IPTables – Linux Firewall Configuration for Cybersecurity

1. Introduction to IPTables

iptables is a powerful command-line utility used in Linux systems to configure and manage the kernel-level netfilter firewall.

Key Use Cases:

• Packet Filtering – decide which traffic to allow or block

• Network Address Translation (NAT) – modify IP addresses in packets

• Traffic Redirection – route traffic to specific ports or hosts

• Logging – monitor traffic for auditing or threat detection

Used extensively in cybersecurity to:

• Harden systems against unauthorized access

• Drop malicious packets

• Control data exfiltration/infiltration

Installation and Version

Install iptables and check its version:

sudo apt install iptables

iptables --version

2. Core Concepts of IPTables

Tables

IPTables is structured around tables, each with a specific function:

Table	Purpose
filter	Default table for allowing or blocking packets, Packet Filtering (ACCEPT, DROP)
nat	For modifying packet source/destination (e.g., port forwarding, SNAT)
mangle	Modify packet headers (QoS, TTL, etc.)
raw	Used to configure exemptions from connection tracking
security	Interface with security modules (like SELinux). For mandatory access control (MAC) filtering

Common default table: filter

---

Chains

Chains are predefined sequences of rules where packets are checked. Each table consists of chains:

Chain	Direction	Typical Use
INPUT	Inbound to local machine. Incoming packets	Control traffic to host itself. filter
OUTPUT	Outbound from local machine. Outgoing Packet	Outgoing connections from host. filter
FORWARD	Routed through the host	Useful in gateway/routers. filter
PREROUTING	Before routing decisions. Alter before routing	Used with DNAT. mangle
POSTROUTING	After routing decisions. Alter after routing	Used with SNAT/MASQUERADE. mangle

---

Rules

A rule defines:

• What to match (source IP, protocol, port, etc.)

• What action to take if matched (target)

Targets (Actions)

Target	Description
ACCEPT	Allow packet through
DROP	Silently discard the packet
REJECT	Discard and reply with ICMP error
LOG	Log packet details to /var/log/syslog
SNAT	Source NAT (used to mask source IP when sending out)
DNAT	Destination NAT (used for port forwarding to internal servers)
MASQUERADE	Dynamic SNAT (used when IP is assigned dynamically like via DHCP/PPP)

3. Basic Command Structure

iptables [options] [chain] [command] [match criteria] [target]

Example:

sudo iptables -A INPUT -s 192.168.1.100 -j DROP

• -A INPUT: Append to INPUT chain

• -s 192.168.1.100: Source IP to match

• -j DROP: Drop the matching packet

4. Common Commands

List All Rules

sudo iptables -L -n -v

• -L: List rules in all chains

• -n: Don't resolve DNS (faster)

• -v: Verbose output with packet counters

---

Flush All Rules

sudo iptables -F

Removes all rules in all chains (use with caution).

---

Save and Restore Rules (Debian/Ubuntu)

Save rules across reboots:

sudo apt install iptables-persistent
sudo iptables-save > /etc/iptables/rules.v4

Restore saved rules:

sudo iptables-restore < /etc/iptables/rules.v4

5. Practical Use Cases in Cybersecurity

Block All Ping (ICMP) Requests

sudo iptables -A INPUT -p icmp -j DROP

This drops all ICMP echo requests (commonly used by ping). Useful for making a system invisible on a network.

---

Allow Ping from a Specific Host

sudo iptables -I INPUT -s 172.1.27.103 -p icmp -j ACCEPT

Allows ICMP requests only from a specific IP (e.g., an admin or monitoring server).

---

Accept All ICMP Requests

sudo iptables -A INPUT -p icmp -j ACCEPT

Drop All Connections from a Malicious IP

sudo iptables -A INPUT -s 10.10.10.5 -j DROP

This blocks all packets from the given source IP.

---

Open SSH Port (22) to Avoid Getting Locked Out

Always add this before setting restrictive rules:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

---

Monitor Incoming ICMP (Ping) Packets

Use tcpdump to view real-time ping packets:

sudo tcpdump -i eth0 icmp

Replace eno1 with your actual network interface (e.g., eth0, wlan0).

6. NAT and Port Forwarding

Redirect Port 80 to Port 8080

Useful when running a service on 8080 but want it accessible on standard HTTP port.

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

---

SNAT – Change Source IP

Used for outbound traffic behind a static public IP:

sudo iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.5

---

MASQUERADE – NAT for Dynamic IP (e.g., DHCP)

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Commonly used for sharing internet in home networks.

---

7. Security Hardening Tips

Log Suspicious Traffic

sudo iptables -A INPUT -p tcp --dport 23 -j LOG --log-prefix "TELNET attempt: "

Detect attempts to use Telnet (a highly insecure protocol).

---

Rate-Limit SSH to Prevent Brute Force

sudo iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/min -j ACCEPT

Allows only 3 SSH connections per minute — helps mitigate brute force attacks.

---

8. Managing IPTables with Other Tools

Tool	Use Case
ufw (Uncomplicated Firewall)	Easier syntax, used in Ubuntu systems
firewalld	Zone-based dynamic firewall (CentOS/RHEL)
iptables-persistent	Automatically restore rules on boot

Example: UFW for Simplicity

sudo ufw allow 22          # Allow SSH
sudo ufw deny from 192.168.1.100   # Deny specific IP
sudo ufw enable

Best Practices

• Always allow essential ports (e.g., SSH) before applying restrictive rules

• Regularly audit your firewall rules with iptables -L -n -v

• Use logging to detect suspicious or unexpected traffic

• Combine IPTables with tools like Fail2Ban, Snort, or Suricata for intrusion detection