
Managing Firewall Rules with iptables on Linux Server
Ahmet Yılmaz
Senior Infrastructure Engineer
iptables is a packet filtering tool that runs on the Linux kernel's netfilter framework. It lets you control all network traffic entering and leaving your server. A properly configured iptables ruleset blocks unauthorized access, slows brute force attacks, and ensures only necessary services are exposed. This guide covers iptables management from basic rules to rate limiting.
iptables Basic Concepts
iptables operates on three main chains: INPUT (incoming traffic), OUTPUT (outgoing traffic), and FORWARD (routed traffic). Rules in each chain are evaluated in order, from top to bottom; the first rule that matches the packet and carries a target decides its fate, and later rules are never consulted. The chain's default policy determines what happens when no rule matches.
| Chain | Direction | Usage |
|---|---|---|
| INPUT | External to server | SSH, HTTP, HTTPS access control |
| OUTPUT | Server to external | DNS, updates, API calls |
| FORWARD | Through the server | NAT, VPN, container networks |
Basic Security Rules
The following ruleset creates a basic security configuration for a web server. The default policy is set to DROP and only permitted traffic is accepted:
```bash
#!/bin/bash
# Flush existing rules and delete user-defined chains
iptables -F
iptables -X
# Default policy: drop everything that no rule accepts
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
# Allow replies to connections the server already has open
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH (port 22 or custom port)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# HTTP and HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# ICMP (ping) - rate limited to one echo request per second
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
```
⚠️ Important: Make sure your SSH rule is correct before setting the INPUT policy to DROP. Incorrect configuration can permanently lock you out of the server. If working remotely, first set up a cron job that resets rules as a safety net.
Rate Limiting and Brute Force Protection
Limiting SSH brute force attacks with iptables provides an additional layer of protection alongside Fail2Ban:
```bash
# SSH brute force protection with the recent module: every NEW connection to
# port 22 is recorded per source address; the 4th attempt within 60 seconds
# from the same address (and every attempt after it) is dropped.
# Both rules must be evaluated BEFORE the "--dport 22 -j ACCEPT" rule from the
# ruleset above: place them ahead of it in the script (or insert them with -I).
# Appended after the ACCEPT rule they are never reached.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
    -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
    -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
# HTTP flood protection with connlimit: drop further connections from any
# single source address that already holds more than 25 concurrent connections
# to port 80 (connlimit counts open connections per address, not a rate).
# Like the SSH rules, this one has to precede the "--dport 80 -j ACCEPT" rule.
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 25 -j DROP
```
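To make the two points above concrete (rules are evaluated top to bottom, and a rate-limit rule appended after the matching ACCEPT never fires), here is an added example that is not code from the article: a small Python model of INPUT-chain evaluation. It parses the subset of iptables syntax the page uses and simulates the recent module's per-address timestamp list; the limit module and ICMP types are not modelled and are treated as matching. The source addresses, interface names and arrival times are constructed sample values, and GOOD/BAD are the page's rules in the correct and in the broken order.

```python
"""Offline model of how the INPUT chain evaluates the page's ruleset (added
example; no root or kernel access needed, all state is simulated)."""
import shlex
from dataclasses import dataclass, field

# Options that take no value in the iptables subset parsed here.
FLAGS = {"--set", "--update", "--rcheck"}


@dataclass
class Packet:
    src: str                # source address (constructed sample values below)
    proto: str = "tcp"
    dport: int = 0
    iface: str = "eth0"
    ctstate: str = "NEW"    # conntrack state as the kernel would classify it
    t: float = 0.0          # arrival time in seconds; drives --seconds windows


@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: list = field(default_factory=list)
    recent: dict = field(default_factory=dict)  # --name -> {src: [timestamps]}


def parse_rules(text):
    """Parse -P INPUT and -A INPUT lines into an ordered Chain; other lines
    (-F, -X, other chains, comments) are ignored."""
    chain = Chain()
    for line in text.splitlines():
        argv = shlex.split(line.split("#", 1)[0])
        if argv and argv[0] == "iptables":
            argv = argv[1:]
        if not argv:
            continue
        if argv[0] == "-P" and argv[1] == "INPUT":
            chain.policy = argv[2]
        elif argv[0] == "-A" and argv[1] == "INPUT":
            opts, i = {}, 2
            while i < len(argv):
                if argv[i] == "-m":            # module name only; options follow
                    i += 2
                elif argv[i] in FLAGS:
                    opts[argv[i]] = True
                    i += 1
                else:
                    opts[argv[i]] = argv[i + 1]
                    i += 2
            chain.rules.append({"target": opts.pop("-j", None), "opts": opts})
    return chain


def matches(chain, rule, pkt):
    """True when every option on the rule matches the packet. The recent
    list is updated here because the kernel does that at match time too."""
    o = rule["opts"]
    if o.get("-i", pkt.iface) != pkt.iface or o.get("-p", pkt.proto) != pkt.proto:
        return False
    if "--dport" in o and int(o["--dport"]) != pkt.dport:
        return False
    if "--ctstate" in o and pkt.ctstate not in o["--ctstate"].split(","):
        return False
    name = o.get("--name", "DEFAULT")
    if "--set" in o:                       # record this source; always matches
        chain.recent.setdefault(name, {}).setdefault(pkt.src, []).append(pkt.t)
        return True
    if "--update" in o or "--rcheck" in o:
        stamps = chain.recent.get(name, {}).get(pkt.src)
        if stamps is None:
            return False
        window = float(o.get("--seconds", 0))  # 0 means "count every stamp"
        hits = sum(1 for s in stamps if window == 0 or pkt.t - s <= window)
        if hits < int(o.get("--hitcount", 1)):
            return False
        if "--update" in o:                # --update refreshes the entry on match
            stamps.append(pkt.t)
        return True
    return True                             # -m limit / --icmp-type not modelled


def verdict(chain, pkt):
    """First matching rule with a target decides. A recent --set rule has no
    target, so evaluation continues past it. No match at all: the policy."""
    for rule in chain.rules:
        if matches(chain, rule, pkt) and rule["target"]:
            return rule["target"]
    return chain.policy


def flush(chain):
    """Model of `iptables -F`: the rules go, the policy stays."""
    return Chain(policy=chain.policy)


def ssh_verdicts(rules_text, attempts=5, src="203.0.113.7"):
    """Verdicts for successive NEW SSH connections, one per second, from src."""
    chain = parse_rules(rules_text)
    return [verdict(chain, Packet(src=src, dport=22, t=float(i))) for i in range(attempts)]


# The page's rules with the brute-force pair placed BEFORE the port-22 ACCEPT.
GOOD = """
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
"""
# The same pair appended after the ACCEPT, which is what a plain -A does.
_lines = GOOD.strip().splitlines()
BAD = "\n".join(_lines[:3] + [_lines[5]] + _lines[3:5] + _lines[6:])

if __name__ == "__main__":
    print("rate limit before ACCEPT:", ssh_verdicts(GOOD))
    print("rate limit after ACCEPT: ", ssh_verdicts(BAD))
    print("SSH after -F, policy DROP:", verdict(flush(parse_rules(GOOD)), Packet("203.0.113.7", dport=22)))
```

With GOOD the fourth and fifth SSH attempts within the window are dropped; with BAD all five are accepted because the ACCEPT rule wins first. The last line shows why a safety net that only flushes rules does not restore access when the INPUT policy is DROP.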
Use the iptables-persistent package to make rules persistent. For detailed SSH hardening, check our SSH Hardening guide, and for DDoS protection, see our DDoS Protection guide. Build a secure infrastructure with Hosted Cloud servers.
Frequently Asked Questions
Should I use iptables or nftables?
nftables is the modern successor to iptables and offers better performance. However, iptables is still widely used and most guides use iptables syntax. nftables is recommended for new setups; iptables continues to work fine on existing systems.
Do iptables rules persist across reboots?
No, iptables rules are held in kernel memory by default. Make them persistent with the iptables-persistent package: `sudo apt install iptables-persistent` and `sudo netfilter-persistent save`.
What if I lock myself out with a wrong rule?
To prevent remote access loss, set up a cron job before applying rules: `*/5 * * * * /sbin/iptables -P INPUT ACCEPT && /sbin/iptables -F`. This resets the INPUT policy to ACCEPT and flushes the rules every 5 minutes. Flushing alone is not enough: `iptables -F` removes the rules but leaves the DROP policy in place, which would still lock you out. Remove the cron job once you've confirmed everything works correctly.
Does Docker conflict with iptables?
Docker adds its own iptables rules and uses the FORWARD chain. Use the DOCKER-USER chain to control network access for Docker containers. Disabling Docker's iptables management is not recommended.
What's the difference between UFW and iptables?
UFW (Uncomplicated Firewall) is a simplified interface built on top of iptables. It creates iptables rules behind the scenes. UFW is sufficient for simple configurations; use iptables directly for advanced rules (rate limiting, conntrack).
Conclusion
iptables is a fundamental building block of Linux server security. Use a default DROP policy to open only necessary ports, slow brute force attacks with rate limiting, and efficiently manage existing connections with conntrack. Remember to make rules persistent with iptables-persistent and take precautions against access loss before making changes.
With over 10 years of experience in cloud infrastructure and DevOps, Ahmet specializes in Kubernetes, Terraform, and high-availability architectures.