How the Iptables Firewall Works

Introduction

Setting up a firewall is an essential step to take in securing any modern operating system. Most Linux distributions ship with a few different firewall tools that you can use to configure a firewall. In this guide, we’ll be covering the iptables firewall.

Iptables is a standard firewall included in most Linux distributions by default. It is a command-line interface to the kernel-level netfilter hooks that can manipulate the Linux network stack. It works by matching each packet that crosses a network interface against a set of rules to decide what to do with it.

In this guide, you will review how Iptables works. For a more in-depth approach, you can read A Deep Dive into Iptables and Netfilter Architecture.

How Iptables Works

First, let’s review some terminology and discuss how iptables works.

The iptables firewall operates by comparing network traffic against a set of rules. The rules define the characteristics that a network packet needs to have to match, and the action that should be taken for matching packets.

There are many options to establish which packets match a specific rule. You can match the packet protocol type, the source or destination address or port, the interface that is being used, its relation to previous packets, and so on.

When the defined pattern matches, the action that takes place is called a target. A target can be a final policy decision for the packet, such as ACCEPT or DROP. It can also move the packet to a different chain for processing, or log the encounter. There are many options.

These rules are organized into groups called chains. A chain is a set of rules that a packet is checked against sequentially. When the packet matches one of the rules, the associated action is executed and the remaining rules in the chain are skipped.

A user can create chains as needed. There are three chains defined by default. They are:

  • INPUT: This chain handles all packets that are addressed to your server.
  • OUTPUT: This chain contains rules for traffic created by your server.
  • FORWARD: This chain handles traffic that is destined for other hosts and was not created on your server. It is the chain you configure when your server should route packets to other machines.

Each chain can contain zero or more rules, and has a default policy. The policy determines what happens when a packet drops through all of the rules in the chain and does not match any rule. You can either drop the packet or accept the packet if no rules match.

Iptables can also track connections. This means you can create rules that define what happens to a packet based on its relationship to previous packets. This capability is called “state tracking” or “connection tracking”, and configuring it is sometimes described as configuring the “state machine”.

IPv4 Versus IPv6

The netfilter firewall that is included in the Linux kernel keeps IPv4 and IPv6 traffic completely separate. The Iptables tools used to manipulate the tables that contain the firewall rulesets are distinct as well. If you have IPv6 enabled on your server, you will have to configure both tables to address the traffic on your server.

Note: Nftables, a successor to Iptables, integrates handling of IPv4 and IPv6 more closely. The iptables-translate command can be used to migrate Iptables rules to Nftables.

The regular iptables command is used to manipulate the table containing rules that govern IPv4 traffic. For IPv6 traffic, a companion command called ip6tables is used. The syntax of the two commands is the same, but any rule you set with iptables only affects packets using IPv4 addressing, and any rule you set with ip6tables only affects packets using IPv6 addressing. Don’t forget to use the IPv6 addresses of your server when crafting ip6tables rules.

Things to Keep in Mind

Now that you know how iptables directs packets that come through its interface – direct the packet to the appropriate chain, check it against each rule until one matches, issue the default policy of the chain if no match is found – you can begin to create rules.

First, you need to make sure that you have rules to keep current connections active if you implement a default drop policy. This is especially important if you are connected to your server through SSH. If you accidentally implement a rule or policy that drops your current connection, you may need to log into your server using a browser-based recovery console.

Another thing to keep in mind is that the order of the rules in each chain matters. A packet must not come across a more general rule that it matches if it is meant to match a more specific rule.

Because of this, rules near the top of a chain should have a higher level of specificity than rules at the bottom. You should match specific cases first, and then provide more general rules to match broader patterns. If a packet falls through the entire chain (if it doesn’t match any rules), it will follow the most general rule, i.e., the default policy.

For this reason, a chain’s default policy strongly dictates the types of rules that will be included in the chain. A chain with the default policy of ACCEPT will contain rules that explicitly drop packets. A chain that defaults to DROP will contain exceptions for packets that should be specifically accepted.
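The following script is an added example, not part of the original tutorial, that puts the points above together: it generates an INPUT chain with a default DROP policy in which the connection-tracking rule that keeps the current SSH session alive is appended before the policy is switched, specific accepts sit above the catch-all policy, and the same function drives both iptables and ip6tables because their syntax is identical. The SSH port (22) and the script file name (firewall.sh) are assumptions.

```shell
#!/bin/sh
# Prints, in order, the commands that build a default-DROP INPUT chain.
# $1 is the tool to drive: iptables (IPv4) or ip6tables (IPv6). The rule
# syntax is the same for both, which is why one function serves both.
# SSH_PORT=22 is an assumption; adjust it to your sshd configuration.
SSH_PORT=22

firewall_rules() {
    tool="$1"
    # ICMP is needed for IPv4 path MTU discovery and for IPv6 neighbour
    # discovery, so each address family gets its own ICMP protocol name.
    case "$tool" in
        ip6tables) icmp_proto="ipv6-icmp" ;;
        *)         icmp_proto="icmp" ;;
    esac
    # Order matters: the policy is set to ACCEPT before flushing so that
    # flushing a chain that already defaults to DROP cannot cut the session;
    # ESTABLISHED,RELATED is accepted before any NEW traffic is judged, so
    # the SSH session issuing these commands survives; the DROP policy is
    # the last line, acting as the most general rule of the chain.
    cat <<EOF
$tool -P INPUT ACCEPT
$tool -F INPUT
$tool -A INPUT -i lo -j ACCEPT
$tool -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$tool -A INPUT -m conntrack --ctstate INVALID -j DROP
$tool -A INPUT -p $icmp_proto -j ACCEPT
$tool -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
$tool -P INPUT DROP
EOF
}

# 1-based position of the first generated line matching $2 (order check).
rule_position() {
    firewall_rules "$1" | grep -n -- "$2" | cut -d: -f1 | head -n 1
}

# Applies the generated rules; requires root. Run as: sh firewall.sh apply
apply_rules() {
    firewall_rules "$1" | sh -e
}

if [ "${1:-}" = "apply" ]; then
    apply_rules iptables     # IPv4 table
    apply_rules ip6tables    # IPv6 table is separate and must be set too
fi
```

Run it without the apply argument first to review the generated commands before touching a live server.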

Conclusion

At this point, you’re ready to implement your own firewall. For this, you should read How To Set Up a Firewall Using Nftables on Ubuntu 22.04. Or, for a more high-level approach, How To Set Up a Firewall with UFW on Ubuntu 22.04. If you’d prefer to run your firewall as a managed service layer, you can also try DigitalOcean’s Cloud Firewalls.

Comments
I’m new to this but just before the conclusion you talk about ACCEPT or DROP: A chain with the default policy of ACCEPT will contain rules that explicitly drop packets. A chain that defaults to DROP will contain exceptions for packets that should be specifically accepted.

Shouldn’t a chain with default ACCEPT contain rules that explicitly accept packets, and a chain with default DROP contain rules that reject?

Justin Ellingwood
DigitalOcean Employee
August 28, 2014

kutkuta2: Thanks for the kind words!

As for your question: The iptables command (and the related set of commands: ip6tables, arptables, and ebtables) serves as an interface to the Netfilter package filtering mechanism enabled in the Linux kernel. The ufw tool simply serves as a front-end to these commands, making the interface more approachable to users.

The ufw tool does provide some compelling advantages over the *tables commands. For instance, it unifies the interface, allowing you to specify rules for IPv4 and IPv6 connections seamlessly. It also provides a built-in framework for saving and restoring rules, and can allow applications to provide their own sets of firewall rules. This last bit makes it possible to manage specific sets of rules as a unit, meaning that you can turn an application’s access “on” or “off” very easily.

In the end, ufw is simply a wrapper for the *tables commands. You can easily use either to accomplish the same task. If you are more comfortable using ufw, you can use that. If you happen to find some strange edge-case where ufw does not have the functionality you need, an iptables rule can be used to supplement your ufw rules.

Really, thank you Justin! But what about ufw and how it works with iptables? Can I implement everything I can in iptables using ufw, especially on Ubuntu Server 14.04?

Nice article.

Thanks for the article, nice explanation on iptables basics.
