Netfilter/Iptables 101

Iptables command structure:

iptables -t table_name -CHAIN_OPERATION CHAIN_NAME -criteria -j TARGET
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT

(if table_name is omitted, the default is the filter table)

Table Name:

  • filter
  • nat
  • raw
  • mangle

Chain Operations:

  • -A -> add rule at the end of the specific chain table;
  • -I -> add rule at the beginning of the specific chain table;
  • -D -> delete a specific rule;
  • -L -> list rules;
  • -P -> policy, default rule if there is no match for the packet;
  • -N -> create new user defined chain;
  • -X -> delete user defined chain;
  • -F -> flush, deletes rules from a specific chain table;
  • -Z -> zero, reset counters;
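The chain operations above, put together into one small script as an added example (it is not from the original post): a default-deny INPUT policy that flushes and rebuilds the filter table, creates a user-defined LOGDROP chain, and appends, inserts and lists rules. Every call goes through a wrapper that prints the command it would run and only executes it when FW_DRY_RUN=0. The interface name, the SSH port and the LOGDROP chain name are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal default-deny INPUT
# policy built with the chain operations -F, -X, -N, -P, -A, -I and -L.
# ipt() prints the iptables command and only runs it when FW_DRY_RUN=0.
# The interface, SSH port and chain name LOGDROP are assumptions.

FW_IFACE="${FW_IFACE:-eth0}"     # assumed interface that carries inbound SSH
FW_SSH_PORT="${FW_SSH_PORT:-22}"
FW_DRY_RUN="${FW_DRY_RUN:-1}"    # 1 = print only (the safe default)

ipt() {
    echo "iptables $*"
    if [ "$FW_DRY_RUN" = 0 ]; then
        iptables "$@"
    fi
}

# LOGDROP is a user-defined chain (-N) that logs at a bounded rate and then
# drops.  'limit' is a match (-m limit), not a target, so it is combined with
# the LOG target in one rule; LOG does not terminate, so the packet then falls
# through to the DROP rule.
fw_create_logdrop() {
    ipt -N LOGDROP
    ipt -A LOGDROP -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "IPT-DROP: " --log-level 4
    ipt -A LOGDROP -j DROP
}

fw_apply() {
    ipt -F    # flush every chain of the filter table
    ipt -X    # delete every (now empty) user-defined chain
    fw_create_logdrop
    # Default policies: deny inbound and forwarded traffic, allow the host's
    # own outbound traffic.  A policy applies only when no rule matched.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Loopback and already-tracked connections first, so they match early.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # New inbound SSH, restricted to one interface.
    ipt -A INPUT -i "$FW_IFACE" -p tcp --dport "$FW_SSH_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    # -I with a position inserts at the head of the chain instead of the end:
    # rate-limited ICMP echo becomes rule 1 although it was added last.
    ipt -I INPUT 1 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    # Anything still unmatched is logged and dropped by the user chain.
    ipt -A INPUT -j LOGDROP
    # Show the result with packet counters and rule numbers (handy for -D).
    ipt -L INPUT -n -v --line-numbers
}

if [ "${FW_RUN:-0}" = 1 ]; then
    fw_apply
fi
```

Run it as `FW_RUN=1 sh firewall.sh` to see the command list, and as root with `FW_DRY_RUN=0 FW_RUN=1` to apply it. The `-m conntrack --ctstate` form is the current spelling of the post's `-m state --state`; both are accepted by iptables.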

Chain Names:

Targets:

  • ACCEPT -> accept packet;
  • DROP -> drop packet;
  • REJECT -> packet is rejected and the host responds with an error message to the source;
  • LOG -> logs header information about the packet to the kernel log (syslog); the packet then continues to the next rule;
  • LIMIT -> limits the number of packets matched in a period of time (implemented as the -m limit match rather than a target, typically combined with LOG or ACCEPT);
  • SNAT -> source nat;
  • MASQUERADE -> used with source nat;
  • DNAT -> destination nat/port forwarding;
  • TTL -> modifies the TTL of a packet (IP header); only valid in the mangle table;

Criteria:

  • -s IP_source (ex: -s
  • -d IP_destination (ex: -d 0/0)
  • -p protocol (ex: -p tcp)
  • --sport source_port (ex: --sport 22)
  • --dport destination_port (ex: --dport 80)
  • -i interface_in (ex: -i eth0)
  • -o interface_out (ex: -o eth1)

Example of Source NAT where is the public IP:

iptables -t nat -A POSTROUTING -o eth0 -s -j SNAT --to-source
iptables -t nat -A POSTROUTING -j MASQUERADE     # only if the public IP is dynamic (MASQUERADE uses the outgoing interface's current address instead of a fixed --to-source)

Example of Destination NAT (port forwarding) where is the web server (a DNATed connection still passes through the FORWARD chain, so a forwarded NEW connection needs an ACCEPT rule there before the final REJECT):

iptables -t nat -A PREROUTING -p tcp -d --dport 80 -j DNAT --to-destination
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
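The Source NAT and Destination NAT examples above, combined into one iptables-restore ruleset as an added example (it is not from the original post): the whole set can be reviewed as a file and loaded atomically, and the FORWARD chain explicitly accepts the forwarded NEW connection to the web server before the catch-all REJECT. Interfaces, addresses (RFC 5737 documentation range on the public side), the LAN network and the web server port are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: SNAT for the LAN plus DNAT port
# forwarding to an internal web server, written in iptables-restore format.
# All interfaces, addresses and the port below are constructed placeholders.

PUBLIC_IF="${PUBLIC_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # constructed: the static public address
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # constructed: the internal network
WEB_IP="${WEB_IP:-192.168.1.20}"         # constructed: the internal web server
WEB_PORT="${WEB_PORT:-80}"

# Print the ruleset in iptables-save/iptables-restore format.
gen_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT: HTTP arriving on the public address is rewritten to the web server
-A PREROUTING -i $PUBLIC_IF -p tcp -d $PUBLIC_IP --dport $WEB_PORT -j DNAT --to-destination $WEB_IP:$WEB_PORT
# SNAT: the LAN leaves through the fixed public address (static IP, so SNAT, not MASQUERADE)
-A POSTROUTING -o $PUBLIC_IF -s $LAN_NET -j SNAT --to-source $PUBLIC_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# FORWARD sees the packet after DNAT, so it matches on the web server's address.
# Without the NEW rule the forwarded SYN would be caught by the final REJECT.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $PUBLIC_IF -o $LAN_IF -p tcp -d $WEB_IP --dport $WEB_PORT -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $PUBLIC_IF -s $LAN_NET -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Number of -A rules in the generated set (2 in nat + 4 in filter).
count_rules() {
    gen_nat_rules | grep -c '^-A '
}

# Forwarding only works if the kernel routes between interfaces: returns 0 when
# net.ipv4.ip_forward is 1, non-zero otherwise (or if the file is unreadable).
ip_forward_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]
}

# Load the ruleset atomically (needs root and iptables-restore).
apply_nat_rules() {
    if ! ip_forward_enabled; then
        echo "warning: net.ipv4.ip_forward is not 1; forwarded traffic will not be routed" >&2
    fi
    gen_nat_rules | iptables-restore
}

if [ "${NAT_RUN:-0}" = 1 ]; then
    apply_nat_rules
else
    gen_nat_rules
fi
```

Restricting the SNAT rule with `-o` and `-s` keeps the client's real source address visible to the web server; a bare `POSTROUTING -j MASQUERADE` as in the post's second example would also rewrite the source of the forwarded request on its way into the LAN.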

Example of inbound port opening:

iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT
