Linux Firewall Tutorial: IPTables Tables, Chains, Rules Fundamentals

by Ramesh Natarajan on January 24, 2011

iptables firewall is used to manage packet filtering and NAT rules. IPTables comes with all Linux distributions. Understanding how to setup and configure iptables will help you manage your Linux firewall effectively.

iptables tool is used to manage the Linux firewall rules. At a first look, iptables might look complex (or even confusing). But, once you understand the basics of how iptables work and how it is structured, reading and writing iptables firewall rules will be easy.

This article is part of an ongoing iptables tutorial series. This is the 1st article in that series.

This article explains how iptables is structured, and explains the fundamentals about iptables tables, chains and rules.

On a high-level iptables might contain multiple tables. Tables might contain multiple chains. Chains can be built-in or user-defined. Chains might contain multiple rules. Rules are defined for the packets.

So, the structure is: iptables -> Tables -> Chains -> Rules. This is defined in the following diagram.


Fig: IPTables Table, Chain, and Rule Structure

Just to re-iterate, tables are bunch of chains, and chains are bunch of firewall rules.

I. IPTABLES TABLES and CHAINS

IPTables has the following 4 built-in tables.

1. Filter Table

Filter is default table for iptables. So, if you don’t define you own table, you’ll be using filter table. Iptables’s filter table has the following built-in chains.

  • INPUT chain – Incoming to firewall. For packets coming to the local server.
  • OUTPUT chain – Outgoing from firewall. For packets generated locally and going out of the local server.
  • FORWARD chain – Packet for another NIC on the local server. For packets routed through the local server.

2. NAT table

Iptable’s NAT table has the following built-in chains.

  • PREROUTING chain – Alters packets before routing. i.e Packet translation happens immediately after the packet comes to the system (and before routing). This helps to translate the destination ip address of the packets to something that matches the routing on the local server. This is used for DNAT (destination NAT).
  • POSTROUTING chain – Alters packets after routing. i.e Packet translation happens when the packets are leaving the system. This helps to translate the source ip address of the packets to something that might match the routing on the desintation server. This is used for SNAT (source NAT).
  • OUTPUT chain – NAT for locally generated packets on the firewall.

3. Mangle table

Iptables’s Mangle table is for specialized packet alteration. This alters QOS bits in the TCP header. Mangle table has the following built-in chains.

  • PREROUTING chain
  • OUTPUT chain
  • FORWARD chain
  • INPUT chain
  • POSTROUTING chain

4. Raw table

Iptable’s Raw table is for configuration excemptions. Raw table has the following built-in chains.

  • PREROUTING chain
  • OUTPUT chain

The following diagram shows the three important tables in iptables.

Fig: IPTables built-in tables

II. IPTABLES RULES

Following are the key points to remember for the iptables rules.

  • Rules contain a criteria and a target.
  • If the criteria is matched, it goes to the rules specified in the target (or) executes the special values mentioned in the target.
  • If the criteria is not matached, it moves on to the next rule.

Target Values

Following are the possible special values that you can specify in the target.

  • ACCEPT – Firewall will accept the packet.
  • DROP – Firewall will drop the packet.
  • QUEUE – Firewall will pass the packet to the userspace.
  • RETURN – Firewall will stop executing the next set of rules in the current chain for this packet. The control will be returned to the calling chain.

If you do iptables –list (or) service iptables status, you’ll see all the available firewall rules on your system. The following iptable example shows that there are no firewall rules defined on this system. As you see, it displays the default input table, with the default input chain, forward chain, and output chain.

# iptables -t filter --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Do the following to view the mangle table.

# iptables -t mangle --list

Do the following to view the nat table.

# iptables -t nat --list

Do the following to view the raw table.

# iptables -t raw --list

Note: If you don’t specify the -t option, it will display the default filter table. So, both of the following commands are the same.

# iptables -t filter --list
(or)
# iptables --list

The following iptable example shows that there are some rules defined in the input, forward, and output chain of the filter table.

# iptables --list
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

The rules in the iptables –list command output contains the following fields:

  • num – Rule number within the particular chain
  • target – Special target variable that we discussed above
  • prot – Protocols. tcp, udp, icmp, etc.,
  • opt – Special options for that specific rule.
  • source – Source ip-address of the packet
  • destination – Destination ip-address for the packet

Linux Sysadmin Course Linux provides several powerful administrative tools and utilities which will help you to manage your systems effectively. If you don’t know what these tools are and how to use them, you could be spending lot of time trying to perform even the basic administrative tasks. The focus of this course is to help you understand system administration tools, which will help you to become an effective Linux system administrator.
Get the Linux Sysadmin Course Now!

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

{ 50 comments… read them below or add one }

1 Pushpraj January 24, 2011 at 12:56 am

very good….keep writing……

Thanks
Pushpraj

2 pupu January 24, 2011 at 3:22 am

Just note that DNAT and SNAT also stands for Dynamic and Static NAT, so don’t be confused when you read another text. Anyway, nice article, thanks!

3 Rendy January 24, 2011 at 3:22 am

Thank You Ramesh…very clear!

4 vaisakh January 24, 2011 at 3:59 am

Excellent .. I was searching for a good article about the fundamentals of IPtable.. Thanks. Also waiting for next part

5 Ben January 24, 2011 at 9:42 am

Nice article, look forward to rest of the series. Any idea when others will be out?

6 p campbell January 24, 2011 at 10:07 am

Some of your articles are excellent for beginners but this is not a tutorial it is misnamed.

7 Waly DIOUF January 24, 2011 at 11:06 am

This website is sooooo what I just need at work. Good work Ramesh, you’re a genuis.
Thanks a lot

8 shakerlxxv January 24, 2011 at 12:49 pm

Great topic. Looking forward to the rest of the series.

9 R January 24, 2011 at 1:36 pm

Ramesh,
You might want to include tutorial on fwbuilder, its a nice gui interface and used to manage firewall on 100′s of hosts.
-R

10 shaheem January 25, 2011 at 1:21 am

great stuff. also waiting for the follow up!

11 artie January 25, 2011 at 2:12 pm

great read and informative. look forward to the follow up.

12 shezars January 28, 2011 at 2:28 am

very helpfullllllll,,,
wait, for your next part.

13 Will Knight January 31, 2011 at 10:07 am

Good tutorial, I find iptables complex to understand but you have made it so easy, Thanks.

14 abc February 4, 2011 at 1:51 am

Very Nice tutorial. Thanks

15 saran February 10, 2011 at 10:00 am

great starter to the series
plz continue with the tutorial

16 abdul jamal February 18, 2011 at 9:37 am

Nice job.I read it and got the concept where is confused.. i have some question and answers ,,u will help me out to be correct.

Q1: Rule the matches ssh traffic(tcp,22) arriving through interface eth0.
ans. iptables -A INPUT -i eth0 -p tcp –dport 22
OR
iptables -A INPUT -i eth0 -p tcp –sport 22
Q2: Rule that matches traffic to a DNS server (udp,53) from any address in the range 10.0.0.0-10.0.0.255
Ans: iptable -A INPUT -m iprange –src-range 10.0.0.0-10.0.0.255 -d 10.19.6.142 (dns server) -p udp –dport 53

Q3:Rule that matches traffic from any address in the range 10.0.0.1 to 10.0.0.6,inclusive.
Ans. iptable -A INPUT -m iprange –src-range 10.0.0.1-10.0.0.6

Q4: Three rules that accept traffic from address 10.0.0.1 through 10.0.0.6, but drops traffic from 10.0.0.0 and 10.0.0.7 , without using any extension matches.
Ans: iptable -A INPUT -s 10.0.0.0 -j DROP
iptable -A INPUT -s 10.0.0.7 -j DROP
iptable -A INPUT -m iprange –src-range 10.0.0.1-10.0.0.6 -j ACCEPT

thanks for the correct and replying

17 Ishara Fernando July 8, 2011 at 12:38 am

Now only I understand the firewall concepts and the Iptable rules…
Each and every technique of explaining the theories are brilliant Mr.Ramesh… Keep it up.. We all Are with YOU…

18 OKELLO August 16, 2011 at 2:39 am

l think am beginning to understand the iptables, thanks man

19 freemao October 31, 2011 at 5:47 am

how to define the rules’ prior then?

20 Rob November 15, 2011 at 3:09 pm

Ramesh,

Very good article. Thanks. Has anyone considered the pros/cons to utilizing and maintaining their own open source firewall vs. paying for the service (ie. Verizon, AT&T, other)? How much time is associated to maintaining/supporting an open source solution? I’m trying to justify the idea of going away from a service based concept (appliance, maintenance/support are provided) vs. pulling in my own skilled resources to build/maintain an open source solution as discussed above.

Thanks,

Rob

21 Stan January 3, 2012 at 4:36 am

you said: “Iptables’s Mangle table is for specialized packet alteration. This alters QOS bits in the TCP header. ”

Alters QOS bits in TCP header? I thought mangle altering TOS bits in IP header! TCP operate on higher level than IP, and mangle works with IP packets.

22 ramadan March 24, 2012 at 7:45 am

it’s very nice thanks for your posting .keep writing about iptables

23 sarah April 9, 2012 at 2:44 pm

it was really good,thank u so much,plz keep writing…

24 Rahul April 17, 2012 at 10:32 pm

Thanks, nice and clear

25 Rakesh Sindhu June 7, 2012 at 3:40 am

Really good and very clear ….

26 Amol June 19, 2012 at 1:21 am

Nice post.Very helpful for beginners.

27 mucivane July 23, 2012 at 7:44 am

looking for a rule that allows traffic comming from an external user through the internet to access FTP (192.168.0.252), SSH& web (192.168.0.253) servers and some workstation on the same network. The router of that network is 192.168.254

28 LJ July 31, 2012 at 12:51 am

Extraordinary introduction, Ramesh

You’ve the knowledge and astonishing skills to communicate it, an unusual combination

Congratulations!
LJ

29 Aman August 9, 2012 at 12:30 am

Super..

30 Bilo September 5, 2012 at 12:03 am

Thanks for the article. Now I really understand how this stuff work. Awesome

31 Conrad November 5, 2012 at 12:20 am

Thank you very much for your excellent tutorial. Looking forward to the next one.
Regards to you !

32 qh April 23, 2013 at 12:43 am

thanks for your so popular article.

33 madfrog April 23, 2013 at 3:00 am

Thanks a lot. It really has been benificial in clearing out some concepts. By coincidence i came over to the 2nd article first and landed up over here otherwise would have been difficult.
Is there any directory structure where one can have overview of the topics. That would be helpful as well. (The reason being that your explanations are really from grass root level)
Regards

34 fastthinker April 26, 2013 at 12:21 am

great article

35 kanyapond May 5, 2013 at 9:54 pm

Thank you for your article, It’s very good. :)

36 Houcheng Lin May 6, 2013 at 7:42 pm

Great and thank you :D

37 sisayt June 26, 2013 at 2:36 am

Thank you very much brother

38 kaliswaran August 18, 2013 at 10:57 am

Reall!!! nice and useful article for system admin’s

39 yang September 16, 2013 at 6:58 pm

Great ant thank you

40 laks October 4, 2013 at 4:08 am

good iptables structured and all administrator can easily understand this.

41 jeffin October 14, 2013 at 4:09 am

Very NIce Article… :)

42 Ganesh November 27, 2013 at 3:42 am

please add link for next page of current topic

43 Jame R December 7, 2013 at 1:01 am

Absolute BEAUTIFUL article. Very clear. For shame ALL the other posts out there including MAN pages.

A tear to my eye the series never continued….

44 Sandeep December 18, 2013 at 1:08 am

Hi Ramesh Natarajan,
Thank you very much for your post. Earlier the concept of ‘iptables’ was like a nightmare and too complicated and overwhelming to understand. Thank you very much for making the concept so simple. The clear and precise explanation should be appreciated.

45 Anonymous December 19, 2013 at 3:17 pm

Extremely well explained, as concepts were organized properly and follow a logical progression. Most other articles I read never actually explained the definition of a “chain”!….. This article did a marvelous job.

46 Maryann February 5, 2014 at 3:44 am

Thanks Ramesh for simplyfying an abstract topic and explain it in such simple terms. Surely you have a knack to break down complex stuff into simple sentences. Thanks
Maryann

47 Riddhi February 10, 2014 at 8:56 pm

How to direct incoming traffic from a trusted network to a chain?

-A FORWARD -i eth1 -o trusted-outside -j ACCEPT

48 Anu February 12, 2014 at 7:24 am

Many thanks Ramesh…

49 guoger April 3, 2014 at 7:56 am

Very clean and elegant words! Wheres the next blog?

50 Pawan April 14, 2014 at 4:01 pm

Nice article. and please update mangle rules.

Leave a Comment

Previous post:

Next post: