Firewall Rules Explained: The Basics + Chains (Linux & MikroTik) - based on how I understand them
Firewall Rules Explained: The Basics + Chains (Linux & MikroTik)
Have you heard of a firewall rule list and thought: What on earth is happening here? Some rules say “drop”, others say “reject”. Then you see words like PREROUTING, FORWARD, INPUT, OUTPUT, POSTROUTING—and that’s when the real confusion kicks in.
It’s normal to feel lost. Firewalls can look like a maze of rules, tables, and chains. Add to that the fear of getting it wrong—blocking your own connection, or worse, leaving a hole wide open—and it’s no wonder so many admins copy-paste rules without fully understanding them.
Here’s the good news: firewall logic isn’t as mysterious as it first seems. Once you understand the basics of firewalling—what rules are made of, how stateful inspection works, and how packets actually travel through a firewall—you’ll see there’s a method to the madness.
In this guide, you’ll learn:
The fundamentals of firewalls (rules, states, and zones)
The different types of rules (allow, deny, drop, reject)
How packet flow chains work (PREROUTING to POSTROUTING, and everything in between)
Practical examples in both Linux and MikroTik
Common mistakes to avoid and best practices to follow
By the end, you’ll not only understand what each chain does—you’ll also know how to build firewall rules that make sense, keep your network secure, and don’t accidentally lock you out.
What Is a Firewall?
At its core, a firewall is just a traffic controller. It decides what’s allowed in, what’s allowed out, and what gets stopped at the door. Think of it as the security guard of your network: checking IDs, scanning bags, and making sure only the right people get through.
Firewalls can be:
Hardware firewalls → dedicated devices (like MikroTik, Fortinet, or Cisco) that sit between your network and the internet.
Software firewalls → programs that run on a computer or server (like Windows Firewall, Linux iptables, or pfSense).
No matter the form, the purpose is the same:
Protect your devices and data.
Control how traffic flows between networks (e.g. your LAN and the internet).
Enforce rules so that only authorised traffic gets through.
Without a firewall, your network is like an open house with no locks. With a firewall, you set the rules: who’s allowed in, who’s not, and under what conditions.
Firewall Rules Basics
A firewall works by following rules—a list of instructions that tell it what to do with each packet of data passing through. You can think of these rules like a guest list at a club: some people are let in, some are turned away, and some never even make it to the door.
Actions a Rule Can Take
Allow (Accept/Permit) → The traffic is allowed through.
Deny/Drop → The traffic is silently discarded, with no response.
Reject → The traffic is blocked, but with a reply (e.g. “connection refused”).
Source vs Destination
Source = who’s knocking on the door (an IP, subnet, or network zone).
Destination = the target they’re trying to reach (IP, port, or service).
Ports & Protocols
Rules can filter by protocol (TCP, UDP, ICMP) and by port numbers (e.g. 80 for web traffic, 22 for SSH).
Stateless vs Stateful Firewalls
Stateless → Each packet is judged on its own, with no memory of past packets.
Stateful → The firewall remembers connections, so return traffic from your requests is automatically allowed.
Most modern firewalls (Linux, MikroTik, pfSense) are stateful, which makes life a lot easier.
Zones & Interfaces
Firewalls also think in terms of where traffic comes from and where it’s going.
Interfaces are physical/virtual network ports (e.g. WAN, LAN).
Zones are logical groupings of interfaces, based on trust levels.
The most common zones are:
WAN → the internet (untrusted).
LAN → your internal network (trusted).
DMZ → a “demilitarised zone” for public-facing servers.
Analogy:
LAN = your living room (trusted space).
WAN = the street outside (untrusted).
DMZ = your porch, where deliveries can be left but strangers don’t enter your house.
Zones simplify firewalling: you can allow LAN → WAN, block WAN → LAN, and allow WAN → DMZ under specific conditions.
Packet Flow & Chains
When a packet arrives at your firewall, it goes through a journey. At each stage, rules can apply. These stages are called chains.
Think of it like moving through an airport:
PREROUTING → First checkpoint, before the firewall decides where the packet should go (used for DNAT/port forwarding).
INPUT → For traffic to the firewall itself (e.g. SSH into the router).
FORWARD → For traffic through the firewall (e.g. your PC browsing the internet).
OUTPUT → For traffic generated by the firewall itself (e.g. updates).
POSTROUTING → Final checkpoint, after routing, often used for SNAT/masquerade.
Once you understand this flow, placing rules becomes logical instead of guesswork.
Examples of Rule Placement
1. Block external SSH attempts (INPUT)
Linux:
iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROPMikroTik:
/ip firewall filter add chain=input in-interface=WAN protocol=tcp dst-port=22 action=drop
2. Allow LAN to access the internet (FORWARD)
Linux:
iptables -A FORWARD -i lan0 -o eth0 -p tcp -m multiport --dports 80,443 -j ACCEPTMikroTik:
/ip firewall filter add chain=forward src-address=192.168.1.0/24 out-interface=WAN protocol=tcp dst-port=80,443 action=accept
3. NAT for LAN devices (POSTROUTING)
Linux:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADEMikroTik:
/ip firewall nat add chain=srcnat out-interface=WAN action=masquerade
4. Port forwarding to a web server (PREROUTING)
Linux:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.10:80MikroTik:
/ip firewall nat add chain=dstnat in-interface=WAN protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.10 to-ports=80
Common Pitfalls & Best Practices
✅ Map traffic flow first → Decide if traffic is to, through, or from the firewall.
✅ Rule order matters → Firewalls read rules top to bottom; first match wins.
✅ Don’t lock yourself out → Test carefully, especially with remote access.
✅ Log wisely → Log important drops, but avoid logging everything.
✅ Keep it simple → Use zones and broad logic, not endless one-off rules.
✅ Update regularly → Keep firewall software and rules current.
Quick Reference Cheat Sheet
| Chain | Purpose | Linux (iptables) | MikroTik |
|---|---|---|---|
| PREROUTING | Before routing; DNAT/port forwarding | iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.10:80 | /ip firewall nat add chain=dstnat in-interface=WAN protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.10 to-ports=80 |
| INPUT | Traffic to the firewall itself | iptables -A INPUT -p tcp --dport 22 -j DROP | /ip firewall filter add chain=input protocol=tcp dst-port=22 action=drop |
| FORWARD | Traffic through the firewall | iptables -A FORWARD -i lan0 -o eth0 -j ACCEPT | /ip firewall filter add chain=forward src-address=192.168.1.0/24 out-interface=WAN action=accept |
| OUTPUT | Traffic from the firewall | iptables -A OUTPUT -p udp --dport 53 -j ACCEPT | /ip firewall filter add chain=output protocol=udp dst-port=53 action=accept |
| POSTROUTING | After routing; SNAT/masquerade | iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | /ip firewall nat add chain=srcnat out-interface=WAN action=masquerade |
Final Thoughts
Protect the firewall itself with INPUT rules.
Control through-traffic with FORWARD.
Use PREROUTING and POSTROUTING for NAT.
Don’t forget OUTPUT for the firewall’s own traffic.
With this mental model—and a cheat sheet at hand—you can build strong, clear firewall rules that secure your network without the guesswork.
Comments
Post a Comment