/a> -y iptables-services\nsystemctl enable iptables\nsystemctl start iptables\nservice iptables save # Saves to \/etc\/sysconfig\/iptables<\/code><\/pre>\n\n\n\nupdate-alternatives --config iptables<\/code><\/pre>\n\n\n\nVerify, Log, and Troubleshoot<\/strong><\/h2>\n\n\n\n
Inspect Rules and Counters<\/strong><\/h3>\n\n\n\n
iptables -L -n -v --line-numbers\niptables -t nat -L -n -v --line-numbers<\/code><\/pre>\n\n\n\nAdd Logging Before Dropping<\/strong><\/h3>\n\n\n\n
\/var\/log\/syslog<\/code> or \/var\/log\/messages<\/code> depending on your distro.<\/p>\n\n\n\n# Create a logging rule above the final drop\niptables -A INPUT -m limit --limit 5\/min -j LOG --log-prefix \"iptables denied: \" --log-level 7<\/code><\/pre>\n\n\n\nAvoid Lockouts: Timed Rollback Trick<\/strong><\/h3>\n\n\n\n
# Revert to backup after 2 minutes unless you cancel the job\n(sleep 120; iptables-restore < \/root\/iptables.backup) &\n\n# If everything works, kill the sleep process or overwrite the backup with new rules<\/code><\/pre>\n\n\n\nBest Practices for a Production Server<\/strong><\/h2>\n\n\n\n
\n
SSH-IN<\/code>, WEB-IN<\/code>).<\/li>\n\n\n\nip6tables<\/code> if you have AAAA records or IPv6 connectivity.<\/li>\n\n\n\nUFW and Firewalld vs IPTables vs Nftables<\/strong><\/h2>\n\n\n\n
Real-World Scenarios<\/strong><\/h2>\n\n\n\n
LAMP\/LEMP Web Server<\/strong><\/h3>\n\n\n\n
\n
Mail Server<\/strong><\/h3>\n\n\n\n
\n
Docker Hosts<\/strong><\/h3>\n\n\n\n
Flushing and Resetting Rules (Recovery)<\/strong><\/h3>\n\n\n\n
# Temporarily allow everything\niptables -P INPUT ACCEPT\niptables -P FORWARD ACCEPT\niptables -P OUTPUT ACCEPT\n\n# Flush rules and delete user chains\niptables -F\niptables -t nat -F\niptables -t mangle -F\niptables -X\n\n# Optionally restore from backup\niptables-restore < \/root\/iptables.backup<\/code><\/pre>\n\n\n\nYouStable Tip: Secure Defaults on Day One<\/strong><\/h2>\n\n\n\n
Key Takeaways<\/strong><\/h2>\n\n\n\n
\n
FAQs<\/strong><\/h2>\n\n\n
Is iptables still used, or should I switch to nftables?<\/strong><\/h3>\n
How do I prevent locking myself out over SSH?<\/strong><\/h3>\n
What\u2019s the difference between DROP and REJECT?<\/strong><\/h3>\n
How can I make iptables rules persistent on Ubuntu?<\/strong><\/h3>\n
apt-get install -y iptables-persistent<\/code>, then run netfilter-persistent save<\/code>. This writes rules to \/etc\/iptables\/rules.v4<\/code> and rules.v6<\/code>, which load on boot.<\/p>\n\n<\/div>\n<\/div>\nDo I need separate rules for IPv6?<\/strong><\/h3>\n
ip6tables<\/code> for IPv6 (or nftables for unified management). If your domain has AAAA records or your host has IPv6 enabled, mirror your IPv4 policy with IPv6 equivalents.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"