# How iptables Works

iptables processes packets through chains of rules:

- INPUT — incoming traffic destined for this server
- OUTPUT — outgoing traffic from this server
- FORWARD — traffic passing through (routing/NAT)

Each rule matches criteria and takes an action (ACCEPT, DROP, REJECT). Rules in a chain are evaluated in order and the first match wins; a packet that matches nothing gets the chain's default policy.
## Viewing Rules

```bash
# List all rules with line numbers
sudo iptables -L -n -v --line-numbers

# List NAT rules
sudo iptables -t nat -L -n -v
```
## Basic Rules

```bash
# Allow established connections (replies to traffic this server started)
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP/HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Drop everything else: set the default policy for INPUT
sudo iptables -P INPUT DROP
```

> **Danger:** Always add the SSH allow rule BEFORE setting the default policy to DROP, or you'll lock yourself out immediately.
## Rate Limiting

```bash
# Limit SSH connections (prevent brute force): more than 4 new
# connections from one source within 60 seconds are dropped
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
```

These two rules must sit before the SSH ACCEPT rule in the INPUT chain (insert them with `-I` instead of `-A` if the ACCEPT is already there); otherwise the ACCEPT matches first and the DROP is never reached.
## Port Forwarding

```bash
# Forward port 8080 to internal service on port 3000
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 3000
```

PREROUTING only sees packets arriving from other hosts, and after the redirect they reach the INPUT chain with destination port 3000, so INPUT must accept port 3000 as well for the forwarding to work.
## Saving Rules

```bash
# Install persistence package
sudo apt install -y iptables-persistent

# Save current rules
sudo netfilter-persistent save

# Rules saved to:
# /etc/iptables/rules.v4
# /etc/iptables/rules.v6
```
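The commands in the Basic Rules, Rate Limiting and Port Forwarding sections each change the live firewall one step at a time, which is where the lockout risk comes from. The script below is an added example (not from the original page) that instead writes the same ruleset as one `iptables-restore` file, so the DROP policy and the ACCEPT rules take effect together on COMMIT. The variable names, the `SSH` recent-list name and the port defaults are assumptions for this example; `check_rules` refuses a ruleset whose rate-limit DROP is ordered after the SSH ACCEPT.

```bash
#!/bin/sh
# Added example, not from the original page: build the page's nat + filter
# rules as one iptables-restore file and sanity-check the ordering before
# loading. Variable names and defaults below are assumptions for this example.

SSH_PORT="${SSH_PORT:-22}"
WEB_PORTS="${WEB_PORTS:-80 443}"
REDIRECT_FROM="${REDIRECT_FROM:-8080}"   # public port
REDIRECT_TO="${REDIRECT_TO:-3000}"       # internal service port

emit() { printf '%s\n' "$1"; }

# Print a complete nat + filter ruleset in iptables-save format.
gen_rules() {
    emit '*nat'
    emit ':PREROUTING ACCEPT [0:0]'
    emit ':INPUT ACCEPT [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    emit ':POSTROUTING ACCEPT [0:0]'
    emit "-A PREROUTING -p tcp --dport $REDIRECT_FROM -j REDIRECT --to-ports $REDIRECT_TO"
    emit 'COMMIT'

    emit '*filter'
    # Policies are declared first but only apply on COMMIT, together with
    # the ACCEPT rules below, so there is no window without SSH access.
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    emit '-A INPUT -i lo -j ACCEPT'
    emit '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # The rate-limit DROP must precede the SSH ACCEPT or the ACCEPT matches first.
    emit "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --set --name SSH"
    emit "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP"
    emit "-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT"
    for p in $WEB_PORTS; do
        emit "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # After REDIRECT the packet reaches INPUT with the internal port as dport.
    emit "-A INPUT -p tcp --dport $REDIRECT_TO -j ACCEPT"
    emit 'COMMIT'
}

# Pre-load sanity check: succeeds only if SSH is accepted and the
# rate-limit DROP appears before that ACCEPT.
check_rules() {
    rules="$1"
    accept_line=$(emit "$rules" | grep -n -- "--dport $SSH_PORT -j ACCEPT" | cut -d: -f1)
    drop_line=$(emit "$rules" | grep -n -- 'recent --update .* -j DROP' | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$drop_line" -lt "$accept_line" ]
}
```

Typical use: `rules=$(gen_rules); check_rules "$rules" && printf '%s\n' "$rules" > rules.v4`, then `sudo iptables-restore --test < rules.v4` to parse it without committing, and `sudo iptables-restore < rules.v4` to load it atomically. Placing the file at `/etc/iptables/rules.v4` lets `iptables-persistent` reload it at boot, as described above.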
## UFW vs iptables

| Feature | UFW | iptables |
|---|---|---|
| Complexity | Simple | Full control |
| Learning curve | Minutes | Days |
| Application profiles | Yes | No |
| IPv6 | Automatic | Separate rules |
| Best for | Most users | Advanced setups |

> **Tip:** For most Kazepute users, UFW is sufficient and much safer to manage. Use raw iptables only when you need features UFW doesn't expose.