FixPedia
Linux

iptables Basics: Configuring a Linux Firewall to Secure Your Server

In this tutorial, you'll learn the fundamentals of iptables, how to create traffic filtering rules, and safely configure network access. By the end, your server will be protected against unauthorized connections.

Updated at April 4, 2026
15-20 min
Medium
FixPedia Team
Применимо к:Ubuntu 22.04/24.04 LTSDebian 12+RHEL 9 / AlmaLinux 9openSUSE Leap 15.5+

Introduction / Why You Need This

iptables is the standard network traffic filtering tool in the Linux kernel. Despite the ecosystem's gradual shift to nftables, it remains a working standard for packet management on servers and workstations. Proper firewall configuration blocks unauthorized access, hides unused services, and reduces network overhead. After completing this guide, you will be able to manually manage rule chains, open required ports, and implement a "deny all, except explicitly allowed" policy.

Prerequisites / Preparation

Before you begin, ensure you have root access or sudo privileges. All commands are executed in the terminal. It is recommended to connect via SSH and verify the utility is installed:

iptables --version

If the command is not found, install the package using your distribution's package manager (e.g., sudo apt install iptables or sudo dnf install iptables). Make sure you do not lock yourself out: keep access to your hosting provider's web console handy in case you lose connectivity.

Step 1: Clearing the Current Configuration

Start with a clean slate to prevent old rules from conflicting with the new policy. Run the following commands to remove all rules from all chains:

sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F

The -F option flushes the rules, while -X deletes user-defined chains. The command with -t nat resets the network address translation rules. This is a safe step because the default policy is usually set to ACCEPT, so active sessions will not be dropped.

Step 2: Setting Default Policies

Set strict rules for all incoming traffic. The server will drop packets unless there is an explicit rule allowing them.

sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

Here, DROP silently discards packets, making port scanning more difficult for attackers. Setting ACCEPT for outbound traffic allows the server to download updates and reach external APIs without requiring additional rules.

Step 3: Allowing Established and SSH Connections

To prevent your current SSH session from being interrupted, allow traffic for already established connections and explicitly open the remote access port.

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

The -m conntrack module tracks packet states. If a connection has already been initiated, it will be allowed through. The second command permits incoming TCP requests on port 22. If you are using a non-standard SSH port, replace 22 with your custom port number.

Step 4: Opening Web Ports and Local Access

If your server is running a web server or database, add the corresponding rules. It is also important to allow traffic on the loopback interface so that system utilities can communicate with each other.

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

The -i lo flag allows all traffic on the 127.0.0.1 interface. The rules for ports 80 and 443 make websites accessible to visitors. For other services (e.g., MySQL on port 3306), use similar syntax, but restrict access to trusted IPs using -s 192.168.1.0/24.

Verifying the Results

Verify that the rules were applied correctly by displaying the current configuration along with packet counts and traffic volume:

sudo iptables -L -n -v

The -n flag speeds up output by disabling reverse DNS resolution, while -v displays packet traversal statistics. You should see the INPUT chain with a DROP policy and ACCEPT lines for SSH, loopback, and web ports. Try accessing a website hosted on the server from a browser and connecting via SSH from another device. Both actions should complete without delays.

Troubleshooting

iptables v1.8.x: command not found Error or Version Conflicts In modern distributions, iptables may be a symlink to iptables-nft or iptables-legacy. Use sudo update-alternatives --config iptables to select the appropriate implementation if you encounter compatibility errors.

Loss of Access After Applying Policies If the INPUT DROP policy is activated before allowing SSH, you will be locked out of your session. Restore access via the VNC console and run sudo iptables -F. In the future, use the iptables-apply utility with an automatic timeout, which will roll back changes if connectivity is lost.

Rules Disappear After Rebootiptables stores rules only in RAM. To persist them, install iptables-persistent:

sudo apt install iptables-persistent
sudo netfilter-persistent save

On systemd-based systems, the service automatically loads rules from /etc/iptables/rules.v4 during OS startup. Regularly update this file after making changes to your network configuration.

F.A.Q.

Are iptables rules saved after a server reboot?
Can I still use iptables on modern Linux distributions?
What should I do if I accidentally lock myself out of SSH?

Hints

Check Status and Clear Existing Rules
Configure Default Policies
Allow Established Connections and SSH
Allow HTTP/HTTPS and Local Traffic
Save the Configuration

Did this article help you solve the problem?

FixPedia

Free encyclopedia for fixing errors. Step-by-step guides for Windows, Linux, macOS and more.

© 2026 FixPedia. All materials are available for free.

Made with for the community