Iptables
========

Note that iptables is now largely considered legacy, in favour of nftables.

iptables works with the following concepts:

- tables: a group of similar rules; a table consists of several rule chains.
- chains: a chain is an ordered list of rules. When a packet is received, iptables finds the appropriate table and filters the packet through the rule chain until a match is found.
- rules: a rule is a statement that defines the conditions for matching a packet, which is then sent to a target.
- targets: a decision of what to do with a packet. The packet is either accepted, dropped, or rejected.

Tables
------

Iptables has four default tables that manage different rule chains:

- filter: the default packet filtering table. It acts as a gatekeeper that decides which packets enter and leave a network.
- NAT: network address translation rules for routing packets to remote networks.
- mangle: adjusts the IP header properties of packets.
- raw: exempts packets from connection tracking.

Chains
------

There are different chains, each with a specific purpose:

- INPUT: handles incoming packets destined for a local application or service.
- OUTPUT: manages outgoing packets generated by a local application or service.
- FORWARD: works with packets that pass through the system between network interfaces.
- PREROUTING: alters packets before they are routed. The NAT, mangle and raw tables contain this chain.
- POSTROUTING: alters packets after they are routed. The NAT and mangle tables contain this chain.

Targets
-------

Common targets include ACCEPT, DROP, REJECT, LOG, SNAT, DNAT, MASQUERADE.

For example, here is how to allow traffic over port 22 and disable all the rest (rules are matched in order, so the DROP rule must come last):

.. code-block:: bash

   iptables -A INPUT -p tcp --dport 22 -j ACCEPT
   iptables -A INPUT -j DROP

For IPv6, we use the utility ``ip6tables`` instead.

To clear all rules:

.. code-block:: bash

   iptables -F
   ip6tables -F
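The two-rule example in the Targets section accepts SSH and then drops everything else; because chains are matched top to bottom, anything the host still needs (loopback traffic, replies to its own outgoing connections, ICMPv6 on IPv6 hosts) has to be accepted before that final DROP. The script below is an added example, not part of the original page: it builds such a ruleset for both address families and prints the commands instead of running them unless ``IPT_DRY_RUN`` is set to 0 (``IPT_DRY_RUN``, ``run_ipt`` and ``ruleset`` are this example's own names).

```sh
#!/bin/sh
# Added example (not from the original page): build a minimal stateful INPUT
# ruleset for iptables or ip6tables. IPT_DRY_RUN=1 (the default here) prints
# each command instead of executing it, so the ruleset can be reviewed first.
IPT_DRY_RUN="${IPT_DRY_RUN:-1}"

# run_ipt TOOL ARGS... : print or execute one iptables/ip6tables command.
run_ipt() {
    if [ "$IPT_DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ruleset TOOL PORT... : emit the INPUT rules for one address family.
# Rules are matched top to bottom and the first match wins, so everything the
# host still needs must be accepted before the final DROP.
ruleset() {
    tool="$1"; shift
    run_ipt "$tool" -F INPUT                     # start from an empty INPUT chain
    run_ipt "$tool" -A INPUT -i lo -j ACCEPT     # local loopback traffic
    # replies to connections this host opened (connection tracking state)
    run_ipt "$tool" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # IPv6 relies on ICMPv6 for neighbour discovery; dropping it breaks connectivity
    if [ "$tool" = "ip6tables" ]; then
        run_ipt "$tool" -A INPUT -p ipv6-icmp -j ACCEPT
    fi
    for port in "$@"; do                         # new connections to allowed TCP ports
        run_ipt "$tool" -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    run_ipt "$tool" -A INPUT -j LOG --log-prefix "INPUT-DROP: "  # log, then drop the rest
    run_ipt "$tool" -A INPUT -j DROP
}

# Apply the same policy to both families; only the allowed ports vary.
ruleset iptables 22 443
ruleset ip6tables 22 443
```

Run it as root with ``IPT_DRY_RUN=0`` to apply the rules; rules appended with ``-A`` are not persistent across reboots unless saved with the distribution's iptables persistence mechanism.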