Mousey's Guide to netfilter and iptables

The system described here is a low-level method of packet filtering that enables a UNIX/Linux box to function as an advanced perimeter firewall with capabilities that are comparable to, if not better than, expensive commercial equipment.

Basic Theory

The basic description of iptables is a ‘kernel firewall’ that uses netfilter kernel modules to implement packet filtering policies. In other words, the netfilter modules provide the kernel packet filtering services, and iptables provides the user space method of defining the rules. The rules are defined through the /sbin/iptables. The chances are the firewall configuration desktop application will be a front-end for /sbin/iptables.

Firewall rules are grouped into 'chains'. Each table should have the following chains by default:

  • INPUT: Packets to be delivered somewhere on the local system, and independently of any network socket.
  • FORWARD: All packets that are routed non-locally.
  • OUTPUT: Packets sent from the local host.
  • PREROUTING: Used for NAT.
  • POSTROUTING: Used for NAT.

Each chain is going to define how netfilter handles packets as they pass through the networking components of the kernel.

More Tables

What might cause a little confusion is thgat other table exist alongside iptables. There’s another table for Network Address Translation (nat), a third table for modifying packets as they passes through netfilter (mangle), and a fourth table that allows packets through without interference or alteration (raw).So now an iptables setup encompasses the following tables:

  • filter
  • nat
  • mangle
  • raw

Also on a UNIX/Linux system, we have (or should have) ip6tables. This is very important, because IPv6 and IPv4 headers are both different and have definite field lengths, which is how a firewall knows what it’s reading. Unless we set up IPv6 packet filtering as well, we could end up with a firewall that ignores all incoming IPv6 traffic.

Kernel Modules

With Ubuntu and Linux Mint (and probably most mainstream distros) the netfilter modules are compiled into the kernel. Compiling the kernel yourself should give you the option of having netfilter as a loadable module.

Administrating iptables and Packet Filtering

As I’ve already mentioned, filtering policies can be administrated using /sbin/iptables, but this is the cumbersome and rather complicated method until we develop a BASH script for our own needs. What I didn’t know, until looking into this, is that the Uncomplicated Firewall and its GUI (gufw) are also front-ends for iptables, and we can configure the firewall using those instead.

Here are some example commands:
The first one flushes/wipes all the existing iptables entries: $iptables -F Send all incoming packets to the DROP chain, if present: $iptables -A INPUT -j DROP The ‘-A‘ option tells iptables to append the rule to the existing INPUT chain. The following allows all HTTP and HTTPS traffic: $iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
$iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT

So far so good. The simpler rules share pretty much the same format of other command line stuff. In the above rule, the packets are directed to the INPUT chain, they are sifted for TCP packets going through port 80 or 443, and they are ‘jumped’ to the ACCEPT chain.

Another example, from The Geek Stuff tutorial, allows all incoming SSH, HTTP and HTTPS traffic over TCP by chaining three policies within a single iptables entry: $iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

Here we’ll notice there’s the state option, because iptables/netfilter can provide stateful filtering, that’s to say it can look at a packet in the context of whatever stream, and not as an isolated bit of data. In the above entry, I’m guessing that netfilter is being configured to accept only packets that are either establishing a connection or are part of an established connection, and therefore ignore anything that might be associated with a Denial of Service attack or stealth scan. We also have two network interfaces: input and output (both eth0). In the case of a perimeter firewall, both will be needed as the host will bridge the local network and the outside world.


Some people have reported problems in trying to make the firewall rules persistent. That’s because the rules are lost if they aren’t explicitly saved before the system is rebooted. The core problem here seems to be that iptables is intended for production systems that aren’t rebooted as often as PCs, and therefore the tables must be saved to file and manually restored unless the system is configured otherwise. As always, this is done in the command line: $iptables-restore`: Restore tables from file.
$iptables-save`: Dump tables to file.
$iptables-xml`: Convert output of iptables-save to XML format.

I believe the Red Hat distro also comes with a script/exectutable that automates this further: $/usr/libexec/iptables.init save

This does the same as running iptables-save. The /etc/sysconfig/iptables file is then saved as /etc/sysconfig/ The system should then run iptables-restore when the system reboots.

Useful Links

FEDORA DOCUMENTATION. 2013. Fedora Documentation: Saving IPTables Rules. [WWW]. (17th August 2013).

NATARAJAN, R. 2011. The Geek Stuff: 25 Most Frequently Used Linux IPTables Rules Examples. [WWW]. (17th August 2013).

NATARAJAN, R. 2011. The Geek Stuff: Linux IPTables: How to Add Firewall Rules (With Allow SSH Example). [WWW]. (17th August 2013).

NIXCRAFT. 2013. Linux Iptables Setup Firewall for a Web Server. [WWW]. (17th August 2013).

RACKSPACE US, INC. 2013. Knowledge Center: Introduction to iptables. [WWW]. (17th August 2013).

RUSSEL, R. WELTE, H. 2002. Linux netfilter Hacking HOWTO: Netfilter Architecture. [WWW]. (24th August 2013).