Firewall in Linux: A Practical and Theoretical

Exploration

By:
Rawan Ali Alshehri
443809696
Lama Mohammed Alshehri
443807183
Shaden Abdullah
442809056
Leen mohammed asaaf
443809075
1. Introduction
The growth of the digital world depends on establishing computer network security as an essential
foundation. Organizations together with individual users operate under continuous danger from
cybercriminals who search after security holes in connected networks. The firewall represents a
fundamental protective measure which acts as security software to accept or block network traffic using
planned safety protocols. Firewalls function as network defenders by examining data packets before
implementing security criteria to determine packet passage authorization.
Iptables operates as a command-line utility which serves as the main firewall solution for Linux systems
to configure the packet filtering process and Network Address Translation (NAT). administering systems
manually depends on iptables which provides administrators with a powerful tool but offers a difficult
configuration process. New firewall technologies known as nftables were introduced to provide a
modern approach for improved firewall rule administration during recent times. Enterprise-grade
security platforms under the name of Unified Threat Management (UTM) firewall systems combine
multiple features in one panel between intrusion prevention and antivirus alongside content filtering
capabilities.
The research investigates firewall operation mechanisms alongside iptables implementation on Linux
platforms as well as features additional challenges met during deployment. The research analyzes
firewall structure together with its applications and connections to security applications to demonstrate
the fundamental operation of firewalls which are vital for today's cybersecurity environment.
2. Background
Networked computing initial firewalls appeared around their early days to function as basic packet
filters. As network activities became more diverse and digital attacks improved in complexity modern
firewall systems developed through time. The modern firewalls now protect networks by implementing
complete security standards while monitoring unsafe data movements and creating detailed tracking
reports for improved analysis.
The Linux kernel released iptables in 2000 and it became the standard methodology for defining system-
level network security policies. The software groups its rules through chains which are part of filter, nat
and mangle tables. The packet handling depends on the chain type which comprises INPUT, OUTPUT
and FORWARD because these chains function at different phases according to transmission orientation.
Administrators can develop rules within these chains to rule in or out network traffic through IP address
matching and port testing besides protocol checks and additional packet attributes.
At its core, iptables is a command-line utility that interfaces with the Linux kernel’s netfilter framework.
It allows system administrators to define rules that inspect, accept, reject, or drop packets based on
attributes such as IP address, port, and protocol. These rules are grouped into chains, which belong to
tables—each designed for a specific purpose, such as filtering packets, modifying addresses (NAT), or
marking packets for routing.
The Linux community has depended on iptables for decades yet its syntax remains complex enough to
create errors specifically when creating rules for large networks. In response to known limitations the
Linux development community released nftables as its successor during 2014. Nftables functions as a
consolidated and efficient rule management system that integrates different rule management interfaces
into a single standardized environment. Its new capabilities enable faster performance combined with
simplified syntax tools that enable set and map features to handle the requirements of current large-scale
systems implementation.
The market acceptance of Unified Threat Management (UTM) firewalls resulted from their integration
of firewall protections along with advanced security modules in a single package. Enterprise
environments depend on these all-in-one appliances to receive protection through IDS/IPS capabilities
and antivirus scanning and VPN support and application control systems.
Despite these advancements, many security professionals still prefer iptables for its transparency, low
overhead, and full control over packet filtering behavior. It remains a valuable tool for learning firewall
concepts, implementing lightweight security policies, and building secure Linux-based systems.
Comparison of Firewall Technologies
UTM Firewalls
Feature iptables (Linux) nftables (Linux)
(Commercial)
Configuration
CLI-based Unified CLI Web GUI / CLI
Interface
Moderate (simplified Low (pre-configured
Complexity High (rule-based)
syntax) modules)
Efficient for small Optimized for larger Scalable, appliance-
Performance
setups rulesets optimized
Integration with Manual (e.g., Native support via
Often built-in IDS/IPS
IDS Snort) sets/maps
Logging & Manual setup Centralized, real-time
More granular options
Monitoring required dashboards
Lightweight server Large-scale Linux Enterprise networks,
Best Use Case
setups deployments SMBs

3. Mechanisms
The internal workings of iptables are organized around a logical structure of tables and chains, which
govern how traffic is processed within a Linux system. Each packet that enters or exits the system is
evaluated against a set of rules stored in these chains. The most common table used is the filter table,
which contains the INPUT, OUTPUT, and FORWARD chains. These chains determine how traffic is
handled based on its direction—whether it's incoming to the host, outgoing from it, or passing through
it.
This table contains three default chains:
▪ INPUT: Handles packets destined for the local system.
▪ OUTPUT: Manages packets originating from the local system.
▪ FORWARD: Deals with packets routed through the system.
Rules added to these chains use criteria such as source/destination IP address, port number, and protocol
type to determine the fate of a packet—whether it should be accepted, dropped, or forwarded.
Other tables include:
▪ Nat (Network Address Translation): Used for modifying packet headers (e.g., port forwarding
or masquerading).
▪ mangle: For altering packet headers to set special routing conditions.
▪ raw: For advanced users who need to bypass connection tracking.
Each rule in a chain is evaluated in order, and once a match is found, the specified action—called a
target (like ACCEPT or DROP)—is executed. This simple yet powerful rule-matching mechanism is
what allows iptables to enforce network policies, restrict access, and protect systems against threats.
This flowchart illustrates the journey of an incoming or locally generated packet through iptables chains
and tables, including PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING. It
highlights the impact of different rule types and routing decisions within the Linux firewall architecture.
Source: Phil Hagen, SANS FOR572 — http://for572.com/iptables-structure
4. Implementation Example (Linux iptables)
To demonstrate how iptables is used in practice, consider a scenario where the goal is to allow only SSH
(port 22) and HTTP (port 80) traffic into a Linux machine, while blocking all other incoming
connections. This kind of setup is common in server environments where only secure remote access and
web services are needed.
Configuration Steps:
# Step 1: Clear all existing rules
sudo iptables -F
# Step 2: Allow incoming SSH connections
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Step 3: Allow incoming HTTP connections
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Step 4: Drop all other incoming traffic
sudo iptables -A INPUT -j DROP

This setup uses a whitelist approach: it explicitly permits only the desired services and blocks all others.
The final DROP rule is critical, as it acts as a safety net, ensuring that no unfiltered traffic can reach the
system.
Verifying the Rules:
To confirm the configuration, use the following command to view the current iptables rules:
sudo iptables -L -v

This will display the chains along with the number of packets and bytes matched by each rule, providing
insight into how the firewall is performing.
5. Challenges
The iptables tool brings several operational obstacles to complex network management especially in
large-scale and high-volume environments. The implementation of default DROP policy in firewall rule
chains represents a core aspect that needs thorough examination for network security.
Systems which implement DROP-by-default security policies gain substantial security improvements
because they reject all traffic except specifically permitted protocols. A default DROP policy enables
only authorized traffic flow through the network because it strongly reduces attack exposure while
limiting unauthorized access attempts. Public-facing servers require a safety-oriented method using this
default policy that transitions network security from bad traffic blocking to only permitted good traffic.
The security benefit introduced by a DROP-by-default methodology creates potential operational
challenges. Dangerous situations can occur when rules have improper structure or essential traffic lacks
explicit permission thus blocking legitimate communication. The failure to enable DNS and SSH traffic
through proper router rules could lead to a complete network outage which prevents system
administrators from getting access. The problem becomes severe for remote servers because limited
recovery choices can be available to affected operators.
During situations where a DROP policy serves as default the correct ordering of rules takes on
extraordinary importance. Concerns regarding rule ordering with iptables become significant because
the system reviews all rules in their appearance sequence and a single DROP entry positioned badly can
forfeit future allow rules and generate system irregularities. The process requires experts to fully grasp
network services as well as careful strategizing during rule generation steps.
The inability to easily monitor iptables activities remains a significant challenge because this tool does
not include helpful built-in viewing or debugging features. The addition of logging rules is possible
through manual configuration yet understanding system log output demands outside tools and
knowledge of system logs. The diagnosis process for dropped traffic requires extended time because
clear feedback is unavailable.
Lastly, rule persistence across system reboots is not enabled by default. If rules are not saved and
restored properly, a system reboot may reset the firewall to an open or inconsistent state, undermining
the security posture.
In summary, while a default DROP policy is a best practice for hardening firewall security, it must be
implemented with precision, thorough testing, and clear documentation. The benefits in terms of security
are substantial—but so are the risks if misconfigured.
6. Integration with IDS (e.g., Snort)
One of the more advanced and practical applications of iptables is its ability to integrate with Intrusion
Detection Systems (IDS) such as Snort. While iptables alone provides strong packet filtering
capabilities, its functionality can be significantly extended when combined with IDS tools that offer
real-time traffic analysis and threat detection.
Snort is an open-source IDS that monitors network packets for suspicious patterns or anomalies that
may indicate malicious activity. When integrated with iptables, administrators can design a hybrid
security system—iptables handles blocking or allowing traffic, while Snort performs deeper inspection
of what is permitted or logged.
There are two main ways iptables and Snort can be combined:
1. Logging Suspicious Traffic:
iptables can be configured to log packets that meet certain criteria—such as accessing a sensitive port
or using an unusual protocol. These logs can then be picked up by Snort for further analysis. For
example:
sudo iptables -A INPUT -p tcp --dport 8080 -j LOG --log-prefix
"SuspiciousTraffic: "

This rule logs attempts to access port 8080, appending a recognizable prefix to each entry in
2. Traffic Redirection for Analysis:
iptables can also be used to mirror traffic to Snort using Linux tools like tee or by using NFQUEUE
targets, which allow packets to be handed off to user-space programs like Snort in real time.
Integrating iptables with Snort provides the best of both worlds—real-time prevention and real-time
detection. This kind of layered defense is crucial for environments where security threats can bypass
basic filters or where log analysis is needed for forensic investigation.
7. Conclusion
The secure network foundation needs firewalls together with iptables remaining as a dependable tool
for Linux systems which enforces access control policies. The iptables system continues to provide
unparalleled execution control and script-driven capabilities because it retains a core following from
professionals who understand its commands and functionality patterns despite the availability of newer
systems such as nftables and UTM enterprise firewalls.
The iptables security solution enables administrators to build adaptable security rules by using
processing chains which can contain multiple layers of rules to match operational requirements. Its
exclusive protocol rules enable the system to let through only SSH and HTTP traffic while blocking all
other communication which proves extremely helpful for minimal-access security. Snort IDS tools work
in conjunction with iptables to create hybrid defense systems which merge computer threat monitoring
with security filtering capabilities to produce active alerts.
However, administrators need to understand iptables implementation challenges because it requires
constant effort to maintain rules along with difficulties in debugging and order conflicts. Small and mid-
sized networks can use iptables as a firewall component and practical learning tool when administrators
adopt proper planning techniques along with comprehensive testing and persistent monitoring.

8. References
[1] Filkins, B. (2016). Intrusion Detection Systems with Snort. SANS Institute.
https://www.sans.org/white-papers/36774/
[2] Hagen, P. (2024). iptables Processing Flowchart. SANS FOR572. http://for572.com/iptables-
structure
[3] Linux man pages. (n.d.). iptables(8) - Linux man page. https://man7.org/linux/man-
pages/man8/iptables.8.html
[4] Red Hat. (2023). Introduction to firewalld and nftables.
https://access.redhat.com/documentation/en-
us/red_hat_enterprise_linux/9/html/security/introduction-to-nftables_firewall
[5] Snort.org. (2023). Snort – Network Intrusion Detection & Prevention System.
https://www.snort.org/
[6] Ubuntu Community. (2023). How to make iptables rules persistent.
https://help.ubuntu.com/community/IptablesHowTo