
Linux Iptables with Examples

Iptables is a command line interface used to set up and maintain tables for the Netfilter firewall for IPv4, included in the Linux kernel. The firewall matches packets with rules defined in these tables and then takes the specified action on a possible match.

  • Table is the name for a set of chains.

  • Chain is a collection of rules.

  • Rule is a condition used to match a packet.

  • Target is the action taken when a rule matches. Examples of targets are ACCEPT, DROP and QUEUE.

  • Policy is the default action taken by a built-in chain when no rule matches; it can be ACCEPT or DROP.


Here are the table options:

  • filter: The default table, used for packet filtering. It includes the INPUT, OUTPUT and FORWARD chains.

  • nat: Used for Network Address Translation. It includes the PREROUTING and POSTROUTING chains.

  • mangle: For specialised packet alteration. Built-in chains include PREROUTING and OUTPUT.

  • raw: Configures exemptions from connection tracking. Built-in chains are PREROUTING and OUTPUT.

  • security: Used for Mandatory Access Control.


Here are the built-in chains included in the tables:

  • INPUT: rules for packets destined to local sockets.

  • FORWARD: rules for packets routed through the device.

  • OUTPUT: rules for locally generated packets that are to be sent out.

  • PREROUTING: for modifying packets as they arrive, before routing.

  • POSTROUTING: for modifying packets as they leave, after routing.

Restore Firewall Rules

To restore firewall rules from a file called /root/, enter:

#iptables-restore < /root/

To restore firewall rules under CentOS / RHEL / Fedora Linux, enter:

#service iptables restart

Iptables Examples:

Only Block Incoming Traffic

To drop all incoming and forwarded packets but allow outgoing traffic, enter:

#iptables -P INPUT DROP
#iptables -P FORWARD DROP
#iptables -P OUTPUT ACCEPT
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -L -v -n

The state match must not include NEW: with NEW accepted, every new inbound connection would be admitted and the INPUT DROP policy would have no effect. ESTABLISHED,RELATED lets in only replies to connections this host initiated.

### *** now ping and wget should work *** ###



Drop Private Network Address On Public Interface

Anti-spoofing means dropping packets that arrive on your public interface with a source address from the IPv4 private network ranges (RFC 1918). Packets with such non-routable source addresses should be dropped using the following syntax:

#iptables -A INPUT -i eth1 -s -j DROP
#iptables -A INPUT -i eth1 -s -j DROP
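As an added example (not the article's own commands), the "block incoming" policy and the anti-spoofing drops above combined into one iptables-restore file, which loads atomically and can be parsed with iptables-restore --test before it touches the live firewall. It assumes eth1 is the public interface, uses the RFC 1918 ranges plus 127.0.0.0/8 as the non-routable sources, and writes the state match as -m conntrack --ctstate (the current form of -m state) without NEW.

```shell
# Added example, not the article's own commands: the "block incoming, allow
# outgoing" policy and the anti-spoofing drops as one iptables-restore file.
# One file loads atomically and can be checked with 'iptables-restore --test'
# before it touches the live firewall. Assumption: eth1 is the public interface.

PUBLIC_IF="${PUBLIC_IF:-eth1}"

# Print a complete filter-table ruleset in iptables-restore format.
gen_inbound_block_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first: local services (DNS cache, database sockets) need it.
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: these source ranges never legitimately arrive from the
# Internet (RFC 1918 private ranges and the loopback net).
-A INPUT -i $PUBLIC_IF -s 10.0.0.0/8 -j DROP
-A INPUT -i $PUBLIC_IF -s 172.16.0.0/12 -j DROP
-A INPUT -i $PUBLIC_IF -s 192.168.0.0/16 -j DROP
-A INPUT -i $PUBLIC_IF -s 127.0.0.0/8 -j DROP
# Let in only replies to connections this host opened. Adding NEW here
# would accept every inbound connection and make the DROP policy moot.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
}

# Self-check: a ruleset meant to block inbound must accept no NEW state on INPUT.
count_new_accepts() {
    gen_inbound_block_ruleset | grep -c -- '-A INPUT.*NEW.*-j ACCEPT' || true
}

# Dry-run parse, then load (needs root and the iptables tools installed).
apply_ruleset() {
    command -v iptables-restore >/dev/null 2>&1 || { echo "iptables-restore not found" >&2; return 1; }
    rules=$(mktemp)
    gen_inbound_block_ruleset > "$rules"
    iptables-restore --test "$rules" && iptables-restore "$rules"
}

gen_inbound_block_ruleset
```

Run the script to review the generated file, and call apply_ruleset as root only after the --test parse succeeds.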

Block Incoming Port Requests (BLOCK PORT)

To block all service requests on port 80, enter:

#iptables -A INPUT -p tcp --dport 80 -j DROP
#iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP

To block port 80 only for an ip address, enter:

#iptables -A INPUT -p tcp -s --dport 80 -j DROP
#iptables -A INPUT -i eth1 -p tcp -s --dport 80 -j DROP

Block Outgoing IP Address

To block outgoing traffic to a particular host or domain, first resolve its IP address with the host or dig command:

host -t a

Sample outputs: has address

Note down its IP address and enter the following to block all outgoing traffic to it:

#iptables -A OUTPUT -d -j DROP

You can use a subnet as follows:

#iptables -A OUTPUT -d -j DROP
#iptables -A OUTPUT -o eth1 -d -j DROP

Redirect port 80 to 8080

#iptables -t nat -A PREROUTING -i $interfaceName -p tcp --dport $srcPortNumber -j REDIRECT --to-port $dstPortNumber

To redirect all incoming traffic on port 80 to port 8080, enter:

#iptables -t nat -I PREROUTING --src 0/0 --dst -p tcp --dport 80 -j REDIRECT --to-ports 8080

Port Forwarding

You can use sysctl to check whether forwarding is enabled. Use the command below:

[root@kingoncloud ~]#  sysctl -a |grep -i eth0.forwarding
net.ipv4.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.forwarding = 0

Since both values are zero, forwarding is disabled for IPv4 and IPv6 on interface eth0, so port forwarding cannot work yet.

Alternatively, read the same values from the proc filesystem:

[root@kingoncloud ~]# cat /proc/sys/net/ipv4/conf/eth0/forwarding
[root@kingoncloud ~]# cat /proc/sys/net/ipv6/conf/eth0/forwarding

The proc filesystem also shows zero values, confirming that forwarding is disabled on this system. We first need to enable forwarding and then configure the port forwarding rules in iptables.

How to enable port forwarding in Linux

Either of the methods used above for checking can also enable forwarding, but using the sysctl command is recommended over writing 1 into the proc files by hand.

Enable forwarding using the sysctl command:

[root@kingoncloud ~]# sysctl net.ipv4.conf.eth0.forwarding=1
net.ipv4.conf.eth0.forwarding = 1
[root@kingoncloud ~]# sysctl net.ipv6.conf.eth0.forwarding=1
net.ipv6.conf.eth0.forwarding = 1

To make the setting persistent across reboots, add the parameters to /etc/sysctl.conf and reload it:

[root@kingoncloud ~]# echo "net.ipv4.conf.eth0.forwarding = 1">>/etc/sysctl.conf
[root@kingoncloud ~]# echo "net.ipv6.conf.eth0.forwarding = 1">>/etc/sysctl.conf
[root@kingoncloud ~]# sysctl -p
net.ipv4.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1

Now that forwarding is enabled on the server, we can configure the port forwarding rules with iptables.

Here we will forward port 80 to port 8080 on another host. Do not confuse port forwarding with port redirection: REDIRECT (previous section) sends traffic to a different port on this host, while DNAT sends it to a different host.

We need to insert an entry in the PREROUTING chain of the nat table with the DNAT target. The commands are as follows:

# iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to
# iptables -A FORWARD -p tcp -d --dport 8080 -j ACCEPT

Change the interface, IP address and ports as required. The first command rewrites the destination of packets arriving on port 80 to the target IP on port 8080. The rewritten packet then traverses the FORWARD chain, so the second command accepts it there. Two points to check: if the FORWARD policy is DROP, the reply packets also need a rule accepting the ESTABLISHED,RELATED states, and the target host must route its replies back through this machine (otherwise add a source NAT in POSTROUTING).
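As an added example (not the article's own commands), the DNAT forwarding above generated as an iptables-restore fragment together with the FORWARD rules it needs and a check of the per-interface forwarding sysctl from the previous section. The interface eth0, public port 80, target 10.0.0.5 and port 8080 are constructed values, and the fragment is meant to be loaded with iptables-restore --noflush so rules already in INPUT and OUTPUT are kept.

```shell
# Added example, not the article's own commands: emit the nat and filter rules
# for forwarding TCP port $2 on interface $1 to $3:$4 in iptables-restore
# format. Apply with 'iptables-restore --noflush FILE' so rules already in
# INPUT/OUTPUT are kept; only the policy named here (FORWARD) is changed.
# Constructed values used in the usage line: eth0, 80, 10.0.0.5, 8080.

# gen_port_forward IFACE PUBLIC_PORT TARGET_IP TARGET_PORT
gen_port_forward() {
    iface=$1; pub_port=$2; target_ip=$3; target_port=$4
    # Reject non-numeric or out-of-range ports before iptables-restore sees them.
    case "$pub_port$target_port" in *[!0-9]*) echo "ports must be numeric" >&2; return 1;; esac
    [ "$pub_port" -ge 1 ] && [ "$pub_port" -le 65535 ] || return 1
    [ "$target_port" -ge 1 ] && [ "$target_port" -le 65535 ] || return 1
    cat <<EOF
*nat
# Rewrite the destination before routing: this is port forwarding to another
# host, unlike REDIRECT, which only changes the port on this host.
-A PREROUTING -i $iface -p tcp --dport $pub_port -j DNAT --to-destination $target_ip:$target_port
# If $target_ip does not route its replies back through this box, uncomment
# the next line so the forwarded flow is source-NATed and replies return here.
# -A POSTROUTING -p tcp -d $target_ip --dport $target_port -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
# Admit only new flows to the forwarded port, plus reply traffic for them.
-A FORWARD -i $iface -p tcp -d $target_ip --dport $target_port -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# DNAT alone is not enough: the kernel must forward on the inbound interface
# (the sysctl checked above), or the rewritten packet is dropped after PREROUTING.
forwarding_enabled() {
    f=/proc/sys/net/ipv4/conf/$1/forwarding
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

gen_port_forward eth0 80 10.0.0.5 8080
```

Check forwarding_enabled eth0 before loading the fragment; if it returns false, set the sysctl as shown earlier.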
