Iptables Commands
Linux firewall rules: iptables commands for the filter and nat tables (on current distributions these usually run through the iptables-nft layer on top of nftables, so the same syntax applies).

Viewing Rules
iptables -L  # List all rules in all chains of the filter table
iptables -L -v  # List rules with verbose output (packet/byte counters, interfaces)
iptables -L -n  # List rules without DNS or service-name resolution
iptables -L -v -n --line-numbers  # List rules with line numbers (needed for -D, -I and -R by position)
iptables -t nat -L -v -n  # List NAT table rules
iptables -S  # Print all rules as iptables commands
iptables -S INPUT  # Print INPUT chain rules as iptables commands

Basic Filtering
iptables -A INPUT -p tcp --dport 22 -j ACCEPT  # Allow SSH connections
iptables -A INPUT -p tcp --dport 80 -j ACCEPT  # Allow HTTP traffic
iptables -A INPUT -p tcp --dport 443 -j ACCEPT  # Allow HTTPS traffic
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT  # Allow all traffic from a subnet
iptables -A INPUT -i lo -j ACCEPT  # Allow loopback traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  # Allow established and related connections (place early in the chain; -m conntrack --ctstate is the current form of this match)

Blocking Traffic
iptables -A INPUT -s 10.0.0.5 -j DROP  # Block traffic from a specific IP
iptables -A INPUT -s 10.0.0.0/24 -j DROP  # Block traffic from a subnet
iptables -A INPUT -p tcp --dport 23 -j DROP  # Block the Telnet port
iptables -A INPUT -p icmp -j DROP  # Block all ICMP (including ping)
iptables -A INPUT -p tcp --dport 22 -s 10.0.0.5 -j DROP  # Block SSH from a specific IP
iptables -A OUTPUT -d 192.168.1.100 -j DROP  # Block outbound traffic to an IP

Managing Rules
iptables -D INPUT 5  # Delete rule number 5 from the INPUT chain
iptables -D INPUT -s 10.0.0.5 -j DROP  # Delete a rule by giving its exact specification
iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT  # Insert a rule at position 1 (top of the chain)
iptables -R INPUT 1 -p tcp --dport 80 -j ACCEPT  # Replace the rule at position 1
iptables -F  # Flush all rules in all chains of the filter table (other tables need -t; chain policies are kept)
iptables -F INPUT  # Flush rules in the INPUT chain
iptables -X  # Delete all user-defined chains (they must be empty and unreferenced)

Policy Management
iptables -P INPUT DROP  # Set default INPUT policy to DROP (add loopback, ESTABLISHED and SSH accept rules first, or a remote session is lost)
iptables -P OUTPUT ACCEPT  # Set default OUTPUT policy to ACCEPT
iptables -P FORWARD DROP  # Set default FORWARD policy to DROP
iptables -P INPUT ACCEPT  # Set default INPUT policy to ACCEPT

NAT & Port Forwarding
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  # Enable NAT masquerading for traffic leaving eth0 (IP forwarding must be enabled in the kernel)
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080  # Redirect incoming port 80 to local port 8080
iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 10.0.0.5:80  # Port forward to an internal server (the FORWARD chain must also accept the traffic)
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to 1.2.3.4  # Source NAT for a subnet to a fixed public address

Rate Limiting
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 5/min -j ACCEPT  # Rate limit new SSH connections (without the NEW match the limit would also throttle packets of established sessions); connections over the limit fall through to the rules or policy below
iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT  # Rate limit ICMP to 1 per second
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT  # Rate limit new TCP connections (SYN packets) to 1 per second
iptables -A INPUT -m hashlimit --hashlimit-name persrc --hashlimit-above 10/min --hashlimit-mode srcip -j DROP  # Drop traffic from any source IP exceeding 10 packets per minute (--hashlimit-name is mandatory for this match)

Logging
iptables -A INPUT -j LOG --log-prefix "INPUT DROP: "  # Log packets reaching this point with a prefix (LOG does not terminate, so place it just before the DROP rule or policy)
iptables -A INPUT -p tcp --dport 22 -j LOG --log-level 4  # Log SSH traffic at syslog level warning
iptables -A INPUT -j LOG --log-prefix "DROPPED: " --log-level 7  # Log with a custom prefix at level debug

Save & Restore
iptables-save > /etc/iptables/rules.v4  # Save current rules to a file (path used by iptables-persistent on Debian/Ubuntu)
iptables-restore < /etc/iptables/rules.v4  # Restore rules from a file (replaces the running ruleset atomically)
service iptables save  # Save rules (RHEL/CentOS with the iptables-services package)
netfilter-persistent save  # Save rules (Debian/Ubuntu)
netfilter-persistent reload  # Reload saved rules

Advanced Matching
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP  # Block NULL packets (no TCP flags set)
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP  # Drop new TCP connections that do not start with a SYN (a common anti-SYN-flood rule)
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP  # Block XMAS packets (all TCP flags set)
iptables -A INPUT -m recent --name blacklist --set -j DROP  # Record the source IP in the "blacklist" recent list and drop; on its own this matches every packet, so it is meant to follow a narrower match or be combined with --rcheck rules
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP  # Drop packets the connection tracker considers invalid
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT  # Match multiple destination ports in one rule
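The commands above are listed individually, but in practice their order in the chain decides whether the firewall works (the ESTABLISHED accept before any limit, the LOG rule after every accept). The script below is an added example, not part of the original cheat sheet: it assembles the rules from this page into one ordered ruleset in iptables-save format, checks the ordering without needing root, and leaves loading to iptables-restore. ADMIN_NET, the interface-free service set (SSH, HTTP, HTTPS) and the limits are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: assemble the rules above
# into one ordered ruleset in iptables-save format so it can be reviewed and then
# loaded atomically with `iptables-restore < file`.  Assumptions: SSH, HTTP and
# HTTPS are the only exposed services and ADMIN_NET is the trusted admin subnet.
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"

gen_filter_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Order matters: broad accepts first, then per-service rules, then log and drop.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Malformed TCP: NULL and XMAS scans, and new connections that do not start with SYN
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# SSH: admin subnet unthrottled, everyone else limited to 5 new connections/min per source
-A INPUT -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-upto 5/min --hashlimit-burst 5 --hashlimit-mode srcip -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# LOG does not terminate: it records what the DROP policy will discard, rate-limited
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: " --log-level 4
COMMIT
EOF
}

# Root-free sanity check: the LOG rule must sit after the last ACCEPT, otherwise
# accepted traffic is logged as dropped (and consumes the limit meant for rejects).
check_order() {
    log_line=$(gen_filter_rules | grep -n -- '-j LOG' | head -n 1 | cut -d: -f1)
    last_accept=$(gen_filter_rules | grep -n -- '-j ACCEPT' | tail -n 1 | cut -d: -f1)
    [ -n "$log_line" ] && [ -n "$last_accept" ] && [ "$log_line" -gt "$last_accept" ]
}

# Usage: sh firewall-rules.sh > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
check_order && gen_filter_rules
```

Review the generated file before loading it; iptables-restore replaces the whole filter table at once, so a missing ESTABLISHED or SSH accept line locks a remote session out immediately.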