IPTables: Linux Packet Filtering and NAT Configuration
Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read
IPTables is the userspace interface for the Linux kernel’s netfilter packet filtering framework. Even with nftables gaining adoption as the successor, IPTables remains the default on millions of production Linux systems. If you manage Linux infrastructure, you need to understand how IPTables processes packets, how to write effective rules, and how to avoid locking yourself out of your own servers.
Chain Architecture
IPTables organizes rules into tables, and each table contains chains. The three tables you will work with most:
Filter table (default): controls whether packets are accepted or dropped. Contains three built-in chains:
- INPUT -- packets destined for the local system
- FORWARD -- packets being routed through the system
- OUTPUT -- packets originating from the local system
NAT table: handles network address translation. Contains:
- PREROUTING -- modifies the destination address before routing (DNAT)
- POSTROUTING -- modifies the source address after routing (SNAT/MASQUERADE)
- OUTPUT -- NAT for locally generated packets
Mangle table: modifies packet headers (TTL, TOS, marking packets for policy routing).
Packets traverse chains from top to bottom. The first matching rule determines the packet’s fate. If no rule matches, the chain’s default policy applies. Set default policies to DROP for INPUT and FORWARD, ACCEPT for OUTPUT — this gives you a default-deny posture for incoming and forwarded traffic.
Practical Rule Examples
Allow established connections and related traffic (this should be your first rule): `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`
Allow SSH from a specific management subnet: `iptables -A INPUT -p tcp -s 10.0.1.0/24 --dport 22 -j ACCEPT`
Allow HTTP and HTTPS from anywhere: `iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT`
Log and then drop everything else (two rules, in this order):
`iptables -A INPUT -j LOG --log-prefix "IPTables-Dropped: "`
`iptables -A INPUT -j DROP`
NAT Configuration
SNAT/Masquerade for outbound traffic (typical for a gateway/router): `iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE`
DNAT for port forwarding (forward external port 8080 to an internal web server), which needs a matching FORWARD rule:
`iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.100:80`
`iptables -A FORWARD -p tcp -d 192.168.1.100 --dport 80 -j ACCEPT`
MASQUERADE is simpler than SNAT because it automatically uses the outgoing interface's current IP address, making it appropriate for dynamic IP assignments. Use SNAT with a fixed IP for static configurations -- it is slightly more efficient.
Rate Limiting
Protect services from brute force and DoS (two rules):
`iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set`
`iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP`
This limits new SSH connections to 3 per minute per source IP. The recent module tracks source addresses and timestamps.
For broader rate limiting, the hashlimit module provides per-source-IP rate limiting without the connection tracking overhead: `iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-above 50/sec --hashlimit-burst 100 --hashlimit-mode srcip --hashlimit-name http -j DROP`
Stateful Filtering
The conntrack module is what makes IPTables a stateful firewall. It tracks connection states:
- NEW -- first packet of a connection
- ESTABLISHED -- part of an already established connection
- RELATED -- associated with an existing connection (like FTP data connections or ICMP error messages)
- INVALID -- packet does not belong to any known connection
Always drop INVALID state packets -- they are often the result of port scans, malformed packets, or network errors: ` iptables -A INPUT -m conntrack --ctstate INVALID -j DROP `
Save your rules with `iptables-save > /etc/iptables/rules.v4` and ensure they load on boot. On Debian/Ubuntu, the `iptables-persistent` package handles this.
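As an added example (not code from the article), here are the pieces above assembled into one default-deny ruleset in iptables-restore format, the same format iptables-save writes, plus an apply step that rolls the previous rules back automatically unless you confirm, so a wrong rule cannot lock you out. The subnets, interface and server address are constructed placeholders; the SSH rate-limit rules are placed ahead of the SSH accept rule so they are evaluated first, and the LOG rule is itself rate-limited so a scan cannot flood the log.

```shell
#!/bin/sh
# Emit a complete default-deny ruleset in iptables-restore format, then apply
# it with an automatic rollback. Constructed values: mgmt subnet, LAN, WAN, web.
MGMT_NET=10.0.1.0/24
LAN_NET=192.168.1.0/24
WAN_IF=eth0
WEB_SRV=192.168.1.100

# Rule order matters: conntrack shortcut first, INVALID drop, then the
# SSH rate limit, narrow allows, and finally a rate-limited LOG before DROP.
build_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
-A INPUT -s $MGMT_NET -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --set -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPTables-Dropped: "
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -p tcp -d $WEB_SRV --dport 80 -j ACCEPT
-A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport 8080 -j DNAT --to-destination $WEB_SRV:80
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Apply the ruleset (needs root); the previous one is restored after 60 seconds
# unless the operator confirms the new rules by killing the rollback job.
apply_with_rollback() {
  backup=$(mktemp) || return 1
  iptables-save > "$backup" || return 1
  build_ruleset | iptables-restore --test || return 1   # parse only, no commit
  ( sleep 60; iptables-restore < "$backup" ) & ROLLBACK_PID=$!
  build_ruleset | iptables-restore
  echo "Applied; run 'kill $ROLLBACK_PID' within 60s to keep the new rules."
}
```

Once confirmed, write the ruleset to /etc/iptables/rules.v4 with `build_ruleset > /etc/iptables/rules.v4` so iptables-persistent loads it on boot.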
Next Steps
- Assess your Linux security skills with the skills assessment
- Browse network and infrastructure security topics in the skills library
- Check your market value with the salary calculator for network security roles
Related Guides in This Series
- EDR: Endpoint Detection, Response, and Threat Hunting — HADESS | 2026
- Firewall Management: Rules, Zones, and Change Control — HADESS | 2026
- Hardware Security Modules: Key Management and Compliance — HADESS | 2026
Frequently Asked Questions
How long does it take to learn this skill?
Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.
Do I need certifications for this skill?
Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.
What career paths use this skill?
Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.
—
HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
