Iptables

Right, let’s talk about the magic trick that makes stateful firewalls not just bearable, but actually useful: connection tracking (conntrack). Without this, you’d be trying to write a coherent novel by individually approving or rejecting every single letter someone tries to type. It would be a nightmare. Connection tracking is the firewall’s memory—it remembers conversations so you can write rules about what is being said, not just the raw packets.

Right, so you’ve landed on a system running Red Hat, Fedora, or one of their less-annoying-than-they-used-to-be cousins. Welcome to firewalld. If iptables feels like hand-crafting a wooden chair with precise chisels, firewalld is the IKEA version. It comes with pre-fab pieces (zones, services) and an Allen key (firewall-cmd), and for most people, it gets the job up and running without you needing to be a master carpenter. Its core idea is simple but powerful: instead of writing a bajillion rules, you assign interfaces to zones, and those zones have pre-defined or custom sets of rules. It’s a stateful firewall, so it understands connections, which is 90% of what you need.

Right, so you’ve decided you want a firewall but don’t want to descend into the special circle of hell that is raw iptables syntax. I don’t blame you. Enter ufw, the Uncomplicated Firewall. It’s exactly what it says on the tin: a mercifully sane front-end for the soul-crushing complexity of iptables, designed primarily for Ubuntu and Debian systems. It won’t give you the fine-grained control of writing your own chains, but for 90% of what you need to do on a server or desktop, it’s more than enough. And for the other 10%? Well, we can drop down to the raw iptables layer, but we’ll cross that bridge when we come to it.

Alright, let’s talk about nftables. You’ve probably heard it’s the replacement for iptables, and you’d be right. It’s not just a new coat of paint; it’s a complete engine swap. The old iptables, ip6tables, arptables, and ebtables utilities were a tangled mess of four different tools trying to do four related but separate jobs. nftables replaces them all with a single, unified framework. It’s cleaner, more efficient, and frankly, a lot more sane.

Right, let’s talk about writing iptables rules and making them stick. This is the part where most people’s hair starts to fall out, not because the concepts are hard, but because the tooling is a bit of a historical artifact. iptables itself is brilliant, but the way we save and load rules feels like it was designed by someone who assumed you’d never reboot your server. We’ll fix that. First, a crucial piece of context that everyone misses until it bites them: iptables rules are not configuration files. They are a runtime configuration for the Linux kernel’s netfilter system. When you run an iptables command, you’re changing the in-memory ruleset right now. This is fantastic for immediate testing and utterly useless for surviving a reboot. The kernel doesn’t care about your /etc directory. This is the fundamental disconnect we have to bridge.

Right, let’s talk about iptables. It’s the crusty old warlord that still runs the show on a staggering number of Linux systems, and for good reason: it’s powerful, it’s everywhere, and it works. It’s also a bit of a cantankerous beast with a syntax that feels like it was designed by a medieval scribe. I’m here to help you tame it. The core of iptables’ power, and its complexity, comes from its structure of tables, chains, and rules. Think of tables as different departments in a security company. The filter department decides who gets in and out (the bouncer). The nat department rewrites addresses on packages to route them correctly (the mailroom). The mangle department is for specialized, advanced packet alteration (the… weird guy in the basement with a soldering iron). We’ll focus on these three.

Right, let’s get our hands dirty with the actual mechanics of packet filtering. Forget the abstract theory for a moment; this is where the rubber meets the road, or more accurately, where packets meet their glorious or ignominious end. The core concept here is that of a chain. Think of a chain as a numbered checklist of rules that a packet must work through. When a packet enters your machine’s network stack, the kernel figures out which chain to send it to based on what the packet is doing (e.g., is it a new incoming connection? is it traffic being forwarded? is it traffic originating from this machine?).