This is more a note than a full tutorial. Full tutorial can be found from the link at the end of this post.
Type of table:
Type of chains (customizable):
Type of targets:
- LOG (non-terminated)
- (... check via
Some rules have [!], which mean that ! is optional, added to negate the condition.
- -A: append rule (default)
- -D <chain> <rule num |or| rule spec>: delete rule
- [!] -i <interface> [+]: specify input interface. if + presents, match all interfaces having specified prefix.
- [!] -o <interface> [+]: output interface. similar to -i flag
- -t <table>: default is -t filter
- [!] --dport <port or port_start:port_end>: --dport 1000:2000 to specify all port between 1000 and 2000, inclusive
- -I <chain> [position]: if position is omitted. -I can be omitted and <chain> becomes first positional argument.
- [!] -p <protocol>: protocol is tcp or dcp
- -j <target>: jump to target. target can be chain or target. Some rules only allow specific target. For e.g: nat table rules do not allow DROP target.
- [!] -s <ip>: source. can be xx.xx.xx.xx or xx.xx.xx.xx/len, so called CIDR notation.
- [!] -d <ip>: destination. ip format is same as -s.
- -m <module> [module params]: match extension module
To list existing rules, use
- -L: list rules
- -n: display port number rather ran application name
- -v: verbose additional information, such as in/out interface
- -S: simple mode. This flag should not be combined with any other flag. Useful to specify rule removal command.
- -P: set default policy
- -F: flush all rules. to ask user to keep or remove rule on by one
- -E: rename chain
- -h: help
- -N: new chain
- -R: replace rule
iptables rules are in memory, all the rules stay in kernel memory and are wiped out after reboot. To persist your setting, you must setup your own service to run append command on each reboot or use external tool. For example: follow this post to create your own startup script (service).