Quick Introduction to Linux iptables
Overview
Linux iptables is a powerful and flexible firewall tool built into the Linux kernel’s Netfilter framework. It allows system administrators to define rules for packet filtering, NAT (Network Address Translation), and traffic redirection. Understanding iptables is crucial for managing network security and optimizing traffic flow.
Basic Concepts of iptables
Tables
iptables has multiple tables that serve different functions:
- filter: Default table for packet filtering.
- nat: Handles NAT operations, such as source and destination NAT.
- mangle: Used for packet alteration.
- raw: Controls whether a packet should be tracked.
- security: Used for SELinux security contexts.
Chains
Each table contains chains where rules are applied. The built-in chains of the filter table are:
- INPUT: Rules for incoming traffic to the host.
- FORWARD: Rules for traffic passing through the host.
- OUTPUT: Rules for outgoing traffic from the host.
The nat table additionally has PREROUTING (evaluated before the routing decision, where DNAT takes place) and POSTROUTING (evaluated after it, where SNAT and MASQUERADE take place); the load-balancing rules below use both.
Targets
A rule can have one of the following actions (targets):
- ACCEPT: Allow the packet.
- DROP: Discard the packet silently.
- REJECT: Discard the packet and send an error notification to the source.
- SNAT: Source Network Address Translation.
- DNAT: Destination Network Address Translation.
- MASQUERADE: SNAT to the current address of the outgoing interface, useful when that address is dynamic.
- LOG: Write the packet's headers to the kernel log and continue to the next rule (a non-terminating target).
Common Commands
Viewing Rules
sudo iptables -L -n -v
Adding Rules
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Deleting Rules
sudo iptables -D INPUT -p tcp --dport 22 -j ACCEPT
Saving Rules
sudo iptables-save > /etc/iptables/rules.v4
Restoring Rules
sudo iptables-restore < /etc/iptables/rules.v4
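The commands above add, delete, save and restore rules one at a time. The following shell script is an added example, not code from the original page: it builds a baseline host ruleset directly in the iptables-save format that iptables-restore consumes, so the whole policy is loaded atomically and survives the save/restore cycle. The default policy is DROP for INPUT and FORWARD, and only loopback, replies to the host's own connections, rate-limited ping, SSH and any extra TCP ports passed as arguments are let in. The port numbers, the function names and the output path are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example, not from the page: emit a baseline host firewall in the
# iptables-save format so that `iptables-restore` loads it atomically instead
# of appending rules one by one with -A.  Port numbers and the output path
# are demo assumptions.

# baseline_rules SSH_PORT [EXTRA_TCP_PORT...]  -> prints the *filter table
baseline_rules() {
    ssh_port="${1:-22}"
    if [ $# -gt 0 ]; then shift; fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
EOF
    # One ACCEPT per extra service port given on the command line.
    for port in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
    done
    # Whatever reaches the end is logged (rate-limited so the kernel log stays
    # readable) and then falls through to the chain's DROP policy.
    cat <<'EOF'
-A INPUT -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix "IPTables-INPUT: " --log-level 4
COMMIT
EOF
}

# write_rules FILE SSH_PORT [EXTRA_TCP_PORT...]  -> writes the ruleset and,
# when run as root with iptables installed, parses it with
# `iptables-restore --test`, which checks the file without touching live rules.
write_rules() {
    out="$1"; shift
    baseline_rules "$@" > "$out"
    if [ "$(id -u)" = 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$out"
    fi
}

# Typical use (path from the page, ports are assumptions):
#   write_rules /etc/iptables/rules.v4 22 80 443
#   sudo iptables-restore < /etc/iptables/rules.v4
```

Keeping the policy in a file and loading it with iptables-restore also means a mistake can be reverted by restoring the previous file, rather than by hunting for individual rules with -D.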
Load Balancing with iptables
Linux iptables can be configured for basic load balancing using NAT and routing features. Below are the common modes and methods for achieving load balancing.
Modes of Load Balancing
- NAT-based Load Balancing: Network Address Translation allows traffic destined for a single IP to be distributed among multiple backend servers.
Configuration Steps:
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.101-192.168.1.103:80
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
In this configuration:
- Traffic on port 80 is distributed to backend servers in the IP range 192.168.1.101 to 192.168.1.103. The DNAT target takes the range on the address part and the port once (ipaddr-ipaddr:port); the kernel selects one address from the range per connection, based on a hash of the connection's addresses rather than strict rotation.
- The POSTROUTING masquerade rewrites the source address so that the backends' replies return through this host, where the translation is reversed.
- Round-Robin Load Balancing: This method distributes traffic sequentially across multiple backend servers.
Configuration Example:
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.1.101:80
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.102:80
Only the first packet of each connection traverses the nat table, so the rules count new connections. The statistic match keeps a separate counter per rule: the first rule takes every second new connection, and the second rule, which has no statistic match, takes everything that remains. Giving the second rule its own --every 2 --packet 1 match would make it skip half of what reaches it, leaving a quarter of the connections without any DNAT.
- Least Connection Load Balancing: This mode requires external tools or custom scripts, as iptables does not natively support dynamic traffic balancing based on active connections.
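The round-robin rules above cover two backends. The following shell script is an added example, not code from the original page: it generalizes the statistic nth pattern to any number of backends, applying the per-rule counter arithmetic (the i-th rule of N uses --every N-i, the last rule is a plain catch-all), scopes the masquerade to the backend subnet and port, and includes a small model of how the nat PREROUTING chain hands each new connection to the rules so the distribution can be checked before touching a live system. The backend addresses and the subnet are constructed sample values; the simulation follows the documented "match one packet every nth, starting with packet p" behaviour of the match and is an assumption about the kernel, not kernel code.

```shell
#!/bin/sh
# Added example, not from the page: generate nat-table rules that spread new
# TCP connections on PORT across N backends with xt_statistic in nth mode.
# The counter is kept per rule, so rule i (0-based) of N uses --every (N - i)
# and the last backend gets a plain catch-all DNAT.  Addresses are constructed.

# rr_dnat_rules PORT BACKEND...  -> one PREROUTING line per backend
rr_dnat_rules() {
    port="$1"; shift
    n=$#
    i=0
    for backend in "$@"; do
        remaining=$((n - i))
        if [ "$remaining" -gt 1 ]; then
            printf -- '-A PREROUTING -p tcp --dport %s -m statistic --mode nth --every %s --packet 0 -j DNAT --to-destination %s:%s\n' \
                "$port" "$remaining" "$backend" "$port"
        else
            # Last rule: no statistic match, so it catches every connection left.
            printf -- '-A PREROUTING -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
                "$port" "$backend" "$port"
        fi
        i=$((i + 1))
    done
}

# rr_nat_table PORT BACKEND_SUBNET BACKEND...  -> complete *nat table for
# iptables-restore; masquerading is limited to the balanced traffic only.
rr_nat_table() {
    port="$1"; subnet="$2"; shift 2
    printf '*nat\n'
    rr_dnat_rules "$port" "$@"
    printf -- '-A POSTROUTING -d %s -p tcp --dport %s -j MASQUERADE\n' "$subnet" "$port"
    printf 'COMMIT\n'
}

# simulate_nth CONNS SPEC...  -> hits per rule followed by the number of
# connections that matched no rule.  Each SPEC is "every/packet" for a
# statistic rule or "0" for a plain catch-all rule.  Model of the documented
# behaviour (assumption): a rule with its own counter c matches when
# c % every == packet, then increments c.
simulate_nth() {
    conns="$1"; shift
    k=0
    for spec in "$@"; do
        k=$((k + 1))
        eval "count_$k=0; hits_$k=0"
    done
    missed=0
    c=0
    while [ "$c" -lt "$conns" ]; do
        c=$((c + 1))
        matched=0
        k=0
        for spec in "$@"; do
            k=$((k + 1))
            if [ "$spec" = 0 ]; then
                matched=$k
                break
            fi
            every="${spec%/*}"
            packet="${spec#*/}"
            eval "cnt=\$count_$k"
            eval "count_$k=$((cnt + 1))"
            if [ $((cnt % every)) -eq "$packet" ]; then
                matched=$k
                break
            fi
        done
        if [ "$matched" -eq 0 ]; then
            missed=$((missed + 1))
        else
            eval "h=\$hits_$matched; hits_$matched=\$((h + 1))"
        fi
    done
    k=0
    line=""
    for spec in "$@"; do
        k=$((k + 1))
        eval "line=\"\$line\$hits_$k \""
    done
    printf '%s%s\n' "$line" "$missed"
}

# Example session (constructed values):
#   rr_nat_table 80 192.168.1.0/24 192.168.1.101 192.168.1.102 192.168.1.103
#   simulate_nth 8 2/0 2/1    # naive pair of rules: "4 2 2" (2 of 8 unmatched)
#   simulate_nth 8 2/0 0      # corrected pair:      "4 4 0"
```

Loading the generated table with iptables-restore (preceded by the filter rules the host already needs) replaces the hand-typed -A commands; running simulate_nth first shows why the catch-all last rule matters.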
Important Considerations
- Ensure backend servers can handle the traffic and respond correctly.
- Properly configure POSTROUTING masquerading so that the backends' replies return through the load balancer and the translation can be reversed.
- Always test the configuration in a development environment before deploying it to production.
Troubleshooting Tips
- Check Rule Order:
sudo iptables -L -n --line-numbers
Ensure that rules are in the correct order: the first rule that matches and has a terminating target decides the packet's fate, so a broad ACCEPT placed early shadows everything after it.
- Inspect NAT Table:
sudo iptables -t nat -L -n -v
- View Connection Tracking:
sudo conntrack -L
- Check Logs: Enable logging for debugging:
sudo iptables -A INPUT -j LOG --log-prefix "IPTables-INPUT: " --log-level 4
Because this rule is appended with -A, it logs only packets that no earlier INPUT rule accepted or dropped. The entries appear in the kernel log (dmesg, journalctl -k or /var/log/kern.log) with the given prefix; on a busy host, add -m limit to the rule so logging cannot flood the log.
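Once the LOG rule is in place, the useful question is which sources and ports are producing the entries. The shell function below is an added example, not code from the original page: it reads kernel log lines from standard input, keeps those carrying the configured prefix, pulls out the SRC, PROTO and DPT fields that the LOG target writes, and prints a count per (source, protocol, port) triple, most frequent first. The sample log lines are constructed for the demonstration using documentation address ranges; the function name and the second sshd line (included to show that unrelated lines are ignored) are likewise assumptions.

```shell
#!/bin/sh
# Added example, not from the page: summarize LOG-target entries from the
# kernel log by source address, protocol and destination port.  The log
# lines below are constructed sample data (RFC 5737 documentation addresses).

SAMPLE_LOG='Mar 10 12:00:01 gw kernel: IPTables-INPUT: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1001 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:02 gw kernel: IPTables-INPUT: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1002 DF PROTO=TCP SPT=51001 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:02 gw sshd[412]: Accepted publickey for ops from 192.0.2.20 port 40112 ssh2
Mar 10 12:00:03 gw kernel: IPTables-INPUT: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=61 ID=2001 PROTO=UDP SPT=4040 DPT=161 LEN=58
Mar 10 12:00:04 gw kernel: IPTables-INPUT: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1003 DF PROTO=TCP SPT=51002 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0'

# summarize_log [PREFIX]  reads log lines on stdin and prints
# "<count> <src> <proto> <dport>" lines, highest count first.  PREFIX defaults
# to the --log-prefix used on the page.
summarize_log() {
    prefix="${1:-IPTables-INPUT: }"
    awk -v prefix="$prefix" '
        # Skip anything that is not one of our firewall log entries.
        index($0, prefix) == 0 { next }
        {
            src = ""; dpt = ""; proto = ""
            # LOG writes KEY=VALUE tokens; pick the three we aggregate on.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src != "") n[src " " proto " " dpt]++
        }
        END { for (key in n) print n[key], key }
    ' | sort -rn
}

# Example use with the constructed sample, or with the real log:
#   printf '%s\n' "$SAMPLE_LOG" | summarize_log
#   journalctl -k --no-pager | summarize_log "IPTables-INPUT: "
```

Run against the sample, the first output line is "3 203.0.113.5 TCP 23", which is the kind of signal (one source repeatedly probing one closed port) that justifies a targeted block or a closer look, while the single SNMP packet from the other address is visible but clearly separate.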
Performance Issues of iptables in a Kubernetes (k8s) Environment

Conclusion
Linux iptables provides a robust way to manage network traffic and implement load balancing. With careful configuration and monitoring, it can efficiently distribute traffic and secure your systems. Understanding the basics of tables, chains, and load balancing modes is essential for network administrators seeking to optimize traffic management.