
iptables Cheatsheet

By Dejan Panovski

Quick reference for common iptables firewall commands

Iptables is the classic Linux firewall tool for filtering, NAT, and packet mangling. Rules live in tables (filter by default, plus nat and mangle) and chains (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING). A chain is evaluated top to bottom: the first matching rule with a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate, and the chain's policy applies when nothing matches. Everything below is IPv4 only; ip6tables keeps a separate ruleset with the same syntax. This cheatsheet covers the most common commands for inspecting rules, allowing or blocking traffic, port forwarding, and managing persistence.

View Rules

Inspect current firewall rules.

Command | Description
sudo iptables -L | List rules in the filter table (the default table)
sudo iptables -L -n | List without resolving addresses and ports to names (no DNS lookups, much faster)
sudo iptables -L -v | Verbose: packet and byte counters plus interfaces per rule
sudo iptables -L -n --line-numbers | Show rule numbers, needed for -D, -I and -R by position
sudo iptables -S | Print rules as the iptables commands that would recreate them (iptables-save style)
sudo iptables -t nat -L -n -v | View the nat table; -t selects a table, otherwise only filter is shown

Default Policies

Set the policy a built-in chain applies to packets that match no rule. Set INPUT to DROP only after the loopback and ESTABLISHED,RELATED rules from the next section are in place; setting it first over an SSH session cuts that session off.

Command | Description
sudo iptables -P INPUT DROP | Default drop inbound
sudo iptables -P FORWARD DROP | Default drop forwarded (routed) traffic
sudo iptables -P OUTPUT ACCEPT | Default allow outbound

Allow Traffic

Allow common inbound traffic. -A appends to the end of the chain and rules are evaluated in order, so add the loopback and conntrack rules first.

Command | Description
sudo iptables -A INPUT -i lo -j ACCEPT | Allow loopback (many local services break without it)
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | Allow replies to connections this host initiated or already accepted; keep it above all port rules
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT | Allow SSH
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT | Allow HTTP
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT | Allow HTTPS
sudo iptables -A INPUT -p icmp -j ACCEPT | Allow all ICMP types; add --icmp-type echo-request to allow only ping
sudo iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT | Allow all traffic from a subnet

Block Traffic

Drop or reject traffic. A block rule must sit above any broader ACCEPT (such as the subnet allow above) or it never matches; use -I to insert it at the top of the chain.

Command | Description
sudo iptables -A INPUT -s 203.0.113.10 -j DROP | Drop an IP address silently
sudo iptables -A INPUT -s 203.0.113.0/24 -j DROP | Drop a subnet
sudo iptables -A INPUT -p tcp --dport 23 -j DROP | Block Telnet
sudo iptables -A INPUT -p tcp --dport 25 -j REJECT | Reject SMTP with an ICMP port-unreachable; add --reject-with tcp-reset to send a TCP RST instead
sudo iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP | Block a MAC address (only works for the last hop on the local segment, and MACs are trivially spoofed)

Port Forwarding (DNAT)

Rewrite the destination of incoming packets to a different host or port. DNAT to another host also needs IP forwarding enabled (see NAT below) and a FORWARD rule, and the FORWARD chain sees the packet after translation.

Command | Description
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80 | Forward port 80 to an internal host
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80 | Redirect incoming port 8080 to port 80 on this host
sudo iptables -A FORWARD -p tcp -d 192.168.1.10 --dport 80 -j ACCEPT | Allow the forwarded traffic through FORWARD (matches the post-DNAT destination)

NAT (Masquerade)

Rewrite the source address of outbound traffic so that hosts behind this machine share its address.

Command | Description
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | NAT to whatever address eth0 currently has (for dynamic addresses)
sudo iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.1 | Static source NAT to a fixed public address
sudo sysctl -w net.ipv4.ip_forward=1 | Enable IP forwarding (runtime only; put net.ipv4.ip_forward = 1 in a file under /etc/sysctl.d/ to persist it)
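The DNAT and masquerade rules above only work together with IP forwarding and a FORWARD chain that admits the translated flow. The script below is an added example, not a script from the original page: it emits the complete nat and filter rules a small gateway needs to publish one internal service and masquerade its LAN, in iptables-restore format so both tables are committed in one transaction, and it checks and persists the forwarding knob. The interface, subnet, internal host, port numbers and the sysctl file name are assumed values for illustration.

```shell
#!/usr/bin/env bash
# Added example, not a script from the original page: the rule set a small
# gateway needs to publish one internal service with DNAT and masquerade LAN
# clients. Interface, subnet, host, ports and file names are assumed values.
set -eu

WAN_IF=eth0
LAN_NET=192.168.1.0/24
SERVICE_HOST=192.168.1.10
PUBLIC_PORT=80        # port reachable on the gateway's public address
SERVICE_PORT=8080     # port the service listens on inside

# Print nat + filter rules. $1 WAN interface, $2 LAN CIDR, $3 internal host,
# $4 public port, $5 internal port.
build_router_rules() {
    wan=$1 lan=$2 host=$3 pub=$4 svc=$5
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':INPUT ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    # Translate only on the WAN side; without -i, LAN hosts talking to the
    # gateway's own port $pub would be rewritten as well.
    echo "-A PREROUTING -i $wan -p tcp --dport $pub -j DNAT --to-destination $host:$svc"
    # Masquerade only packets that really come from the LAN, not any source
    # that happens to be routed out of $wan.
    echo "-A POSTROUTING -s $lan -o $wan -j MASQUERADE"
    echo 'COMMIT'
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "-A INPUT -s $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # FORWARD runs after PREROUTING, so it sees the translated destination:
    # match the internal host and port, not the public port.
    echo "-A FORWARD -i $wan -p tcp -d $host --dport $svc -m conntrack --ctstate NEW -j ACCEPT"
    # LAN clients out to the internet; replies come back via ESTABLISHED.
    echo "-A FORWARD -s $lan ! -i $wan -o $wan -m conntrack --ctstate NEW -j ACCEPT"
    echo 'COMMIT'
}

# 0 if the ip_forward knob in file $1 is on (default: the live sysctl file).
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Write the persistent setting; sysctl -w alone is lost at reboot.
# $1 = target file (default is an assumed name under /etc/sysctl.d).
persist_forwarding() {
    echo 'net.ipv4.ip_forward = 1' > "${1:-/etc/sysctl.d/99-forward.conf}"
}

build_router_rules "$WAN_IF" "$LAN_NET" "$SERVICE_HOST" "$PUBLIC_PORT" "$SERVICE_PORT"
forwarding_enabled || echo '# note: net.ipv4.ip_forward is 0, DNAT to another host will not work' >&2
```

Save the output to a file and load it with `iptables-restore < file` as root; the nat section is committed first, so the filter rules that reference the translated destination are never active without the DNAT that produces it.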

Rate Limiting

Limit packet or connection rates to blunt abuse. limit is a single global token bucket, not a per-source one, and it is a match rather than a block: packets over the limit simply fall through to the following rules, so each limit rule needs a DROP for the same traffic after it. hashlimit with --hashlimit-mode srcip gives one bucket per source address.

Command | Description
sudo iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j ACCEPT | Accept at most 3 SSH packets per minute (burst 3) across all sources; follow with a DROP rule for port 22
sudo iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j DROP | Drop when one source IP has more than 50 parallel HTTP connections
sudo iptables -A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT | Accept at most 1 ICMP packet per second; follow with a DROP rule for icmp
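Typed one at a time, the Default Policies, Allow Traffic, Block Traffic and Rate Limiting commands above leave a window in which the policy is DROP but the allow rules are not yet there, and the limit rules need a DROP behind them to mean anything. The script below is an added example, not a script from the original page: it generates the whole INPUT ruleset in iptables-restore format, with the ordering and the trailing DROP rules built in, so one `iptables-restore` applies everything atomically. The admin subnet, the open port list and the 203.0.113.0/24 block list are assumed values; it uses hashlimit (one bucket per source) for SSH instead of the page's global limit.

```shell
#!/usr/bin/env bash
# Added example, not a script from the original page: emit an ordered INPUT
# ruleset (policies, loopback, conntrack, block list, rate-limited SSH, open
# ports, ping) in iptables-restore format. Applied as one file, the policies
# and the allow rules take effect in a single transaction.
# ADMIN_NET, OPEN_PORTS and BLOCKED are assumed values for illustration.
set -eu

ADMIN_NET=192.168.1.0/24        # assumed: only this subnet may open SSH
OPEN_PORTS="80 443"             # assumed: TCP ports open to everyone
BLOCKED="203.0.113.0/24"        # assumed: sources dropped before anything else

# Return 0 if $1 is an integer in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ruleset. $1 admin subnet, $2 open TCP ports, $3 CIDRs to drop.
build_filter_rules() {
    admin_net=$1 open_ports=$2 blocked=$3
    for p in $open_ports; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    echo '*filter'
    # Policies are committed together with the rules below.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # The conntrack rule goes first: it handles the bulk of traffic and keeps
    # the SSH rate limit below from ever seeing packets of existing sessions.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for net in $blocked; do
        echo "-A INPUT -s $net -j DROP"
    done
    # SSH: only NEW connections count, and hashlimit keeps one bucket per
    # source address where limit would share one bucket across all sources.
    echo "-A INPUT -p tcp --dport 22 -s $admin_net -m conntrack --ctstate NEW" \
         "-m hashlimit --hashlimit-name ssh --hashlimit-mode srcip" \
         "--hashlimit-upto 3/min --hashlimit-burst 3 -j ACCEPT"
    # Everything else that tries to open SSH, including admin sources over
    # the limit, is dropped here instead of falling through to the policy.
    echo '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP'
    for p in $open_ports; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/sec -j ACCEPT'
    echo 'COMMIT'
}

# Line number of the first generated rule matching pattern $1 (order checks).
rule_position() {
    build_filter_rules "$ADMIN_NET" "$OPEN_PORTS" "$BLOCKED" | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

build_filter_rules "$ADMIN_NET" "$OPEN_PORTS" "$BLOCKED"
```

Redirect the output to a file, check it with `iptables-restore --test < file`, then load it with `iptables-restore < file` as root. Because the ESTABLISHED,RELATED rule precedes the SSH rules, a session that is already open is never counted against the hashlimit bucket.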

Logging

Log matched packets to the kernel log (dmesg, journalctl -k). LOG is a non-terminating target: the packet continues to the next rule, so a LOG rule only records drops when a DROP rule or the chain's DROP policy comes right after it.

Command | Description
sudo iptables -A INPUT -j LOG --log-prefix "IPT-DROP: " | Log everything that reaches the end of INPUT (the packets the DROP policy will discard); keep it as the last rule
sudo iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH: " --log-level 4 | Log SSH packets at syslog level 4 (warning)
sudo iptables -A INPUT -m limit --limit 5/min -j LOG | Log at most 5 packets per minute so a flood cannot fill the log
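Each LOG line carries the prefix followed by key=value fields (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT= and so on), which makes it easy to summarise. The script below is an added example, not part of the original page: it reads such lines, keeps the ones with a given prefix and counts them by source, protocol and destination port. The log lines are constructed to match the LOG format; on a real host pipe in `journalctl -k --no-pager` or `dmesg` instead. The prefixes IPT-DROP: and SSH: are the ones used in the table above.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: summarise what the LOG target
# wrote to the kernel log. The sample lines are constructed; feed in
# `journalctl -k --no-pager` or `dmesg` on a real host.
set -eu

# Constructed sample, in the shape of /var/log/kern.log or journalctl -k output.
sample_log() {
    cat <<'EOF'
Mar  3 10:14:22 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:14:23 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=54322 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:14:25 gw kernel: SSH: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31337 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:14:26 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=1234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:14:27 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Mar  3 10:14:29 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=54323 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
EOF
}

# Read log lines on stdin, keep those carrying prefix $1, and print
# "count source proto dport", most frequent first. Only the key=value
# fields are used, so the syslog timestamp format does not matter;
# protocols without ports (ICMP) show "-" as the port.
summarize_drops() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }
        {
            src = "?"; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)        src   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            hits[src " " proto " " dpt]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -k1,1nr -k2
}

# The source address with the most logged packets for prefix $1.
top_source() {
    summarize_drops "$1" | head -n 1 | cut -d' ' -f2
}

sample_log | summarize_drops 'IPT-DROP:'
```

A source that dominates the IPT-DROP: summary on one port is a candidate for the Block Traffic rules above; the SSH: prefix can be summarised the same way to see who is reaching the allowed port.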

Delete and Insert Rules

Manage rule order and removal. Rule numbers come from iptables -L -n --line-numbers and shift after every delete or insert, so when deleting several rules by number work from the highest number down.

Command | Description
sudo iptables -D INPUT 3 | Delete rule number 3
sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT | Delete by specification (must match the existing rule exactly)
sudo iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT | Insert rule at position 1 (top of the chain)
sudo iptables -R INPUT 3 -p tcp --dport 443 -j ACCEPT | Replace rule number 3
sudo iptables -F | Flush all rules in the filter table; policies are kept, so with INPUT set to DROP this locks you out (set the policies to ACCEPT first)
sudo iptables -F INPUT | Flush INPUT chain only

Save and Restore

Persist rules between reboots. iptables keeps rules only in kernel memory; the save tools write them to a file that is loaded again at boot.

Command | Description
sudo sh -c 'iptables-save > /etc/iptables/rules.v4' | Save rules (a plain sudo iptables-save > file fails: the redirect is done by the unprivileged shell)
sudo iptables-restore < /etc/iptables/rules.v4 | Restore rules, replacing the whole ruleset atomically; add --test to only parse the file
sudo apt install iptables-persistent | Auto-load /etc/iptables/rules.v4 at boot on Debian/Ubuntu; save the live rules with sudo netfilter-persistent save
sudo service iptables save | Save to /etc/sysconfig/iptables on RHEL and derivatives (requires the iptables-services package)
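Restoring a saved file on a remote host is where a mistake locks you out, and the flush commands in the previous section have the same failure mode under a DROP policy. The script below is an added example, not a script from the original page: it loads a ruleset only after `iptables-restore --test` accepts it, arms a timer that restores the previous ruleset unless you confirm, and provides a reset that sets the policies to ACCEPT before flushing. STATE_DIR, the backup and pid file names and the 60-second default are assumed values for illustration.

```shell
#!/usr/bin/env bash
# Added example, not a script from the original page: apply a saved ruleset
# with a rollback timer, the way you want to do it over SSH on a remote host.
# STATE_DIR, the file names and the 60 s default are assumed values.
set -eu

ROLLBACK_SECS=${ROLLBACK_SECS:-60}
STATE_DIR=${STATE_DIR:-/run/iptables-apply}

# Save the live rules, load $1, and arm a timer that restores the backup after
# $2 seconds (default ROLLBACK_SECS) unless firewall_confirm cancels it.
firewall_apply() {
    new=$1 secs=${2:-$ROLLBACK_SECS}
    mkdir -p "$STATE_DIR"
    iptables-save > "$STATE_DIR/backup.v4"
    # Parse only: a typo in the file is caught before anything changes.
    iptables-restore --test < "$new"
    # iptables-restore replaces the whole ruleset in one commit.
    iptables-restore < "$new"
    ( sleep "$secs"; iptables-restore < "$STATE_DIR/backup.v4" ) &
    echo $! > "$STATE_DIR/timer.pid"
    echo "applied $new; run firewall_confirm within ${secs}s or the old rules return"
}

# Cancel the rollback timer so the new ruleset stays in place.
firewall_confirm() {
    if [ -f "$STATE_DIR/timer.pid" ]; then
        kill "$(cat "$STATE_DIR/timer.pid")" 2>/dev/null || true
        rm -f "$STATE_DIR/timer.pid"
    fi
}

# Open the firewall completely. Policies go to ACCEPT before the flush:
# -F alone keeps a DROP policy, and flushing the ESTABLISHED rule under a
# DROP policy kills the SSH session you are typing in.
firewall_reset() {
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    for t in filter nat mangle; do
        iptables -t "$t" -F
        iptables -t "$t" -X    # also remove user-defined chains
    done
}

case "${1:-}" in
    apply)   firewall_apply "$2" "${3:-$ROLLBACK_SECS}" ;;
    confirm) firewall_confirm ;;
    reset)   firewall_reset ;;
esac
```

Run it as root: `./fw.sh apply /etc/iptables/rules.v4 60`, open a second SSH session to check that you still get in, then `./fw.sh confirm`. If the second session fails, do nothing: after 60 seconds the backup is restored and the first session recovers. Once confirmed, the file is what iptables-persistent (Debian/Ubuntu) or iptables-services (RHEL) loads at boot.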