Basic Commands

List Rules

# List all rules in the filter table (the default table when -t is omitted)
$ iptables -L
$ iptables -L -v                    # packet/byte counters and interfaces
$ iptables -L -n -v                 # numeric output: no reverse DNS or service-name lookups
$ iptables -L -n -v --line-numbers  # rule positions, as used by -I and -D
$ iptables -t nat -L -n -v          # other tables (nat, mangle, raw) must be named explicitly

# List rules for specific chain
$ iptables -L INPUT
$ iptables -L FORWARD
$ iptables -L OUTPUT

Rule Management

# Add rule (the match/target specification follows the chain name and position)
$ iptables -A INPUT <rule-spec>     # append at the end of the chain
$ iptables -I INPUT 1 <rule-spec>   # insert at position 1 (top of the chain)

# Delete rules
$ iptables -D INPUT 1               # delete rule at position (see -L --line-numbers)
$ iptables -D INPUT <rule-spec>     # delete the first rule matching this spec
$ iptables -F                       # flush every chain of the filter table (policies are kept)
$ iptables -F INPUT                 # flush one chain
$ iptables -t nat -F                # other tables are flushed separately

# Default policies: what happens when no rule in a built-in chain matches.
# Set a DROP policy last, after the allow rules exist, or a remote
# session is cut off.
$ iptables -P INPUT DROP
$ iptables -P FORWARD ACCEPT
$ iptables -P OUTPUT ACCEPT

Rule Specifications

Common Matches

# Protocol matches
-p tcp
-p udp
-p icmp

# Interface matches (-i is valid in INPUT/FORWARD/PREROUTING, -o in FORWARD/OUTPUT/POSTROUTING)
-i eth0
-o eth0

# Source/destination
-s 192.168.1.0/24
-d 192.168.1.1

# Port matches (require -p tcp or -p udp)
--sport 22
--dport 80
-m multiport --ports 21,22,23   # --ports belongs to multiport: matches source OR destination port

Extended Matches

# State matching (legacy alias of conntrack; prefer -m conntrack --ctstate)
-m state --state NEW,ESTABLISHED

# Multiport (up to 15 ports or ranges such as 8000:8100)
-m multiport --sports 21,22,23
-m multiport --dports 80,443

# Limit matching: one token bucket shared by every packet that reaches
# the rule (default burst 5), not a per-source limit
-m limit --limit 3/minute

# Connection tracking
-m conntrack --ctstate NEW
-m conntrack --ctstate ESTABLISHED
-m conntrack --ctstate ESTABLISHED,RELATED   # replies plus related flows (ICMP errors, FTP data)

Actions and Targets

Basic Targets

# Accept/Drop/Reject
-j ACCEPT
-j DROP                             # discard silently
-j REJECT                           # discard and answer (default: ICMP port unreachable)
-j REJECT --reject-with tcp-reset   # answer with a TCP RST instead; the usual choice for TCP ports

# Jump to a user-defined chain (create it first with: iptables -N CHAIN_NAME)
-j CHAIN_NAME

# Return from a user-defined chain to the rule after the jump;
# in a built-in chain, RETURN falls through to the chain policy
-j RETURN

Advanced Targets

# NAT targets (nat table only: -t nat)
-j SNAT --to-source 192.168.1.1       # POSTROUTING; rewrite source to a fixed address
-j DNAT --to-destination 10.0.0.1     # PREROUTING or OUTPUT; rewrite destination
-j MASQUERADE                         # POSTROUTING; like SNAT but uses the outgoing
                                      # interface's current address (DHCP/PPP uplinks)

# Logging. LOG is non-terminating: the packet continues to the next rule,
# so a LOG rule is normally followed by the DROP/REJECT meant for it.
-j LOG --log-prefix "IPTables: "      # prefix appears in the kernel log (dmesg/journal)
-j LOG --log-level 4                  # syslog severity 4 = warning

# Rate limiting (matches precede the target)
-m limit --limit 1/second -j ACCEPT

Common Usage Examples

Basic Firewall

# Rules are evaluated top-down and the first match wins, so the allow
# rules go in before the policy is switched to DROP. Most hosts also
# need a loopback allow rule (-i lo -j ACCEPT), because local services
# talk to each other over 127.0.0.1.

# Allow established connections (and related traffic such as ICMP errors)
$ iptables -A INPUT -m conntrack \
    --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH
$ iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP/HTTPS
$ iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$ iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Default deny: set last, once the rules above are in place
$ iptables -P INPUT DROP
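The same basic firewall, written as an added example (not from the original cheatsheet) in the form a practitioner would actually deploy: one iptables-restore ruleset instead of a sequence of iptables commands. iptables-restore replaces the table in a single transaction, so the DROP policy and the allow rules take effect together and there is no window between "-P INPUT DROP" and the SSH rule in which a remote session dies. The SSH port, the management network (203.0.113.0/24 is a documentation range standing in for a real one) and the loopback, INVALID and logging rules are additions to the page's rule list.

```shell
#!/bin/sh
# Added example: generate the "Basic Firewall" as an iptables-restore ruleset.
# SSH_PORT and ADMIN_NET are assumed parameters, not values from the page.

# Print a filter-table ruleset to stdout.
# $1 = SSH port (default 22), $2 = CIDR allowed to open SSH (default: anywhere).
basic_firewall_rules() {
    ssh_port="${1:-22}"
    admin_net="${2:-0.0.0.0/0}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first: local services (resolvers, databases, agents) use 127.0.0.1.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, and related traffic (e.g. ICMP errors).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify (bad flags, out-of-window) are dropped early.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Ping is useful for operators; the limit keeps it from becoming a free scanner.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# New SSH connections only from the management network. The limit is global
# (one bucket for all sources), which is enough to blunt a brute force.
-A INPUT -p tcp --dport ${ssh_port} -s ${admin_net} -m conntrack --ctstate NEW -m limit --limit 6/minute --limit-burst 6 -j ACCEPT
# Any new SSH attempt that was not accepted above is logged, then hits the DROP policy.
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j LOG --log-prefix "SSH-REJECTED: " --log-level 4
# Web ports open to everyone.
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Everything else falls through to the INPUT policy (DROP) declared above.
COMMIT
EOF
}

# Parse-check a ruleset file, back up the live rules, then load it atomically.
# $1 = path to the ruleset file. Needs root; not run by this script itself.
apply_ruleset() {
    file="$1"
    # --test builds the ruleset in user space without touching the kernel tables.
    iptables-restore --test < "$file" || {
        echo "ruleset failed validation, nothing applied" >&2
        return 1
    }
    iptables-save > "/root/iptables.backup.$(date +%s)"
    iptables-restore < "$file"
}

# Write a candidate file for review; apply it with: apply_ruleset <file>
basic_firewall_rules 22 203.0.113.0/24 > "${TMPDIR:-/tmp}/rules.v4.candidate"
```

Review the candidate file, run apply_ruleset on it from a console session (or with a second session open), and only then save it as the persistent rules file.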

NAT Configuration

# NAT also needs routing enabled in the kernel (sysctl net.ipv4.ip_forward=1)
# and ACCEPT rules in the filter table's FORWARD chain: the nat table only
# rewrites addresses, it does not permit the traffic.

# Enable NAT (masquerade everything leaving on the uplink)
$ iptables -t nat -A POSTROUTING \
    -o eth0 -j MASQUERADE

# Port forwarding. The FORWARD chain sees the packet after DNAT, so its
# allow rule must match the internal address 192.168.1.2, not the public one.
$ iptables -t nat -A PREROUTING \
    -i eth0 -p tcp --dport 80 \
    -j DNAT --to-destination 192.168.1.2

# Redirect ports to a local service on this host (e.g. a proxy on 8080)
$ iptables -t nat -A PREROUTING \
    -p tcp --dport 80 -j REDIRECT --to-ports 8080
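An added example (not from the original cheatsheet) that puts the three pieces of a NAT gateway together, since the nat-table commands above do nothing useful on their own: IP forwarding in the kernel, FORWARD rules in the filter table that admit exactly the forwarded traffic, and the nat table itself. The interface names eth0/eth1, the 192.168.1.0/24 LAN and the internal web server address are assumed values.

```shell
#!/bin/sh
# Added example: complete NAT gateway ruleset (filter + nat tables).
# WAN_IF, LAN_IF and LAN_NET are assumed names; override them in the environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print an iptables-restore ruleset for the gateway.
# $1 = internal host that receives forwarded port 80 (default 192.168.1.2).
nat_gateway_rules() {
    web_host="${1:-192.168.1.2}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Manage the gateway from the LAN side only.
-A INPUT -i ${LAN_IF} -p tcp --dport 22 -j ACCEPT
# Return traffic for any forwarded flow, whichever side opened it.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# LAN clients may reach the Internet; the reverse is denied by the DROP policy.
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
# Inbound port forward: FORWARD runs after PREROUTING's DNAT, so match the
# rewritten destination, and only the one port that was forwarded.
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -d ${web_host} -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite inbound port 80 arriving on the WAN interface to the internal web server.
-A PREROUTING -i ${WAN_IF} -p tcp --dport 80 -j DNAT --to-destination ${web_host}:80
# Hide LAN sources behind the WAN address; MASQUERADE picks the address up at runtime.
-A POSTROUTING -o ${WAN_IF} -s ${LAN_NET} -j MASQUERADE
COMMIT
EOF
}

# Without this the kernel drops packets not addressed to itself and no NAT happens.
# Persist via sysctl.d and apply immediately. Needs root; not run by this script.
enable_forwarding() {
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-forward.conf
    sysctl -w net.ipv4.ip_forward=1
}

# Write a candidate ruleset for review; load it with iptables-restore after
# checking it with iptables-restore --test.
nat_gateway_rules 192.168.1.2 > "${TMPDIR:-/tmp}/gateway.rules.candidate"
```

Keeping the FORWARD policy at DROP and adding one ACCEPT per forwarded service is what makes the DNAT rule safe: the nat table alone would expose every port the kernel is willing to route.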

Advanced Features

String Matching

# -m string searches each packet's payload for a fixed byte string. It sees
# one packet at a time, so a request split across segments, a different
# case ("get /ADMIN"; add --icase to ignore case), URL encoding or TLS all
# get past it. Treat it as a quick filter, not as a WAF.

# Match URL in HTTP request (plaintext HTTP only)
$ iptables -A INPUT -p tcp --dport 80 \
    -m string --string "GET /admin" \
    --algo bm -j DROP

# Match specific content in any protocol (bm and kmp are the two search
# algorithms; bm is the usual choice, kmp for very short patterns)
$ iptables -A INPUT \
    -m string --string "malicious" \
    --algo kmp -j DROP

Time-based Rules

# -m time compares against UTC unless --kerneltz is given, so "09:00"
# below means 09:00 UTC; add --kerneltz to use the kernel's local time.

# Restrict access by time of day and weekday
$ iptables -A INPUT \
    -p tcp --dport 80 \
    -m time --timestart 09:00 \
    --timestop 18:00 \
    --weekdays Mon,Tue,Wed,Thu,Fri \
    -j ACCEPT

# Restrict to a date range (e.g. a temporary exception that expires by
# itself). A date without a time means 00:00:00, so this stops at the
# start of 2024-12-31; use 2024-12-31T23:59:59 to include the whole day.
$ iptables -A INPUT \
    -m time --datestart 2024-01-01 \
    --datestop 2024-12-31 -j ACCEPT

Persistence

# Rules live in kernel memory and are gone after a reboot: save them and
# let the distribution's service restore them at boot. iptables covers
# IPv4 only; repeat for ip6tables (ip6tables-save, rules.v6).

Saving Rules

# Debian/Ubuntu (iptables-persistent package; writes /etc/iptables/rules.v4 and rules.v6)
$ netfilter-persistent save
$ netfilter-persistent reload

# RHEL/CentOS (iptables-services package; recent releases default to firewalld/nftables)
$ service iptables save
$ service iptables restart

# Manual
$ iptables-save > /etc/iptables/rules.v4
$ iptables-restore --test < /etc/iptables/rules.v4   # parse-check only, kernel untouched
$ iptables-restore < /etc/iptables/rules.v4          # replaces the tables in one transaction
