General Commands

Options
  -L    List rules
  -S    List rules as the commands that would recreate them
  -A    Append rule to bottom of list
  -I    Insert rule above the rule specified
  -R    Replace specified rule
  -P    Set the default policy of a chain
  -D    Delete specified rule
  -F    Flush rules

Match Statement Options
  -i    Inbound interface
  -o    Outbound interface
  -s    Source IP
  -d    Destination IP
  -p    Protocol <tcp/udp/icmp>
  -m    Match <multiport/state/conntrack/iprange>

List Rules
  iptables -t [table] -L
      List rules in [table]
  iptables -t [table] -L <chain> --line-numbers
      List rules in <chain> with line numbers
  iptables -t [table] -S
      List rules formatted as input for a script

Check Rules
  iptables -t [table] -C <chain> <rule>
      Check whether a specific rule exists (exit status 0 if it does, 1 if not)
  Example:
  iptables -t filter -C INPUT -p tcp --dport 80 -j ACCEPT

Set Default Policy
  iptables -t [table] -P <chain> <action>
      Set the default policy for <chain> to <action>

Add/Replace Rules
  iptables -t [table] -A <chain> <specific rule>
      Append rule to bottom of list
  iptables -t [table] -I <chain> <rule_num> <rule>
      Insert rule at specified rule number
  iptables -t [table] -R <chain> <rule_num> <rule>
      Replace rule at specified rule number

Delete Specific Rules
  iptables -t [table] -D <chain> [rule_num]
      Delete rule by number
  iptables -t filter -D INPUT -p tcp --dport 22 -j ACCEPT
      Delete a specific rule by matching its rule specification

Flush Rules
  iptables -t [table] -F
      Flush all rules in [table]
  iptables -t [table] -F <chain>
      Flush all rules in <chain> of [table]

Zero out the Packet and Byte Counters
  iptables -t [table] -Z
      Zero the packet and byte counters in all chains of [table]
  iptables -t [table] -Z <chain>
      Zero the packet and byte counters in <chain> of [table]

Save/Restore iptables
  iptables-save -t [table] > /[table]_rules_backup
      Save the current iptables rules to a file
  iptables-restore < /[table]_rules_backup
      Restore iptables rules from a file

Custom Chains
  iptables -t [table] -N MYCHAIN
      Create custom chain MYCHAIN
  iptables -t [table] -X MYCHAIN
      Delete custom chain MYCHAIN (only if no rule references it)
  iptables -t [table] -E OLDCHAIN NEWCHAIN
      Rename chain from OLDCHAIN to NEWCHAIN

RETURN Action

RETURN exits a user-defined chain and returns to the default processing flow.
This action is generally used within user-defined chains to stop processing and return to the calling chain.
Here, the RETURN action in MYCHAIN stops further processing of packets from the 192.168.1.0/24 network and returns to the PREROUTING chain.

Basic Example with a User-defined Chain:
First, create a user-defined chain named CHECK_HTTP and add a rule to it that logs HTTP traffic.
Then, use the RETURN action to return control to the calling chain after logging:
This setup logs HTTP traffic and then returns to the INPUT chain for further processing.

Conditional Return Based on Source IP:
Imagine a scenario where you want to apply special processing to packets from a specific source IP, then return to the main chain if those conditions are met:
Packets from 192.168.1.100 are logged, and then control returns to the INPUT chain.

Using RETURN in a Complex Filtering Scenario:
If you have complex filtering rules for different types of traffic, you might organize them into separate chains.
After specific conditions are checked in these chains, you might use RETURN to go back to a common set of rules:
This setup logs SSH and FTP attempts before dropping all other incoming traffic.

Excluding Traffic from Broad Rules:
If you want to apply a broad rule but exclude certain traffic from it, you could use RETURN to bypass the broad rule for specific cases:
Here, packets from 192.168.1.200 are not logged, thanks to the RETURN action that bypasses the logging rule for this source IP.

Combining RETURN with Rate Limiting:
You can use RETURN to create a rate-limiting mechanism for specific types of traffic, returning control to the calling chain if the rate limit is not exceeded:
This rule set logs up to one ICMP packet per minute and uses RETURN to continue processing other rules in the INPUT chain after applying rate limiting.
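The following script is an added example, not part of the original cheat sheet, that puts the CHECK_HTTP chain, the source-IP exclusion and the rate-limited LOG rule from the sections above into one working rule set, and shows how to install it idempotently with -C before -A/-I. The trusted address 192.168.1.200 and the chain name are constructed sample values; IPT is an assumed variable so the plan can be printed without root.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: a user-defined chain
# CHECK_HTTP wired into INPUT, combining the RETURN patterns above:
#   - an early RETURN exempts one trusted host from the broad LOG rule,
#   - the LOG rule is rate-limited with -m limit,
#   - a final RETURN hands the packet back to INPUT for normal processing.
# The trusted address is a constructed sample. Run with no arguments to
# print the plan; run "apply" as root to install the rules.
IPT="${IPT:-iptables}"                 # override (e.g. with a fake) for dry runs
TRUSTED_HOST="${TRUSTED_HOST:-192.168.1.200}"

# Rule plan: one iptables argument list per line, in the order it must be applied.
check_http_rules() {
    cat <<EOF
-t filter -N CHECK_HTTP
-t filter -A CHECK_HTTP -s $TRUSTED_HOST -j RETURN
-t filter -A CHECK_HTTP -m limit --limit 1/min -j LOG --log-prefix HTTP_CHECK:
-t filter -A CHECK_HTTP -j RETURN
-t filter -I INPUT 1 -p tcp --dport 80 -j CHECK_HTTP
EOF
}

# Apply the plan idempotently: -N is allowed to fail when the chain already
# exists, and -A/-I are only issued when -C reports the rule is missing.
apply_check_http() {
    check_http_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word-splitting the plan line is intended
        set -- $rule
        case "$3" in
            -N) $IPT "$@" 2>/dev/null || true ;;
            -A) shift 3
                $IPT -t filter -C "$@" 2>/dev/null || $IPT -t filter -A "$@" ;;
            -I) shift 3; chain=$1; shift 2
                $IPT -t filter -C "$chain" "$@" 2>/dev/null || $IPT -t filter -I "$chain" 1 "$@" ;;
        esac
    done
}

if [ "${1:-}" = apply ]; then
    apply_check_http
else
    echo "# plan (run '$0 apply' as root to install):"
    check_http_rules
fi
```

Verify the result afterwards with `iptables -t filter -L CHECK_HTTP --line-numbers`; the exclusion RETURN must sit above the LOG rule, or the trusted host is logged anyway.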