Hello everyone, I am Deng Ju~
iptables is a powerful firewall tool in the Linux system, used to manage firewall rules and network traffic. It allows administrators to configure rules to filter, transform, or forward packets, making it a core component of Linux network and security configuration. With iptables, users can set security policies to control incoming and outgoing traffic, define port forwarding, and implement Network Address Translation (NAT).
Next, I will provide a detailed introduction to iptables.
1. Basic Concepts of iptables
Core Components
-
Tables: A collection of rules, iptables includes five main tables:
- filter table: The default table for packet filtering, containing INPUT, OUTPUT, and FORWARD chains
- nat table: Handles Network Address Translation, containing PREROUTING and POSTROUTING chains
- mangle table: Used for special packet modifications
- raw table: Configures connection tracking exemptions
- security table: Used for enforcing access control
-
Chains: Containers for rules, built-in chains include:
- INPUT: Handles packets destined for the local machine
- OUTPUT: Handles packets generated by the local machine
- FORWARD: Handles packets forwarded through the local machine
- PREROUTING: Modifies packets immediately upon arrival
- POSTROUTING: Modifies packets before they leave
2. Common Commands and Parameters
Basic Operation Commands
# Append a rule to the chain
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
# Delete a rule
iptables -D INPUT 2
# Check if a rule exists
iptables -C INPUT -s 192.168.1.123 -j DROP
# Flush all rules
iptables --flush
Key Parameter Explanation
Protocol Match (-p)
# Drop all UDP packets
iptables -A INPUT -p udp -j DROP
Source Address Match (-s)
# Accept traffic from a specific IP
iptables -A INPUT -s 192.168.1.230 -j ACCEPT
Destination Address Match (-d)
# Block access to a specific IP
iptables -A OUTPUT -d 192.168.1.123 -j DROP
Interface Control
# Block traffic from wireless interface
iptables -A INPUT -i wlan0 -j DROP
3. Practical Configuration Examples
Basic Firewall Settings
# Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow local loopback
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Open SSH port
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Open web service ports
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
NAT Configuration Example
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Set Source NAT (SNAT)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Destination NAT (DNAT)
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:80
4. Discussing iptables Application Scenarios
Deng Ju primarily uses iptables for server protection, employing fine-grained port control and access restrictions to safeguard servers from unauthorized access. It can also managenetwork bandwidth, ensuring priority for critical service performance.
By utilizing the logging feature, network activity can be monitored for security analysis and troubleshooting. As mentioned earlier, Network Address Translation allowsmultiple devices to share a single public IP, suitable for home and enterprise network environments.
Best Practice Recommendations
- Exercise Caution: Ensure you do not lock yourself out when modifying rules on a remote server
- Test Rules: Use
<span>-C</span>to check if rule syntax is correct - Backup Configuration: Backup existing configuration before important changes
- Gradual Implementation: Add rules incrementally to avoid complex configurations at once
- Log Monitoring: Use logging features judiciously, but avoid log overflow
Conclusion
As the cornerstone of network security in Linux systems, iptables provides powerful traffic control and security protection capabilities. By mastering the various tables and chains, and formulating reasonable rule strategies based on actual needs, the network security level of the system can be significantly enhanced. Whether for embedded platforms, personal servers, or enterprise-level network environments, iptables is an indispensable tool.

END
Author:Deng Ju
Source:Embedded Intelligence BureauCopyright belongs to the original author. If there is any infringement, please contact for removal..▍Recommended ReadingAn Irresistible VSCode Plugin!A Mobile Operating System Designed Based on FreeRTOSThe Most Legendary American Programmer, Only Using China’s Loongson Computer…→ Follow for more updates ←