Fading Coder


Understanding iptables: NAT and Filter Tables Configuration


NAT Table Overview

The NAT (Network Address Translation) table handles IP address and port translation for network packets.

Chain        Purpose
PREROUTING   Modifies the destination address/port of incoming packets; used for port forwarding and IP mapping
POSTROUTING  Modifies the source address/port of outgoing packets; used for NAT/masquerading
OUTPUT       Modifies the destination address of locally generated packets

Filter Table Reference

Chain    Purpose
INPUT    Packets destined for a local socket
FORWARD  Packets being routed through the system
OUTPUT   Locally generated packets

Filter Table Configuration

Environment Setup

Install and enable iptables on both servers:

# Verify package installation
rpm -qa iptables-services

# Check package contents (output follows)
rpm -ql iptables-services
/etc/sysconfig/iptables
/usr/lib/systemd/system/iptables.service

# Stop firewalld and enable iptables
systemctl stop firewalld
systemctl restart iptables
systemctl enable iptables

Load required kernel modules:

modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state

Verify module loading:

lsmod | egrep 'nat|ipt|filter'

Expected output shows loaded modules:

nf_nat_ftp             12770  0 
nf_conntrack_ftp       18638  1 nf_nat_ftp
ipt_MASQUERADE         12678  1 
nf_nat_masquerade_ipv4    13412  1 ipt_MASQUERADE
iptable_filter         12810  1 
iptable_nat            12875  1 
nf_nat_ipv4            14115  1 iptable_nat
ip_tables              27126  2 iptable_filter,iptable_nat

Blocking SSH Port Access

Clear existing rules:

iptables -F
iptables -X
iptables -Z
iptables -nL

Default output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination       

Add rule to block SSH (port 22):

iptables -t filter -A INPUT -p tcp --dport 22 -j DROP

Important: This will terminate your SSH session, because the rule drops every packet to port 22, including those of the connection you are using. Recovery options:

  1. Access the server console directly to remove the rule
  2. Have data center staff restart the server
  3. Use a remote management card (recommended)
  4. Before applying the rule, schedule a job that periodically disables the firewall, so a lockout is undone automatically

Delete the blocking rule:

iptables -nL --line-numbers
iptables -t filter -D INPUT 1
iptables -nL --line-numbers
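The recovery list above and the NAT overview at the top of the article are both easier to get right when the rules are written to a file and loaded atomically with iptables-restore instead of typed one at a time. The following script is an added example and not code from the original article: it generates a filter ruleset that allows SSH only from a management subnet while keeping the operator's own established session alive (the ESTABLISHED,RELATED rule is evaluated before the DROP), a nat ruleset with the PREROUTING port forward and POSTROUTING masquerade the overview describes, and an apply function that implements recovery option 4 as a one-shot rollback timer. The subnet, interface, host, port and grace period are assumed values.

```shell
#!/bin/sh
# Added example (not from the original article). All addresses, interface
# names and ports are assumptions chosen for illustration.

# build_ruleset SUBNET PORT -> prints a filter-table ruleset in
# iptables-restore format. Order matters: established traffic (including
# the session running this script) is accepted before anything is dropped.
build_ruleset() {
    subnet="$1"
    port="$2"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -s $subnet --dport $port -j ACCEPT
-A INPUT -p tcp --dport $port -j DROP
COMMIT
EOF
}

# build_nat_ruleset WAN_IF INNER_HOST PORT -> prints a nat-table ruleset:
# PREROUTING rewrites the destination of PORT arriving on WAN_IF to
# INNER_HOST (port forwarding), POSTROUTING masquerades outbound traffic.
build_nat_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $1 -p tcp --dport $3 -j DNAT --to-destination $2:$3
-A POSTROUTING -o $1 -j MASQUERADE
COMMIT
EOF
}

# ruleset_line N SUBNET PORT -> line N of the generated filter ruleset
ruleset_line() { build_ruleset "$2" "$3" | sed -n "${1}p"; }

# apply_with_rollback SUBNET PORT [SECONDS]: save the running rules, load
# the new filter rules atomically, and restore the saved rules after
# SECONDS unless the operator cancels the timer from a working session.
# Requires root; not exercised by the test below.
apply_with_rollback() {
    subnet="$1"; port="$2"; grace="${3:-120}"
    iptables-save > /tmp/iptables.before || return 1
    build_ruleset "$subnet" "$port" | iptables-restore || return 1
    ( sleep "$grace"; iptables-restore < /tmp/iptables.before ) &
    echo $! > /tmp/iptables.rollback.pid
    echo "Rules loaded; run 'kill \$(cat /tmp/iptables.rollback.pid)' within ${grace}s to keep them."
}
```

Usage: `build_ruleset 10.0.0.0/24 22` to inspect the rules, then `apply_with_rollback 10.0.0.0/24 22 120` as root; if SSH still works afterwards, kill the rollback timer, otherwise the saved rules return on their own after two minutes.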

Restricting Access by Network Segment

Allow only specific subnet access:

iptables -A INPUT -p tcp ! -s 10.0.0.0/24 -j DROP

Result:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    DROP       tcp  -- !10.0.0.0/24          0.0.0.0/0            

Verification: From another host, attempt connections:

ssh 10.0.0.61    # Allowed
ssh 172.16.1.61  # Blocked

Port-Based Access Control

Allow only a port range (1-1024); drop TCP to every other port:

iptables -I INPUT -p tcp ! --dport 1:1024 -j DROP

Output:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:!1:1024
2    DROP       tcp  -- !10.0.0.0/24          0.0.0.0/0            

Allow only a set of non-contiguous ports (drop TCP to every other port) using the multiport match:

iptables -I INPUT -p tcp -m multiport ! --dports 80,443,22 -j DROP

Output:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports  !80,443,22
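The listings in this section show how the negated port rules read in `iptables -nL --line-numbers` output, and the warning earlier in the article shows what happens when a DROP rule silently covers port 22 from every source. The following shell function is an added example, not code from the original article: it parses a listing in that format and reports any INPUT rule that would drop a given TCP port from anywhere, interpreting single ports (`dpt:22`), ranges (`dpts:!1:1024`) and multiport lists (`multiport dports !80,443,22`) including their negation. The sample listing is constructed from the rules shown on this page; it is not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original article). Run the function as
#   iptables -nL --line-numbers | lockout_check 22
# It exits 1 and prints each offending rule if some INPUT rule would drop
# the port from 0.0.0.0/0; otherwise it exits 0.
lockout_check() {
    awk -v port="${1:-22}" '
    # port_matches(spec): does the port column (possibly negated, a range
    # "a:b", a list "a,b,c" or empty = all ports) cover the port we check?
    function port_matches(spec,   neg, lo, hi, n, parts, i, hit) {
        if (spec == "") return 1
        neg = 0
        if (substr(spec, 1, 1) == "!") { neg = 1; spec = substr(spec, 2) }
        if (index(spec, ":") > 0) {
            split(spec, parts, ":"); lo = parts[1] + 0; hi = parts[2] + 0
            hit = (port >= lo && port <= hi)
        } else {
            n = split(spec, parts, ","); hit = 0
            for (i = 1; i <= n; i++) if (parts[i] + 0 == port) hit = 1
        }
        return neg ? !hit : hit
    }
    /^Chain / { chain = $2; next }
    /^num / || /^target / || NF == 0 { next }
    # Columns with --line-numbers: num target prot opt source destination [match...]
    chain == "INPUT" && $2 == "DROP" && ($3 == "tcp" || $3 == "all") && $5 == "0.0.0.0/0" {
        spec = ""
        for (i = 7; i <= NF; i++) {
            if ($i ~ /^dpts?:/) { s = $i; sub(/^dpts?:/, "", s); spec = s }
            else if ($i == "dports") { spec = $(i + 1) }
        }
        if (port_matches(spec)) {
            print "rule " $1 " would drop port " port " from anywhere: " $0
            bad = 1
        }
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed sample listing built from the rules shown in the article.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:!1:1024
3    DROP       tcp  -- !10.0.0.0/24          0.0.0.0/0
4    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports  !80,443,22

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
EOF
}
```

Against the sample, checking port 22 flags only rule 1: rule 2 drops ports outside 1-1024, rule 4 drops ports outside its list, and rule 3 is restricted to sources outside the subnet, so none of those cuts off SSH from everywhere. Checking port 443 passes, while checking 8080 is flagged by both rules 2 and 4.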

iptables Command Reference

Parameter   Description
-t          Specify table: filter (default) or nat
-A          Append rule to the end of a chain
-I          Insert rule at position 1 (or at a given position); used here so DROP rules are evaluated first
-p          Protocol: tcp, udp, or icmp
--dport     Destination port
--sport     Source port
-d          Destination IP address
-s          Source IP address
-j          Target action: DROP, ACCEPT, or REJECT

Rule Management

Parameter       Description
-F              Flush all rules in a chain (all chains if none is given)
-X              Delete user-defined chains
-Z              Zero packet and byte counters
-n              Numeric output (don't resolve hostnames)
-L              List rules
--line-numbers  Display rule numbers
-D              Delete rule by number

Using nc for Port Testing

The nc (netcat) utility can be used to test whether a port is reachable through the firewall:

# Server: Listen on specified port
nc -l <port>

# Client: Connect to remote port
nc <host> <port>
