iptables / nftables
Control network traffic, configure firewall rules, and set up NAT/port forwarding with iptables and nftables on Linux.
- iptables / nftables
- What iptables and nftables Do and When to Use Them
- Core Concepts of iptables / nftables
- iptables Tables and Chains
- nftables Tables, Chains, and Sets
- Rule Processing Order
- Common Tasks with iptables / nftables
- How to List Current Firewall Rules with iptables
- How to Allow Incoming SSH Traffic with iptables
- How to Block an IP Address with iptables
- How to Set Up NAT/Masquerading with iptables
- How to Save and Restore iptables Rules
- How to List Rules with nftables
- iptables / nftables Troubleshooting
- Related Tools and Guides
iptables / nftables
iptables is the traditional Linux firewall administration tool that configures Netfilter packet filtering rules in the kernel; nftables is its modern replacement, providing a unified framework for packet filtering, NAT, and traffic classification on Linux.
What iptables and nftables Do and When to Use Them
iptables and nftables control network traffic at the kernel level by defining rules that match packets and apply actions (accept, drop, reject, masquerade, redirect). System administrators use them to restrict incoming connections, set up Network Address Translation (NAT), forward ports, and rate-limit traffic.
iptables uses separate tools for IPv4 (`iptables`), IPv6 (`ip6tables`), ARP (`arptables`), and bridging (`ebtables`). nftables unifies all four into a single command (`nft`) with a consistent syntax. Debian 10+, Ubuntu 20.10+, RHEL 8+, and Fedora 18+ ship nftables as the default backend. The `iptables` command on these systems is often a compatibility wrapper (`iptables-nft`) that translates iptables syntax into nftables rules.
UFW (Uncomplicated Firewall) is a frontend to iptables/nftables — it generates firewall rules from simpler commands. Use UFW for straightforward allow/deny rules. Use iptables or nftables directly when you need NAT, custom chains, per-connection tracking, or advanced packet mangling. See the UFW article.
Core Concepts of iptables / nftables
iptables Tables and Chains
iptables organizes rules into tables, and each table contains chains. The `filter` table (default) has three built-in chains: `INPUT` (incoming traffic to the host), `OUTPUT` (outgoing traffic from the host), and `FORWARD` (traffic passing through the host as a router). The `nat` table handles address translation with `PREROUTING`, `POSTROUTING`, and `OUTPUT` chains.
nftables Tables, Chains, and Sets
nftables uses the same conceptual model but with a different syntax. Tables in nftables are user-defined (not pre-existing). Chains must be explicitly created and assigned a hook (input, output, forward, prerouting, postrouting) and a priority. nftables supports sets and maps — named collections of IPs, ports, or interfaces that can be referenced in rules for efficient matching.
Rule Processing Order
Both iptables and nftables evaluate rules sequentially within a chain. The first matching rule determines the packet's fate. If no rule matches, the chain's default policy applies (usually ACCEPT or DROP). Place the most specific rules first and catch-all rules last.
Common Tasks with iptables / nftables
How to List Current Firewall Rules with iptables
iptables lists active rules in the filter table with the `-L` flag. Add `-n` to show numeric addresses and `-v` for packet counters:

```sh
sudo iptables -L -n -v
```

How to Allow Incoming SSH Traffic with iptables
iptables appends a rule to the INPUT chain to accept TCP connections on port 22:

```sh
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
```

How to Block an IP Address with iptables
iptables drops all packets from a specific source IP:

```sh
sudo iptables -A INPUT -s 203.0.113.45 -j DROP
```

How to Set Up NAT/Masquerading with iptables
iptables enables source NAT (masquerading) for hosts behind a gateway. This allows internal hosts to access the internet through the gateway's public IP:

```sh
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1
```

How to Save and Restore iptables Rules
iptables rules are lost on reboot unless saved. Save the current rules to a file and restore them:

```sh
sudo iptables-save > /etc/iptables/rules.v4
sudo iptables-restore < /etc/iptables/rules.v4
```

On Ubuntu/Debian, install `iptables-persistent` to automatically save and restore rules at boot.
How to List Rules with nftables
nftables displays all rules across all tables with the `nft list ruleset` command:

```sh
sudo nft list ruleset
```

iptables / nftables Troubleshooting
| Error / Symptom | Cause | Fix |
|---|---|---|
| Rules are lost after reboot | Rules were not saved to a persistent file | → Full article |
| Docker bypasses iptables/UFW rules | Docker inserts its own FORWARD chain rules before user rules | → Full article |
| iptables: No chain/target/match by that name | A referenced chain or module is not loaded | → Full article |
| Locked out after applying DROP policy | Default policy was set to DROP before allowing SSH | → Full article |
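The following nftables ruleset is an added example, not part of the original page, tying together the concepts above: a user-defined table, chains with explicit hooks and priorities, a named set, first-match ordering with the SSH accept rule loaded together with the drop policy (so the lockout in the last table row cannot occur), and masquerading. The interface names eth0 (uplink) and eth1 (LAN) and the RFC 5737 addresses are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original page. Assumes eth0 is the uplink,
# eth1 the LAN side, and uses RFC 5737 documentation addresses.
flush ruleset

table inet filter {
    # Named set referenced by a rule below; 'interval' allows CIDR entries
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.45, 198.51.100.0/24 }
    }

    chain input {
        # Hook, priority and default policy are declared explicitly
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Specific rules first: blocked sources never reach the SSH rule
        ip saddr @blocklist drop

        # SSH accept is applied in the same transaction as the drop policy
        tcp dport 22 accept

        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Only LAN-originated traffic may be routed out via the uplink
        iifname "eth1" oifname "eth0" accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        # srcnat priority: runs after the forward chain has accepted the packet
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" masquerade
    }
}
```

Save it as, for example, /etc/nftables.conf and load it with `sudo nft -f /etc/nftables.conf`; the whole file is applied as one atomic transaction, so the drop policy never takes effect without the SSH accept rule. Forwarding still requires `net.ipv4.ip_forward=1`, and a `sysctl -w` setting does not survive a reboot unless written to sysctl configuration.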
Related Tools and Guides
UFW is a simplified frontend to iptables/nftables for basic allow/deny rules. See the UFW article.
Fail2Ban uses iptables or nftables actions to ban IPs that trigger failed login patterns. See the Fail2Ban article.
Docker manipulates iptables rules directly, which can conflict with user-defined firewall rules. See the Docker article.