iptables Network Packet Filtering Examples

This cheatsheet provides practical examples for using iptables to manage network traffic and firewall rules. It covers common scenarios like prerouting and destination NAT (DNAT).

Prerouting and DNAT Configuration

This section demonstrates how to configure iptables for prerouting traffic. For instance, redirecting incoming connections from a client to a specific destination IP address and port.

Scenario: A client connects to host (10.20.1.1:2098), and this connection needs to be forwarded to a destination IP and port (10.22.23.4:22).

# Create and insert a DNAT rule at the top of the PREROUTING chain
iptables -t nat -I PREROUTING -p tcp --dport 2098 -j DNAT --to-destination 10.22.23.4:22

# Create and append a DNAT rule to the PREROUTING chain
iptables -t nat -A PREROUTING -p tcp --dport 2098 -j DNAT --to-destination 10.22.23.4:22

# Delete a specific DNAT rule from the PREROUTING chain
iptables -t nat -D PREROUTING -p tcp --dport 2098 -j DNAT --to-destination 10.22.23.4:22

Understanding iptables Chains and Targets

The PREROUTING chain in the nat table is crucial for modifying packets before they are routed. The DNAT target allows you to change the destination IP address and port of incoming packets.

Managing iptables Rules

Effectively managing firewall rules involves knowing how to add, insert, and delete rules. Using the -I option inserts a rule at a specific position, while -A appends it to the end. The -D option is used for deletion.

Further Resources

For a deeper understanding of the differences between DNAT and REDIRECT in iptables, refer to the following resource:

• Difference between DNAT and REDIRECT in iptables