Firewall Configuration (iptables)
Objective
Configure host-based firewall rules with iptables: INPUT/OUTPUT/FORWARD chains, NAT, and rule persistence.
Tools & Technologies
iptables, iptables-save, iptables-restore, netfilter
Key Commands
iptables -L -n -v
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables-save > /etc/iptables/rules.v4
Architecture Overview
flowchart TD
PKT[Incoming Packet] --> PREROUTE[PREROUTING chain]
PREROUTE --> LOCAL{Destined for\nthis host?}
LOCAL -->|Yes| INPUT[INPUT chain]
LOCAL -->|No| FORWARD[FORWARD chain]
INPUT -->|ACCEPT| APP[Application]
INPUT -->|DROP| BIN[🗑 Dropped]
FORWARD --> POSTROUTE[POSTROUTING chain]
APP --> OUTPUT[OUTPUT chain]
OUTPUT --> POSTROUTE
style INPUT fill:#1a1a2e,stroke:#00d4ff,color:#e0e0e0
style BIN fill:#1a1a2e,stroke:#ff4444,color:#ff4444
Step-by-Step Process
01
View Current Rules
See what rules are currently active.
iptables -L -n -v # all chains, numeric, verbose
iptables -L INPUT -n -v # INPUT chain only
iptables -t nat -L -n -v # NAT table
02
Build a Secure Default Policy
Allow only the traffic the host needs, then set the default policy to DROP. Order matters here: add the ACCEPT rules first, because setting -P INPUT DROP on a chain that does not yet accept ESTABLISHED or SSH traffic cuts off the session you are typing in. (-m conntrack --ctstate is the current form of the older -m state --state; both still work.)
# Allow loopback (local services talk to 127.0.0.1 constantly)
iptables -A INPUT -i lo -j ACCEPT
# Allow replies to connections this host opened, plus related traffic such as ICMP errors
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH (add -s <admin-network> where possible)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow HTTP/HTTPS
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# Only now flip the default policies; OUTPUT stays ACCEPT so the host can reach updates, DNS, NTP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
03
Save & Restore Rules
Persist rules across reboots. iptables-persistent loads /etc/iptables/rules.v4 and rules.v6 at boot. Save both: ip6tables is a separate ruleset, and an unfiltered IPv6 stack bypasses every rule above.
sudo apt install iptables-persistent
# The redirect is opened by your (non-root) shell, so "sudo iptables-save > file" fails; run the whole pipeline as root
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
sudo sh -c 'ip6tables-save > /etc/iptables/rules.v6'
# Same thing via the helper shipped with the package
sudo netfilter-persistent save
# Restore manually (the whole table is replaced in one atomic commit)
sudo iptables-restore /etc/iptables/rules.v4
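The three steps above combined into one lockout-safe loader, added here as an example (not code from the original page): it emits the ruleset in iptables-restore format, parse-checks it with iptables-restore --test, loads it atomically, and arms a timer that restores the previous rules unless the operator confirms from a fresh SSH session. The knobs SSH_PORT, WEB_PORTS, ADMIN_NET and ROLLBACK_SECS are assumptions for the example, and 203.0.113.0/24 is a constructed (TEST-NET-3) admin network, not a real one. The ruleset also adds an INVALID drop, a rate-limited ICMP echo accept and a rate-limited LOG rule, which go beyond the page's minimal set.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: build the filter-table ruleset as an
# iptables-restore file, check it, load it atomically and roll back automatically
# unless the operator confirms from a fresh SSH session.
# Assumed knobs (override via environment): SSH_PORT, WEB_PORTS, ADMIN_NET, ROLLBACK_SECS.
set -eu

SSH_PORT="${SSH_PORT:-22}"
WEB_PORTS="${WEB_PORTS:-80,443}"
ADMIN_NET="${ADMIN_NET:-}"            # e.g. 203.0.113.0/24 (constructed TEST-NET) to pin SSH to an admin network
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"

# Emit the ruleset on stdout. iptables-restore replaces the whole table in one
# COMMIT, so nothing takes effect until every ACCEPT rule below is in place:
# the "policy DROP before the SSH rule" lockout cannot happen with this loader.
build_ruleset() {
    local ssh_src=""
    if [ -n "$ADMIN_NET" ]; then
        ssh_src="-s $ADMIN_NET "
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local services talk to 127.0.0.1 constantly
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related flows (ICMP errors, FTP data)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify (stray ACKs, bogus flag combinations)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# keep ICMP echo working for reachability checks, rate-limited against floods
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# SSH, optionally restricted to the admin network
-A INPUT -p tcp ${ssh_src}--dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
# HTTP/HTTPS
-A INPUT -p tcp -m multiport --dports $WEB_PORTS -m conntrack --ctstate NEW -j ACCEPT
# log what falls through to the DROP policy, rate-limited so logs cannot be flooded
-A INPUT -m limit --limit 10/minute -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Loader with a safety net: snapshot the live rules, parse-check the new set,
# arm a timer that restores the snapshot, then load. The operator cancels the
# timer only after proving that a NEW ssh connection still works.
apply_with_rollback() {
    local new backup timer
    new=$(mktemp); backup=$(mktemp)
    build_ruleset > "$new"
    iptables-save > "$backup"
    iptables-restore --test "$new"          # parse and build only, nothing committed
    ( sleep "$ROLLBACK_SECS"; iptables-restore "$backup"; logger "iptables: rolled back to $backup" ) &
    timer=$!
    iptables-restore "$new"
    echo "Rules loaded. Open a NEW ssh session now; if it works, run: kill $timer"
    echo "Otherwise the previous rules return in ${ROLLBACK_SECS}s."
    echo "Persist once confirmed: sudo sh -c 'iptables-save > /etc/iptables/rules.v4'"
}

case "${1:-show}" in
    show)  build_ruleset ;;             # print the ruleset for review
    apply) apply_with_rollback ;;       # needs root
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with no argument to review the generated file, then as root with apply. The same confirm-or-revert pattern is available ready-made as iptables-apply, which ships with the Debian iptables package and takes a rules file and a timeout.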
Challenges & Solutions
- Setting the INPUT policy to DROP before the ESTABLISHED and SSH rules exist locks you out of the session you are in, and a mistyped SSH rule does the same. Add ACCEPT rules first and set the policy last, keep console access, and use a rollback: iptables-apply loads a rules file and reverts it unless you confirm within a timeout, and iptables-restore replaces the whole table atomically so a half-applied ruleset never exists.
- Rule order matters: the first rule with a terminating target (ACCEPT, DROP, REJECT) decides the packet, while LOG and other non-terminating targets fall through. Put specific rules before broad ones, and use -I rather than -A when a rule must be evaluated before the existing ones.
Key Takeaways
- Always test rules on a VM, or on a host with out-of-band console access, before production
- iptables -F flushes the rules of a table (the filter table unless -t is given) but leaves the default policies in place: with INPUT policy DROP, flushing also removes the ESTABLISHED rule and severs your SSH session. Set the policies to ACCEPT before flushing.