Linux iptables is one of the most powerful—and most misunderstood—components of the Linux networking stack. Many administrators learn to “make rules work” without fully understanding why multiple iptables tables exist, how packets move between them, or when to use the filter, NAT, or mangle table.
This article provides a clear, technical explanation of the differences between the filter, NAT, and mangle tables in iptables, explaining:
- Their purpose
- Where they operate in the packet flow
- What problems each table is designed to solve
- Practical, real-world use cases
The goal is not just to describe the tables, but to help you choose the right table for the right job.
A Quick Overview of iptables Architecture
iptables is a user-space interface to the Linux kernel’s Netfilter framework. Netfilter allows packets to be inspected, modified, accepted, dropped, or rerouted at various points during their journey through the kernel.
Instead of a single rule list, iptables organizes rules into:
- Tables (what you want to do)
- Chains (when you want to do it)
Understanding tables is the first step toward understanding iptables correctly.
Why iptables Uses Multiple Tables
Each iptables table exists to solve a specific category of networking problems.
Separating functionality into tables provides:
- Performance optimization
- Logical clarity
- Predictable packet behavior
Trying to do everything in one table would make packet handling slow, ambiguous, and error-prone.
The Three Most Important iptables Tables
While iptables supports several tables (filter, nat, mangle, raw, security), most real-world configurations rely heavily on three:
- filter – Decide whether packets are allowed or blocked
- nat – Modify source or destination addresses
- mangle – Modify packet metadata and headers
Each serves a fundamentally different role.
The Filter Table: Traffic Allow or Deny
Purpose of the Filter Table
The filter table is the default and most commonly used table in iptables. Its sole purpose is to permit or block packets.
If you think of iptables as a firewall, this is the table that actually acts like a firewall.
Common Chains in the Filter Table
- INPUT – packets destined for the local system
- FORWARD – packets being routed through the system
- OUTPUT – packets generated locally
What the Filter Table Is Designed For
The filter table is designed to answer a single question:
Should this packet be allowed to pass or not?
Typical use cases include:
- Allowing SSH access
- Blocking unwanted ports
- Restricting traffic by IP
- Enforcing basic security policies
Example: Allow SSH, Block Everything Else
This rule set:
- Allows SSH
- Blocks all other incoming traffic
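The rule set described above as an added example, not code from the original article: a POSIX shell script applying the filter-table rules, assuming sshd listens on port 22 and that IPT can be set to echo to print the commands instead of applying them. The loopback and ESTABLISHED,RELATED rules are included because a bare "allow 22, drop the rest" breaks local services and the replies of the host's own outbound connections.

```shell
#!/bin/sh
# Added example (not from the article): allow inbound SSH, drop all other inbound traffic.
# IPT defaults to the real binary; set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"   # assumption: sshd listens on the default port

apply_ssh_only_filter() {
  # Flush only filter/INPUT so rules in the nat and mangle tables stay untouched.
  "$IPT" -t filter -F INPUT
  # Loopback and already-tracked flows first; without these, local services and the
  # replies of outbound connections (DNS, package updates) would be dropped.
  "$IPT" -t filter -A INPUT -i lo -j ACCEPT
  "$IPT" -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # New SSH connections are the only new inbound flows accepted.
  "$IPT" -t filter -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
  # Everything else is dropped by the chain policy. Set it last: if it came first and a
  # rule above failed, the session you are working from would be cut off.
  "$IPT" -t filter -P INPUT DROP
}
```

Run it with IPT=echo first to review the generated commands; an existing SSH session survives the policy change because it matches the ESTABLISHED rule.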
What You Should Not Do in the Filter Table
The filter table is not meant for:
- Changing IP addresses
- Marking packets for routing decisions
- Manipulating packet headers
Using the filter table for anything other than accept/drop logic is a design mistake.
The NAT Table: Network Address Translation
Purpose of the NAT Table
The NAT (Network Address Translation) table is used to change packet source or destination addresses.
It answers a different question:
Where should this packet appear to come from or go to?
Common Chains in the NAT Table
- PREROUTING – before routing decisions
- OUTPUT – locally generated packets
- POSTROUTING – after routing decisions
What the NAT Table Is Designed For
The NAT table exists to:
- Share a single public IP across many systems
- Redirect traffic to internal services
- Expose internal services to external networks
Common scenarios:
- Port forwarding
- Masquerading
- Load redirection
Example: Port Forwarding
This rule:
- Redirects incoming port 80 traffic
- Forwards it to an internal server
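The port forward described above as an added example, not code from the original article: a shell script with the nat-table DNAT rule plus the filter-table FORWARD rule that the translated packet still has to pass, assuming eth0 as the public interface and a constructed internal address of 192.168.10.20; IPT and SYSCTL can be set to echo to preview the commands.

```shell
#!/bin/sh
# Added example (not from the article): publish an internal web server on inbound TCP/80.
# IPT/SYSCTL default to the real tools; set IPT=echo SYSCTL=echo to preview the commands.
# The interface name and internal address are constructed placeholders.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
WAN_IF="${WAN_IF:-eth0}"                   # assumption: public-facing interface
WEB_SERVER="${WEB_SERVER:-192.168.10.20}"  # constructed internal server address
WEB_PORT="${WEB_PORT:-80}"

apply_port_forward() {
  # Forwarding is off by default; without it the translated packet is silently dropped.
  "$SYSCTL" -w net.ipv4.ip_forward=1
  # nat/PREROUTING rewrites the destination before the routing decision, so the kernel
  # routes the packet toward the internal host instead of handing it to the local stack.
  "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
      -j DNAT --to-destination "$WEB_SERVER:$WEB_PORT"
  # Translation does not authorise the flow: after routing, the packet still traverses
  # filter/FORWARD, which sees the rewritten destination and must accept it.
  "$IPT" -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -t filter -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SERVER" --dport "$WEB_PORT" \
      -m conntrack --ctstate NEW -j ACCEPT
  # Return traffic is reverse-translated by conntrack; no explicit rule is needed for it.
}
```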
Important NAT Behavior: First Packet Only
NAT rules are evaluated only for the first packet of a new connection. The translation chosen there is recorded in the connection's conntrack entry and applied to every later packet of that flow, in both directions, without consulting the nat table again.
This is why NAT is efficient—but also why it is not suitable for ongoing packet manipulation.
What You Should Not Do in the NAT Table
- Filtering traffic (use filter)
- Packet marking for QoS (use mangle)
- Rewriting packets after routing decisions
The Mangle Table: Packet Manipulation & Marking
Purpose of the Mangle Table
The mangle table is used to alter packet metadata or headers beyond simple address translation.
It answers the question:
How should the kernel treat this packet?
Chains Available in the Mangle Table
The mangle table is the most flexible table and supports:
- PREROUTING
- INPUT
- FORWARD
- OUTPUT
- POSTROUTING
What the Mangle Table Is Designed For
Common mangle use cases include:
- Packet marking
- Policy-based routing
- Traffic prioritization
- QoS classification
- TTL modification
- DSCP/TOS changes
Example: Packet Marking
This mark can later be used by:
- ip rule
- tc (traffic control)
- Custom routing tables
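A packet-marking example added here, not code from the original article, that also covers the multi-ISP scenario discussed later: API traffic is marked in mangle/PREROUTING and the mark is consumed by ip rule to route those flows through a second uplink, with the matching source NAT placed in the nat table. It assumes the API listens on 8443 and uses a constructed gateway 203.0.113.1, interface eth2 and routing table 200; IPT and IP can be set to echo to preview the commands.

```shell
#!/bin/sh
# Added example (not from the article): mark API traffic in the mangle table, then use
# the mark with ip rule and a dedicated routing table to send it out via a second ISP.
# IPT/IP default to the real tools; set IPT=echo IP=echo to preview the commands.
# Port, gateway, interface and table number are constructed placeholders.
IPT="${IPT:-iptables}"
IP="${IP:-ip}"
API_PORT="${API_PORT:-8443}"          # assumption: port the API service listens on
ISP2_GW="${ISP2_GW:-203.0.113.1}"     # constructed gateway of the second uplink
ISP2_IF="${ISP2_IF:-eth2}"            # constructed interface of the second uplink
MARK=0x2
RT_TABLE=200                          # constructed policy-routing table id

mark_and_route_api() {
  # mangle/PREROUTING runs before the routing decision, so a mark set here can steer it.
  # CONNMARK keeps a whole flow on one path: reuse a stored mark, classify only new flows.
  "$IPT" -t mangle -A PREROUTING -j CONNMARK --restore-mark
  "$IPT" -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
  "$IPT" -t mangle -A PREROUTING -p tcp --dport "$API_PORT" -j MARK --set-mark "$MARK"
  "$IPT" -t mangle -A PREROUTING -j CONNMARK --save-mark
  # Policy routing: packets carrying fwmark 0x2 consult table 200, whose default route
  # points at ISP2. Unmarked traffic keeps using the main table.
  "$IP" rule add fwmark "$MARK" table "$RT_TABLE" priority 100
  "$IP" route add default via "$ISP2_GW" dev "$ISP2_IF" table "$RT_TABLE"
  # Source NAT belongs in the nat table: marked flows must leave with ISP2's address,
  # otherwise the upstream (and strict rp_filter) drops the asymmetric traffic.
  "$IPT" -t nat -A POSTROUTING -o "$ISP2_IF" -j MASQUERADE
}
```

The same 0x2 mark can be matched by a tc filter (handle 0x2 fw) for the prioritisation scenario, which is why marking is done once in mangle rather than in either of the other tables.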
Why Packet Marking Matters
Packet marking allows administrators to:
- Route traffic differently
- Apply bandwidth limits
- Prioritize critical services
- Separate workloads on multi-IP systems
This functionality cannot be achieved with filter or NAT tables.
Packet Flow: How Tables Work Together
Understanding packet flow is essential to using iptables correctly.
Simplified Packet Flow (Incoming)
- PREROUTING (mangle → nat)
- Routing decision
- INPUT (mangle → filter)
Simplified Packet Flow (Forwarded)
- PREROUTING (mangle → nat)
- Routing decision
- FORWARD (mangle → filter)
- POSTROUTING (mangle → nat)
Key Differences at a Glance
| Feature | Filter | NAT | Mangle |
|---|---|---|---|
| Primary Role | Allow / block | Address translation | Packet alteration |
| Default Table | Yes | No | No |
| Packet Marking | No | No | Yes |
| Changes IP Address | No | Yes | No |
| QoS / Traffic Control | No | No | Yes |
| Applied Per Packet | Yes | First packet only | Yes |
Real-World Scenarios: Choosing the Right Table
Scenario 1: Blocking an IP Address
→ Filter table
Scenario 2: Exposing an Internal Web Server
→ NAT table
Scenario 3: Prioritizing API Traffic Over Web Traffic
→ Mangle table
Scenario 4: Multi-ISP Routing
→ Mangle + ip rule
Common Mistakes Administrators Make
- Using NAT to block traffic
- Using filter to redirect packets
- Overloading mangle rules without understanding packet flow
- Forgetting connection tracking behavior
These mistakes often lead to:
- Unpredictable routing
- Performance degradation
- Difficult debugging
iptables vs Modern Alternatives
While iptables remains widely used, newer systems like nftables and eBPF simplify many of these concepts.
However, the core ideas of filter, NAT, and mangle still apply—even in modern frameworks.
Final Thoughts
Understanding the difference between iptables filter, NAT, and mangle tables is not optional for serious Linux networking work—it is foundational.
Each table:
- Solves a specific problem
- Operates at a specific stage
- Should be used intentionally
Using the right table makes your firewall:
- Faster
- Easier to debug
- More secure
- More predictable