iptables
- Introduction
  - Quick commands
- Configuration
  - filter
  - nat
  - mangle
- References

iptables

Changelog

2024-11-16: Init

Introduction

Userspace program for configuring Linux kernel firewall for IP packets
Network packets go through a series of firewall chains hosted in specific firewall tables
- Available tables differ between kernel configurations
- Commonly used ones are filter, nat and mangle
Typically coupled with iproute2 for routing
- One probably already used them; commands include ip and ss

Other hierarchy:

Firewall chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING, configured with parameters under iptables(8).
Protocol matching, e.g. -p tcp (for which also implies the extended matching module -m tcp), configured with options under iptables-extensions(8) MATCH EXTENSIONS.
Targets: ACCEPT, DROP, etc. (as well as DNAT, MARK, MASQUERADE, REDIRECT, REJECT, SNAT, etc. in extended targets under iptables-extensions(8)). Options in their respective manpage.

This is baked directly into the kernel, and there is no option to enable/disable the table other than to modify the rules.

Quick commands

View all rules across all tables: iptables-save

Configuration

filter

nat

sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -A FORWARD -i wlan0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

mangle

Used to modify packet headers. Most common use case in marking packets for specialized routing, using the MARK target. Example¹⁾ below shows mail packets being redirected by ip-route to a different routing table mail:

# Set '1' mark on TCP packets headed to port 25
user:~$ iptables -t mangle ... -p tcp --dport 25 -j MARK --set-mark 1
 
# Create 'mail' table (with table ID 201) and add routing rule
user:~$ echo 201 mail >> /etc/iproute2/rt_tables
user:~$ ip route add default via 195.96.98.253 ... table mail
 
# Force packets with '1' mark to use the 'mail' routing table
user:~$ ip rule add fwmark 1 table mail