Master iptables: Essential Command Syntax and Practical Examples

This article breaks down the fundamental iptables command syntax, explains each option and parameter, provides practical examples for adding, inserting, listing, deleting, and managing firewall rules, and covers common modules, backup, and restoration techniques for effective Linux network security.

Open Source Linux

iptables command basic syntax

iptables [-t table] command [chain] [match] [-j target]

Below is a breakdown of iptables command components:

-t table

Specifies the table to use; options are filter, nat, mangle. If omitted, the default is the filter table.

command parameter

Specifies the operation to perform on the rule. Common commands include:

-A

Append: adds a rule at the end of the chain.

iptables -A INPUT -j DROP # Drop all incoming traffic (as the last rule)
# If -t is not specified, the filter table is used by default
-I

Insert: inserts a rule at a specified position.

iptables -I INPUT 2 -s 10.10.10.1 -j ACCEPT # Allow host 10.10.10.1 to access the machine
# Insert as the second rule in the INPUT chain of the filter table
-L

List: displays the rule list.

Common options:

-n: show numeric IPs and ports instead of resolving names (faster, and no DNS lookups)

-v: verbose output (packet and byte counters, interfaces)

-x: show exact counter values instead of rounded K/M/G figures

--line-numbers: show rule numbers (needed for -I and -D by position)

iptables -L -n -v --line-numbers
-D

Delete: removes a rule from a chain, either by its number (from -L --line-numbers) or by repeating the rule's exact specification. Rules are renumbered after every deletion, so list again before deleting by number a second time.

iptables -D INPUT 2
# Delete the second rule in the INPUT chain of the filter table
-P

Policy: sets the default policy for a chain.

iptables -P INPUT DROP
# Set the default policy of the INPUT chain in the filter table to DROP
-F

Flush: deletes all rules in the given chain, or in every chain of the table if no chain is named.

iptables -F INPUT # Clear rules in INPUT chain of filter table
iptables -F # Clear all chains in filter table
iptables -t nat -F PREROUTING # Clear PREROUTING chain in NAT table
iptables -t nat -F # Clear all chains in NAT table
Note: -F deletes rules but does not reset the default policy set with -P. On a remote host whose INPUT policy is DROP, running iptables -F removes the ACCEPT rules that let you in while the DROP policy stays in force, which locks you out. Set the policy to ACCEPT before flushing, or replace the whole ruleset in one step with iptables-restore, which never leaves a gap between the old and new rules.
-Z

Zero: resets counters for the specified chain (or all chains if omitted).

iptables -Z INPUT
# Reset counters on INPUT chain of filter table
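The two commands above that are easiest to get wrong in practice are -F (the lockout) and -D by number. As an added example, not taken from the article, the script below renders a minimal host ruleset in the file format that iptables-restore consumes, so the ACCEPT rules and the DROP policy are loaded together in a single step, and it parses a constructed sample of `iptables -L INPUT -n --line-numbers` output to find the number to pass to `iptables -D`. The admin network 10.10.10.0/24, the SSH port and the listing are hypothetical values.

```shell
#!/bin/sh
# Added example (not from the original article): build a lockout-safe
# INPUT ruleset in iptables-restore format and look up rule numbers
# for "iptables -D CHAIN <n>". Address and port values are hypothetical.
set -eu

# Render the filter table. All ACCEPT rules and the DROP policy go into
# one file, and iptables-restore replaces the table in a single step, so
# there is never a window with a DROP policy and no ACCEPT rules (the
# lockout that running -F under a DROP policy causes).
#   $1 = admin network allowed to reach SSH (CIDR), $2 = SSH port
render_ruleset() {
    admin_net=$1
    ssh_port=$2
    case $ssh_port in
        ''|*[!0-9]*) echo "render_ruleset: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$ssh_port" -lt 1 ] || [ "$ssh_port" -gt 65535 ]; then
        echo "render_ruleset: port out of range" >&2
        return 1
    fi
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        "-A INPUT -s $admin_net -p tcp --dport $ssh_port -j ACCEPT" \
        '-A INPUT -p icmp -j ACCEPT' \
        'COMMIT'
}

# Constructed sample of "iptables -L INPUT -n --line-numbers" output.
sample_listing() {
    printf '%s\n' \
        'Chain INPUT (policy DROP)' \
        'num  target     prot opt source               destination' \
        '1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0' \
        '2    ACCEPT     all  --  10.10.10.1           0.0.0.0/0' \
        '3    DROP       all  --  10.10.10.10          0.0.0.0/0'
}

# Print the number of the first rule whose source and target columns
# match, for use as "iptables -D INPUT <n>". Rules are renumbered after
# every deletion, so list again before deleting a second rule.
#   $1 = listing text, $2 = source address column, $3 = target column
rule_number_for() {
    printf '%s\n' "$1" | awk -v src="$2" -v tgt="$3" \
        '$1 ~ /^[0-9]+$/ && $5 == src && $2 == tgt { print $1; exit }'
}

# Apply for real only when asked: ./fw.sh --apply 10.10.10.0/24 22
# (--test parses and builds the ruleset without committing it).
if [ "${1:-}" = "--apply" ]; then
    render_ruleset "${2:?admin CIDR}" "${3:?ssh port}" | iptables-restore --test
    render_ruleset "$2" "$3" | iptables-restore
fi
```

Because iptables-restore swaps the whole filter table in, the order in which the lines are written into the file is the only ordering that matters; there is no moment at which the host is reachable with a partial ruleset, which is the property a sequence of separate -F, -A and -P commands cannot give you.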

Match parameters

Match by network interface: -i matches the interface a packet arrived on (valid in the INPUT, FORWARD and PREROUTING chains, which is why it is common in nat-table PREROUTING rules). -o matches the interface a packet will leave through (valid in OUTPUT, FORWARD and POSTROUTING).

-i eth0   # Match packets entering via eth0
-o eth1   # Match packets leaving via eth1

Match source and destination addresses: -s matches the source address (a single IP, a subnet in CIDR form, or a hostname; if omitted, any source matches). -d matches the destination address in the same way. A hostname is resolved once, when the rule is added, so the rule holds whatever addresses DNS returned at that moment.

iptables -A INPUT -s 10.10.10.10 -j DROP
iptables -A OUTPUT -d www.baidu.com -j DROP

Match protocol type: -p Matches protocol (tcp, udp, icmp, etc.).

iptables -A INPUT -s 10.10.10.10 -p icmp -j DROP

Match source and destination ports: --sport matches the source port and --dport the destination port; each takes a single port or a range.

--sport 23               # Source port 23
--sport 2000:3000        # Source ports 2000-3000
--sport :2000            # Source ports up to 2000
--sport 1000:            # Source ports 1000 and above

Note: --sport and --dport are options of the protocol match, so they must be used together with -p tcp or -p udp.

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow external traffic to local port 80

Target actions

-j ACCEPT

Accepts the packet; no further rules in this chain are evaluated.

iptables -A INPUT -j ACCEPT
# Allow all incoming traffic
-j DROP

Drops the packet, preventing it from passing.

iptables -A FORWARD -s 10.10.10.10 -j DROP
# Block packets from 10.10.10.10
-j SNAT

Source NAT: rewrites the source address of packets leaving the host, to a single IP or to an address taken from a range (an IP pool). It is used in the nat table's POSTROUTING chain.

# Single IP
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 18.18.18.18
# IP pool
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 18.18.18.18-18.18.18.28
-j DNAT

Destination NAT: rewrites the destination address of incoming packets, to a single IP or to an address from a range. It is used in the nat table's PREROUTING chain, before the routing decision, so the packet is then routed to its new destination; for that to work the forwarded traffic must also be allowed in the filter table's FORWARD chain and IP forwarding must be enabled on the host.

# Single IP
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1
# IP pool
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10
-j MASQUERADE

Dynamic SNAT for interfaces whose address changes (DHCP, PPP): the source is rewritten to whatever address the outgoing interface holds at that moment, so the rule needs -o and belongs in the nat table's POSTROUTING chain. On an interface with a fixed address, SNAT is preferable, since it avoids the per-packet address lookup.

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
# Rewrite the source of packets from 192.168.1.0/24 leaving via eth0 to eth0's current address
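The SNAT, DNAT and MASQUERADE rules above are usually deployed together on a small gateway, and the part most often forgotten is that DNAT alone does nothing unless the filter table's FORWARD chain also accepts the forwarded packets and IP forwarding is switched on. The script below, an added example that is not part of the article, renders the nat and filter tables for such a gateway in iptables-restore format, with input checks on the port numbers and the internal address. The interface names eth0, the network 192.168.1.0/24 and the internal host are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): render the nat and
# filter rules for a small gateway that masquerades a LAN and forwards
# one public port to an internal host. Interface names and addresses
# are hypothetical placeholders.
set -eu

# Return 0 if $1 is a dotted-quad IPv4 address.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# Return 0 if $1 is a port number 1-65535.
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Render both tables. The DNAT rule in PREROUTING changes the destination
# before routing; the FORWARD rules then admit exactly that traffic plus
# LAN-originated traffic and its replies. The INPUT policy here is a
# placeholder: merge with the host's own INPUT rules before applying.
#   $1 = WAN interface, $2 = LAN network (CIDR), $3 = public port,
#   $4 = internal host, $5 = internal port
render_gateway() {
    wan_if=$1; lan_net=$2; pub_port=$3; dst_ip=$4; dst_port=$5
    is_port "$pub_port" && is_port "$dst_port" && is_ipv4 "$dst_ip" || {
        echo "render_gateway: bad port or address" >&2; return 1; }
    printf '%s\n' \
        '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        "-A PREROUTING -i $wan_if -p tcp --dport $pub_port -j DNAT --to-destination $dst_ip:$dst_port" \
        "-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE" \
        'COMMIT' \
        '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        "-A FORWARD -i $wan_if -p tcp -d $dst_ip --dport $dst_port -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT" \
        "-A FORWARD -s $lan_net -o $wan_if -j ACCEPT" \
        '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        'COMMIT'
}

# Apply for real only when asked:
#   ./gw.sh --apply eth0 192.168.1.0/24 8080 192.168.1.1 80
if [ "${1:-}" = "--apply" ]; then
    shift
    sysctl -w net.ipv4.ip_forward=1
    render_gateway "$@" | iptables-restore
fi
```

The FORWARD policy is DROP on purpose: with DNAT in place, anything the FORWARD chain does not explicitly accept is discarded, so the port forward exposes only the one internal service and port named in the rule rather than the whole LAN.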

iptables common extension modules

State matching:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow packets that belong to, or are related to, a connection the host already has
# (-m conntrack --ctstate RELATED,ESTABLISHED is the newer spelling of the same match)

MAC address matching:

iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
# Drop packets from the specified MAC address

Note: the mac match is only valid in the PREROUTING, FORWARD and INPUT chains, and the address it sees is that of the last hop, so it only identifies hosts on the same link. MAC addresses are also easily changed, so treat this as a convenience filter, not as authentication.

Rate limiting:

iptables -A FORWARD -d 192.168.1.1 -m limit --limit 50/s -j ACCEPT
iptables -A FORWARD -d 192.168.1.1 -j DROP
# Accept up to 50 packets per second, then drop the excess

The limit match only decides which packets fall within the rate (after an initial burst of 5 packets, adjustable with --limit-burst); it does not drop anything by itself. Enforcing a limit therefore needs a following DROP rule, and the order of the two rules matters.

Multiport matching:

iptables -A INPUT -p tcp -m multiport --dports 22,53,80,443 -j ACCEPT
# Allow access to ports 22,53,80,443

Note: multiport is a port match, so it must be used together with -p tcp or -p udp; one rule can list at most 15 ports, and a range such as 2000:3000 counts as two.

iptables rule backup and restore

When iptables commands are executed, the rules live only in kernel memory and are not written to a file; after a reboot they are gone. Once you have verified the rules, save them with:

service iptables save
# Saves to /etc/sysconfig/iptables (the RHEL/CentOS iptables service script)

To back up, copy that file:

cp /etc/sysconfig/iptables /opt/myipt.rule

On a system without the iptables service script, iptables-save > /opt/myipt.rule writes the same format.

To restore:

iptables-restore < /opt/myipt.rule
service iptables save
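A backup is only useful if it restores cleanly, and the failure mode worth guarding against is a file truncated mid-table (a full disk or an interrupted copy), which iptables-restore may load partially. The script below, an added example and not the article's own procedure, takes timestamped iptables-save backups, checks that every table block in a saved file is closed by a COMMIT line, and only then restores and persists it as the article describes. The backup directory is a hypothetical path, and the sample saved file is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): back up the live ruleset
# with iptables-save, verify that a saved file is complete before feeding
# it to iptables-restore, and persist it the way the article describes.
# Paths are hypothetical.
set -eu

BACKUP_DIR=${BACKUP_DIR:-/opt/iptables-backups}

# Write the current rules to a timestamped file and print its path.
backup_rules() {
    mkdir -p "$BACKUP_DIR"
    file="$BACKUP_DIR/rules-$(date +%Y%m%d-%H%M%S).v4"
    iptables-save > "$file"
    echo "$file"
}

# A saved file must contain at least one table block, and every "*table"
# header must be closed by a COMMIT line before the next header or the
# end of file; a file truncated mid-table would otherwise load partially.
saved_file_is_complete() {
    awk '
        /^\*/      { if (open) bad = 1; open = 1; tables++ }
        /^COMMIT$/ { if (!open) bad = 1; open = 0 }
        END        { exit (bad || open || tables == 0) ? 1 : 0 }' "$1"
}

# Restore a file only after checking it is complete and that
# iptables-restore can parse it (--test builds the ruleset without
# committing it), then persist it with the service script.
restore_rules() {
    saved_file_is_complete "$1" || { echo "restore_rules: $1 is incomplete" >&2; return 1; }
    iptables-restore --test < "$1"
    iptables-restore < "$1"
    service iptables save
}

# Constructed sample of a complete saved file, used by the checks.
sample_saved_rules() {
    printf '%s\n' \
        '# Generated by iptables-save' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p tcp --dport 22 -j ACCEPT' \
        'COMMIT'
}

# Usage: ./ipt-backup.sh backup   |   ./ipt-backup.sh restore <file>
case ${1:-} in
    backup)  backup_rules ;;
    restore) restore_rules "${2:?saved file}" ;;
esac
```

Keeping several dated backups rather than one file makes it possible to compare rulesets after an incident (a plain diff of two iptables-save files shows exactly which rules changed), which is often the quickest way to spot an unauthorised modification of a host firewall.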