Stage 3 · Build
Networking Stack Deep Dive
Netfilter & iptables/nftables
Connection tracking, NAT, and the packet filtering framework that protects Linux networks.
Netfilter Architecture
Netfilter is the kernel framework for packet filtering, NAT, and port forwarding. It hooks into the networking stack at five points: PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING. Every packet passes through these hooks, where rules can inspect and modify it.
- PREROUTING — First hook. DNAT and connection tracking happen here
- INPUT — Packets destined for the local machine
- FORWARD — Packets passing through (routing)
- OUTPUT — Packets originating from the local machine
- POSTROUTING — Final hook. SNAT and masquerading happen here
iptables Basics
iptables is the traditional userspace tool for managing netfilter rules. Each rule specifies a chain, match criteria, and a target action (ACCEPT, DROP, REJECT, etc.). Rules are evaluated in order.
# View current rules
sudo iptables -L -v -n
# Chain INPUT (policy ACCEPT)
# target prot opt in out source destination
# ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
# Allow SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow HTTP/HTTPS
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# Drop everything else (explicit policy)
sudo iptables -P INPUT DROP
# Save rules
sudo iptables-save > /etc/iptables/rules.v4iptables rules are evaluated top-to-bottom. The first matching rule determines the action. Place specific ACCEPT rules before the final DROP.
nftables: The Modern Replacement
nftables is the successor to iptables. It provides a unified framework for IPv4/IPv6, simpler syntax, better performance with large rule sets, and atomic rule replacement. Most modern distributions now default to nftables.
# Create a basic firewall ruleset
sudo nft add table inet filter
sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'
# Allow established connections
sudo nft add rule inet filter input ct state established,related accept
# Allow SSH
sudo nft add rule inet filter input tcp dport 22 accept
# Allow HTTP
sudo nft add rule inet filter input tcp dport { 80, 443 } accept
# List rules
sudo nft list rulesetnftables uses inet family to handle both IPv4 and IPv6 with a single ruleset. The 'ct state' match is equivalent to iptables -m conntrack --ctstate.
Connection Tracking (conntrack)
conntrack maintains state for every connection flowing through the firewall. It tracks TCP state, UDP "connections", ICMP, and other protocols. This statefulness allows the firewall to allow return traffic without explicit rules.
# View conntrack entries
sudo conntrack -L | head -10
# tcp 6 431 ESTABLISHED src=10.0.0.1 dst=10.0.0.2 sport=54321 dport=22 src=10.0.0.2 dst=10.0.0.1 sport=22 dport=54321 [ASSURED]
# Count connections
sudo conntrack -C
# 1234
# View conntrack statistics
cat /proc/net/stat/nf_conntrack
# entries: 1234
# inserts: 5678
# drops: 0
# early_drop: 0conntrack drops happen when the table is full. Increase net.netfilter.nf_conntrack_max if you see drops. Each connection uses about 300 bytes of memory.
NAT and Masquerading
NAT (Network Address Translation) rewrites packet addresses. SNAT changes the source address (outgoing), DNAT changes the destination address (incoming). Masquerading is SNAT with automatic source address detection.
# Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1
# Masquerade outgoing traffic (SNAT)
sudo iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
# Port forwarding (DNAT)
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.100:80
sudo iptables -A FORWARD -p tcp -d 192.168.1.100 --dport 80 -j ACCEPT
# nftables equivalent
sudo nft add rule ip nat postrouting oif eth0 masquerade
sudo nft add rule ip nat prerouting tcp dport 8080 dnat to 192.168.1.100:80Masquerading is simpler for dynamic IPs (home routers). SNAT with a fixed source IP is more efficient for servers because it avoids ARP overhead.
Performance Considerations
Netfilter adds overhead to every packet. For high-throughput servers, optimize rule sets, increase conntrack table size, and consider bypassing netfilter for trusted traffic.
# Increase conntrack table size
sysctl -w net.netfilter.nf_conntrack_max=1048576
# Reduce conntrack timeouts for faster cleanup
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
# Use raw table to skip conntrack for known traffic
sudo iptables -t raw -A PREROUTING -s 10.0.0.0/8 -j NOTRACK
# Monitor conntrack performance
cat /proc/sys/net/netfilter/nf_conntrack_buckets
conntrack -SThe raw table PREROUTING hook runs before conntrack. Using NOTRACK for trusted traffic reduces conntrack table pressure and improves throughput.
nftables is faster, cleaner, and the recommended choice for new systems. It handles IPv4/IPv6 in a single ruleset and provides atomic rule updates for zero-downtime firewall changes.
When nf_conntrack_max is reached, new connections are dropped. Monitor with cat /proc/net/stat/nf_conntrack | grep drops. Increase the table and reduce timeout values for busy servers.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.