__ _______________________ _________._________________________ \_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/ | __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_ | \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \ \___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ / \/ \/ \/ \/ \/ \/ \/

iptables Cheatsheet

← Back to cheatsheets

← Home

iptables is the traditional Linux firewall tool for configuring IPv4 packet filtering rules. It uses tables and chains to control network traffic.

Basic Commands

  • iptables -L - List all rules
  • iptables -L -v - List rules with verbose output
  • iptables -L -n - List rules with numeric addresses
  • iptables -L -v -n --line-numbers - Full listing with line numbers
  • iptables -S - Show rules in iptables-save format
  • iptables -F - Flush all rules (clear all)
  • iptables -X - Delete all user-defined chains
  • iptables -Z - Zero all packet and byte counters

Tables

  • filter - Default table for packet filtering (INPUT, OUTPUT, FORWARD)
  • nat - Network address translation (PREROUTING, POSTROUTING, OUTPUT)
  • mangle - Packet alteration (all chains)
  • raw - Connection tracking exemptions (PREROUTING, OUTPUT)
  • security - SELinux rules (INPUT, OUTPUT, FORWARD)

Use -t to specify table:

  • iptables -t nat -L - List NAT rules
  • iptables -t mangle -L - List mangle rules

Chains

Filter Table Chains

  • INPUT - Incoming packets destined for local system
  • OUTPUT - Outgoing packets from local system
  • FORWARD - Packets routed through the system

NAT Table Chains

  • PREROUTING - Alter packets before routing
  • POSTROUTING - Alter packets after routing
  • OUTPUT - Alter locally-generated packets before routing

Adding Rules

  • iptables -A <chain> <rule> - Append rule to chain
  • iptables -I <chain> <rule> - Insert rule at beginning
  • iptables -I <chain> <num> <rule> - Insert rule at position
  • iptables -R <chain> <num> <rule> - Replace rule at position
  • iptables -D <chain> <rule> - Delete specific rule
  • iptables -D <chain> <num> - Delete rule by number

Rule Matching

Interface Matching

  • -i eth0 - Match input interface
  • -o eth0 - Match output interface

Address Matching

  • -s 192.168.1.0/24 - Match source address/network
  • -d 10.0.0.1 - Match destination address
  • ! -s 192.168.1.100 - Negate (match everything except)

Protocol Matching

  • -p tcp - Match TCP protocol
  • -p udp - Match UDP protocol
  • -p icmp - Match ICMP protocol
  • -p all - Match all protocols

Port Matching (requires -p tcp or -p udp)

  • --sport 22 - Match source port
  • --dport 80 - Match destination port
  • --dport 80:443 - Match port range
  • -m multiport --dports 22,80,443 - Match multiple ports

Targets (Actions)

  • -j ACCEPT - Accept the packet
  • -j DROP - Drop the packet silently
  • -j REJECT - Reject and send error response
  • -j LOG - Log the packet
  • -j RETURN - Return to calling chain
  • -j SNAT --to-source <ip> - Source NAT
  • -j DNAT --to-destination <ip> - Destination NAT
  • -j MASQUERADE - Dynamic source NAT (for dynamic IPs)

Connection Tracking

  • -m state --state NEW - New connections
  • -m state --state ESTABLISHED - Established connections
  • -m state --state RELATED - Related connections (e.g., FTP data)
  • -m state --state INVALID - Invalid packets
  • -m conntrack --ctstate NEW,ESTABLISHED - Modern syntax

Common Examples

Allow SSH

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Allow Established Connections

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Block IP Address

iptables -A INPUT -s 192.168.1.100 -j DROP

Allow HTTP/HTTPS

iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

Port Forwarding (NAT)

iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
iptables -t nat -A POSTROUTING -j MASQUERADE

Log Dropped Packets

iptables -A INPUT -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A INPUT -j DROP

Basic Firewall Setup

# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow established
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Saving and Restoring

  • iptables-save > /etc/iptables.rules - Save rules to file
  • iptables-restore < /etc/iptables.rules - Restore rules from file
  • netfilter-persistent save - Save rules (Debian/Ubuntu)
  • service iptables save - Save rules (RHEL/CentOS)

Default Policies

  • iptables -P INPUT DROP - Set default INPUT policy to DROP
  • iptables -P OUTPUT ACCEPT - Set default OUTPUT policy to ACCEPT
  • iptables -P FORWARD DROP - Set default FORWARD policy to DROP

Rate Limiting

# Limit SSH connections to 3 per minute
iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

IPv6

  • ip6tables - IPv6 version of iptables
  • ip6tables -L - List IPv6 rules
  • ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT - Allow SSH over IPv6

Tips

  • Always allow loopback interface first
  • Allow established/related connections before specific rules
  • Set default policies after adding allow rules to avoid lockout
  • Use -n flag for faster output (skips DNS lookups)
  • Test rules with -C (check) before adding
  • Use iptables-save to backup before making changes
  • Consider migrating to nftables - it's the modern replacement
  • Use --line-numbers when deleting rules by number
  • Log before dropping to debug connectivity issues
  • Be careful with -F when default policy is DROP (lockout risk)

← Back to cheatsheets

← Home