iptables Tool Reference

iptables is the traditional Linux user-space tool for configuring the kernel's IPv4 packet filtering (netfilter) rules. Rules are organised into tables, each made up of chains that a packet traverses in order until a rule with a terminating target matches.

Basic Commands

  • iptables -L - List all rules
  • iptables -L -v - List rules with verbose output
  • iptables -L -n - List rules with numeric addresses
  • iptables -L -v -n --line-numbers - Full listing with line numbers
  • iptables -S - Show rules in iptables-save format
  • iptables -F - Flush all rules (clear all)
  • iptables -X - Delete all user-defined chains
  • iptables -Z - Zero all packet and byte counters

Tables

  • filter - Default table for packet filtering (INPUT, OUTPUT, FORWARD)
  • nat - Network address translation (PREROUTING, POSTROUTING, OUTPUT)
  • mangle - Packet alteration (all chains)
  • raw - Connection tracking exemptions (PREROUTING, OUTPUT)
  • security - SELinux rules (INPUT, OUTPUT, FORWARD)

Use -t to specify table:

  • iptables -t nat -L - List NAT rules
  • iptables -t mangle -L - List mangle rules

Chains

Filter Table Chains

  • INPUT - Incoming packets destined for local system
  • OUTPUT - Outgoing packets from local system
  • FORWARD - Packets routed through the system

NAT Table Chains

  • PREROUTING - Alter packets before routing
  • POSTROUTING - Alter packets after routing
  • OUTPUT - Alter locally-generated packets before routing

Adding Rules

  • iptables -A <chain> <rule> - Append rule to chain
  • iptables -I <chain> <rule> - Insert rule at beginning
  • iptables -I <chain> <num> <rule> - Insert rule at position
  • iptables -R <chain> <num> <rule> - Replace rule at position
  • iptables -D <chain> <rule> - Delete specific rule
  • iptables -D <chain> <num> - Delete rule by number

Rule Matching

Interface Matching

  • -i eth0 - Match input interface
  • -o eth0 - Match output interface

Address Matching

  • -s 192.168.1.0/24 - Match source address/network
  • -d 10.0.0.1 - Match destination address
  • ! -s 192.168.1.100 - Negate (match everything except)

Protocol Matching

  • -p tcp - Match TCP protocol
  • -p udp - Match UDP protocol
  • -p icmp - Match ICMP protocol
  • -p all - Match all protocols

Port Matching (requires -p tcp or -p udp)

  • --sport 22 - Match source port
  • --dport 80 - Match destination port
  • --dport 80:443 - Match port range
  • -m multiport --dports 22,80,443 - Match multiple ports

Targets (Actions)

  • -j ACCEPT - Accept the packet
  • -j DROP - Drop the packet silently
  • -j REJECT - Reject and send error response
  • -j LOG - Log the packet (non-terminating: evaluation continues with the next rule, so pair it with a following DROP)
  • -j RETURN - Return to calling chain
  • -j SNAT --to-source <ip> - Source NAT
  • -j DNAT --to-destination <ip> - Destination NAT
  • -j MASQUERADE - Dynamic source NAT (for dynamic IPs)

Connection Tracking

  • -m state --state NEW - New connections
  • -m state --state ESTABLISHED - Established connections
  • -m state --state RELATED - Related connections (e.g., FTP data)
  • -m state --state INVALID - Invalid packets
  • -m conntrack --ctstate NEW,ESTABLISHED - Modern syntax

Common Examples

Allow SSH

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Allow Established Connections

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Block IP Address

iptables -A INPUT -s 192.168.1.100 -j DROP

Allow HTTP/HTTPS

iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

Port Forwarding (NAT)

sysctl -w net.ipv4.ip_forward=1   # forwarding between interfaces is off by default
iptables -A FORWARD -p tcp -d 192.168.1.10 --dport 80 -j ACCEPT   # needed when the FORWARD policy is DROP
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
iptables -t nat -A POSTROUTING -j MASQUERADE

Log Dropped Packets

iptables -A INPUT -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A INPUT -j DROP

Basic Firewall Setup

# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow established
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Saving and Restoring

  • iptables-save > /etc/iptables.rules - Save rules to file
  • iptables-restore < /etc/iptables.rules - Restore rules from file
  • netfilter-persistent save - Save rules (Debian/Ubuntu)
  • service iptables save - Save rules (RHEL/CentOS)

Default Policies

  • iptables -P INPUT DROP - Set default INPUT policy to DROP
  • iptables -P OUTPUT ACCEPT - Set default OUTPUT policy to ACCEPT
  • iptables -P FORWARD DROP - Set default FORWARD policy to DROP

Rate Limiting

# Limit new SSH connections to 3 per minute (burst of 3); matching only NEW keeps
# packets of sessions already accepted from being dropped once the limit is hit
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP
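The Basic Firewall Setup, Log Dropped Packets, Saving and Restoring and Rate Limiting pieces above combined into one ruleset in iptables-save format, so it can be syntax-checked and loaded in a single transaction instead of rule by rule. This is an added example, not code from the page; SSH_PORT, ADMIN_NET (a constructed network) and the LOGDROP chain name are assumptions.

```shell
# Added example (not from the page): emit the complete filter ruleset in
# iptables-save format so it can be validated and loaded atomically with
# iptables-restore. Ordering avoids lockout: loopback and established traffic
# are accepted ahead of the DROP policies. SSH_PORT and ADMIN_NET are assumed
# placeholders; the admin network below is constructed.
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# loopback first, then anything belonging to a connection already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# new SSH connections only from the admin network; -m limit counts globally (hashlimit would be per source)
-A INPUT -p tcp --dport ${SSH_PORT} -s ${ADMIN_NET} -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
# everything else: log (rate limited so it cannot flood syslog), then drop
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Parse-check the ruleset without touching the kernel (iptables-restore --test),
# then load it in one transaction. Needs root; assumes a recent iptables.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    gen_ruleset > "$tmp"
    iptables-restore --test "$tmp" && iptables-restore "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Keep the previous `iptables-save` output as the backup before calling apply_ruleset, as the tips recommend.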

IPv6

  • ip6tables - IPv6 version of iptables
  • ip6tables -L - List IPv6 rules
  • ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT - Allow SSH over IPv6

Tips

  • Always allow loopback interface first
  • Allow established/related connections before specific rules
  • Set default policies after adding allow rules to avoid lockout
  • Use -n flag for faster output (skips DNS lookups)
  • Use -C (check) to test whether a rule already exists before adding it, to avoid duplicates
  • Use iptables-save to backup before making changes
  • Consider migrating to nftables - it's the modern replacement
  • Use --line-numbers when deleting rules by number
  • Log before dropping to debug connectivity issues
  • Be careful with -F when default policy is DROP (lockout risk)
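An added example (not from the page) that turns the lockout tips above into an offline check: it audits a ruleset in iptables-save format for a DROP policy without loopback or established accepts and for rules shadowed by an unconditional DROP, and wraps the -C check into an idempotent append. The two sample rulesets are constructed.

```shell
# Added example (not from the page): read-only audit of a ruleset in iptables-save
# format for the lockout conditions in the tips above. Prints FINDING lines; returns 1 if any.
audit_ruleset() {   # usage: audit_ruleset <file>   (file = iptables-save output)
    rc=0
    policy=$(sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p' "$1")
    if [ "$policy" = "DROP" ] || [ "$policy" = "REJECT" ]; then
        grep -q -- '^-A INPUT -i lo -j ACCEPT' "$1" ||
            { echo "FINDING: INPUT policy $policy but no loopback ACCEPT"; rc=1; }
        grep -Eq -- '^-A INPUT .*(--state|--ctstate) [A-Z,]*ESTABLISHED.* -j ACCEPT' "$1" ||
            { echo "FINDING: INPUT policy $policy but no ESTABLISHED,RELATED ACCEPT"; rc=1; }
    fi
    # Rules listed after an unconditional "-A INPUT -j DROP" can never match.
    catchall=$(grep -n -- '^-A INPUT -j DROP$' "$1" | head -n 1 | cut -d: -f1)
    if [ -n "$catchall" ] && tail -n +"$((catchall + 1))" "$1" | grep -q -- '^-A INPUT '; then
        echo "FINDING: INPUT rules after the unconditional DROP (line $catchall) are unreachable"
        rc=1
    fi
    return $rc
}

# Append a rule only if an identical one is not already present (the -C check
# from the tips). This one does call iptables, so it needs root on a real host.
add_rule_once() {   # usage: add_rule_once <chain> <rule spec...>
    chain=$1; shift
    iptables -C "$chain" "$@" 2>/dev/null || iptables -A "$chain" "$@"
}

# Constructed sample rulesets (filter table only) for trying the audit offline.
sample_unsafe() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}
sample_safe() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}
```

On a live host, `iptables-save > /tmp/rules && audit_ruleset /tmp/rules` runs the same check before the INPUT policy is switched to DROP.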