IPTables Explained
iptables is the traditional Linux firewall interface to the netfilter kernel subsystem. While UFW provides a simpler interface for common use cases, understanding iptables is necessary for complex scenarios: custom NAT rules, Docker networking, VPN masquerading, and reading existing rules on production systems. Ubuntu 22.04+ uses nftables as the backend, but the iptables command remains available via compatibility wrappers.
Tables and chains
iptables organizes rules into TABLES, each containing CHAINS:

Table: filter (default — for allowing/blocking traffic)
    Chains: INPUT, OUTPUT, FORWARD
Table: nat (for address/port translation)
    Chains: PREROUTING, OUTPUT, POSTROUTING
Table: mangle (for packet modification)
    Chains: all five (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING)
Table: raw (for connection tracking bypass)
    Chains: PREROUTING, OUTPUT
Each chain is an ordered list of rules. A packet is evaluated against the rules top to bottom, and the first match wins. If no rule matches, the chain's POLICY (its default target) decides.

How a packet traverses iptables
Incoming packet to this host:
PREROUTING (nat/mangle) → route decision
↓ (destination = local process)
INPUT (filter) → local application
Packet forwarded through this host:
PREROUTING → FORWARD (filter) → POSTROUTING
Outgoing packet from this host:
local application → OUTPUT (filter/nat/mangle) → POSTROUTING (nat)

Writing iptables rules
# View current rules (-v shows packet/byte counters and interfaces, -n skips DNS and port-name lookups)
sudo iptables -L -n -v # filter table
sudo iptables -t nat -L -n -v # nat table
# Add a rule (-A = append to end of chain)
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Insert at position 1 (-I = insert)
sudo iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
# Delete a rule
sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT
# Flush (delete all rules in a chain)
sudo iptables -F INPUT # Clear INPUT chain
sudo iptables -F # Clear all chains in filter table
Common rule examples
# Stateful firewall (most common correct approach):
# Allow established/related connections (responses to your outbound traffic)
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT
# Allow SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow HTTP/HTTPS
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# Allow from specific subnet only
sudo iptables -A INPUT -p tcp --dport 3306 -s 10.0.1.0/24 -j ACCEPT
# Drop everything else (set default policy). Set this LAST, after the
# established/related and SSH rules above, or a remote session locks itself out.
sudo iptables -P INPUT DROP
# NAT masquerade (for sharing internet connection / VPN gateway)
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Forwarding must be enabled in the kernel; sysctl -w is runtime-only, so also
# set net.ipv4.ip_forward=1 in /etc/sysctl.conf (or /etc/sysctl.d/) to persist it
sudo sysctl -w net.ipv4.ip_forward=1
Saving and restoring rules
# iptables rules are NOT persistent across reboots by default
# Method 1: iptables-persistent (Debian/Ubuntu)
sudo apt install -y iptables-persistent
sudo netfilter-persistent save # Save current rules
sudo netfilter-persistent reload # Reload saved rules
# Rules saved to:
# /etc/iptables/rules.v4 (IPv4)
# /etc/iptables/rules.v6 (IPv6)
# Method 2: Manual save/restore
sudo iptables-save > /etc/iptables/rules.v4
sudo iptables-restore < /etc/iptables/rules.v4
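The stateful ruleset and NAT gateway from the rule examples above, combined with the save/restore commands into a script that loads everything atomically and rolls back automatically if you lose SSH access. This is an added example, not code from the original article; the interface name, SSH port and trusted subnet are assumed inputs, and the confirm file path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original article: builds the article's stateful
# ruleset in iptables-restore format and applies it atomically with a rollback
# timer so a mistake cannot lock you out of SSH. Assumed inputs: WAN interface,
# SSH port and trusted subnet; requires iptables-save/iptables-restore.

# build_ruleset WAN_IF SSH_PORT TRUSTED_NET: prints an iptables-restore file.
# Policies sit in the header and load together with the rules, so there is no
# window where INPUT is DROP but the ACCEPT rules are not yet present.
build_ruleset() {
    wan_if=$1; ssh_port=$2; trusted_net=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp --dport 3306 -s $trusted_net -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $trusted_net -o $wan_if -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $trusted_net -o $wan_if -j MASQUERADE
COMMIT
EOF
}

# apply_with_rollback WAN_IF SSH_PORT TRUSTED_NET [SECONDS]: saves the live
# rules, loads the new set, then restores the old set after SECONDS unless the
# operator confirms from a session that still works. Needs root; not run here.
apply_with_rollback() {
    secs=${4:-60}; confirm=/run/iptables-confirm; backup=$(mktemp)
    iptables-save > "$backup"
    build_ruleset "$1" "$2" "$3" | iptables-restore --test || return 1
    build_ruleset "$1" "$2" "$3" | iptables-restore
    rm -f "$confirm"
    echo "Applied. Run 'touch $confirm' within ${secs}s to keep the new rules."
    sleep "$secs"
    if [ ! -f "$confirm" ]; then
        iptables-restore < "$backup"; echo "Rolled back" >&2; return 2
    fi
    rm -f "$backup"
}

# Only touch the live firewall when asked: sh fw.sh apply eth0 22 10.0.1.0/24
if [ "${1:-}" = apply ]; then apply_with_rollback "$2" "$3" "$4"; fi
```

Once the new rules are confirmed, persist them with netfilter-persistent save (or iptables-save to /etc/iptables/rules.v4) exactly as described above; the rollback timer protects only the live session, not the reboot case.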
Conclusion
For most Ubuntu server use cases, UFW is the right tool — it wraps iptables with a simpler interface and handles both IPv4 and IPv6. Use raw iptables when you need complex NAT rules, or when debugging what rules are actually in effect (Docker, VPNs, and other tools add rules directly to iptables without updating UFW). Always view rules with iptables -L -n -v and save them with netfilter-persistent save or the rules will be lost on reboot.
FAQ
Why should administrators understand IPTables Explained?
Because this topic affects planning decisions, server lifecycle, compatibility, support expectations, or how you reason about Ubuntu systems before making operational changes.

Do I need a lab for this topic?
A lab is useful for checking commands and seeing the concept on a real Ubuntu machine, but the main value is understanding the decision, tradeoff, or system behavior clearly.

How should I use this knowledge in production?
Use it to make better choices, document why those choices were made, and avoid rushed changes that ignore support windows, compatibility, stability, or operational risk.
Need help with Ubuntu administration?
Work directly with Muhammad Irfan Aslam for Ubuntu Server, Linux, cloud, Docker, DevOps, CI/CD, or infrastructure troubleshooting support.