Linux iptables


Netfilter : The actual packet filtering in a Linux box is done by Netfilter, in the kernel.
Iptables : The user-space tool used to create these filters.

Iptables maintains a stateful firewall.
Ipchains does not maintain a stateful firewall.

The module ip_conntrack is needed to make iptables stateful. This module gets loaded automatically when certain arguments such as -t nat, etc. are used.

# modprobe ip_conntrack
This command loads the module manually.

The file that holds the session (connection tracking) data is /proc/net/ip_conntrack

The package to be installed to run iptables is iptables-xxxx.rpm



Linux host as a router

A Linux host with two or more NICs, with iptables running on it, can be used as a router. Refer to the figure on the right.

If your host has two NIC cards, data will not be forwarded from one to the other unless the following is done:

Enable IP forwarding permanently by setting the following in /etc/sysctl.conf
net.ipv4.ip_forward = 1

The command sysctl -p reloads sysctl.conf without rebooting the system.

Based on the above diagram, before ip_forward is enabled, the 192.168.0.x network will be able to ping only till But once forwarding is enabled, they will be able to ping the entire range of the 80.0.x.x network.



FORWARD chain: This filter applies to packets routed through the host from one network to another; it is what a Linux router connecting two networks uses to filter traffic.

INPUT chain: This filter applies to packets destined for the host itself.

OUTPUT chain: This filter applies to packets generated by the host itself.




# iptables -t filter -A FORWARD -s -j DROP
By running this command the Linux router will drop any packet coming from the 192.168.0.x network.

# iptables -t filter -L -n
This command lists the rules in the filter table, with addresses and ports shown numerically (-n).

# iptables -t filter -D FORWARD -s -j DROP
This deletes the rule added above from the FORWARD chain.

# iptables -t filter -F
Flush (delete) all rules in the filter table.

# service iptables save
Save the iptables rules created so they are restored at boot.

# iptables -t filter -A FORWARD -s -d -j DROP
Drop all packets traveling from the 192.168.0.x network to

# iptables -t filter -A FORWARD -s -p tcp -j DROP
Drop all TCP packets from the 192.168.0.x network.

# iptables -t filter -A FORWARD -s -p tcp --dport 23 -j REJECT
Reject all telnet (TCP port 23) packets from Since the target is REJECT, an error message will be sent back to the source instead of the packet being silently dropped.



Order of entries in iptables

The order of entries in iptables matters a lot. When a packet passes through the firewall, it is checked against the rules in the chain from top to bottom, and the first rule that matches decides what happens to it.

# iptables -t filter -I FORWARD 2 -s -j DROP
Insert the rule as the second one in the FORWARD chain.

# iptables -t filter -L -n --line-numbers
To view the rules together with their line numbers.




Network Address Translation (NAT)

There are two types of natting:

(a) SNAT : Source Network Address Translation.
(b) DNAT : Destination Network Address Translation.



SNAT is typically used in a proxy environment.

If the client wants to ping, its IP address should be NAT'd to a public IP. Otherwise will not be able to send the acknowledgement back to

Once tries to ping, the Linux box will store some information in a separate table, including the source port number (e.g. 333) from and its IP address.

Let's say also tries to ping at the same time. Here the source port used is 555.

The table stored in the linux box will look like

When the requests leave the Linux box, the source IPs will be changed from their private addresses to Once the replies are on the way back, the Linux box will check the destination port number and, from the above table, find the correct internal destination.

In SNAT the address translation happens as the packets leave the Linux box (the POSTROUTING chain).

# iptables -t nat -A POSTROUTING -s -j SNAT --to-source
All the IPs in the 192.168.0.x network will get translated to once the packets leave the Linux box.
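The translation table described above, as an added example that is not part of the original notes: a small Python model of the SNAT mapping and of how a reply's destination port is used to find the private host. The addresses are constructed (198.51.100.1 as the box's public IP, 203.0.113.5 as the server, 192.168.0.10/20/30 as clients) because the notes leave the real ones out, and the model also covers a case the notes do not show: two clients choosing the same source port, which the box must resolve by picking a different public-side port.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
# Constructed addresses (the notes leave the real ones out): the box's public
# side, the server being reached, and private clients on 192.168.0.x.
PUBLIC_IP = "198.51.100.1"
SERVER_IP = "203.0.113.5"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class SnatTable:
    """Per-connection table the box keeps for SNAT: public port -> (private IP, port)."""
    def __init__(self, public_ip: str = PUBLIC_IP) -> None:
        self.public_ip = public_ip
        self.by_nat_port: Dict[int, Tuple[str, int]] = {}
        self.by_origin: Dict[Tuple[str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """POSTROUTING: rewrite the private source to the public IP, record the mapping."""
        origin = (pkt.src, pkt.sport)
        nat_port = self.by_origin.get(origin)
        if nat_port is None:
            # Keep the client's own port while it is free on the public side; if
            # another client already holds it, move to the next free port.
            nat_port = pkt.sport
            while nat_port in self.by_nat_port:
                nat_port += 1
            self.by_nat_port[nat_port] = origin
            self.by_origin[origin] = nat_port
        return Packet(self.public_ip, nat_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reply to the public IP: the destination port selects the table row."""
        origin = self.by_nat_port.get(pkt.dport) if pkt.dst == self.public_ip else None
        if origin is None:
            return None  # no entry: unsolicited packet, nothing to translate it to
        private_ip, private_port = origin
        return Packet(pkt.src, pkt.sport, private_ip, private_port)

if __name__ == "__main__":
    nat = SnatTable()
    for client, port in (("192.168.0.10", 333), ("192.168.0.20", 555), ("192.168.0.30", 333)):
        nat.outbound(Packet(client, port, SERVER_IP, 80))
    for nat_port, origin in sorted(nat.by_nat_port.items()):  # the table the notes describe
        print(f"public port {nat_port} -> private {origin}")
```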




# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination
Here if tries to connect on port 80, the traffic will reach DNAT is applied in the PREROUTING chain, as packets arrive and before the routing decision is made.