{"id":5614,"date":"2019-11-29T03:51:46","date_gmt":"2019-11-29T03:51:46","guid":{"rendered":"https:\/\/www.hostinger.com\/tutorials\/?p=5614"},"modified":"2026-05-28T17:46:30","modified_gmt":"2026-05-28T17:46:30","slug":"iptables-tutorial","status":"publish","type":"post","link":"\/my\/tutorials\/iptables-tutorial","title":{"rendered":"Iptables tutorial: securing VPS with Linux firewall"},"content":{"rendered":"

Iptables is a Linux firewall tool that lets you control which traffic reaches your VPS by configuring rules for allowing, blocking, forwarding, and filtering packets. <\/p>

It works through the netfilter framework built into the Linux kernel and remains one of the most widely used firewall solutions for Linux servers.<\/p>

Iptables organizes rules into tables, chains, matches, and targets. The safest setup order starts with allowing SSH and established connections before applying any DROP rules. Rules must be saved explicitly to persist after a reboot. <\/p>

Both UFW and nftables are viable alternatives depending on your needs.<\/p>

The main steps to configure iptables are:<\/p>

    \n
  1. Check and install iptables.<\/li>\n\n\n\n
  2. List existing rules.<\/li>\n\n\n\n
  3. Allow SSH before applying restrictive rules.<\/li>\n\n\n\n
  4. Add basic firewall rules.<\/li>\n\n\n\n
  5. Open common service ports.<\/li>\n\n\n\n
  6. Delete or flush rules.<\/li>\n\n\n\n
  7. Save rules permanently.<\/li>\n<\/ol>

    <\/p>

    What is iptables?<\/h2>

    Iptables is a command-line firewall tool that manages Linux firewall rules via the netfilter framework, a packet-filtering system built directly into the Linux kernel. Every packet that enters or leaves your server passes through netfilter, and iptables gives you the rules that decide what happens to it.<\/p>

    Iptables handles IPv4 traffic. For IPv6, you need ip6tables, which uses the same syntax but operates on a separate rule set.<\/p>

    Understanding iptables starts with five core concepts:<\/p>

    Concept<\/strong><\/td>What it is<\/strong><\/td><\/tr>
    Table<\/td>A collection of chains grouped by purpose. The main tables are filter<\/strong>, nat<\/strong>, and mangle<\/strong>.<\/td><\/tr>
    Chain<\/td>A list of rules within a table. Built-in chains include INPUT<\/strong>, OUTPUT<\/strong>, and FORWARD<\/strong>.<\/td><\/tr>
    Rule<\/td>A condition that a packet is checked against. If the packet matches, iptables applies the target.<\/td><\/tr>
    Match<\/td>The criteria used to evaluate a packet – source IP, destination port, protocol, and so on.<\/td><\/tr>
    Target<\/td>The action taken when a packet matches a rule: ACCEPT<\/strong>, DROP<\/strong>, RETURN<\/strong>, or REJECT<\/strong>.<\/td><\/tr><\/tbody><\/table><\/figure>

    Most basic VPS security<\/a> configurations use the filter table, which contains three default chains. INPUT handles incoming packets to the server. OUTPUT handles packets leaving the server. FORWARD handles packets routed to a destination other than the server.<\/p>

    How does iptables work?<\/h3>

    Iptables checks each packet against rules in a chain from top to bottom. The first rule that matches the packet applies, and iptables stops checking the rest of that chain. Rule order matters because an earlier rule can allow or block traffic before any later rules are evaluated.<\/p>

    There are two ways to add rules: the -A<\/strong> flag appends a rule to the bottom of a chain, and the -I<\/strong> flag inserts a rule at a specific position. That’s useful when you need a rule evaluated before existing ones. If you append a broad DROP rule before your SSH allow rule, you will lock yourself out; adding rules in the right order prevents that.<\/p>

    Always add essential allow rules – especially for SSH – before any rules that block or drop traffic.<\/p>

    What is the difference between iptables, ip6tables, and nftables?<\/h3>

    Iptables handles IPv4 firewall rules. ip6tables handles IPv6 firewall rules using the same command syntax, but the two rule sets are completely separate – a rule in iptables has no effect on IPv6 traffic, and vice versa.<\/p>

    Nftables is the newer Linux firewall framework that replaces both iptables and ip6tables. It handles IPv4 and IPv6 in a single rule set and uses a cleaner syntax. On modern Ubuntu versions, iptables commands may run through an nftables backend transparently, meaning your iptables rules are actually stored and processed by nftables under the hood.<\/p>

    For users who want simpler firewall management on Ubuntu without writing iptables rules directly, UFW is covered later in this guide.<\/p>

    How to configure iptables on Ubuntu VPS<\/h2>

    The safest way to set up a VPS<\/a> firewall with iptables is to build rules in a specific order: check existing rules first, then allow SSH, established connections, and required service ports before blocking anything. <\/p>

    Apply DROP rules last – skipping this order can lock administrators out of a server they can no longer reach.<\/p>

    1. Check and install iptables<\/h3>

    Iptables comes preinstalled on most Linux distributions. This tutorial uses Ubuntu VPS as the main example. To check whether iptables is already available on your system, run:<\/p>

    iptables --version<\/pre>
    If the command returns a version number, iptables is already installed. On modern Ubuntu versions, this may show a reference to the nftables backend, meaning iptables commands are processed by nftables under the hood. The syntax stays the same either way.<\/p>
    If iptables is not installed, run:<\/p>
    sudo apt update\n\nsudo apt install iptables<\/pre>
    2. List existing iptables rules<\/h3>
    Check your existing rules before adding new ones. An existing rule may already allow or block traffic you intend to configure, and adding duplicate or conflicting rules causes unpredictable behavior.<\/p>
    List all current rules with verbose output and line numbers:<\/p>
    sudo iptables -L -v -n --line-numbers<\/pre>
    The -n<\/strong> flag prints IP addresses and port numbers numerically instead of resolving them to hostnames, which is faster and easier to read. Line numbers identify each rule’s position in the chain – you will need them to delete or insert rules at specific positions. <\/p>
    The packet and byte counters in the output show whether traffic actually matches each rule, which helps with troubleshooting.<\/p>
    3. Allow SSH before changing firewall rules<\/h3>
        
    \n        Warning! <\/strong>Applying restrictive firewall rules before allowing SSH will lock you out of your VPS. There is no error message – the connection simply drops, and you lose access.    <\/p>\n    \n\n\n\n<\/p>
    Allow SSH before adding any DROP or REJECT rules. The default SSH port is 22:<\/p>
    sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT<\/pre>
    If you’ve changed your VPS’ SSH port<\/a>, replace 22<\/strong> with that port number instead. If you’re not sure, check your server configuration by opening this file:<\/p>
    sudo nano \/etc\/ssh\/sshd_config<\/pre>
    Passwords are the most common SSH authentication method, but setting up SSH keys<\/a> is more secure and worth doing before you lock down your firewall.<\/p>
    After adding the SSH rule, keep your current session open and test access from a second terminal window before saving any restrictive rules. If the second connection succeeds, it is safe to continue.<\/p>
    4. Add basic iptables firewall rules<\/h3>
    The remaining rules build out your firewall in order of priority. Add them in the sequence below to avoid blocking traffic you need.<\/p>
    Allow localhost traffic<\/strong><\/p>
    Traffic on the loopback interface stays within the server itself. Blocking it breaks internal communication between services running on the same machine, such as a web application connecting to a local database:<\/p>
    sudo iptables -A INPUT -i lo -j ACCEPT<\/pre>
    Allow established and related connections<\/strong><\/p>
    This rule allows traffic that belongs to connections your server already initiated or accepted. Without it, responses to outgoing requests get blocked:<\/p>
    sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT<\/pre>
    Allow HTTP and HTTPS<\/strong><\/p>
    Open ports 80 and 443 to allow web traffic:<\/p>
    sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT\n\nsudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT<\/pre>
    Block a specific IP address<\/strong><\/p>
    To drop all traffic from a single IP address:<\/p>
    sudo iptables -A INPUT -s 192.0.2.1 -j DROP<\/pre>
    Block an IP range<\/strong><\/p>
    Use the iprange<\/strong> module to drop traffic from a range of addresses:<\/p>
    sudo iptables -A INPUT -m iprange --src-range 192.0.2.1-192.0.2.254 -j DROP<\/pre>
    Drop invalid packets<\/strong><\/p>
    Invalid packets do not belong to any known connection and are often used in network attacks. Drop them before they reach your services:<\/p>
    sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP<\/pre>
    Drop all other incoming traffic<\/strong><\/p>
    Add this rule last. It drops any incoming traffic that has not matched an earlier ACCEPT rule. Placing it before your allow rules will block everything, including SSH:<\/p>
    sudo iptables -A INPUT -j DROP<\/pre>
    5. Open common service ports with iptables<\/h3>
    Each service running on your VPS uses a specific port, and iptables needs an explicit rule to allow traffic on that port:<\/p>
    Service<\/strong><\/td>Protocol<\/strong><\/td>Port<\/strong><\/td>Notes<\/strong><\/td><\/tr>
    SSH<\/td>TCP<\/td>22<\/td>Change the default port if possible<\/td><\/tr>
    HTTP<\/td>TCP<\/td>80<\/td>Required for unencrypted web traffic<\/td><\/tr>
    HTTPS<\/td>TCP<\/td>443<\/td>Required for encrypted web traffic<\/td><\/tr>
    MySQL<\/td>TCP<\/td>3306<\/td>Restrict to trusted IPs only<\/td><\/tr>
    PostgreSQL<\/td>TCP<\/td>5432<\/td>Restrict to trusted IPs only<\/td><\/tr>
    SMTP<\/td>TCP<\/td>25<\/td>Only if running a mail server<\/td><\/tr>
    IMAP<\/td>TCP<\/td>993<\/td>Only if running a mail server<\/td><\/tr><\/tbody><\/table><\/figure>
    Database ports like 3306 and 5432 should never be opened to the public internet. Restrict them to a trusted IP address or a private network interface instead:<\/p>
    sudo iptables -A INPUT -p tcp --dport 3306 -s 192.0.2.1 -j ACCEPT<\/pre>
    Replace 192.0.2.1<\/strong> with the IP address of the machine that needs database access.<\/p>
    6. Delete or flush iptables rules<\/h3>
    Deleting a specific rule removes it without touching the rest of your configuration; flushing removes all rules at once.<\/p>
    Deleting a specific rule<\/strong><\/p>
    To remove one rule without affecting the rest, use its line number. First, list rules with line numbers:<\/p>
    sudo iptables -L INPUT --line-numbers<\/pre>
    Then delete the rule at the position you want to remove. To delete rule number 3 from the INPUT chain:<\/p>
    sudo iptables -D INPUT 3<\/pre>
    Flushing all rules<\/strong><\/p>
    To remove all rules at once, use the -F<\/strong> flag:<\/p>
    sudo iptables -F<\/pre>
        
    \n        Warning!<\/strong> Flushing the rules on a remote VPS removes all allow rules and all block rules. If your default chain policy is DROP, flushing leaves you locked out. If the default policy is ACCEPT, flushing exposes all ports. Know your default policy before flushing.    <\/p>\n    \n\n\n\n<\/p>
    DROP vs REJECT<\/strong><\/p>
    When blocking traffic, you have two options. DROP silently discards the packet: the sender gets no response and the connection eventually times out. REJECT discards the packet and sends an error response to the sender, making troubleshooting easier but also confirming to the sender that the port exists.<\/p>
    Use DROP for public-facing rules where you do not want to reveal information about your server. Use REJECT in internal or development environments where faster feedback is useful.<\/p>
    7. Save iptables rules permanently<\/h3>
    Iptables rules are stored in memory and do not survive a reboot by default. To keep your rules after restarting the VPS, save them to a file.<\/p>
    Install iptables-persistent<\/strong><\/p>
    The iptables-persistent<\/strong> package automatically saves and loads rules. On Ubuntu, installing it also installs netfilter-persistent<\/strong>, which is the underlying service that loads the saved rules at boot:<\/p>
    sudo apt install iptables-persistent<\/pre>
    During installation, you will be prompted to save your current IPv4 and IPv6 rules. Choose Yes<\/strong> for both.<\/p>
    Save rules manually<\/strong><\/p>
    If you installed iptables-persistent<\/strong>, the \/etc\/iptables\/<\/strong> directory already exists. After adding or changing rules, save them so they persist through reboots:<\/p>
    sudo netfilter-persistent save<\/pre>
    This writes both IPv4 and IPv6 rules to \/etc\/iptables\/rules.v4<\/strong> and \/etc\/iptables\/rules.v6<\/strong>, respectively.”<\/p>
    Restore rules manually<\/strong><\/p>
    If you need to reload saved rules without rebooting:<\/p>
    sudo iptables-restore < \/etc\/iptables\/rules.v4\n\nsudo ip6tables-restore < \/etc\/iptables\/rules.v6<\/pre>
    Verify after reboot<\/strong><\/p>
    After restarting your VPS, confirm that the rules loaded correctly:<\/p>
    sudo iptables -L -v -n<\/pre>
    The output should match the rules you saved before rebooting.<\/p>
    How to configure NAT and port forwarding with iptables<\/h2>
    NAT and port forwarding are used when your VPS acts as a gateway, router, VPN endpoint<\/a>, or traffic forwarder – routing packets between networks or redirecting traffic from one port to another. These rules use the NAT table rather than the filter table used in the steps above.<\/p>
    Port forwarding also requires IP forwarding to be enabled at the kernel level. To enable it temporarily:<\/p>
    sudo sysctl -w net.ipv4.ip_forward=1<\/pre>
    To make it permanent, add the following line to \/etc\/sysctl.conf<\/strong>:<\/p>
    net.ipv4.ip_forward=1<\/pre>
    Then apply the change:<\/p>
    sudo sysctl -p<\/pre>
    To forward traffic arriving on port 80 to a different host on your network:<\/p>
    sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.0.2.1:80\n\nsudo iptables -t nat -A POSTROUTING -j MASQUERADE<\/pre>
    If your FORWARD<\/strong> chain policy is set to DROP<\/strong>, you also need to allow the forwarded traffic explicitly:<\/p>
    sudo iptables -A FORWARD -p tcp -d 192.0.2.1 --dport 80 -j ACCEPT<\/pre>
    iptables vs UFW: Which firewall tool should you use?<\/h2>
    Iptables gives you direct control over every aspect of your firewall, such as rule order, NAT, port forwarding, custom chains, and compatibility with existing scripts. That control comes at a cost: the syntax is verbose, rule order is unforgiving, and mistakes on a remote VPS can lock you out instantly.<\/p>
    UFW (Uncomplicated Firewall) is a frontend for iptables that simplifies common firewall tasks on Ubuntu. If you only need to allow SSH, HTTP, and HTTPS, you can configure a firewall on Ubuntu using UFW<\/a> with a handful of commands and no risk of rule-ordering mistakes.<\/p>
    Nftables is the more modern long-term replacement for iptables. It handles IPv4 and IPv6 in a single rule set and uses a cleaner syntax, but it requires learning a new framework from scratch.<\/p>
    The right tool depends on what you need:<\/p>