Firewalls Cheat Sheet

iptables and nftables basics, firewall chains and rules, cloud security groups, WAF (Web Application Firewall) concepts, and defense-in-depth strategies.

Last Updated: May 1, 2025

iptables Basics

iptables -L -v -n
List all rules with packet counts (numeric, verbose)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Allow SSH on INPUT chain
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow return traffic
iptables -P INPUT DROP
Set default policy to drop all INPUT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
Allow entire subnet
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/min -j ACCEPT
Rate-limit HTTP
iptables -D INPUT 3
Delete rule #3 from INPUT chain
iptables-save > /etc/iptables/rules.v4
Save rules persistently
iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
Insert rule at position 1

Chains & Tables

INPUT
Packets destined for this host (local delivery)
OUTPUT
Packets originating from this host
FORWARD
Packets routed through this host (gateway/NAT)
PREROUTING
Packets before the routing decision (DNAT, REDIRECT)
POSTROUTING
Packets after the routing decision (SNAT, MASQUERADE)
filter table
Default table — packet filtering (ACCEPT/DROP/REJECT)
nat table
Network Address Translation (SNAT, DNAT, MASQUERADE)

nftables (modern replacement)

nft add table inet filter
Create a new table (inet = IPv4+IPv6)
nft add chain inet filter input '{ type filter hook input priority 0; }'
Create input chain (the braces and semicolon must be quoted so the shell passes them to nft unchanged)
nft add rule inet filter input tcp dport 22 accept
Allow SSH
nft add rule inet filter input ct state established,related accept
Allow return traffic
nft list ruleset
Show all rules (like iptables -L)
nft -f /etc/nftables.conf
Load rules from config file

WAF Concepts

WAF
Web Application Firewall — filters HTTP traffic (layer 7)
OWASP Top 10
Standard reference list of the most critical web application risks: SQLi, XSS, CSRF, etc.
ModSecurity
Open-source WAF module for Apache/Nginx
Cloud WAF
Cloudflare, AWS WAF, Azure WAF — managed at the edge
Rule types
Allow-list (permit only known good) vs block-list (block known bad)
False positives
WAF blocking legitimate traffic — tune rules carefully

Pro Tip: iptables rules are processed in order — the first match wins. The chain's default policy (set with -P) is not a rule; it applies only when no rule matched, so it acts as the final catch-all. Keep the default policy DROP and add specific ACCEPT rules above it (if you use an explicit DROP rule instead of a policy, append it last). Test rules on a non-production server first.
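The iptables commands above and the ordering rule in the Pro Tip, combined into one persistent ruleset, as an added example that is not part of the original cheat sheet: a POSIX shell function renders the iptables-save format that `iptables-save > /etc/iptables/rules.v4` produces, with loopback and return traffic matched before any port rule and the DROP policy as the catch-all. The trusted subnet, SSH port and HTTP rate are assumed parameters, and `-m conntrack --ctstate` is used as the current equivalent of the sheet's `-m state --state`.

```shell
#!/bin/sh
# Added example (not from the cheat sheet). Renders an iptables-restore file.
# Usage: render_rules_v4 TRUSTED_SUBNET SSH_PORT HTTP_RATE > /etc/iptables/rules.v4
render_rules_v4() {
  subnet="$1"; ssh_port="$2"; rate="$3"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local services (resolver caches, databases) depend on it
-A INPUT -i lo -j ACCEPT
# return traffic before any port rule, so existing sessions survive a reload
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# out-of-state or malformed packets never reach the port rules
-A INPUT -m conntrack --ctstate INVALID -j DROP
# trusted subnet (assumed value, e.g. 192.168.1.0/24)
-A INPUT -s ${subnet} -j ACCEPT
# SSH: only new connections need a rule; replies matched above
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# rate-limited HTTP/HTTPS, as in the sheet's --limit 25/min rule
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m limit --limit ${rate} -j ACCEPT
# log (throttled) what the DROP policy is about to discard
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# rule_index RULESET PATTERN: 1-based position of the first -A line matching
# PATTERN among the rule lines (comments and policies excluded); 0 if absent.
# Lets you check ordering (e.g. ESTABLISHED before any --dport rule) in CI.
rule_index() {
  idx=$(printf '%s\n' "$1" | grep -- '^-A' | grep -n -- "$2" | head -n1 | cut -d: -f1)
  echo "${idx:-0}"
}
```

Validate with `iptables-restore --test < rules.v4` before loading; unlike a sequence of `-A` commands, `iptables-restore` swaps the whole table in atomically.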