LinuxCommandLibrary

iptables

Configure Linux firewall rules

TLDR

View chains, rules, packet/byte counters, and line numbers for the filter table

$ sudo iptables [[-vnL --line-numbers|--verbose --numeric --list --line-numbers]]

Set the default policy of a chain (the target applied to packets that no rule matches)
$ sudo iptables [[-P|--policy]] [chain] [ACCEPT|DROP]

Append a rule to a chain that applies a target to traffic from an IP address
$ sudo iptables [[-A|--append]] [chain] [[-s|--source]] [ip_address] [[-j|--jump]] [target]

Append a rule to a chain that applies a target to traffic from an IP address, restricted to a protocol and destination port (--dport only applies to port-based protocols such as TCP and UDP)
$ sudo iptables [[-A|--append]] [chain] [[-s|--source]] [ip_address] [[-p|--protocol]] [tcp|udp] --dport [port] [[-j|--jump]] [target]

Add a NAT rule to translate all traffic from the 192.168.0.0/24 subnet to the host's public IP
$ sudo iptables [[-t|--table]] [nat] [[-A|--append]] [POSTROUTING] [[-s|--source]] [192.168.0.0/24] [[-j|--jump]] [MASQUERADE]

Delete a rule from a chain by its line number (as shown by --line-numbers)
$ sudo iptables [[-D|--delete]] [chain] [rule_line_number]
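The first TLDR command above lists chains with their policies and per-rule packet counters. The following script is an added example (not part of this page) that audits such a listing: it flags chains whose default policy is ACCEPT and rules that have never matched a packet, the two things a reviewer checks first. The listing it parses is constructed sample output, not captured from a real host; the `--live` mode and the column layout assume `-v -n --line-numbers` were all given.

```shell
#!/bin/sh
# Added example: audit the output of `iptables -vnL --line-numbers`.
# Reports chains defaulting to ACCEPT and rules with a zero packet counter.

# Constructed sample listing (not from a real host).
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP 12 packets, 960 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     2048  150K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      931 4812K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3        0     0 ACCEPT     tcp  --  *      *       10.0.0.0/8           0.0.0.0/0            tcp dpt:22
4       17  1020 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3100 packets, 410K bytes)
num   pkts bytes target     prot opt in     out     source               destination
EOF
}

# Reads a listing on stdin. Column layout assumes -v, -n and --line-numbers:
#   num pkts bytes target prot opt in out source destination [match details]
audit_listing() {
    awk '
        /^Chain / {
            chain = $2
            # built-in chains print "(policy X ...)"; user chains print "(N references)"
            if ($3 == "(policy" && $4 == "ACCEPT")
                printf "POLICY  %s defaults to ACCEPT\n", chain
            next
        }
        /^num / { next }              # column header line
        NF == 0 { next }              # blank separator between chains
        $2 == "0" {                   # pkts column: never matched since last -Z
            printf "UNUSED  %s rule %s (%s) has matched no packets\n", chain, $1, $4
        }
    '
}

# Runs the audit over the constructed sample.
demo_audit() {
    sample_listing | audit_listing
}

case "${1:-}" in
    --live) iptables -vnL --line-numbers | audit_listing ;;   # needs root
    *)      demo_audit ;;
esac
```

An unused ACCEPT rule is worth a second look: either the rule is dead and can be deleted with `-D chain num`, or the traffic it was meant to allow is being caught by an earlier rule or the default policy. Counters reset on reboot or `-Z`, so check them over a representative period.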

SYNOPSIS

iptables [-t table] { -A|-D|-I|-R chain [rulenum] | -L|-F|-Z [chain] | -N|-X chain | -P chain target } [matches] [-j target]

PARAMETERS

-A, --append
    Append one or more rules to the end of selected chain

-D, --delete
    Delete one or more rules from selected chain

-I, --insert
    Insert one or more rules at position in selected chain

-R, --replace
    Replace a rule at specific position in chain

-L, --list
    List rules in selected chain(s)

-F, --flush
    Delete all rules in selected chain(s)

-Z, --zero
    Zero packet/byte counters in selected chain(s)

-N, --new-chain
    Create a new user-defined chain

-X, --delete-chain
    Delete user-defined chain(s)

-P, --policy
    Set default policy for chain (e.g., ACCEPT, DROP)

-E, --rename-chain
    Rename user-defined chain

-t, --table
    Specify table (filter, nat, mangle, raw, security)

-s, --source
    Match source IP(s) or network

-d, --destination
    Match destination IP(s) or network

-p, --protocol
    Match protocol (tcp, udp, icmp, all)

--sport, --source-port
    Match source port(s) or range

--dport, --destination-port
    Match destination port(s) or range

-i, --in-interface
    Match incoming interface name

-o, --out-interface
    Match outgoing interface name

--ctstate
    Match connection-tracking state (NEW, ESTABLISHED, RELATED, INVALID); requires the conntrack match extension (-m conntrack)

-j, --jump
    Target to jump to (ACCEPT, DROP, REJECT, LOG)

-g, --goto
    Continue processing in a user-defined chain without returning to the current chain; a later RETURN goes back to the chain that last used -j, not to the chain that used -g

-m, --match
    Load extension module for matches

--line-numbers
    Number rules when listing (-L)

-v, --verbose
    Verbose output

-n, --numeric
    Numeric output (no DNS resolves)

-h, --help
    Display help

-V, --version
    Output version information

DESCRIPTION

iptables is a user-space command-line tool for configuring the Linux kernel's Netfilter framework, enabling packet filtering, NAT (Network Address Translation), packet mangling, and connection tracking. It implements firewall rules to control inbound, outbound, and forwarded traffic, essential for securing servers, routers, and hosts.

Netfilter organizes rules into tables (filter for access control, nat for address translation, mangle for header modifications, raw for exempting packets from connection tracking) containing chains, which are ordered lists of rules. Built-in chains include INPUT (packets addressed to the local host), OUTPUT (locally generated packets), FORWARD (packets routed through the host), PREROUTING (before the routing decision), and POSTROUTING (after the routing decision).

Each rule matches packet attributes like source/destination IP (-s, -d), ports (--dport), protocols (-p), interfaces (-i, -o), and connection state (-m conntrack --ctstate). The first matching rule's target decides the packet's fate (ACCEPT, DROP, REJECT, LOG, or a custom chain); if no rule matches, the chain's default policy applies.

Operations include appending (-A), inserting (-I), listing (-L), flushing (-F), and setting policies (-P). Stateful inspection uses conntrack. Though powerful, its syntax is verbose; legacy configs persist, but modern systems favor nftables.

CAVEATS

Deprecated in modern Linux; nftables is recommended for new setups (on many distributions the iptables command is now a compatibility front end, iptables-nft, over nftables). No native set support (the separate ipset tool provides it); verbose syntax. Changes require root and take effect immediately; rules are lost on reboot unless saved (iptables-save) and restored at boot with iptables-persistent or similar. IPv4 only (use ip6tables for IPv6).
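Because rules do not survive a reboot and a partially applied ruleset can lock an administrator out, the usual practice is to keep the whole firewall in iptables-restore format and load it atomically. The script below is an added example (not from this page) of a minimal stateful host firewall in that format, including the MASQUERADE rule from the TLDR section; `MGMT_NET` and `LAN_NET` are assumed values to adjust for the host.

```shell
#!/bin/sh
# Added example: a minimal stateful firewall in iptables-restore format.
# iptables-restore loads the whole ruleset in one atomic operation, and the
# same text is what iptables-save emits, so it can be saved and restored at boot.

MGMT_NET="${MGMT_NET:-10.0.0.0/8}"      # assumed: where SSH administrators connect from
LAN_NET="${LAN_NET:-192.168.0.0/24}"    # the subnet MASQUERADEd in the TLDR example

# Prints the ruleset; '#' lines are comments to iptables-restore.
baseline_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always trusted
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related traffic (e.g. ICMP errors)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify never reach an ACCEPT rule
-A INPUT -m conntrack --ctstate INVALID -j DROP
# new SSH sessions only from the management network
-A INPUT -p tcp --dport 22 -s $MGMT_NET -m conntrack --ctstate NEW -j ACCEPT
# log a rate-limited sample of what the DROP policy is about to discard
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
# routed traffic: LAN hosts may open connections outward, replies come back
# (routing itself also needs net.ipv4.ip_forward=1)
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# translate LAN traffic leaving this host to the host's own address
-A POSTROUTING -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

apply_rules() {
    # --test parses the whole file without committing it, so a typo leaves
    # the current rules untouched instead of half-applying a new set.
    baseline_rules | iptables-restore --test && baseline_rules | iptables-restore
}

case "${1:-}" in
    --apply) apply_rules ;;          # needs root
    *)       baseline_rules ;;       # dry run: print the ruleset that would be loaded
esac
```

Run without arguments to review the generated ruleset; run with `--apply` as root to load it. To persist it, write the same text where the boot-time restore expects it (for iptables-persistent on Debian-based systems that is `/etc/iptables/rules.v4`). Note that the policy is set in the `:INPUT DROP` header line rather than by a trailing `-A INPUT -j DROP`, so rules appended later with `-A` still land before the final drop.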

TABLES

filter (default: packet filtering), nat (SNAT/DNAT/MASQUERADE; consulted only for the first packet of a connection, conntrack applies the result to the rest), mangle (packet alteration such as TTL, TOS/ECN and firewall marks), raw (exempt packets from conntrack with NOTRACK), security (SELinux mandatory access control rules). Use -t to select.

BUILT-IN CHAINS

filter: INPUT, OUTPUT, FORWARD.
nat: PREROUTING, INPUT, OUTPUT, POSTROUTING.
mangle: PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING.
raw: PREROUTING, OUTPUT.
security: INPUT, OUTPUT, FORWARD.
Each built-in chain hangs off a fixed Netfilter hook, so a packet's path is determined by whether it is addressed to the host (PREROUTING, then INPUT), generated by it (OUTPUT, then POSTROUTING), or routed through it (PREROUTING, FORWARD, POSTROUTING); tables sharing a hook are consulted in a fixed priority order.

COMMON TARGETS

ACCEPT (allow), DROP (silent drop), REJECT (error reply), RETURN (exit chain), LOG (kernel log), QUEUE (userspace), MARK (set fwmark). Extensions add more.

HISTORY

Part of Netfilter project (1999) by Rusty Russell et al. Introduced in Linux 2.4 (2001). Enhanced in 2.6 kernels with conntrack/NATv4. Stable until nftables debuted in 3.13 (2014), becoming default in many distros by 2020s.

SEE ALSO

ip6tables(8), nft(8), arptables(8), ebtables(8), conntrack(8), firewalld(1), ufw(1)
