iptables

View chains, rules, packet/byte counters and line numbers for the filter table

$ sudo iptables [[-vnL --line-numbers|--verbose --numeric --list --line-numbers]]

$ sudo iptables [[-P|--policy]] [chain] [rule]

$ sudo iptables [[-A|--append]] [chain] [[-s|--source]] [ip] [[-j|--jump]] [rule]

$ sudo iptables [[-A|--append]] [chain] [[-s|--source]] [ip] [[-p|--protocol]] [tcp|udp|icmp|...] --dport [port] [[-j|--jump]] [rule]

$ sudo iptables [[-t|--table]] [nat] [[-A|--append]] [POSTROUTING] [[-s|--source]] [192.168.0.0/24] [[-j|--jump]] [MASQUERADE]

$ sudo iptables [[-D|--delete]] [chain] [rule_line_number]

iptables [-t table] [-A|-I chain rule-specification] [-D chain rule-specification] [-R chain rule-number rule-specification] [-S [chain]] [-F [chain]] [-Z [chain]] [-L [chain] [-v [-v]] [-x] [-n] [--line-numbers] [-N chain] [-X [chain]] [-P chain target] [-E old-chain-name new-chain-name] [-h|--help]

-t table
    Specifies the table to use (e.g., filter, nat, mangle, raw, security). Default is 'filter'.

-A chain
    Appends a new rule to the end of the specified chain.

-I chain [rulenum]
    Inserts a new rule into the specified chain at the given position (rulenum). If rulenum is omitted, the rule is inserted at the beginning.

-D chain rule-specification
    Deletes a rule from the specified chain. rule-specification can be either the rule number or the rule itself.

-R chain rulenum rule-specification
    Replaces a rule in the specified chain at the given position (rulenum).

-S [chain]
    Prints all rules in the selected chain. If no chain is specified, all rules in all chains are printed.

-F [chain]
    Flushes (deletes all rules from) the specified chain. If no chain is specified, all chains are flushed.

-Z [chain]
    Zeros the packet and byte counters for all rules in the specified chain. If no chain is specified, all chains are zeroed.

-L [chain]
    Lists the rules in the specified chain. If no chain is specified, all chains are listed.

-v
    Verbose output.

-x
    Expand numbers (don't abbreviate bytes, packets and so on).

-n
    Numeric output. Don't try to resolve hostnames or services.

--line-numbers
    Show line numbers when listing rules.

-N chain
    Creates a new chain with the given name.

-X [chain]
    Deletes the specified empty chain. If no chain is specified, all user-defined chains are deleted.

-P chain target
    Sets the policy for the specified chain to the given target. The target must be one of the built-in targets: ACCEPT, DROP, REJECT, or RETURN.

-E old-chain-name new-chain-name
    Renames the specified chain.

-h|--help
    Displays help information.

iptables is a command-line utility used to configure the IPv4 packet filter ruleset of the Linux kernel's netfilter firewall. It acts as the interface for managing the tables, chains, and rules that govern how network traffic is handled. These rules specify criteria for matching packets and actions to be taken on matching packets, such as accepting, dropping, or modifying them.

Essentially, iptables allows system administrators to define policies for network security, including filtering traffic based on source/destination IP addresses, ports, protocols, and more. It's a powerful tool for creating firewalls, network address translation (NAT), and other network security configurations. It operates by traversing a set of pre-defined tables and chains containing rules, providing a flexible way to manage network traffic flow.

The user interacts with iptables by creating and modifying rules which are stored in the kernel's memory.

Iptables requires root privileges to run. Rules are not persistent across reboots unless saved (e.g., using `iptables-save` and `iptables-restore`). Iptables can be complex to configure correctly, and misconfigurations can lock you out of the system.

Targets specify what to do with a packet that matches a rule. Common targets include:
ACCEPT: Allow the packet.
DROP: Silently drop the packet.
REJECT: Drop the packet and send an ICMP error message back to the sender.
RETURN: Stop traversing the current chain and resume processing in the previous chain.
Also it is possible to redirect or masquerade a packet.

Iptables organizes rules into different tables, each serving a specific purpose:
filter: Default table; used for general packet filtering.
nat: Used for Network Address Translation (NAT).
mangle: Used for altering packet headers (e.g., TTL).
raw: Used for configuring exemptions from connection tracking.
security: For Mandatory Access Control (MAC) networking rules, such as those enabled by SELinux.

iptables replaced ipchains in Linux 2.4 as the primary tool for managing the netfilter firewall. Its development stemmed from the need for a more flexible and extensible firewall framework. Iptables quickly became a standard tool for system administrators, enabling complex network security configurations. Recently, nftables is designed to be the successor to iptables.

iptables-save(8), iptables-restore(8), netfilter(3), nft(8)