iptables/nftables — Firewall Rule Management
iptables is the traditional management tool for the Linux kernel netfilter firewall, while nftables is its modern replacement. This cheatsheet covers core operations for both: rule CRUD, NAT configuration, port forwarding, rule persistence, and advanced matching (rate limiting, string matching, connection tracking).
Updated: 2026-07-17·33 commands
Overview
iptables is the user-space utility program that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall. This cheatsheet covers basic rules, NAT, forwarding, and persistence.
Quick Start
``bash
iptables -L -v -n # List current rules
iptables -P INPUT DROP # Set default policy
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # Allow SSH
``
Refer to the command table below for detailed usage.
Basic Rules(19)
| Command | Level | ||
|---|---|---|---|
iptables -L -v -n --line-numbersList all rules with details, line numbers, and no DNS resolution | Basic | iptables -L INPUT -v -n --line-numbers | |
iptables -AAppend a rule to the end of a chain | Basic | iptables -A INPUT -p tcp --dport 22 -j ACCEPT | |
iptables -IInsert a rule at the beginning or a specific position | Basic | iptables -I INPUT 2 -p tcp --dport 443 -j ACCEPT | |
iptables -DDelete a specific rule | Basic | iptables -D INPUT 3 | |
iptables -FFlush all rules from a specific chain | Basic | iptables -F INPUT | |
iptables -PSet the default policy for a chain | Basic | iptables -P INPUT DROP | |
iptables -pMatch protocol (tcp/udp/icmp/all) | Basic | iptables -A INPUT -p udp --dport 53 -j ACCEPT | |
iptables --dportMatch destination port | Basic | iptables -A INPUT -p tcp --dport 80 -j ACCEPT | |
iptables -sMatch source IP address | Basic | iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT | |
iptables -j ACCEPTAllow matching packets through | Basic | iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT | |
iptables -j DROPSilently drop matching packets | Basic | iptables -A INPUT -s 203.0.113.0/24 -j DROP | |
iptables -j REJECTReject matching packets with an error response | Intermediate | iptables -A INPUT -p tcp --dport 23 -j REJECT --reject-with tcp-reset | |
ip6tablesIPv6 firewall rule management | Intermediate | ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT | |
nft list rulesetList the entire nftables ruleset | Intermediate | nft list ruleset | |
nft add ruleAdd a rule to an nftables chain | Intermediate | nft add rule inet filter input tcp dport 22 accept | |
nft add tableCreate an nftables table | Intermediate | nft add table inet my_table | |
nft add chainCreate an nftables chain | Expert | nft add chain inet my_table my_chain { type filter hook input priority 0\; } | |
nft delete ruleDelete an nftables rule | Intermediate | nft delete rule inet filter input handle 3 | |
nft flush rulesetFlush all nftables rules | Intermediate | nft flush ruleset |
Advanced(6)
| Command | Level | ||
|---|---|---|---|
iptables -j LOGLog matching packets to syslog without blocking | Intermediate | iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH_ATTEMPT: " | |
iptables -m state --stateMatch by connection state (legacy state module) | Intermediate | iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
iptables -m conntrack --ctstateMatch by connection tracking state (recommended) | Intermediate | iptables -A INPUT -m conntrack --ctstate NEW -p tcp --dport 80 -j ACCEPT | |
iptables -m limitRate limiting match (prevents DOS/brute force) | Expert | iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/min --limit-burst 5 -j ACCEPT | |
iptables -m recentDynamic match based on recent connection history | Expert | iptables -A INPUT -p tcp --dport 22 -m recent --name SSH --rcheck --seconds 60 -j DROP | |
iptables -m string --string --algoMatch by packet payload (string filtering) | Expert | iptables -A FORWARD -m string --string "BitTorrent" --algo bm -j DROP |
NAT(5)
| Command | Level | ||
|---|---|---|---|
iptables -t nat -A PREROUTINGAdd a DNAT rule in the NAT table PREROUTING chain | Intermediate | iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.5:8080 | |
iptables -t nat -A POSTROUTINGAdd a SNAT/MASQUERADE rule in the NAT table POSTROUTING chain | Intermediate | iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | |
iptables -t nat -A PREROUTING -j DNATDestination NAT (port forwarding) | Intermediate | iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.1.100:443 | |
iptables -t nat -A POSTROUTING -j SNATSource NAT (fixed egress IP) | Intermediate | iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.10 | |
iptables -t nat -A POSTROUTING -j MASQUERADESource masquerade (dynamic egress IP) | Intermediate | iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE |
Forwarding(1)
| Command | Level | ||
|---|---|---|---|
iptables -t filter -A FORWARDAdd a forwarding control rule in the filter table FORWARD chain | Intermediate | iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate NEW -j ACCEPT |
Persistence(2)
| Command | Level | ||
|---|---|---|---|
iptables-saveExport current iptables rules to stdout | Intermediate | iptables-save > /etc/iptables/rules.v4 | |
iptables-restoreRestore iptables rules from file (atomic operation) | Intermediate | iptables-restore < /etc/iptables/rules.v4 |
FAQ
This cheatsheet is compiled from official tool documentation. Last updated: 2026-07-17.